This article provides information on configuring LDAP Directory Synchronization in the Mimecast Connect Application, including prerequisites, determining the Distinguished Name, creating a directory connector and verifying synchronization for efficient user management.
If you are not using the Connect Application, see the Connect Process Guides page.
Introduction
If you have a Google Workspace, On-Premises, or Hybrid Active Directory, you can use LDAP Directory Synchronization to automatically manage your users and groups. This has the following benefits:
- The administrative overhead of performing these tasks is removed.
- End-users can use their primary email address and Active Directory password to sign in to Mimecast applications.
We'll automatically trigger a synchronization of your Active Directory at 8am, 1pm, and 11pm daily. These times are taken from the region where your account is held (e.g. Europe, North America, South Africa, Australia): for the Europe region the times are in GMT, and for the North America region they are in EST. If you are located in a different region from your Mimecast account, the synchronization times will not be in your local time zone. Although a synchronization is triggered automatically at these set times, several factors control when you can see its results. These include the:
- Size of your Active Directory
- Number of changes
- Server load
Prerequisites
You'll need:
- Permission to create user accounts in your Active Directory.
- Access to your domain controller server.
- Access to your network's public firewall.
To synchronize your directory using LDAP, you'll need to complete the following tasks:
- Prepare your environment. This is a prerequisite external task.
- Create a Directory Connector in the Connect Application.
- Verify the synchronization in the Mimecast Administration Console.
If using Google Workspace, ensure that your Active Directory is synchronized with Google Workspace Directory using Google Cloud Directory Sync (GCDS).
The following prerequisite tasks must be performed before synchronizing your directory:
- Ensure there's a valid TLS (SSL) certificate, signed by a recognized Certificate Authority (CA), installed on your domain controller. The certificate's subject or Subject Alternative Name should cover the hostname you'll enter as the connector's Primary Host. This is only required when configuring LDAPS, not LDAP.
- Create a user account we can use to query your Active Directory, taking note of its Distinguished Name and password. To prevent interruptions to your service, set the user account to:
  - Have read access to the parts of your directory that require synchronization, and no more than that (it never needs to write to the directory or hold administrative group membership).
  - Have a password that doesn't expire.
  - Not require a password change on the first log on.
- Configure your firewall to accept LDAPS connections from our IP ranges, and only from those ranges, and to route these through to your domain controller. Our IP ranges are displayed at Data Centers & URLs.
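The account-creation prerequisite above, as an added PowerShell example (this is not Mimecast's own tooling, and it is not part of the original article). It creates the bind account with the password settings the article requires and then checks the settings that most often break a connector later: an expiring password, a pending forced password change, a disabled account, and membership of privileged groups that a read-only bind account should never have. It assumes the ActiveDirectory RSAT module is installed, that it runs as a Domain Admin on the domain controller, and that the names `svc-mimecast`, the `Service Accounts` OU and `domain.local` are placeholders for your own.

```powershell
# Added example, not Mimecast's code. Placeholders: svc-mimecast, the OU path and domain.local.
Import-Module ActiveDirectory

$Name     = 'svc-mimecast'
$OuPath   = 'OU=Service Accounts,DC=domain,DC=local'   # placeholder: the OU that holds the account
$Upn      = "$Name@domain.local"                       # placeholder UPN suffix
$Password = Read-Host -AsSecureString 'Password for the Mimecast sync account'

# Create the account exactly as the prerequisites describe: enabled, password never
# expires, no password change at first logon, and unable to change its own password.
New-ADUser -Name $Name -SamAccountName $Name -UserPrincipalName $Upn -Path $OuPath `
    -AccountPassword $Password `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -ChangePasswordAtLogon $false `
    -CannotChangePassword $true `
    -Description 'Mimecast LDAP directory synchronization (read-only bind account)'

function Test-MimecastSyncAccount {
    # Returns the account's Distinguished Name plus a list of anything that would
    # interrupt synchronization or grant the account more than read access.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires, pwdLastSet, MemberOf
    $problems = @()
    if (-not $u.Enabled)              { $problems += 'account is disabled' }
    if (-not $u.PasswordNeverExpires) { $problems += 'password will expire' }
    if ($u.pwdLastSet -eq 0)          { $problems += 'user must change password at next logon' }

    # Least privilege: read access comes from the default rights of Authenticated Users,
    # so the account should not sit in any privileged group.
    $privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators')
    foreach ($groupDn in $u.MemberOf) {
        $groupName = (Get-ADGroup -Identity $groupDn).Name
        if ($privileged -contains $groupName) { $problems += "member of privileged group '$groupName'" }
    }

    [pscustomobject]@{
        DistinguishedName = $u.DistinguishedName   # enter this, without quotation marks, in the connector
        Problems          = $problems
    }
}

Test-MimecastSyncAccount -SamAccountName $Name | Format-List
```

An empty `Problems` list means the account meets the prerequisites; the `DistinguishedName` value is the one you will enter as the User Account Distinguished Name when creating the connector.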
Determining the Distinguished Name
The Distinguished Name (DN) attribute identifies a user account and its position in the Active Directory tree hierarchy. To determine the Distinguished Name of your user account:
- Open a command prompt on your Domain Controller.
- Type the following command:
dsquery user -name <mimecast_account>
(where <mimecast_account> is the user account name).
The output is the account's Distinguished Name enclosed in quotation marks, for example "CN=Mimecast,OU=Users,OU=London,DC=domain,DC=local". Exclude the quotation marks when adding the Distinguished Name to the Mimecast configuration (i.e. enter CN=Mimecast,OU=Users,OU=London,DC=domain,DC=local).
Creating a Mimecast Directory Connector
We strongly recommend you create a secure (LDAPS) directory connection. See the 2020 LDAP Channel Binding and LDAP Signing Requirement for Windows page on the Microsoft Support Portal for further details. Note that a domain controller configured to require LDAP signing rejects simple binds over unencrypted LDAP (port 389), so an unencrypted connector will stop working once that hardening is applied; a connector over LDAPS is unaffected.
You can enable LDAP Directory Synchronization by creating a Mimecast Directory Connector in the Connect Application.
You can create a Mimecast Directory Connector by using the following steps:
- Log in to the Mimecast Connect Application.
- Navigate to Platform | Synchronize Your Directory.
- Click Start in the bottom right-hand corner of the Task Steps for LDAP section.
- When you're ready, click Next. The Create a Mimecast Directory Connector page is displayed.
- Enter your Active Directory connection details as shown below:
| Field | Mandatory | Description |
|---|---|---|
| Primary Host | Yes | Enter your Active Directory's hostname or public IP address. For LDAPS, use the hostname that appears on the domain controller's certificate. |
| Secondary Host | No | Enter an alternate hostname or public IP address for your Active Directory, to be used when the primary host is unavailable. This is optional, but recommended to ensure there are no breaks in service. |
| Encryption Mode | Yes | Select the encryption mode from the drop-down menu. Choose the secure (LDAPS) option wherever possible. |
| Connection Port | Yes | Specify the port Mimecast should use to connect to your Active Directory. Typically, this is 636 for LDAPS connections or 389 for unencrypted LDAP connections. |
| User Account Distinguished Name | Yes | Enter the full Distinguished Name of the user account created as a prerequisite, without quotation marks (e.g. CN=Mimecast,OU=Users,OU=London,DC=domain,DC=local). |
| User Account Password | Yes | Enter the user account's password. |
| Domain Root Distinguished Name | Yes | Enter the domain's root Distinguished Name (e.g. DC=domain,DC=local). |
- Click the Test Connection button. A series of tests is performed, including:
  - Hostname / IP address checks.
  - Connectivity tests.
  - Certificate tests.
  - Authentication tests.
  - Sample address tests.
  If a test fails, a tooltip displays additional information, including possible solutions.
  When a Secondary Host has been configured and the connectivity test to the primary host fails, testing continues against the Secondary Host. If a test partly succeeds (e.g. only one Mimecast data center can connect), the remaining tests continue using the functioning connection.
  The Synchronize button is only enabled after a successful test.
- Click Synchronize. A summary page is displayed with your directory synchronization details.
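The Test Connection checks above, reproduced as an added PowerShell pre-flight script you can run from a host outside your network before clicking Test Connection. This is an added example, not Mimecast's own test tooling: it performs the same five classes of check (hostname, connectivity, certificate, authentication, sample address) in order, stopping at the first failure so the message points at the layer that needs fixing. It assumes the hostname `ldap.domain.example`, the bind and root DNs, and the sample address `someone@domain.example` are placeholders for your own values, that the script runs on Windows (for `Resolve-DnsName` and `Test-NetConnection`), and that the connector is being configured for LDAPS on port 636.

```powershell
# Added example, not Mimecast's code. All host names, DNs and addresses below are placeholders.
$PrimaryHost = 'ldap.domain.example'                                 # public name on the DC's certificate
$Port        = 636                                                   # LDAPS
$BindDn      = 'CN=Mimecast,OU=Users,OU=London,DC=domain,DC=local'   # User Account Distinguished Name
$RootDn      = 'DC=domain,DC=local'                                  # Domain Root Distinguished Name
$SampleMail  = 'someone@domain.example'                              # any mailbox the sync should find
$Password    = Read-Host -AsSecureString 'Bind password'

# 1. Hostname check: the name must resolve, and to the address your firewall forwards to the DC.
$resolved = Resolve-DnsName -Name $PrimaryHost -Type A -ErrorAction Stop
"Hostname OK: $PrimaryHost -> $($resolved.IPAddress -join ', ')"

# 2. Connectivity check: the LDAPS port must be reachable through the firewall.
$tcp = Test-NetConnection -ComputerName $PrimaryHost -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { throw "Connectivity failed: TCP $Port to $PrimaryHost is blocked" }
"Connectivity OK: TCP $Port open"

# 3. Certificate check: complete a TLS handshake with default validation, which rejects an
#    untrusted issuer, an expired certificate, or a name that does not match $PrimaryHost.
$client = [System.Net.Sockets.TcpClient]::new($PrimaryHost, $Port)
$ssl    = [System.Net.Security.SslStream]::new($client.GetStream())
try {
    $ssl.AuthenticateAsClient($PrimaryHost)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    "Certificate OK: $($cert.Subject), issued by $($cert.Issuer), expires $($cert.NotAfter)"
} catch [System.Security.Authentication.AuthenticationException] {
    throw "Certificate rejected for ${PrimaryHost}: $($_.Exception.Message)"
} finally {
    $ssl.Dispose(); $client.Dispose()
}

# 4. Authentication check: a simple bind over LDAPS with the connector's DN and password.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($PrimaryHost, $Port, $true, $false)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = [System.Net.NetworkCredential]::new($BindDn, $Password)
try {
    $conn.Bind()
    "Authentication OK: bound as $BindDn"
} catch [System.DirectoryServices.Protocols.LdapException] {
    throw "Authentication failed for ${BindDn}: $($_.Exception.Message) (check the DN has no quotation marks)"
}

# 5. Sample address check: the bind account must be able to read a user beneath the root DN.
$filter = "(&(objectClass=user)(mail=$SampleMail))"
$req    = [System.DirectoryServices.Protocols.SearchRequest]::new(
              $RootDn, $filter,
              [System.DirectoryServices.Protocols.SearchScope]::Subtree,
              [string[]]@('mail', 'userPrincipalName', 'distinguishedName'))
$resp = $conn.SendRequest($req)
if ($resp.Entries.Count -eq 0) {
    Write-Warning "Sample address check: no user with mail=$SampleMail found under $RootDn (check read access and the root DN)"
} else {
    "Sample address OK: $SampleMail is $($resp.Entries[0].DistinguishedName)"
}
$conn.Dispose()
```

Run it from a network that reaches the domain controller through the same public path Mimecast will use; a pass on an internal hostname says nothing about the firewall rule. If step 3 fails but steps 1 and 2 pass, the certificate prerequisite (a CA-signed certificate whose name matches the Primary Host) is the usual cause.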
Verifying the Synchronization
You can verify that the synchronizations are completed successfully by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Directory Synchronization.