Active Directory or LDAP Compatible Services Sync Setup

A guide on how to use LDAP to sync your data.

Written by Ryan Bickham
Updated over a week ago

Learn how to synchronize Sift users and groups with your existing Active Directory or other LDAP-compatible tools.

Overview

Sift's LDAP Directory Sync feature allows you to import user accounts and profile attribute data directly from your Active Directory (AD) forest or domain, or from any LDAP-compatible identity management platform. This is a one-way operation: the connector only reads from your directory, and no information from Sift is written back into it.

The LDAP Directory Sync feature also supports Secure Sockets Layer (SSL)/Transport Layer Security (TLS), also known as LDAPS, to secure the connection to your directory. Use it wherever your domain controllers support it, so that the bind credentials and the user attribute data being synced are not sent over the network in the clear.

Prerequisites

Prerequisites necessary for Active Directory synchronization are as follows:

  • Know your Active Directory domain controller hostname or IP address, the LDAP or LDAPS port for communicating with that server, and the directory search base DN.

  • A Windows 2012 or later, or modern Linux system (CentOS, Ubuntu, Red Hat) for running the Sift LDAP Connector

  • The Sift LDAP Connector (downloadable links for Windows and Linux can be found below and in your Admin Dashboard under the LDAP Source type)

  • Having created a directory in the Sift Admin Dashboard for your LDAP Sync (details on how to set up a directory can be found in this guide).

Connectivity Requirements

This application communicates with Sift’s service on TCP port 443. Firewall configurations that restrict outbound access to Sift’s service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability.

Setting up your LDAP Source Type

After having selected Microsoft LDAP as a source type from the Sift Directory Sources Page you will need to configure your Sift LDAP Connector to begin syncing users and user information.

Details on setting up directories and sources can be found in this article.

Select Setup LDAP on the Primary Source Settings Page

Setup the Sift LDAP Connector

Locate (or set up) a system on which you will install the Sift LDAP Connector. The Connector supports Windows and Linux systems (in particular, we recommend Windows Server 2012 R2 or later).

The Sift LDAP Connector can be installed on a physical or virtual host. We recommend a system with at least 1 CPU, 200 MB disk space, and 4 GB RAM (although 2 GB RAM is usually sufficient).

Windows Install Instructions


On the system connected to your AD or LDAP compatible system, download the Sift LDAP Connector (Available here) and run the .msi file to launch the Setup Wizard.

Linux/Unix Install Instructions

Step 1: Download the ldap-connector-0.3.0 package

curl -Lo /tmp/sift-ldap-connector-0.3.0.tar.gz https://sift-product-releases.s3.amazonaws.com/sift-ldap-connector-0.3.0.tar.gz

Step 2: Expand the ldap-connector-0.3.0 package and install its dependencies

mkdir -p /opt/ldap-connector

tar -xzf /tmp/sift-ldap-connector-0.3.0.tar.gz -C /opt/ldap-connector --strip-components=1

cd /opt/ldap-connector

npm install

Step 3: Start your server

npm start

Configure the Sift LDAP Connector

Once the Sift LDAP Connector is installed in your environment, you can access its configuration settings in the Connector Dashboard by pointing a browser on the host computer to http://127.0.0.1:8000.

Upon your first visit to the Sift LDAP Connector Dashboard, you will be required to enter a Provisioning URL. This URL can be found in Source Settings for the Directory you setup in Step 1.

After you have successfully provisioned your Sift LDAP Connector, your Connector Dashboard will show a status as well as five additional configuration items: LDAP Server URL, Base DN, Bind Username, Bind Password, and User Filter.

__________________________________________________________________
LDAP Server URL

Enter the IP address or hostname of your AD domain controller (DC), followed by the port the Sift LDAP Connector should use to contact the domain controller.

The typical port for unsecured LDAP or STARTTLS is 389; LDAPS (LDAP over SSL/TLS) is usually 636.

Base DN

The base DN should be a level in your directory structure above both the users and groups you plan to synchronize.

Example: OU=CorpUsers,DC=domain,DC=local

Bind Username/Password
Ensure you have specified the username and password used to connect to your AD domain in the authproxy.cfg when you configured your Sift LDAP Connector server. Because the sync is one-way, a dedicated read-only service account is sufficient for this bind.

User Filter
Optionally, you can use standard LDAP queries to control which users are available to be synced to your instance of Sift. Common LDAP query examples can be found on the LDAP Wiki; specific questions can be routed to Support@JustSift.com.

Optional: Preview User Data

If you would like to preview the user data available for sync with Sift, select the Preview User Data option. This shows the results of your configured LDAP settings, including filters, so you can confirm that the right users are available for synchronization.

__________________________________________________________________

Once the five configuration items above have been successfully updated, your LDAP Connector is active and ready to start syncing users.

Mapping Attributes

Before you sync your data, you must map the data from your source to your Sift attributes. Details on mapping attributes can be found in this guide; the same process is used for all source types.

Enable Sync

In order to begin syncing profiles from your data source, you must return to the Directory page in the Sift Admin Dashboard and navigate into your LDAP Source by clicking on the source name in the Sources Tab.


In the Source Settings Page, ensure the Enable Sync function is enabled at the top right of the page. This will allow your Sift instance to sync profiles from your LDAP source.

Disabling Sync

If you choose to disable your LDAP sync, or if your sync loses connection to your Sift LDAP Connector, your user data will remain as a reflection of the most recent successful sync with your domain. User data will not be deleted nor will any source settings be lost.

When you reactivate sync, or the Sift LDAP Connector link is re-established, sync will resume and any changes since the last sync will be reflected.

Debugging Failed Syncs

If your data sync is consistently in the failed state, trying one or more of the following may resolve your issue:

Check the connection state on your LDAP Connector

On the web interface of your LDAP Connector (available at http://127.0.0.1:8000) check the Sift Status and LDAP Status indicators at the top of the page.

If the Sift Status indicator turns to Disconnected, make sure that the machine where the LDAP connector is installed follows the Connectivity Requirements above and that your LDAP source is still set up on our admin dashboard.

If the LDAP Status indicator turns to Disconnected, make sure that

  • Your LDAP URL is accessible from the machine where the connector is installed

  • Your username and password are correct

Check your LDAP Filter

Make sure that your Base DN and any User Filter return a valid set of users on your LDAP server. You should be able to test out receiving a user by using the Data Preview function on the LDAP Connector or on the mappings page of our admin dashboard.

Check Required Data Mappings

If Sift finds users from your data source that do not have all of our required mappings (Unique Identifier, first name, last name, and email), they will be ignored. If no users are found that have all of these attributes, then the sync will fail. Ensure that all users you want to be synced into Sift have a value for all of these mappings.
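The following script is an added example, not part of the Sift LDAP Connector. It runs offline and sanity-checks the five connector settings described above (URL scheme versus port, Base DN shape, User Filter parentheses) and then applies the required-mappings rule from this section to constructed sample users. The attribute keys (unique_id, first_name, last_name, email) are assumed names; Sift's own mapping field names may differ.

```python
"""Offline pre-flight checks for Sift LDAP Connector settings (added example,
not Sift's code). Mapping keys below are assumed, not Sift's real field names."""
from urllib.parse import urlsplit

REQUIRED_MAPPINGS = ("unique_id", "first_name", "last_name", "email")

def check_server_url(url):
    """Return problems with an LDAP Server URL: scheme and port must agree."""
    u = urlsplit(url)
    problems = []
    if u.scheme not in ("ldap", "ldaps"):
        problems.append("scheme must be ldap:// or ldaps://")
    if not u.hostname:
        problems.append("missing hostname or IP address")
    port = u.port or (636 if u.scheme == "ldaps" else 389)  # LDAP defaults
    if u.scheme == "ldap" and port == 636:
        problems.append("port 636 is normally LDAPS; use ldaps:// or port 389")
    return problems

def parse_dn(dn):
    """Split 'OU=CorpUsers,DC=domain,DC=local' into (type, value) pairs.
    Simplified: escaped commas inside RDN values are not handled."""
    parts = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"not an RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        parts.append((attr.strip().upper(), value.strip()))
    return parts

def filter_is_balanced(ldap_filter):
    """Sanity check for the User Filter: every '(' has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def partition_users(users):
    """Split users into (syncable, skipped); a user with any empty required
    mapping is skipped, and the sync fails when nothing is syncable."""
    ok = [u for u in users if all(u.get(k) for k in REQUIRED_MAPPINGS)]
    skipped = [u for u in users if u not in ok]
    return ok, skipped

# Constructed sample records, as a Data Preview might show them.
SAMPLE_USERS = [
    {"unique_id": "jdoe", "first_name": "Jane", "last_name": "Doe", "email": "jdoe@domain.local"},
    {"unique_id": "svc-backup", "first_name": "", "last_name": "", "email": "backup@domain.local"},
]
```

Run it against your own URL, Base DN and filter before saving them in the Connector Dashboard; an empty syncable list from partition_users is exactly the condition under which the sync fails.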

Contact Us

If the above steps do not fix the issue, you can contact us using the Chat button in the admin dashboard, and we can help you investigate!
