Configuring the ClearID LDAP Synchronization Agent - ClearID

Before you can synchronize an Active Directory (AD) with Genetec ClearID™, you must first configure the Genetec ClearID™ LDAP Synchronization Agent.

1. Open the ClearID LDAP Synchronization Agent (Genetec.ClearID.LdapSyncAgentConfiguration.exe) and configure your settings.
   
2. In the User directory settings section, enter your user directory details:
   The User directory settings section is used to connect to the LDAP directory containing user attributes.

   LDAP search path

   Enter your organizational unit. For example, OU=Genetec. This search path specifies the location, root folder, or group containing Active Directory user attributes.

   NOTE: The distinguishedName of the AD group is required for the LDAP search path field.

   Refresh interval (min.)

   Enter a refresh interval in minutes. For example, 60 to synchronize attributes every hour.

   NOTE: Depending on the size of your organization and the number of attributes, 12hr. or 24hr. synchronizations (720 or 1440 mins) might be more appropriate.

3. In the Connection settings section, configure the host connection settings:
   The Connection settings section is used to connect to the server where the User Directory settings are stored.

   Host

   Enter the address of your Active Directory. For example, Genetec.com.

   Port

   Enter the default port for your Active Directory. For example, 389.

   LDAP authentication type

   Select an authentication type from the following:

   Default windows credentials

   For a client-side application, this option uses the Windows credentials (username and password) of the user running the application.

   Simple bind

   With the Simple bind option, the credentials (username and password) used to bind the LDAP client to the LDAP server are passed over the network unencrypted.

   CAUTION:

   Simple bind authentication type is not recommended in production LDAP servers.

   Simple bind over SSL

   Best Practice: With the Simple bind over SSL option, the credentials (username and password) used to bind the LDAP client to the LDAP server are passed over the network encrypted.

   Username

   If Simple bind or Simple bind over SSL was selected, enter the username supplied by your organization.

   Password

   If Simple bind or Simple bind over SSL was selected, click Set password and enter a password, then click OK.

   NOTE: Use industry best practices for creating strong passwords. All passwords stored in the configuration file are encrypted.

4. (Optional) In the Network settings section, configure the Web proxy settings:
   The Network settings section is used to configure proxy settings.

   Use Web Proxy

   Select the Use Web Proxy checkbox to specify that a proxy server is required to access the internet.

   This option is typically used by customers behind a firewall or where network access to the internet is restricted.

   A proxy server is a server that verifies and forwards incoming client requests to other servers for further communication. For example, when a client is unable to meet the security authentication requirements of the server but should be permitted access to some services.

   Proxy URL

   If Use Web Proxy is enabled, enter the proxy URL supplied by your organization.

   For example, https://proxy:8080/outgoing. This information is typically supplied by the network administration team.

   Proxy Authentication

   Proxy authentication is the process of validating user credentials for access to a proxy server. This authentication typically includes a username and can also include a password.

   Click to select either Default Credentials or Specific Credentials:

   Default Credentials

   Specifies that proxy authentication is not required.

   Specific Credentials

   Specifies that proxy authentication is required.

   Proxy Username

   If proxy authentication Specific Credentials was enabled, enter the proxy username supplied by your organization.

   Proxy Password

   Click Set password and enter a password, then click OK.

   NOTE: Use industry best practices for creating strong passwords.

   Proxy Domain

   Enter the domain name supplied by your organization.

   Proxy connection status

   Status icons indicate a valid () or invalid () proxy connection. The status is only displayed after the Verify button has been clicked.

   Verify

   Click Verify to test that the connection settings for your proxy server are valid.

5. In the ClearID settings section, configure the settings:
   The ClearID settings section is used to connect to ClearID services and synchronize data.

   ClearID service authentication key

   Click more () to navigate to and select the authentication key for your API integration. This key is used to authenticate the synchronization agent communications when making requests to your ClearID account.

   • Indicates that the synchronization agent is not connected to ClearID and a private key is needed.
   • Indicates that the synchronization agent is connected to ClearID and that the private key has been provided.

   The following API URL settings are automatically completed after the ClearID service authentication key has been selected:

   Token API URL (read-only)

   The Token service provides the authentication token to contact the identity and principal service.

   Identity API URL (read-only)

   The Identity service is used to access all ClearID identity information.

   Principal API URL (read-only)

   The Principal service is used to give web portal access to users.

   Default Country (ISO 3166 3 letters)

   Enter your three-letter country code. For example, the USA or CAN.

   NOTE: The three-letter country codes are based on the Alpha-3 codes in the ISO 3166-1 country codes standard.

   Principal has portal access

   Select the checkbox to enable ClearID web portal access for synchronized users.

6. (Optional) In the Advanced settings section, leave these fields blank.
   The Advanced settings section is used to customize the synchronization agent behavior.

   Create inactive identities

   Select the checkbox to create inactive ClearID identities for any inactive users found in the Active Directory during synchronization.

   Best Practice: This checkbox is typically cleared to prevent the creation of inactive users.

   Users query filters

   (Optional) Enter custom user query filters as specified by your deployment contact.

   IMPORTANT: Only use this option when you are advised to by your deployment contact.

7. Click Save.
   

   The Synchronization Agent config file is saved to C:\ProgramData\Genetec ClearID LDAP Synchronizer\config.json

   Tip: You can delete this file if you want to remove all your settings and configure the synchronization agent again.
8. Open the Windows Task Manager, and right-click the Genetec ClearID LDAP Synchronizer (Genetec.ClearID.LdapSyncAgent.Service.exe) windows service.
   
   1. If it is the first time you configure the agent, click Start to start your service so that your configuration settings are activated.
   2. If the agent is already running, click Restart to restart your service so that your configuration changes are activated.