The Engine provides an out-of-the-box integration with Active Directory to retrieve the following information via the Lightweight Directory Access Protocol (LDAP):
User: Distinguished Name, Full name, Department, Job title.
Device: Distinguished Name.
The Engine also retrieves the following information through DNS resolution (DNS namespaces mirror the AD domains used by an organization):
This article discusses data integration from Active Directory and should not be confused with Active Directory Authentication.
LDAP v3 and Active Directory
The integration is compatible with Windows Server 2012 and later instances that support the LDAP v3 protocol. See Active Directory LDAP Conformance on the Microsoft website for more information.
Although Nexthink officially supports Active Directory based on Windows Servers only, other LDAP v3 compliant implementations (such as OpenLDAP) should work as long as the schema in use is the same as in Active Directory.
Setting Up Active Directory Authentication
LDAP servers require a client to establish a connection, called a bind, before allowing queries (searches). Most LDAP servers allow an anonymous bind, where no username or password is submitted; others restrict searches to their members and require an authenticated username and password. An Active Directory server requires authenticated access even for read-only searches, so you need a bind DN and the corresponding bind password. The syntax of the bind DN depends on the LDAP server itself:
NetBIOS logon name: <domain name>\<username>
Active Directory User Principal Name (UPN): firstname.lastname@example.org
Distinguished Name: CN=username, OU=users, DC=domain, DC=name
The Engine supports the authenticated method using the Distinguished Name syntax only.
Configuring the Engine through the Web Console
Log in to the Web Console that is hosting the Engine from your web browser:
Click the Engine tab at the top of the window.
Select Active Directories from the left-hand side menu.
Click the button ADD ACTIVE DIRECTORY to add a new AD server.
Fill out the form Add Active Directory as follows:
Server address: Enter here the IP address of your Active Directory server (we currently do not support the DNS or NetBIOS name) and the TCP server port (usually 389).
Bind DN: The Distinguished Name. Example: CN=reflexengine, CN=applications, OU=servers, DC=company, DC=local.
Bind Password: Enter the password corresponding to the Bind DN account.
Base DN: The Base DN to be used as a starting point for directory searches. Base DN is usually the Organizational Unit where users are located. Example: “OU=Users, DC=company, DC=local”.
Scope: The scope setting determines, relative to the base DN (the starting point of an LDAP search), the depth to which the search descends. Three values can be assigned to the scope parameter (we strongly recommend the subtree option):
base: Search only the entry at the base DN, so at most that single entry is returned (provided it also matches the search filter).
onelevel: Search all entries exactly one level below the base DN, excluding the base DN itself and any entries nested deeper than that level.
subtree: Search all entries at all levels under, and including, the base DN.
Optional: Click TEST LDAP PARAMETERS to check the connection with the AD server.
Click on OK to add the server. The Engine restarts.
Due to the technology used to query Active Directory, the Engine retrieves information from those objects belonging to the domain specified in the configuration only (see LDAP Base DN above). It does not follow referrals nor retrieve any information from objects in other domains, even when these other domains share a trust relationship with the configured domain.
Add as many Active Directory servers to the configuration as needed to retrieve objects from several domains.
Querying Active Directory to obtain a User's Distinguished Name
For testing purposes, we advise you to use a powerful tool from Microsoft called Active Directory Explorer. Download it from here.
Here is an example of how you can retrieve a user's DN using this tool:
Connect to your AD using your Windows username.
Click on Search > "class = User -- user" > "Attribute = sAMAccountname" > "relation = is" > "value = YOUR Windows username", then click on Add.
Click on Search to retrieve the corresponding user's DN.
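The scope values described in the configuration form and the sAMAccountName-to-DN lookup just described, as an added example that is not part of the Nexthink documentation or product: a small Python model of base, onelevel and subtree searches over a constructed directory, showing why a user in a nested OU is only found with the subtree scope. The `DIRECTORY` table, account names and helper names are constructed for illustration, and escaped commas inside RDN values are assumed not to occur.

```python
# Added example (not Nexthink code): models the base/onelevel/subtree scopes of the
# "Add Active Directory" form and the sAMAccountName-to-DN lookup over a constructed
# directory. Escaped commas inside RDN values are deliberately not handled.

def parse_dn(dn):
    """RDNs, most specific first; case and spaces after commas are ignored."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    """True when a search rooted at base_dn with the given scope visits entry_dn."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                   # entry does not sit under the base DN
    depth = len(entry) - len(base)     # 0 is the base entry itself
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError("unknown scope: %s" % scope)

def search(directory, base_dn, scope, **must_match):
    """DNs in scope whose attributes also satisfy an equality filter (scope first)."""
    return [dn for dn, attrs in directory.items()
            if in_scope(dn, base_dn, scope)
            and all(attrs.get(k) == v for k, v in must_match.items())]

def find_user_dn(directory, base_dn, scope, sam_account_name):
    """sAMAccountName -> DN, or None when the user is outside the base DN / scope."""
    hits = search(directory, base_dn, scope,
                  objectClass="user", sAMAccountName=sam_account_name)
    return hits[0] if hits else None

# Constructed sample directory using the DN shapes that appear in the article.
DIRECTORY = {
    "OU=Users,DC=company,DC=local": {"objectClass": "organizationalUnit"},
    "CN=Alice Smith,OU=Users,DC=company,DC=local":
        {"objectClass": "user", "sAMAccountName": "asmith"},
    "OU=Sales,OU=Users,DC=company,DC=local": {"objectClass": "organizationalUnit"},
    "CN=Bob Jones,OU=Sales,OU=Users,DC=company,DC=local":
        {"objectClass": "user", "sAMAccountName": "bjones"},
    "CN=reflexengine,CN=applications,OU=servers,DC=company,DC=local":
        {"objectClass": "user", "sAMAccountName": "reflexengine"},
}
if __name__ == "__main__":
    base = "OU=Users, DC=company, DC=local"   # the article's Base DN example
    for scope in ("base", "onelevel", "subtree"):
        print(scope, search(DIRECTORY, base, scope), find_user_dn(DIRECTORY, base, scope, "bjones"))
```

Note that the bind account under OU=servers is never returned, which mirrors the article's statement that only objects under the configured base DN are retrieved.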
Active Directory data retrieval
The Engine queries its configured LDAP servers each time that it discovers a new user or a new device.
Engines do not automatically refresh LDAP information once they have retrieved it for a particular user or device. It is, however, possible to force a manual update via the Finder:
Log in to Finder as a user with system configuration permissions.
Click the sprocket icon in the top right corner of the Finder window.
Select the option Synchronize with Active Directory...
Finder schedules a synchronization with Active Directory data.
The operations described in this article should only be performed by a Nexthink Engineer or a Nexthink Certified Partner.
If you need help or assistance, please contact your Nexthink Certified Partner.