Synchronizing directory service
To copy the objects and users of your directory service into the Directory service structure of the Console, synchronize the Console with the domain controllers of the directory service. If only the structure of your directory service has changed, synchronize the structure alone; in that case only domains, OUs and folders are considered. The first domain controller was added during the installation. After the installation, further domain controllers of the same or other directory services are added in the Console under Administration | Synchronization | Directory service settings.
Adding a domain controller
Synchronization requires the domain controller/server account information of the directory service. You can define or change these settings. If no user is specified, synchronization will be performed under the system account. The performing account must have at least read permission.
Add a domain controller
- Go to Administration | Synchronization | Directory service settings.
- Near User authentication, select how EgoSecure Agents identify users from your directory services: using Windows Sid or Novell Guid. The most common way is Windows authentication.
Novell authentication must be used only when the Novell Client is installed on all computers with EgoSecure Agents.
- In the Domain controllers area, click Add on the toolbar and select a directory service type from the drop-down menu:
- Active Directory (By default, AD doesn't use LDAP protocol. If you use LDAP protocol in your AD, select LDAP instead of AD.)
- Azure AD
- LDAP (any directory service that works via the Lightweight Directory Access Protocol).
- Novell eDirectory.
- The Domain controller – [directory service] dialog appears.
- Define the name of the domain controller or of the NDS/LDAP Server. For details about filling in the fields for Azure AD, see Setting up Azure Active Directory and getting credentials.
- Enter the account information of the directory service user.
- Select where to start a directory service synchronization:
- For Active Directory, enter the organizational unit in the Start OU field.
- For NDS / LDAP directory services, specify the server context in the Context field.
- If required, activate the Use SSL-based encryption checkbox. You should create an SSL certificate for use with your EDP and DC/LDAP servers.
- Click Check.
- Once the connection is tested successfully, click OK to confirm and close the dialog.
- Click Save to save the changes.
- If you selected LDAP in step 3, the LDAP settings tab appears under Administration | Synchronization. For details about LDAP settings, see Defining settings for LDAP synchronization.
- Click Synchronize to perform the synchronization of the selected domain controller with the settings defined under Administration | Synchronization | Synchronization.
“Own directory” mode support
- Adding users in Console directly.
- No synchronization is needed.
- When a new user registers on the server, its entry appears under the own directory in the Unsorted folder.
Setting up Azure Active Directory and getting credentials
To get credentials from Azure AD necessary for EgoSecure, you need to register an application, define permissions for it and copy the application client secret (password).
- Register a new application using the Azure portal. For details about registering an application, see Microsoft docs - Register an app.
- You now have the values for the Application ID and Directory ID fields in the InstallShield Wizard or under Administration | Synchronization | Directory service settings.
- In the Certificates & secrets section, click New client secret and copy it immediately. The client secret is no longer accessible once you leave the page. For details about adding a client secret, see Microsoft docs - Configure app to access web APIs.
- You now have the value for the Application password field in the InstallShield Wizard or under Administration | Synchronization | Directory service settings.
- Add the following permissions for the application:
- User.Read.All
- Group.Read.All
- Directory.Read.All
- For details about adding permissions, see Microsoft docs - Configure app to access web APIs.
Defining settings for LDAP synchronization
Under Administration | Synchronization | LDAP settings, define the rules for matching the EgoSecure classes and attributes with the LDAP classes and attributes, so that during the synchronization the EgoSecure database can recognize objects from directories that work via the LDAP protocol. There are two ways: activate a schema with predefined classes and attributes, or add your own schema and define its classes and attributes.
Enabling the predefined schema
- Go to Administration | Synchronization | LDAP settings.
- In the LDAP schemas definition area, right-click one of the predefined schemas and select Activate.
- Below, in the LDAP Schema – [schema name] area, under Classes, check whether the EgoSecure classes match the LDAP classes.
- Under Attributes, check whether the EgoSecure attributes match the LDAP attributes.
- Under Alternative attributes, define which EgoSecure classes and attributes correspond to which LDAP classes and attributes.
- E.g.: the Name attribute might map to different LDAP attributes depending on whether it belongs to the Group or to the Folder class.
- Click Save on the toolbar in the LDAP schemas definition area.
Creating and enabling your own schema
- Go to Administration | Synchronization | LDAP settings.
- In the LDAP schemas definition area, click Add on the toolbar.
- The New LDAP Schema entry appears.
- Define the schema name, if necessary.
- Below in the LDAP Schema – [schema name] area, under Classes, define which EgoSecure classes correspond to which LDAP classes:
- Click Add on the toolbar.
- In the EgoSecure column, select one of the EgoSecure classes from the drop-down.
- In the LDAP column, enter the value that represents the selected class in LDAP.
- Repeat steps for all classes you need.
- Under Attributes, define which EgoSecure attributes correspond to which LDAP attributes:
- Click Add on the toolbar.
- In the EgoSecure column, select one of the EgoSecure attributes from the drop-down.
- In the LDAP column, enter the value that represents the selected attribute in LDAP.
- Repeat the steps for all attributes you need.
- Under Alternative attributes, define which EgoSecure classes and attributes correspond to which LDAP classes and attributes.
- Click Add on the toolbar.
- In the EgoSecure class column select one of the EgoSecure classes from the drop-down.
- In the LDAP class column, enter the value that represents the selected class in LDAP.
- In the EgoSecure attribute column, select one of the EgoSecure attributes from the drop-down for matching with the selected class.
- In the LDAP attribute column, enter the value that represents the selected attribute in LDAP.
- Repeat the steps for all alternative attributes you need.
- In the LDAP schemas definition area, right-click your created schema and select Activate from the context menu.
- Click Save on the toolbar in the LDAP schemas definition area.
Setting up synchronization
You can select the scope of synchronization and define which products to automatically enable for new users, computers, or groups of the directory service, and how to deal with deleted users. For details, see: Activating products
Synchronization settings
Option | Description |
---|---|
Synchronize directory structure only | Synchronizes only the directory service structure. For details, see Setting up synchronization of the structure. |
Synchronize only active users/computers | Synchronizes only active users and computers of the directory service. If the disable account action has been performed for a user or a computer, such objects are not synchronized. |
Synchronize only changes in AD for the last [x] days | Synchronizes only the directory service changes of a specific time period. Enter the number of days. This option does not take deleted directory service objects into account during synchronization. To detect objects deleted from AD/NDS, a full synchronization is required. |
Delete objects that were removed from the Directory after [x] days | Removes deleted directory service objects from the Console after a defined period of time (Administration \| AD Synchronization \| Deleted objects). This option is available only if the option Synchronize only changes in AD for the last [x] days is disabled. |
Detailed log file of the synchronization | Records all synchronization events in a separate synchronization log file. One log file is created per day under C:\ProgramData\EgoSecure\EgoSecureServer\LOG. |
Automatic product activation
Option | Description |
---|---|
Activate products for new users/computers | Automatically activates the selected products for new users/computers. A group must be synchronized with the server before new users/computers are added to it. Otherwise, users/computers in this group are not considered new. |
Deactivate products for inactive users/computers | Deactivates products for inactive users/computers. Inactive users/computers are directory service objects for which the disable account operation has been performed. The option is available only if the option Synchronize only active users/computers is disabled in the Synchronization settings area. |
Match product activation with the activated products of the group | Automatically activates only the products that are already enabled for a group. Products are activated for both new and existing users/computers. Products previously enabled for a user/computer become disabled if they are not enabled for the group. The option is available only if the options Synchronize directory structure only and Activate products for new users/computers are disabled. There are two types of groups: |

Displaying members of synchronized directory service groups. Once directory service groups are synchronized, they appear in the Directory service structure of the User management/Computer management menu. Directory service group members are not displayed. To display the members of a directory service group, right-click the group and select Group members from the context menu.
Setting up a full synchronization of the directory service
- Go to Administration | Synchronization | Synchronization.
- Specify the synchronization settings.
- To exclude certain objects from the synchronization:
- Select the directory element in the Directory service structure area.
- Click Add.
- The excluded objects appear in the Objects to exclude from synchronization area.
Bulk exclusion of AD objects. Defining the objects to exclude before every synchronization may be inconvenient. For convenience, use an Active Directory attribute instead: to exclude certain directory objects from all synchronizations, add the esSyncIgnore attribute with the value 1 to those objects directly in Active Directory.
- In the Directory service structure area, select a directory object in the tree, from which to start the synchronization. Select All domains to synchronize all domain controllers of a user authentication type specified under Administration | Synchronization | Directory service settings.
- Click Save.
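The bulk exclusion via the esSyncIgnore attribute, as an added PowerShell example (not part of the EgoSecure documentation or product): it stamps every object below one OU with esSyncIgnore=1, and separately lists all objects currently carrying the attribute, since excluded objects never receive automatic product activation and should be reviewed. It assumes the ActiveDirectory module, an account with write access to the OU, that the esSyncIgnore attribute exists in the AD schema, and the placeholder OU 'OU=Lab,DC=example,DC=local'.

```powershell
# Added example, not EgoSecure's own code.
# Assumptions: ActiveDirectory module available; esSyncIgnore exists in the AD schema;
# 'OU=Lab,DC=example,DC=local' is a placeholder for the OU to exclude.
Import-Module ActiveDirectory

function Set-EsSyncIgnore {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,  # OU whose objects are excluded from sync
        [string] $LdapFilter = '(|(objectClass=user)(objectClass=computer))',
        [switch] $Clear                                # remove the attribute again instead of setting it
    )
    $objects = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
        -LDAPFilter $LdapFilter -Properties esSyncIgnore
    foreach ($obj in $objects) {
        if ($Clear) {
            # Only touch objects that actually carry the attribute.
            if ($null -ne $obj.esSyncIgnore) {
                Set-ADObject -Identity $obj.DistinguishedName -Clear esSyncIgnore
            }
        }
        elseif ($obj.esSyncIgnore -ne 1) {
            # Replace adds the attribute when it is absent and overwrites any other value.
            Set-ADObject -Identity $obj.DistinguishedName -Replace @{ esSyncIgnore = 1 }
        }
    }
    return $objects.Count   # number of objects in scope
}

function Get-EsSyncIgnoredObjects {
    # Audit view: every object the next synchronization will skip, with its last change time.
    Get-ADObject -LDAPFilter '(esSyncIgnore=1)' -Properties esSyncIgnore, whenChanged |
        Select-Object DistinguishedName, ObjectClass, whenChanged
}

Set-EsSyncIgnore -SearchBase 'OU=Lab,DC=example,DC=local'
Get-EsSyncIgnoredObjects | Format-Table -AutoSize
```

Run Get-EsSyncIgnoredObjects after each change and compare it with the Objects to exclude from synchronization area, so that no user or computer is silently left without product activation.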
Setting up synchronization of directory structure (domains, OUs and folders)
- Go to Administration | Synchronization | Synchronization.
- Enable the Synchronize directory structure only check box.
- Other check boxes become disabled and the Include groups check box appears.
- To synchronize directory service groups, enable the Include groups check box.
- Specify synchronization settings.
- To exclude certain objects from the synchronization,
- Select the directory element in the Directory service structure area.
- Click Add.
- The excluded objects appear in the Objects to exclude from synchronization area.
- Click Save.
Initiating synchronization
You can perform synchronization manually or use a scheduler to perform synchronization automatically.
Performing synchronization manually
- Go to Administration | Synchronization | Synchronization.
- In the Directory service structure area, select a directory object from which to start the synchronization. Select All domains to synchronize all domain controllers of a user authentication type specified under Administration | Synchronization | Directory service settings.
- Edit the settings. For details see: Setting up synchronization
- Click Start.
- The synchronization starts and the Directory service structure of the Console becomes updated.
Performing synchronization automatically at specific time
- Go to Administration | Synchronization | Schedule.
- In the Directory service structure area, select a directory object from which to start the synchronization. Select All domains to synchronize all domain controllers of the user authentication type specified under Administration | Synchronization | Directory service settings.
- In the Server drop-down, select an EgoSecure Server for performing a scheduled synchronization (applies for all tasks in the list).
- Click +Add in the work area.
- Define the name and time or period for the synchronization.
- Edit the settings. For details, see: Setting up synchronization
- Click Save.
- The synchronization is performed at the specified time or interval.
Transferring an account to a directory service object
Objects deleted from Active Directory, Novell eDirectory, LDAP or Azure AD are displayed under Deleted objects. The objects appear in this list only after a synchronization. Transfer the account of a deleted user to a directory service user to move its activated products with their settings and permissions, encryption keys, audit and revision data, and group membership.
- Right-click a user under Administration | Synchronization | Deleted objects.
- Select Transfer account to... from the context menu.
- The Transfer account to... dialog appears.
- Select the user to whom the account is to be transferred.
- Click OK.
- The account is transferred to the selected directory service user. The user is automatically deleted from the list and from the database.