Directory Synchronization - LDAP Sync for Active Directory

This article contains information on configuring Mimecast Directory Integration with Active Directory, including LDAP(S) setup, user permissions, integration steps, and validation to ensure secure and seamless synchronization.

If you have an On-Premise Active Directory, you can use LDAP directory synchronization to automatically add and manage your users and groups. This removes the administrative overhead of performing these tasks manually. Creating an integration between Mimecast and your Active Directory allows end users to use their primary email address and Active Directory password to sign in to Mimecast applications.
 

What You Will Need

      • An inbound connection from the Mimecast IP Range to your domain controller.
      • A user account with Read permissions to Active Directory.
      • A Mimecast Administrator account with edit permissions to the following menu items:
        • Users & Groups | Directory Synchronization
        • Users & Groups | Applications

Preparing Your Environment

  1. Ensure your firewall is configured to pass LDAP(S) requests from us to your domain controller.
  2. Create a user with Read permissions to your Active Directory.

We recommend that the user's password be set to never expire to prevent service interruptions.

Creating the Mimecast Directory Integration

We strongly recommend you create a secure directory integration. See the 2020 LDAP Channel Binding and LDAP Signing Requirement for Windows page on the Microsoft Support Portal for further details.

  1. Log in to the Mimecast Administration Console.

  2. Navigate to the Users & Groups | Directory Synchronization menu item.

  3. Select the Create New Integration button.

  4. Complete the dialog as follows:

      • Name: Enter a name for the integration.
      • Description: Enter a description to help identify the directory integration.
      • Type: Select On-Premises Active Directory (LDAP).

  5. Click the Next button.

  6. Populate the Settings as follows:

      • Hostname/IP Address: Enter the hostname or IP address used to contact your Active Directory, and allow access to it from the regional Mimecast IP ranges. See the Mimecast Data Centers and URLs page for further details.
      • Alternate Host: Enter an alternate hostname to be used when the primary host is unavailable.
      • Encrypt Integration: Select whether the integration should be encrypted using LDAPS.
      • Encryption Mode: If the Encrypt Integration option is checked, specify one of the following encryption modes:
        • Strict - Trust Enforced: Requires a certificate issued by a Mimecast-trusted public certification authority, with a key length greater than 1024 bits, to be installed on your domain controller.
        • Relaxed: Must be used if your certificate is self-signed, has a key length of less than 1024 bits, or has an incomplete trust chain.
      • Port: Specify the port we should use to integrate with your Active Directory (e.g., 636 for secure integrations (LDAPS) and 389 for unsecured integrations (LDAP)).
      • User Distinguished Name: Specify the distinguished name of the user we should use to authenticate to your Active Directory. See the Determining the Distinguished Name section below for further detail.
      • User Password: Enter the user's password.
      • Root Distinguished Name: Specify the root distinguished name for your Active Directory (e.g., DC=domain,DC=local) to be used as an integration filter. If you only want to expose part of your Active Directory to us, enter a more specific Root DN further down your directory tree (e.g., OU=New York,DC=domain,DC=local).

  7. Click the Next button.

  8. Populate the Options as follows:

      • Acknowledge Disabled Accounts: If selected, user accounts disabled in Active Directory are also disabled in Mimecast.
      • Filter Email Domains: Optionally list the domains the directory integration synchronizes with. This can be used when there are multiple directory integrations, each dedicated to specific domains, or when your Mimecast account is part of an Advanced Account Administration setup. Entries must be comma separated, with no spaces.
      • Include Contacts: Enable to include organizational contacts.
      • Maximum Sync Deletions: The maximum number of accounts whose source is updated to "Created by message in transit" when they are no longer part of the synchronization result. See Directory Synchronization Maximum Synchronization Deletions and Deleted Users for more information.
      • Delete Users: Allows the deletion of accounts that are no longer part of the synchronization result. See Directory Synchronization Maximum Synchronization Deletions and Deleted Users for more information.

  9. Click the Next button.

  10. The Integration summary is displayed. Review the Integration.

  11. Click the Next button.

  12. The integration runs an automatic test.

  13. Click Create Integration.
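Before choosing between the Strict - Trust Enforced and Relaxed encryption modes, it helps to know what certificate your domain controller actually presents on the LDAPS port. The PowerShell function below is an added example, not Mimecast tooling: it completes a TLS handshake with the domain controller, then reports the key length, whether the hostname matches the certificate, whether the certificate is self-signed, and whether a trust chain can be built. The hostname dc01.domain.local and the port are placeholders. Trust is evaluated against the local machine's certificate store, which approximates (but is not) Mimecast's list of trusted public certification authorities, so treat a "Strict" verdict as a strong hint rather than a guarantee; the Test Connection certificate test in the console is authoritative.

```powershell
# Added example (not Mimecast tooling). Inspects the certificate a domain
# controller presents on its LDAPS port and reports which Encryption Mode it
# appears to qualify for. Runs on Windows PowerShell 5.1 or PowerShell 7 on Windows.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string]$DomainController,   # placeholder, e.g. dc01.domain.local
        [int]$Port = 636                                    # 636 for a domain, 3269 for the Global Catalog
    )

    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($DomainController, $Port)
    } catch {
        return [pscustomobject]@{ Host = $DomainController; Port = $Port; Reachable = $false; Mode = 'None'; Error = $_.Exception.Message }
    }

    # Accept any certificate during the handshake so it can be inspected below;
    # this is an inspection tool, not a connection you would keep using.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($DomainController)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } catch {
        return [pscustomobject]@{ Host = $DomainController; Port = $Port; Reachable = $true; Mode = 'None'; Error = $_.Exception.Message }
    } finally {
        $ssl.Dispose()
        $client.Dispose()
    }

    # Trust chain against the local store (revocation skipped so this works offline).
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    # Key length: RSA first, then ECDSA; 0 if neither.
    $pub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if (-not $pub) { $pub = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert) }
    $keyBits = if ($pub) { $pub.KeySize } else { 0 }

    # Hostname must appear as the subject CN or as a SAN DNS entry.
    # SAN parsing relies on the Windows text form "DNS Name=..."; wildcards are not handled.
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $nameOk = $names -contains $DomainController

    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $strictOk = $chainOk -and $nameOk -and (-not $selfSigned) -and ($keyBits -gt 1024)
    $mode = if ($strictOk) { 'Strict - Trust Enforced' } else { 'Relaxed' }

    [pscustomobject]@{
        Host         = $DomainController
        Port         = $Port
        Reachable    = $true
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        KeyBits      = $keyBits
        ChainTrusted = $chainOk
        NameMatches  = $nameOk
        SelfSigned   = $selfSigned
        Mode         = $mode
    }
}

# Usage with placeholder hostname; pass the same name you will enter as Hostname/IP Address.
Test-LdapsCertificate -DomainController 'dc01.domain.local' -Port 636 | Format-List
```

If you enter an IP address rather than a hostname in the console, NameMatches will normally be false here too, because the certificate carries DNS names, and that is one of the common reasons a Strict integration fails its certificate test.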

Determining the Distinguished Name

The Distinguished Name (DN) attribute refers to a user account and its position in the Active Directory tree hierarchy. To determine the DN of your user:

  1. Open a command prompt on your Domain Controller.
  2. Type the following command, where mimecast_account is the user account name:

     dsquery user -name mimecast_account

The output is the user's DN enclosed in quotation marks. Exclude the quotation marks when adding the Distinguished Name to the directory connection (e.g., CN=Mimecast,OU=Users,OU=London,DC=domain,DC=local).
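The PowerShell script below is an added example, not Mimecast tooling, that covers the account preparation steps from Preparing Your Environment (a read-only account whose password never expires) together with the DN lookup described here. It assumes the RSAT ActiveDirectory module is available on the domain controller or an admin workstation; the account name mimecast_account, the target OU, the UPN suffix domain.local and the display name are placeholders to replace for your environment.

```powershell
# Added example (not Mimecast tooling). Creates the directory sync account with
# the recommended settings and returns the DN to paste into the console.
Import-Module ActiveDirectory

$SamAccountName = 'mimecast_account'                         # placeholder
$TargetOu       = 'OU=Service Accounts,DC=domain,DC=local'    # placeholder OU
$UpnSuffix      = 'domain.local'                              # placeholder

# Prompt for the password instead of embedding it in the script.
$Password = Read-Host -AsSecureString -Prompt "Password for $SamAccountName"

# Create the account only if it does not already exist. No group membership is
# added: an ordinary domain user can already read the objects the integration
# needs, which keeps the account read-only by design.
$user = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'"
if (-not $user) {
    $user = New-ADUser -Name 'Mimecast Directory Sync' `
        -SamAccountName $SamAccountName `
        -UserPrincipalName "${SamAccountName}@${UpnSuffix}" `
        -Path $TargetOu `
        -AccountPassword $Password `
        -Enabled $true `
        -PasswordNeverExpires $true `
        -CannotChangePassword $true `
        -PassThru
}

# Checks worth making before entering the DN in the console: the account is
# enabled, its password never expires, and it holds no extra group memberships.
$props  = Get-ADUser -Identity $user.DistinguishedName -Properties PasswordNeverExpires, MemberOf
$groups = @($props.MemberOf)   # MemberOf omits the primary group (Domain Users)

[pscustomobject]@{
    DistinguishedName     = $props.DistinguishedName   # enter this, without quotes, as User Distinguished Name
    Enabled               = $props.Enabled
    PasswordNeverExpires  = $props.PasswordNeverExpires
    ExtraGroupMemberships = $groups.Count
}

if ($groups.Count -gt 0) {
    Write-Warning "Account is a member of additional groups; keep the sync account read-only:`n$($groups -join "`n")"
}
```

The DistinguishedName value returned here is the same string dsquery prints, minus the quotation marks, so it can be entered in the User Distinguished Name field as-is.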

Validating Your Configuration

To validate your settings:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to the Users & Groups | Directory Synchronization menu item.
  3. Select the Directory Integration you want to test.
  4. Click on the Test Connection button.

A Sliding Pane will open, and a series of tests will be performed. They include:

      • Hostname/IP address checks.
      • Connectivity tests.
      • Certificate tests.
      • Authentication tests.
      • Sample address tests.

If a test fails, a tooltip displays additional information, including possible solutions.

When an Alternate Host has been configured for the connection and the connectivity test to the primary Hostname/IP Address results in an error, it will continue with the tests for the Alternate Host. If a test partly succeeds (e.g., only one Mimecast data center can connect), the other tests will continue using the functioning connection.

The test option can be used before your settings have been saved, so you can test a new or changed configuration before committing it.

Finalizing the Integration

To enable users to log in using their Active Directory password:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to the Users & Groups | Applications menu item.
  3. Click on the Authentication Profiles button.
  4. Select the Default Authentication Profile.
  5. Select the LDAP Directory Connector (Active Directory and Domino) option in the Domain Authentication Mechanisms drop-down.
  6. Click on the Save and Exit button.

Next Steps

Once these steps are complete, we'll synchronize with your Active Directory automatically three times daily at 8 am, 1 pm, and 11 pm. To validate your scheduled synchronizations are completing successfully, view the status of a directory integration using the Users & Groups | Directory Synchronization Administration Console menu item. To test the integration immediately and run a synchronization at any time, select the Sync All button on the Users & Groups | Directory Synchronization page.

Customers with Multiple Domains

Parent & Child Domains

If you operate with a parent or child domain organization, there are two ways to synchronize your domains. Your choice depends on the number of Active Directory users and groups.

      • If you have fewer than a few thousand objects across your domains, one integration should be sufficient. Ensure the hostname points to a domain controller running the Global Catalog role and that you use the Global Catalog port (e.g., 3269 secured (LDAPS) or 3268 unsecured (LDAP)).

        If using the Global Catalog port, note that while Global Groups will be synchronized, group members won't because the member attribute isn't present in the Global Catalog.

      • If you have tens of thousands of objects across your domains, consider creating an integration for each child domain to optimize performance. To do this, repeat the steps above for each of your domains, using the Root Distinguished Name option to apply filters for each child domain on each integration.
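The PowerShell function below is an added example, not Mimecast tooling. It reproduces, from inside your own network, the authentication and sample address tests listed under Validating Your Configuration, binding with the sync account's DN and password and resolving one mailbox by its SMTP address. Run once against port 389/636 and once against the Global Catalog port 3268/3269, it also makes the limitation above visible: the group is found on both, but the member attribute only comes back from the domain port. The hostname, DNs, sample address and group name are placeholders; the LDAP client is the System.DirectoryServices.Protocols assembly that ships with Windows.

```powershell
# Added example (not Mimecast tooling). Binds as the sync account and runs the
# same kind of lookups the console's Test Connection performs.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# RFC 4515 escaping so an operator-supplied value cannot change the filter's meaning.
function ConvertTo-LdapFilterLiteral([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Test-DirectorySyncAccount {
    param(
        [Parameter(Mandatory)] [string]$DomainController,      # placeholder, e.g. dc01.domain.local
        [int]$Port = 636,                                      # 389/636 for a domain, 3268/3269 for the Global Catalog
        [Parameter(Mandatory)] [string]$UserDn,                # the DN entered as User Distinguished Name, no quotes
        [Parameter(Mandatory)] [securestring]$Password,
        [Parameter(Mandatory)] [string]$RootDn,                # the Root Distinguished Name
        [string]$SampleAddress = 'someone@domain.local',       # placeholder mailbox to resolve
        [string]$SampleGroupCn = 'All Staff',                  # placeholder group to inspect
        [switch]$SkipCertificateCheck                          # only for Relaxed-mode (untrusted) certificates
    )

    $useLdaps = $Port -in @(636, 3269)
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($DomainController, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = $useLdaps
    if ($SkipCertificateCheck) {
        $conn.SessionOptions.VerifyServerCertificate = [System.DirectoryServices.Protocols.VerifyServerCertificateCallback]{ param($c, $cert) $true }
    }
    # Simple bind with the DN exactly as the console will use it.
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = [System.Net.NetworkCredential]::new($UserDn, $Password)
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree

    $stage = 'bind'
    try {
        $conn.Bind()   # throws on a wrong DN/password or a failed TLS handshake

        # Sample address test: resolve a mailbox by primary or proxy SMTP address.
        $stage = 'sample address lookup'
        $addr = ConvertTo-LdapFilterLiteral $SampleAddress
        $userReq = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $RootDn, "(&(objectClass=user)(|(mail=$addr)(proxyAddresses=smtp:$addr)))", $scope,
            [string[]]@('distinguishedName', 'userAccountControl'))
        $user = ($conn.SendRequest($userReq)).Entries | Select-Object -First 1

        # Group test: on 389/636 the member attribute is returned; on 3268/3269 it is
        # not, because member is absent from the Global Catalog.
        $stage = 'group lookup'
        $cn = ConvertTo-LdapFilterLiteral $SampleGroupCn
        $groupReq = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $RootDn, "(&(objectClass=group)(cn=$cn))", $scope, [string[]]@('member'))
        $group = ($conn.SendRequest($groupReq)).Entries | Select-Object -First 1

        $uac = if ($user) { [int]$user.Attributes['userAccountControl'][0] } else { 0 }
        $sampleDn = if ($user) { $user.DistinguishedName } else { $null }
        $memberCount = if ($group -and $group.Attributes.Contains('member')) { $group.Attributes['member'].Count } else { 0 }

        $result = [pscustomobject]@{
            Port             = $Port
            Ldaps            = $useLdaps
            Succeeded        = $true
            SampleFound      = [bool]$user
            SampleDn         = $sampleDn
            SampleDisabled   = (($uac -band 0x2) -ne 0)   # ACCOUNTDISABLE flag, which Acknowledge Disabled Accounts acts on
            GroupFound       = [bool]$group
            GroupMemberCount = $memberCount
        }
    } catch {
        $result = [pscustomobject]@{ Port = $Port; Ldaps = $useLdaps; Succeeded = $false; Error = "$stage failed: $($_.Exception.Message)" }
    } finally {
        $conn.Dispose()
    }
    return $result
}

# Usage with placeholders: compare the domain port and the Global Catalog port side by side.
$pw = Read-Host -AsSecureString -Prompt 'Sync account password'
foreach ($p in 636, 3269) {
    Test-DirectorySyncAccount -DomainController 'dc01.domain.local' -Port $p `
        -UserDn 'CN=Mimecast,OU=Users,OU=London,DC=domain,DC=local' -Password $pw `
        -RootDn 'DC=domain,DC=local' | Format-List
}
```

A bind failure at the "bind" stage with a correct password usually means the DN was entered with its quotation marks, or the certificate is untrusted and the port is an LDAPS one; a GroupMemberCount of 0 on 3269 alone, with a non-zero count on 636, is the expected Global Catalog behaviour rather than a fault.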

Exchange Resource Domains

If you operate with an Exchange Resource domain, you'll have the same user objects in both of your domains, with the object enabled in one domain and disabled in another. You'll likely have resources in both domains you want to synchronize with us (e.g., additional distribution or security groups). In this scenario, you should follow these steps:

  1. Create a directory integration for each of your domains by following the steps in the sections above.
  2. For the integration to the domain where your users are enabled, use the Acknowledge Disabled Accounts option so that legitimately disabled users are also disabled in Mimecast.
  3. For the integration to the domain where your users are disabled by design, don't use the Acknowledge Disabled Accounts option. This ensures that Mimecast users don't unexpectedly become disabled.

Multiple Root Domains

If you operate with multiple different Active Directory domains (e.g., you recently acquired another company and inherited their domain, or your company has different Active Directory domains for global offices), you should create a directory integration for each of your domains following the steps outlined in the sections above.
