Before you can synchronize an Active Directory (AD) with Genetec ClearID™, you must first configure the Genetec ClearID™ LDAP Synchronization Agent.
Before you begin
- Download a service authentication key.
- Install the ClearID LDAP Synchronization Agent on its own dedicated server. It does not
require a Security Center server.NOTE: The ClearID LDAP Synchronization Agent is not generally available as a public download. The synchronizer download is supplied by your Deployment contact when needed.
- Part number: CD-IDSYNC-SERVICE-1Y is required for LDAP import.
What you should know
Procedure
-
Open the ClearID LDAP Synchronization Agent (Genetec.ClearID.LdapSyncAgentConfiguration.exe) and configure your settings.
-
In the User directory settings section, enter your user directory
details:
The User directory settings section is used to connect to the LDAP directory containing user attributes.
- LDAP search path
- Enter your organizational unit. For example, OU=Genetec.
This search path specifies the location, root folder, or group containing Active
Directory user attributes.NOTE: The distinguishedName of the AD group is required for the LDAP search path field.
- Refresh interval (min.)
- Enter a refresh interval in minutes. For example, 60 to
synchronize attributes every hour.NOTE: Depending on the size of your organization and the number of attributes, 12hr. or 24hr. synchronizations (720 or 1440 mins) might be more appropriate.
-
In the Connection settings section, configure the host connection
settings:
The Connection settings section is used to connect to the server where the User Directory settings are stored.
- Host
- Enter the address of your Active Directory. For example, Genetec.com.
- Port
- Enter the default port for your Active Directory. For example, 389.
- LDAP authentication type
- Select an authentication type from the following:
-
- Default windows credentials
- For a client-side application, this option uses the Windows credentials (username and password) of the user running the application.
- Simple bind
- With the Simple bind option, the credentials (username and
password) used to bind the LDAP client to the LDAP server are
passed over the network unencrypted.CAUTION:Simple bind authentication type is not recommended in production LDAP servers.
- Simple bind over SSL
-
Best Practice: With the Simple bind over SSL option, the credentials (username and password) used to bind the LDAP client to the LDAP server are passed over the network encrypted.
- Username
- If Simple bind or Simple bind over SSL was selected, enter the username supplied by your organization.
- Password
- If Simple bind or Simple bind over
SSL was selected, click Set password
and enter a password, then click
OK.NOTE: Use industry best practices for creating strong passwords. All passwords stored in the configuration file are encrypted.
-
(Optional) In the Network settings section, configure the Web
proxy settings:
The Network settings section is used to configure proxy settings.
- Use Web Proxy
- Select the Use Web
Proxy
checkbox to
specify that a proxy server is required to access the internet.
This option is typically used by customers behind a firewall or where network access to the internet is restricted.
A proxy server is a server that verifies and forwards incoming client requests to other servers for further communication. For example, when a client is unable to meet the security authentication requirements of the server but should be permitted access to some services.
- Proxy URL
- If Use Web Proxy is enabled, enter the proxy
URL supplied by your organization.
For example, https://proxy:8080/outgoing. This information is typically supplied by the network administration team.
- Proxy Authentication
- Proxy authentication is the process of validating user credentials for access to a
proxy server. This authentication typically includes a username and
can also include a password.
Click to select either Default Credentials or Specific Credentials:
- Default Credentials
- Specifies that proxy authentication is not required.
- Specific Credentials
- Specifies that proxy authentication is required.
-
- Proxy Username
- If proxy authentication Specific Credentials was enabled, enter the proxy username supplied by your organization.
- Proxy Password
- Click Set password and enter a
password, then click
OK.NOTE: Use industry best practices for creating strong passwords.
- Proxy Domain
- Enter the domain name supplied by your organization.
- Proxy connection status
- Status icons indicate a valid () or invalid () proxy connection. The status is only displayed after the Verify button has been clicked.
- Verify
- Click Verify to test that the connection settings for your proxy server are valid.
-
In the ClearID settings section, configure the settings:
The ClearID settings section is used to connect to ClearID services and synchronize data.
- ClearID service authentication key
- Click more () to navigate to
and select the authentication key for your API integration. This key is used to
authenticate the synchronization agent communications when making requests to your
ClearID account.
- Indicates that the synchronization agent is not connected to ClearID and a private key is needed.
- Indicates that the synchronization agent is connected to ClearID and that the private key has been provided.
- Token API URL (read-only)
- The Token service provides the authentication token to contact the identity and principal service.
- Identity API URL (read-only)
- The Identity service is used to access all ClearID identity information.
- Principal API URL (read-only)
- The Principal service is used to give web portal access to users.
- Default Country (ISO 3166 3 letters)
- Enter your three-letter country code. For example, the USA
or CAN.NOTE: The three-letter country codes are based on the Alpha-3 codes in the ISO 3166-1 country codes standard.
- Principal has portal access
- Select the checkbox to enable ClearID web portal access for synchronized users.
-
(Optional) In the Advanced settings section, leave these fields
blank.
The Advanced settings section is used to customize the synchronization agent behavior.
- Create inactive identities
- Select the checkbox to create inactive ClearID identities for any inactive users
found in the Active Directory during synchronization. Best Practice: This checkbox is typically cleared to prevent the creation of inactive users.
- Users query filters
- (Optional) Enter custom user query filters as specified by your deployment
contact. IMPORTANT: Only use this option when you are advised to by your deployment contact.
-
Click Save.
Tip: You can delete this file if you want to remove all your settings and configure the synchronization agent again.
-
Open the Windows Task Manager, and right-click the Genetec ClearID LDAP
Synchronizer (Genetec.ClearID.LdapSyncAgent.Service.exe)
windows service.
- If it is the first time you configure the agent, click Start to start your service so that your configuration settings are activated.
- If the agent is already running, click Restart to restart your service so that your configuration changes are activated.
Results
After you finish
- Check the ClearID web portal to verify that the new identities for Active Directory users have been synchronized and contain the correct attributes.
- (Optional) You can click Open Service Log folder to view the
ErrorLog.txt or Eventlog.txt log files.
NOTE: The information in the Service Log folder is typically used when you raise a support call or if advised by your deployment contact to send Service logs to Genetec Inc..