Active Directory Synchronization

Synchronize users and groups from your on-premises Active Directory environment with Authsec for seamless enterprise integration.

Overview

Active Directory (AD) synchronization enables automatic user and group provisioning from your existing AD infrastructure. This feature ensures that user accounts, group memberships, and organizational structure are kept in sync between your AD domain and Authsec.

Prerequisites

Before configuring AD synchronization:

  • Active Directory domain controller access
  • Administrative credentials with read permissions
  • Network connectivity between Authsec and AD servers
  • Valid SSL certificates for secure communication

Configuration

Connection Setup

Establish a secure connection to your AD environment:

{
  "domain": "yourdomain.com",
  "server": "dc01.yourdomain.com",
  "port": 636,
  "useSSL": true,
  "baseDN": "DC=yourdomain,DC=com",
  "bindUser": "CN=AuthsecSync,OU=ServiceAccounts,DC=yourdomain,DC=com",
  "bindPassword": "secure-password"
}
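The following linter is an added example (not Authsec's own code) that checks a connection object like the one above before it is submitted: it enforces LDAPS, cross-checks baseDN and server against the domain, and flags an inline bind password. The `${NAME}` secret-reference convention and every rule are assumptions about good practice, not documented Authsec behaviour.

```python
# Added example, not Authsec's own code: lint an AD connection config before
# submitting it. Each rule is an assumed good practice, not Authsec behaviour.
LDAP_PORT, LDAPS_PORT = 389, 636

def domain_to_base_dn(domain):
    """yourdomain.com -> DC=yourdomain,DC=com (the domain's default naming context)."""
    return ",".join("DC=" + label for label in domain.lower().split("."))

def lint_connection_config(cfg):
    """Return a list of findings; an empty list means the config passed every rule."""
    findings = []
    use_ssl, port = cfg.get("useSSL", False), cfg.get("port")
    # Rule 1: the bind sends a service-account password, so only LDAPS is acceptable.
    if not use_ssl:
        findings.append("useSSL is false: the bind password would cross the network in clear text")
    elif port == LDAP_PORT:
        findings.append("useSSL is true but port is 389; LDAPS normally listens on 636")
    if not use_ssl and port == LDAPS_PORT:
        findings.append("port 636 with useSSL false: the server expects TLS on this port")
    # Rule 2: baseDN should be the naming context of the configured domain.
    domain = cfg.get("domain", "")
    if domain and cfg.get("baseDN", "").lower() != domain_to_base_dn(domain).lower():
        findings.append("baseDN does not match the naming context derived from domain")
    # Rule 3: the DC's FQDN should sit in the domain's DNS namespace so the LDAPS
    # certificate name can match the server we connect to.
    if domain and not cfg.get("server", "").lower().endswith("." + domain.lower()):
        findings.append("server is not a host in the configured domain; certificate name checks may fail")
    # Rule 4 (assumed convention): secrets arrive as ${NAME} references, never inline literals.
    pwd = cfg.get("bindPassword", "")
    if pwd and not (pwd.startswith("${") and pwd.endswith("}")):
        findings.append("bindPassword is an inline literal; store it in a secret store and reference it")
    return findings

# Constructed configs: the page's example with a secret reference, and a weakened variant.
GOOD_CONFIG = {"domain": "yourdomain.com", "server": "dc01.yourdomain.com", "port": 636, "useSSL": True,
               "baseDN": "DC=yourdomain,DC=com",
               "bindUser": "CN=AuthsecSync,OU=ServiceAccounts,DC=yourdomain,DC=com",
               "bindPassword": "${AD_BIND_PASSWORD}"}
WEAK_CONFIG = dict(GOOD_CONFIG, port=389, useSSL=False, bindPassword="secure-password")
```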

API Endpoints

Test Connection

Test the connectivity to your AD server before enabling synchronization.

Endpoint: POST /ad/test-connection

Request Body:

{
  "domain": "yourdomain.com",
  "server": "dc01.yourdomain.com",
  "port": 636,
  "useSSL": true
}

Response:

{
  "success": true,
  "message": "Connection successful",
  "serverInfo": {
    "domainController": "DC01",
    "domain": "yourdomain.com",
    "forest": "yourdomain.com"
  }
}

Test Network Connection

Verify network connectivity and firewall settings.

Endpoint: POST /ad/test-network

Request Body:

{
  "server": "dc01.yourdomain.com",
  "port": 636,
  "timeout": 5000
}

Response:

{
  "success": true,
  "message": "Network connection successful",
  "latency": 45,
  "portOpen": true
}

Synchronize Users

Perform a full synchronization of users from AD to Authsec.

Endpoint: POST /ad/sync

Request Body:

{
  "syncType": "full",
  "includeGroups": true,
  "filter": {
    "organizationalUnit": "OU=Users,DC=yourdomain,DC=com",
    "userFilter": "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
  },
  "options": {
    "createUsers": true,
    "updateUsers": true,
    "disableMissing": false,
    "syncAttributes": ["displayName", "mail", "department", "title"]
  }
}

Response:

{
  "syncId": "sync_123456789",
  "status": "completed",
  "summary": {
    "usersCreated": 150,
    "usersUpdated": 45,
    "usersSkipped": 5,
    "groupsCreated": 12,
    "groupsUpdated": 8,
    "errors": 2
  },
  "duration": 120000
}

Agent-Based Synchronization

Configure agent-based synchronization for distributed environments.

Endpoint: POST /ad/agent-sync

Request Body:

{
  "agentId": "agent_001",
  "targetDomains": ["domain1.com", "domain2.com"],
  "syncSchedule": "0 */4 * * *",
  "syncScope": {
    "includeSubdomains": true,
    "excludeOUs": ["OU=Disabled,DC=domain1,DC=com"]
  },
  "notificationSettings": {
    "email": "admin@yourdomain.com",
    "webhook": "https://your-webhook-url.com/ad-sync"
  }
}

Response:

{
  "agentId": "agent_001",
  "status": "configured",
  "nextSync": "2024-01-15T14:00:00Z",
  "configuration": {
    "domains": 2,
    "schedule": "Every 4 hours",
    "scope": "All subdomains except specified OUs"
  }
}

Synchronization Process

Full Synchronization

  1. Discovery Phase: Scan AD for users and groups
  2. Validation Phase: Verify data integrity and permissions
  3. Sync Phase: Create/update users and groups in Authsec
  4. Verification Phase: Confirm successful synchronization
  5. Reporting Phase: Generate sync reports and notifications
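To make the discovery and sync phases concrete, here is an added example (not Authsec's implementation) that models a "full" /ad/sync run locally: it evaluates the userFilter from the request above, so disabled accounts (userAccountControl bit 0x2) and non-user objects are left out, copies only the whitelisted syncAttributes, applies createUsers/updateUsers/disableMissing, and produces a summary. The AD snapshot, the pre-sync Authsec directory and the usersDisabled counter are constructed for the example.

```python
# Added example, not Authsec's own implementation: a local model of the discovery
# and sync phases for the "full" /ad/sync request. All data below is constructed.
UF_ACCOUNTDISABLE = 0x2  # userAccountControl bit tested by the 1.2.840.113556.1.4.803 (bitwise AND) rule
# Constructed AD snapshot, attributes as an LDAP search returns them.
AD_ENTRIES = [
    {"sAMAccountName": "alice", "objectClass": "user", "userAccountControl": 512, "displayName": "Alice A",
     "mail": "alice@yourdomain.com", "department": "IT", "title": "Engineer", "homeDirectory": "\\\\fs\\alice"},
    {"sAMAccountName": "bob", "objectClass": "user", "userAccountControl": 514,  # 512 | ACCOUNTDISABLE
     "displayName": "Bob B", "mail": "bob@yourdomain.com", "department": "HR", "title": "Analyst"},
    {"sAMAccountName": "ws01$", "objectClass": "computer", "userAccountControl": 4096},
    {"sAMAccountName": "carol", "objectClass": "user", "userAccountControl": 66048,  # 512 | DONT_EXPIRE_PASSWORD
     "displayName": "Carol C", "mail": "carol@yourdomain.com", "department": "Finance", "title": "CFO"},
]
# Constructed Authsec directory before the sync, keyed by username.
AUTHSEC_USERS = {
    "carol": {"displayName": "Carol C", "mail": "carol@yourdomain.com", "department": "Finance", "title": "Controller"},
    "dave": {"displayName": "Dave D", "mail": "dave@yourdomain.com", "department": "Sales", "title": "Rep"},
}
SYNC_OPTIONS = {"createUsers": True, "updateUsers": True, "disableMissing": False,
                "syncAttributes": ["displayName", "mail", "department", "title"]}

def matches_user_filter(entry):
    """Local equivalent of (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))."""
    return entry.get("objectClass") == "user" and not (entry.get("userAccountControl", 0) & UF_ACCOUNTDISABLE)

def full_sync(ad_entries, directory, options):
    """Apply the request options to a copy of the directory; return (new_directory, summary)."""
    directory = {name: dict(attrs) for name, attrs in directory.items()}
    summary = {"usersCreated": 0, "usersUpdated": 0, "usersSkipped": 0, "usersDisabled": 0}
    seen = set()
    for entry in ad_entries:
        if not matches_user_filter(entry):
            continue  # discovery phase: disabled accounts and non-user objects never leave AD
        name = entry["sAMAccountName"]
        seen.add(name)
        attrs = {a: entry[a] for a in options["syncAttributes"] if a in entry}  # whitelisted attributes only
        if name not in directory and options["createUsers"]:
            directory[name] = attrs
            summary["usersCreated"] += 1
        elif name in directory and options["updateUsers"] and directory[name] != attrs:
            directory[name] = attrs
            summary["usersUpdated"] += 1
        else:
            summary["usersSkipped"] += 1
    if options["disableMissing"]:  # accounts present in Authsec but absent from the filtered AD result
        for name in set(directory) - seen:
            directory[name]["disabled"] = True
            summary["usersDisabled"] += 1
    return directory, summary
```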

Incremental Synchronization

For ongoing synchronization after initial setup:

  • Monitors AD change notifications
  • Syncs only modified objects
  • Reduces network traffic and processing time
  • Maintains real-time consistency

Error Handling

Common Issues

  • Connection Timeout: Check network connectivity and firewall rules
  • Authentication Failure: Verify credentials and account permissions
  • SSL Certificate Issues: Ensure valid certificates are installed
  • LDAP Filter Errors: Validate filter syntax and AD schema

Troubleshooting

# Test basic connectivity (-W prompts for the bind password so it never appears on the command line)
ldapsearch -H ldaps://dc01.yourdomain.com:636 -D "CN=AuthsecSync,OU=ServiceAccounts,DC=yourdomain,DC=com" -W -b "DC=yourdomain,DC=com" "(objectClass=user)"

# Check certificate validity (inspect the chain, the subject name and the validity dates)
openssl s_client -connect dc01.yourdomain.com:636 -showcerts

Monitoring and Logging

Sync Logs

Monitor synchronization activities through detailed logging:

  • User creation/update events
  • Group membership changes
  • Error conditions and resolutions
  • Performance metrics

Alerts and Notifications

Configure alerts for:

  • Synchronization failures
  • Authentication issues
  • Performance degradation
  • Security events

Best Practices

  1. Schedule syncs during off-peak hours
  2. Use incremental sync for frequent updates
  3. Test configurations in staging environment first
  4. Monitor sync performance and adjust batch sizes
  5. Maintain backup of AD credentials
  6. Regularly review and audit sync logs

Security Considerations

  • Use LDAPS (LDAP over SSL) for encrypted communication
  • Implement least-privilege access for sync accounts
  • Regularly rotate service account passwords
  • Monitor for unauthorized access attempts
  • Enable audit logging for compliance

Support

For additional assistance with AD synchronization: