
Active Directory Synchronization

The BlueMind professional subscription gives you access to tools that make it easier to integrate BlueMind into an information system.

While the administration console lets you create and manage entities directly in BlueMind, information systems often have a centralized directory, such as LDAP or Active Directory, on which it is preferable to rely.

This section describes the operation and setup of the Active Directory directory access module.

How the tool works

Features

With the Active Directory add-on, user management is delegated to an Active Directory directory, and account creation is automated through synchronization with BlueMind.

This synchronization enables:

  • importing users and groups from the directory:
    BlueMind imports users and groups from an Active Directory system. Each domain is imported incrementally.
  • authenticating BlueMind users:
    When the domain's Authentication type is configured for internal authentication and Active Directory synchronization is enabled, users imported from the directory are authenticated against the Active Directory directory. Imported users' passwords are validated by the Active Directory server. BlueMind does not store any passwords.
  • logging in new users:
    A new user can log on to a BlueMind server even if they have not yet been imported. Their BlueMind account is created automatically on demand if authentication succeeds.

This tool eliminates the need to manage a user database in BlueMind, and the problems of multiplying passwords. The password is centralized in the Active Directory directory and is neither known nor imported by BlueMind.

Synchronization principles

The provisioning (creation or modification) of a user or group from Active Directory to BlueMind takes place:

  • during server configuration, with the initial import
  • periodically during the day, through scheduled jobs
  • or automatically when a user logs in.

To achieve this, the Active Directory add-on works in 3 complementary ways:

  • Global import
    Scans all users and groups from Active Directory (taking into account directory root and filters) and imports them into BlueMind. Those that do not exist are created, and existing ones are modified if necessary.
    Global mode runs automatically on first run, during initial import. Thereafter, it is only by clicking on the "Start global synchronization" button on the administration console (see "Configuration" paragraph below) that it is triggered.

    ⚠️ Depending on the number of directory entries, global synchronization can take a very long time. This action should only be taken in exceptional cases.

  • Incremental import
    Scans only the entries that have changed since the last error-free import. Only data that has been created, deleted or modified in Active Directory since the date of the last successful import is imported into BlueMind.
    Incremental mode runs automatically and regularly via the scheduled job ImportADJob, created when the add-on is installed. For further information on scheduled job management, see Scheduled Jobs.

    💡 This system optimizes synchronization.

  • Real-time import
    Searches for the user in Active Directory when they are not known in BlueMind; if found, the user is imported and authenticated against Active Directory, giving them immediate access to BlueMind.
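As an added illustration (not code from the BlueMind plugin), the following Python builds the LDAP search filter an incremental run would send for a given "Last execution successful" date, and shows the global-mode case where no date bound applies. It assumes the change bound is expressed on the AD whenChanged attribute; the page does not state which attribute BlueMind actually uses, so that, the sample filter and the dates are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional


def ad_generalized_time(when: datetime) -> str:
    """Format a timezone-aware datetime as the GeneralizedTime value used by
    AD timestamp attributes such as whenChanged, e.g. 20240315083000.0Z."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime to avoid off-by-hours bounds")
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"


def wrap_filter(ldap_filter: str) -> str:
    """Ensure an RFC 4515 filter is parenthesised so it can be nested in (&...)."""
    f = ldap_filter.strip()
    if not f:
        raise ValueError("empty filter")
    return f if f.startswith("(") and f.endswith(")") else f"({f})"


def incremental_filter(configured_filter: str,
                       last_success: Optional[datetime],
                       skew: timedelta = timedelta(0)) -> str:
    """Combine the administrator's user/group filter with a lower bound on
    whenChanged (assumed attribute). last_success=None models global mode:
    every entry matching the configured filter is processed. skew widens the
    window backwards so entries changed just before the recorded date (clock
    differences between BlueMind and the DC) are not silently skipped."""
    base = wrap_filter(configured_filter)
    if last_success is None:
        return base
    bound = ad_generalized_time(last_success - skew)
    return f"(&{base}(whenChanged>={bound}))"


# Constructed example values (not from a real directory or a real BlueMind setup)
USER_FILTER = "(&(objectClass=user)(memberOf=CN=bluemind-users,OU=Groups,DC=ad-domain,DC=tld))"
LAST_SUCCESS = datetime(2024, 3, 15, 8, 30, tzinfo=timezone.utc)
SKEW = timedelta(minutes=5)

if __name__ == "__main__":
    print(incremental_filter(USER_FILTER, None))                 # global mode
    print(incremental_filter(USER_FILTER, LAST_SUCCESS))         # incremental mode
    print(incremental_filter(USER_FILTER, LAST_SUCCESS, skew=SKEW))
```

Two caveats worth keeping in mind with such a bound: whenChanged is maintained locally by each domain controller rather than replicated, so successive runs that land on different DCs can see slightly different timestamps, which is why a fixed DC or a small skew margin helps; and objects deleted in AD are not returned by a filter like this, which is one reason an occasional global run remains useful.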

Installation

To access the synchronization features with an AD directory, it is necessary to install the ad-import plugin.

To do this, connect to the server and use the following commands to launch the plugin installation:

sudo aptitude update
sudo aptitude install bm-plugin-admin-console-ad-import bm-plugin-core-ad-import

When installation is complete, restart the bm-core component using the following command:

bmctl restart

Configuration

Only the global administrator can configure Active Directory synchronization for a domain.

Domain administrators can view the settings and launch the ImportADJob import task in Scheduled Jobs.

To configure the Active Directory connection:

  • Log in as global administrator admin0@global.virt
  • Go to System Management > Supervised Domains > choose domain > Import AD tab
  • Check "Enable AD import"
  • Fill in the requested information with the Active Directory parameters described below:

    AD user login
      Login ID used to make queries to the Active Directory server. Any user account with read-only rights on the Active Directory tree path can be used.
      The login is in the form login@DOMAIN, for example admin@ad-domain.tld.

    AD user password
      Password for the account entered in the AD user login box.

    AD server hostname or IP
      IP address or FQDN of the Active Directory server. The TLS protocol is used in preference if the directory allows it.
      This field can be left empty if the server location can be determined from the SRV DNS record _ldap._tcp.dc._msdcs.DOMAIN, e.g. _ldap._tcp.dc._msdcs.ad-domain.tld.
      For more information on DNS registration, see the Microsoft article: How DNS Support for Active Directory Works

    AD root DN
      Root for Active Directory searches. If left empty, searches are made from the root DN. Used to limit the search to a sub-section of the Active Directory tree.

    AD user filter ¹
      Filter for searching user entries in the AD. Only users matching the filter are imported. The LDAP filter syntax described in RFC 4515 can be used.

    AD group filter ¹
      Filter for searching group entries in the AD. Only groups matching the filter are imported. The LDAP filter syntax described in RFC 4515 can be used.

    Split domain group
      This field can be left empty.
      It is ignored if the split domain feature is not configured for BlueMind.
      Emails sent to the users of this group are redirected to another mail server of the same domain (configured via domain segmentation).

    Allow AD password change
      Allows users to change their AD password from within BlueMind.
      The password policy defined in AD applies.
      ⚠️ The user must have the "Allow AD password change" right in AD and the "Change password" role on the BlueMind side (see Roles: access and administration rights).

    Last execution successful
      Date of the last import run without errors.
      The incremental import mode takes into account changes made in AD since that date.

    Last import status
      Date and status of the last AD import run.
      In the event of errors, the logs of the AD import scheduled job for this domain provide further information in Scheduled Jobs.

    Start incremental synchronization
      Forces an AD import run in incremental mode.
      Only changes made in AD since the Last execution successful date are taken into account.
      This operation corresponds to running the AD import scheduled job for this domain, which can be viewed in Scheduled Jobs.

    Start global synchronization
      Forces an AD import run in global mode.
      In this mode, the Last execution successful date is not taken into account: all entries matching the import parameters are processed.
      This operation can take a long time, depending on the number of AD entries to be processed.

Login method

The BlueMind Active Directory plugin is not restrictive and does not require a specific schema. Simply enter the following information:

  • the hostname (or IP address) of the Active Directory server
  • a "username" / "password" pair in the AD directory, enabling connections to be made

By default, all users and groups are retrieved from Active Directory. Filters for querying part of the directory can be configured with the following information:

  • directory root
  • filters to use for user and group synchronization - to restrict imported data

Finally, you can specify the split domain group.


Test the connection

The "Test connection" button allows you to check directly whether the directory is accessible and access is correctly configured.

For security reasons, it is necessary to re-enter the Active Directory directory access password before each connection test, even if it has already been entered and saved.

Mapping Active Directory - BlueMind

User attributes

Primary Group

AD BlueMind import relies on member and memberOf to determine membership, and therefore does not support primary group management.

In any case, changing a user's primary group is inadvisable unless there is a specific need for it.

User fields are mapped as follows (BlueMind field: Active Directory attribute, followed by notes where applicable):

login: sAMAccountName
    Values are mapped on import for compatibility reasons:
    - accented letters are replaced by their non-accented equivalent
    - all letters are changed to lowercase
    - spaces are replaced by '_'
title: personalTitle
    Title: Sir, Madam, Miss...
firstname: givenName
lastname: sn
formatedName: displayName
    If the displayName attribute is absent, the field is generated by BlueMind by concatenating the non-empty parts of first name, last name, title, etc., in the same way as the Full Name in contact cards.
jobtitle: title
    Job title: Manager, IT Director, etc.
description: description
mail: mail, otherMailbox, proxyAddresses
    The default BlueMind address is the first value found in the following fields (in order):
      1. mail
      2. the first value of the otherMailbox field
      3. the proxyAddresses field, according to the following rules:
        1. the first value prefixed with "SMTP:"
        2. if no address is prefixed with "SMTP:", the first value prefixed with "smtp:"
    The remaining values are used as aliases.
    NB: only addresses prefixed with "SMTP:" or "smtp:" are taken into account (syntax defined by Microsoft).
    ⚠️ If none of these attributes is filled in or valid, an address of the form login@<default domain> is assigned.
street: streetAddress
zip: postalCode
town: l
country: co
state: st
Work phones: telephoneNumber, otherTelephone
Home phones: homePhone, otherHomePhone
Mobile phones: mobile, otherMobile
Fax: facsimileTelephoneNumber, otherFacsimileTelephoneNumber
Pager: pager, otherPager
memberOf: memberOf
    List of groups the user is a member of. The BlueMind user is only added to groups that have already been imported.
service: department
photoID: thumbnailPhoto
    Profile picture: the attribute content is imported as the profile picture of the related account.
user.value.contactInfos.organizational.org.company: company
user.value.contactInfos.organizational.org.department: department

Group attributes

Group fields are mapped as follows (BlueMind field: Active Directory attribute, followed by notes where applicable):

name: sAMAccountName
description: description
mail: mail, proxyAddresses
    The default BlueMind address is the first value found in the following fields (in order):
      1. mail
      2. proxyAddresses, according to the following rules:
        1. the first value prefixed with "SMTP:"
        2. if no address is prefixed with "SMTP:", the first value prefixed with "smtp:"
    Note: only addresses prefixed with "SMTP:" or "smtp:" are taken into account (syntax defined by Microsoft).
    ⚠️ If none of these fields is filled in, the group has no mailbox in BlueMind.
    otherMailbox does not exist for groups. To add an alias mailbox to a group, use local groups or create as many groups as needed in AD, each with its own alias, then add the desired groups and/or users as members.
member: member
    Only synchronized groups and users are added to BlueMind groups.
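The login normalization and the address precedence rules from the user and group mapping tables above, carried through as an added Python example (this is not BlueMind's code). The sample entries, the default domain and the treatment of every remaining candidate as an alias are this example's assumptions; the check that a candidate contains "@" is one reading of "filled in or valid".

```python
import unicodedata
from typing import Dict, List, Optional, Tuple

# Constructed sample entries (not taken from a real directory). Values are
# lists because LDAP attributes are multi-valued.
SAMPLE_USER: Dict[str, List[str]] = {
    "sAMAccountName": ["Émilie Durand"],
    "otherMailbox": ["emilie.durand@ad-domain.tld", "e.durand@old.ad-domain.tld"],
    "proxyAddresses": ["X400:c=FR;a= ;p=AD-Domain;",
                       "smtp:e.durand@ad-domain.tld",
                       "SMTP:Emilie.Durand@ad-domain.tld"],
}
SAMPLE_GROUP: Dict[str, List[str]] = {
    "sAMAccountName": ["Sales Team"],
    "proxyAddresses": ["smtp:sales-old@ad-domain.tld", "SMTP:sales@ad-domain.tld"],
}


def normalize_login(sam_account_name: str) -> str:
    """sAMAccountName -> BlueMind login, per the documented rules:
    accents removed, all letters lowercased, spaces replaced by '_'."""
    decomposed = unicodedata.normalize("NFKD", sam_account_name)
    no_accents = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return no_accents.lower().replace(" ", "_")


def smtp_proxy_addresses(proxy_addresses: List[str]) -> List[str]:
    """Keep only the SMTP values of proxyAddresses: 'SMTP:' (primary) values
    first, then 'smtp:' ones. X400:, sip: and any other prefix are ignored,
    and the prefix is stripped from what is returned."""
    primary = [v[5:] for v in proxy_addresses if v.startswith("SMTP:")]
    secondary = [v[5:] for v in proxy_addresses if v.startswith("smtp:")]
    return primary + secondary


def _dedupe(values) -> List[str]:
    """Remove duplicates while preserving the documented precedence order."""
    seen, out = set(), []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def select_addresses(entry: Dict[str, List[str]], *, is_group: bool = False,
                     login: Optional[str] = None,
                     default_domain: str = "bm.example") -> Tuple[Optional[str], List[str]]:
    """Return (default address, aliases) following the documented precedence:
    mail, then (users only) the first otherMailbox value, then SMTP proxyAddresses.
    A user with no usable value falls back to login@<default domain>; a group
    with no usable value gets no mailbox (None)."""
    candidates = list(entry.get("mail", []))
    if not is_group:
        other = entry.get("otherMailbox", [])
        if other:
            candidates.append(other[0])  # only the first otherMailbox value counts
    candidates += smtp_proxy_addresses(entry.get("proxyAddresses", []))
    # Assumption: a value without '@' is treated as "not valid".
    candidates = _dedupe(c.strip() for c in candidates if c and "@" in c)
    if not candidates:
        if is_group:
            return None, []
        if login is None:
            raise ValueError("login is required to build the fallback address")
        return f"{login}@{default_domain}", []
    return candidates[0], candidates[1:]


if __name__ == "__main__":
    login = normalize_login(SAMPLE_USER["sAMAccountName"][0])
    print(login, select_addresses(SAMPLE_USER, login=login))
    print(select_addresses(SAMPLE_GROUP, is_group=True))
```

Running the sample user through it gives the login emilie_durand, the first otherMailbox value as the default address, and the two SMTP proxy addresses as aliases; the second otherMailbox value and the X400 entry are ignored, as the tables above describe.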

Account management

Giving access to applications

Access to applications is via the roles assigned to users. As the Active Directory import does not manage roles, users have none once they have been imported, and cannot access applications (webmail, contacts, calendar).

The easiest and most effective way of handling this is through groups:

  • in Active Directory, assign a common group to users (or several, if desired)
  • launch the first import: the group(s) and users are imported into BlueMind
  • go to the BlueMind administration console and assign the desired roles to the group(s)

For further information on roles and their assignment to groups, see the pages:

Update

During subsequent imports and synchronizations, the roles will be retained.

Subsequently, for new users, simply assign them to these group(s) and assign them the desired roles.


Editing Roles

When new versions are released, BlueMind regularly adds new roles.

To ensure that a new right is activated for existing users during the upgrade, designate the group(s) into which you have placed users coming from Active Directory as default groups. For further information on group management, see the Editing Groups page.

Suspend an account

Accounts imported from an Active Directory directory and matching the configured filter are automatically activated.

Conversely, they can be suspended or deleted from the Active Directory directory to prevent them from accessing mail. A user deleted in Active Directory is simply suspended in BlueMind.

Forcing or correcting a UID

A user's UID can be filled in or corrected in the user's admin page in BlueMind.

To do this, go to the administration console > Directories > Directory entries > select the user's file > Maintenance tab: fill in the ExternalID field with the user's UID in Active Directory then save.

The user's information will be synchronized with the Active Directory directory the next time the ImportADJob task runs. This task can be viewed at Scheduled Jobs.

Prefix

The ExternalID must be prefixed with "ad://".

For example:

ad://5d6b50-399a6-1e6f2-d01267d1f-0fbecb

Find out more

Related BlueMind documentation pages

Footnotes

  1. Filters: for more information on group and user filters, see:
    - Microsoft article: LDAP Syntax Filters
    - examples of LDAP group and user filters at LDAP Synchronization > Configuration.