ActiveDirectory & LDAP provisioning
Memority’s ActiveDirectory & LDAP connector can be used to provision an ActiveDirectory domain or any LDAP directory. However, some prerequisites must be met before the application can be provisioned.
This page explains how provisioning works in Memority and the prerequisites for provisioning an application.
Definitions
What is provisioning?
Provisioning is used to automatically create, update and deactivate/delete accounts in the target application, and to ensure that data are consistent between Memority (the authoritative source) and the application (the target).
This means that once Memority provisions your application, you should no longer create, modify or deactivate/delete accounts directly in the application; the connector does it automatically for you.
Memority ActiveDirectory & LDAP connector
The Memority ActiveDirectory & LDAP connector is used to create, update and eventually deactivate/delete objects in a target application (user accounts, groups or organizations) by means of LDAPS operations.
The ActiveDirectory & LDAP connector, like any other Memority connector, computes the delta between Memority data and target data at each event occurring on the Memority object, in order to determine the action to perform:
Create a new object
Link an existing object
Update an existing object
Delete / Deactivate an existing object
To perform these actions, the Memority ActiveDirectory & LDAP connector relies on 5 methods that must be defined in the configuration: SEARCH, GET, CREATE, UPDATE and DELETE.
When an event is detected on an object, and that event impacts the provisioning because the changed attribute is one of the mapped attributes, the following process is triggered:
If an application object is already linked to the Memority object, the connector uses the GET method to check whether there is a delta between the Memority object and the application object.
If the Memority object to provision is not linked to an existing application object, the connector uses the SEARCH method to check whether an existing application object already matches the SEARCH criteria.
Whenever an action method is called (CREATE, UPDATE or DELETE), a GET is performed afterwards to validate that the provisioning succeeded. This means there are 3 requests for each action performed by the connector.
When the identity’s authorization is removed, the connector uses the DELETE method to deactivate or delete the account in the application.
Memority reads the schema of the directory and is therefore able to provision custom attributes.
The correlation key between Memority and an ActiveDirectory account is the ObjectID, so even if the ActiveDirectory account is moved or modified locally, Memority is still able to find it and overwrite the local modifications.
The correlation key between Memority and an LDAP account is the DN, so even if the LDAP account is moved or modified locally, Memority is still able to find it through the SEARCH method and overwrite the local modifications.
![image-20240229-160059.png](../../__attachments/348258312/image-20240229-160059.png?inst-v=23d06e63-6973-4052-aaa5-c79093e792e5)
The Memority REST connector provisioning process
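The reconcile process and the two correlation strategies described above, modelled as a small added example (this is not Memority’s code): an in-memory stand-in for the directory, a fixed set of mapped attributes, a SEARCH on `cn`, and a constructed identity record are all assumptions of the demo.

```python
# Added example, not Memority's code: a model of the connector's reconcile pass
# (GET on the linked object, otherwise SEARCH; CREATE/UPDATE/DELETE; GET to verify).
MAPPED = ("cn", "sn", "mail")   # attributes under Memority's authority (assumed)
SEARCH_KEY = "cn"               # attribute the SEARCH method matches on (assumed)

class Directory:
    """Fake LDAP/AD target keyed by DN; every entry gets an immutable objectGUID."""
    def __init__(self):
        self.entries, self._seq = {}, 0
    def get(self, key, correlation="objectGUID"):
        if correlation == "dn":
            return self.entries.get(key)
        return next((e for e in self.entries.values() if e["objectGUID"] == key), None)
    def search(self, value):
        return [e for e in self.entries.values() if e.get(SEARCH_KEY) == value]
    def create(self, dn, attrs):
        self._seq += 1
        self.entries[dn] = {"dn": dn, "objectGUID": f"guid-{self._seq}", **attrs}
        return self.entries[dn]
    def update(self, dn, changes):
        self.entries[dn].update(changes)
    def delete(self, dn):
        del self.entries[dn]
    def move(self, old_dn, new_dn):      # simulates a local admin moving the object
        self.entries[new_dn] = dict(self.entries.pop(old_dn), dn=new_dn)

def delta(identity, target):
    """Mapped attributes whose value in the target differs from Memority's."""
    return {a: identity[a] for a in MAPPED if identity.get(a) != target.get(a)}

def provision(directory, identity, link=None, correlation="objectGUID", authorized=True):
    """One connector pass for one identity. `link` is the stored correlation key
    (objectGUID for AD, DN for LDAP). Returns (actions, entry read back by GET)."""
    actions = []
    target = directory.get(link, correlation) if link else None       # GET on linked object
    if target is None:                                                 # not linked: SEARCH
        hits = directory.search(identity[SEARCH_KEY])
        if len(hits) > 1:
            raise ValueError("ambiguous SEARCH result, refusing to link")
        if hits:
            target, actions = hits[0], ["LINK"]
    if not authorized:                                                 # authorization removed
        if target: directory.delete(target["dn"]); actions.append("DELETE")
        return actions, None
    if target is None:
        target = directory.create(identity["dn"], {a: identity[a] for a in MAPPED})
        actions.append("CREATE")
    elif (changes := delta(identity, target)):
        directory.update(target["dn"], changes); actions.append("UPDATE")
    return actions, directory.get(target["dn"], "dn")                  # post-action GET verifies
```

With the objectGUID correlation a moved and locally edited account is found by GET and its mapped attributes are overwritten; with the DN correlation the stale DN misses, SEARCH re-links the object, and the same overwrite follows.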
ActiveDirectory & LDAP authentication prerequisites
To perform directory operations, the Memority connector must authenticate against the application. The ActiveDirectory & LDAP connector binds to the target directory over LDAPS, through an IPSec tunnel established between Memority’s network and the client’s network.
To establish the LDAPS binding, Memority must trust the whole certificate chain that issued the directory’s SSL certificate. Any private root certificate must therefore be added to the dedicated Synchronization service setting sync.ssl.trust.trustStore in order to be trusted.
The connector binds with an account that should have administration rights over the accounts it provisions. The provisioning account’s password should not expire, to avoid any issue.
ID | Pre-requisites |
---|---|
AUTH1 | An IPSec tunnel must be set between Memority’s network and client’s directory network. |
AUTH2 | Root & intermediate certificates must be trusted by Memority. |
AUTH3 | A provisioning account must be created with a password to authenticate (the connector binds with the account’s DN as login and its password). |
AUTH4 | The provisioning account must have domain administrator rights, or at least these rights: · Create, delete and manage user accounts · Reset user passwords and force password change at next logon · Read all user information · Create, delete and manage groups · Modify the membership of a group · Create, delete and manage inetOrgPerson accounts · Reset inetOrgPerson accounts and force password change at next logon · Read all inetOrgPerson information |
AUTH5 | The provisioning account’s password shouldn’t expire. |
ActiveDirectory configuration prerequisites
The Memority ActiveDirectory connector officially supports Windows Server 2019 and later versions.
The schema must be readable by the provisioning account to be able to get existing attributes.
ID | Pre-requisites |
---|---|
CONF1 | The ActiveDirectory version should be Windows Server 2019 or later. |
CONF2 | The schema must be readable by the provisioning account. |