
Active Directory Synchronization

The professional BlueMind subscription includes access to tools that facilitate the integration of BlueMind into your information system.

This article describes the functionalities of the Active Directory access module.

Active Directory scope

The admin console is used to create and manage users, groups and other entities directly in BlueMind.

However, information systems often include a centralized directory – such as LDAP or Active Directory – which we recommend that you use to manage users and groups centrally. When you do, user management can be delegated to an Active Directory directory and accounts created automatically through periodic synchronization.

Active Directory synchronization allows BlueMind to:

  • import your directory's user and group database transparently and periodically;
  • authenticate BlueMind users directly against the Active Directory.

This tool eliminates the need to manage a separate user database in BlueMind, and the problems caused by multiplying passwords. Passwords are centralized in the AD directory; BlueMind neither knows nor imports them.

Active Directory authentication

For users imported from the directory, authentication is carried out via this directory, as the BlueMind database does not have Active Directory passwords.

Operating principle

BlueMind allows you to import and use users and groups from an Active Directory system.

An Active Directory incremental import is carried out on each domain on the BlueMind side.

The passwords of imported users are validated directly against the Active Directory. BlueMind does not store any passwords.

New users can log into a BlueMind server even if they have not been imported yet. Their BlueMind account is created automatically on first login if the authentication process succeeds.

User or group provisioning (creation or modification) from the Active Directory to BlueMind therefore takes place:

  • during server configuration, with the initial import
  • periodically during the day, through scheduled jobs
  • or automatically when a user logs in.

Installation

To access the synchronization features with an AD directory, it is necessary to install the ad-import plugin.

To do this, connect to the server and use the following commands to launch the plugin installation:

sudo aptitude update
sudo aptitude install bm-plugin-admin-console-ad-import bm-plugin-core-ad-import

When installation is complete, restart the bm-core component using the following command:

bmctl restart

Configuration

Active Directory connection set up

  • Log into the target BlueMind server as global administrator "admin0".

  • In the admin console go to System Management > Modify Domain > select the domain > AD import tab:

  • Check "Enable AD import"

  • Fill in the information requested with the Active Directory parameters provided in the table below:

Parameter requested | Active Directory value

AD user login | Login ID used to make queries to the Active Directory server. Any user account with permission to browse the Active Directory tree in read-only mode can be used.
  The login is of the form login@DOMAIN, e.g. admin@ad-domain.tld.

AD user password | Password for the account entered in the "AD user login" box.

AD server hostname or IP | IP address or FQDN of the Active Directory server. TLS is used in preference if the directory allows it.
  This field may be left empty if the server location can be determined from the DNS SRV record _ldap._tcp.dc._msdcs.DOMAIN, e.g. _ldap._tcp.dc._msdcs.ad-domain.tld.
  For more information on this DNS record, see the Microsoft article "How DNS Support for Active Directory Works".

AD root DN | Root of the Active Directory search, used to limit the search to a sub-section of the Active Directory tree. If left empty, searches are made from the root DN.

AD user filter | Filter for searching user entries in the AD. Only users matching the filter are imported. The LDAP filter syntax described in RFC 4515 can be used.
  See the examples of LDAP User Filters and the Microsoft article "LDAP Syntax Filters".

AD group filter | Filter for searching group entries in the AD. Only groups matching the filter are imported. The LDAP filter syntax described in RFC 4515 can be used.
  See the examples of LDAP Group Filters and the Microsoft article "LDAP Syntax Filters".

Split domain group | This field can be left empty. It is ignored if the split domain functionality is not configured for BlueMind.
  Emails addressed to members of this group are redirected to another mail server in the same domain (configured via domain segmentation).

Allow AD password change | Allows users to change their AD password from BlueMind. The password policy defined in AD applies.

Last execution successful | Date of the last import run without errors. The incremental import mode takes into account changes made in AD since this date.

Last import status | Date and status of the last AD import run. In the event of errors, the logs of this domain's scheduled AD import task provide more information.

Start incremental synchronization | Forces an incremental AD import run. Only changes made in AD since the "Last execution successful" date are considered.
  This operation corresponds to running this domain's scheduled AD import task.

Start global synchronization | Forces an AD import run in global mode. In this mode the "Last execution successful" date is not taken into account: all entries matching the import parameters are processed.
  This operation can take a long time, depending on the number of AD entries to be processed.

User roles configuration

When BlueMind is configured to import its user database from an Active Directory, BlueMind no longer has control over password management rules. BlueMind cannot write to the Active Directory and is therefore unable to change Active Directory passwords.

As a result, you must disable access to the password change interface (which only acts on the BlueMind password) for users that have been imported from the Active Directory.

Access to the password interface is disabled through roles in the user's admin page: General → Change own password (see Roles: Access and Administration).

Roles and groups

Active Directory users and local BlueMind users can coexist on a single BlueMind domain. Access to the password change interface must therefore depend on user type. Groups can be used to assign different roles to different user types.

Go to our page on Groups (→ Roles).

Login method

The BlueMind Active Directory plugin is not restrictive and does not require a specific schema. Simply enter the following information:

  • the hostname (or IP address) of the Active Directory server
  • a "username" / "password" pair in the AD directory, enabling connections to be made.

By default, all users and groups are imported from the Active Directory. Filters used to query part of the directory can be configured with the following information:

  • directory root
  • filters to use for user and group synchronization - to restrict imported data.

Finally, you can specify the split domain group.

The tool allows you to check directly whether the directory is accessible and access has been configured correctly.

How the synchronization tool works

User accounts

The Active Directory plugin has three interdependent functions:

  • global import of all users
  • incremental import
  • real-time import on authentication

The global import browses through all Active Directory users and groups (taking into account the AD root and filters) and imports them into BlueMind. Those that do not exist are created, and existing ones are modified if necessary.

The incremental import works the same way, but only browses through the users modified since the last import.

Finally, import on authentication looks up a user unknown to BlueMind in the Active Directory. If the user is found, it is imported and authenticated against the Active Directory, giving the user immediate access to BlueMind.

Account status

Accounts imported from the Active Directory that match the LDAP filter are activated automatically.

Conversely, accounts can be suspended or deleted in the Active Directory, which denies them access to the mail system. A user deleted in the Active Directory is merely suspended in BlueMind.

Scheduled Active Directory synchronization

Incremental import

When the Active Directory plugin is installed, BlueMind creates a scheduled job whose purpose is to synchronize user and group databases against the Active Directory at regular intervals.

Incremental imports only process the data that has been created, deleted or modified since the last import.

As shown in the following screenshot, the scheduled task can be:

  • automatic: executed based on criteria from earlier imports, at 4-hour intervals at the most;
  • scheduled: with a cron-type scheduling format, which allows any execution frequency;
  • disabled: in this case, the scheduled job is not executed.

Scheduled jobs monitoring

The scheduled tasks monitoring screen is used to check that tasks have been carried out correctly. The screenshot below shows a log of synchronization jobs performed, execution date and results:

Active Directory-BlueMind mapping

User attributes

Primary Group

The BlueMind AD import relies on the member and memberOf attributes to determine group membership, and therefore does not support primary group management.

In any case, changing a user's primary group is inadvisable unless there is a specific need for it.

BlueMind field | Active Directory attribute | Note

login | sAMAccountName | Values are mapped on import for compatibility reasons:
  - accented letters are replaced by their non-accented equivalent
  - all letters are changed to lowercase
  - spaces are replaced by '_'

title* | personalTitle | Title: Sir, Madam, Miss...

firstname | givenName

lastname | sn

formatedName | displayName | If the displayName attribute is absent, the field is generated by BlueMind by concatenating the non-empty parts (first name, last name, title, etc.), in the same way as the Full Name in contact cards.

jobtitle* | title | Job title: Manager, IT Director, etc.

description | description

mail | mail, otherMailbox, proxyAddresses | The default BlueMind address is the first value found in the following fields, in order:
  1. mail
  2. the first value of the otherMailbox field
  3. the proxyAddresses field, according to the following rules:
    1. the first value prefixed with "SMTP:";
    2. if no value is prefixed with "SMTP:", the first prefixed with "smtp:".

  Subsequent addresses are used as aliases.

  NB: only addresses prefixed with "SMTP:" or "smtp:" are taken into account (syntax defined by Microsoft).

  ⚠️ If none of these attributes is filled in or valid, an address of the form login@<default domain> is assigned.

street | streetAddress

zip | postalCode

town | l

country | co

state | st

Work phones | telephoneNumber, otherTelephone

Home phones | homePhone, otherHomePhone

Mobile phones | mobile, otherMobile

Fax | facsimileTelephoneNumber, otherFacsimileTelephoneNumber

Pager | pager, otherPager

memberOf | memberOf | List of groups the user is a member of. The BlueMind user is only added to groups that have previously been imported.

service | department

photoID | thumbnailPhoto | Profile picture: the attribute content is imported as the profile picture of the related account.

user.value.contactInfos.organizational.org.company | company

user.value.contactInfos.organizational.org.department | department

Group attributes

BlueMind field | Active Directory attribute | Note

name | sAMAccountName

description | description

mail | mail, proxyAddresses | The default BlueMind address is the first value found in the following fields, in order:
  1. mail
  2. the proxyAddresses field, according to the following rules:
    1. the first value prefixed with "SMTP:";
    2. if no value is prefixed with "SMTP:", the first prefixed with "smtp:".

  NB: only addresses prefixed with "SMTP:" or "smtp:" are taken into account (syntax defined by Microsoft).

  ⚠️ If none of these fields is filled in, the group has no mailbox in BlueMind.

  otherMailbox does not exist for groups. To add an alias mailbox to a group, either use local groups or create as many groups as needed in AD, each with its own alias, then add the desired groups and/or users as members.

member | member | Only synchronized groups and users are added to BlueMind groups.
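The login mapping from the user table and the default-address and alias selection rule for users (mail, otherMailbox, proxyAddresses) and groups (mail, proxyAddresses), as an added Python example that is not BlueMind's own code. It assumes attribute values arrive as lists, as an LDAP client returns them, and uses a minimal "@" check for a "valid" address, which the page does not define.

```python
import unicodedata

def normalize_login(sam_account_name):
    # Login mapping from the user table: drop accents, lowercase, spaces -> '_'
    decomposed = unicodedata.normalize("NFKD", sam_account_name)
    unaccented = "".join(c for c in decomposed if not unicodedata.combining(c))
    return unaccented.lower().replace(" ", "_")

def smtp_proxy_addresses(proxy_addresses):
    # Only "SMTP:"/"smtp:" entries count ("SMTP:" first); others are ignored.
    upper = [a[5:] for a in proxy_addresses if a.startswith("SMTP:")]
    lower = [a[5:] for a in proxy_addresses if a.startswith("smtp:")]
    return upper + lower

def is_valid_address(address):
    # Minimal validity check; the page does not define "valid" (assumption).
    local, at, domain = address.partition("@")
    return bool(at and local and domain)

def pick_addresses(candidates):
    # First valid candidate is the default address; remaining distinct valid
    # ones become aliases (my reading of "subsequent addresses are aliases").
    seen, ordered = set(), []
    for address in candidates:
        if is_valid_address(address) and address.lower() not in seen:
            seen.add(address.lower())
            ordered.append(address)
    return (ordered[0], ordered[1:]) if ordered else (None, [])

def user_addresses(attrs, login, default_domain):
    # User order: mail, first otherMailbox value, then proxyAddresses,
    # falling back to login@<default domain> when nothing usable exists.
    candidates = (list(attrs.get("mail", []))
                  + list(attrs.get("otherMailbox", []))[:1]
                  + smtp_proxy_addresses(attrs.get("proxyAddresses", [])))
    default, aliases = pick_addresses(candidates)
    return (default, aliases) if default else (login + "@" + default_domain, [])

def group_addresses(attrs):
    # Group order: mail then proxyAddresses; no otherMailbox and no fallback,
    # so a group with no usable value gets no mailbox (None).
    candidates = (list(attrs.get("mail", []))
                  + smtp_proxy_addresses(attrs.get("proxyAddresses", [])))
    return pick_addresses(candidates)

# Constructed sample entry (not real directory data); values are lists, as an
# LDAP client returns them.
SAMPLE_USER = {"sAMAccountName": ["Jérôme Dupont"],
               "proxyAddresses": ["X500:/o=Org/cn=jd", "smtp:jd@example.tld",
                                  "SMTP:Jerome.Dupont@example.tld"]}
```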

Allocation of rights

Access to applications is subject to the roles users are assigned.

As AD imports do not handle roles, imported users are not assigned any roles, and they are unable to access applications (webmail, contacts, calendar).

The easiest and most effective way of handling this is through groups:

  • in the AD, assign one (or several, if desired) common group to users
  • launch a first import: the group(s) are imported into BlueMind along with the users
  • go to the admin console and assign the desired roles to the group(s)

Update

Roles are maintained during subsequent imports and updates.

In the future, simply assign new users to this group (or these groups) in order to give them the desired roles.

Forcing or correcting a UID

A user's UID can be filled in or corrected in the user's admin page in BlueMind.

To do this, go to the admin console > Directories > Directory Browser > select user > Maintenance tab: enter the user's AD UID in the ExternalID box then save.

User information will be synchronized with the Active Directory at the next execution of the ImportADJob task.

Prefix

ExternalID must be prefixed with "ad://".

For example:

ad://5d6b50-399a6-1e6f2-d01267d1f-0fbecb