Configuring AD Agent Settings
After AD Agent is successfully installed and running, log in to your LogMeOnce account, go to "Smart Menu" and select "Directories". This is a unified directory service, and it shows a summary of all your directories with the current status (Not Configured / Connected / Disconnected), including the number of users and groups imported. As new users are added, this list will be updated automatically.
- Select the directory you would like to configure
- Main page: This shows Active Directory's general information.
- Connected Agent: It shows the status of the AD Agent and its version number. It is possible to add multiple AD Agents.
- Organization Units (OU): The OU list is automatically populated based on information from Active Directory. Select the root OU or multiple OUs that will be synced with LogMeOnce. Any changes to selected OUs will be synced in real-time with LogMeOnce. In the example below, the root OU and OUs are selected. All users and groups from the selected OUs will be synced based on user and group filters.
- User Filter: The "User Filter" is a powerful filtering option that provides extensive flexibility to the LDAP administrator. This filter is used to filter which users should be synced. In the example below, the default LDAP filter is shown, which imports all users from selected OUs.
- Group Filter: The "Group Filter" is another powerful filtering option which provides extensive flexibility to the LDAP administrator. It is used to filter which groups should be synced. In the example below, the default LDAP filter is shown, which imports all groups from selected OUs.
- Organization Units (OU): In the example below only one OU is selected. All users and groups from selected OU will be synced based on user and group filters.
- User Filter: In the example below, the default LDAP filter is shown that imports all users from selected OUs.
- Group Filter: In the example below, the default LDAP filter is shown that imports all groups from selected OUs.
- Organization Units (OU): In the example below, the root OU and all OUs below it are selected. All users and groups from selected OU will be synced based on user and group filters.
- User Filter: In the example below, a "custom user filter" is selected. The default LDAP filter is shown which imports all users from selected OUs.
- Group Filter: In the example below, a custom user filter is selected.
- How to get a Full DN (Distinguished Name) of a user
1. Open a Windows command prompt
2. Type: dsquery user -name <known username>
- How to get a Full DN of a group
1. Open a Windows command prompt
2. Type: dsquery group -name <known group name>
Example: the full DN for an AD group is shown below, in this case for the LogMeOnce group.
C:\> dsquery group -name logmeonce
"CN=LogMeOnce,CN=Users,DC=corp,DC=amazonworkspaces,DC=com"
Custom User Filter: This filter will monitor all users added to the LogMeOnce group in the selected OUs. If a user is added to or deleted from this OU, it will automatically sync with LogMeOnce.
(&(objectClass=user)(objectCategory=person)(memberOf=CN=LogMeOnce,CN=Users,DC=corp,DC=amazonworkspaces,DC=com))
Custom Group Filter: This filter will monitor a specific group in the selected OUs. It will sync the selected folder.
(&(objectCategory=group)(distinguishedName=CN=LogMeOnce,CN=Users,DC=corp,DC=amazonworkspaces,DC=com))
Provisioning and Authentication
LogMeOnce offers multiple provisioning options for Active Directory:
- Enable import from selected OU to LogMeOnce:
After saving changes, all users & groups from the selected OU will be imported to LogMeOnce.
- Enable Real-Time provisioning:
When a user or group attribute is modified in your Active Directory, it will be synced with LogMeOnce in real-time within seconds.
- Authentication:
Enable Active Directory Authentication
- User Name format:
Select the username users should enter to log into LogMeOnce. The options are User Principal Name (UPN) and SAM Account Name.
Attribute Mapping and Custom Attributes
LogMeOnce comes packaged with a list of profile attributes from AD, however this can be customized, and additional fields can be added.
- Use default attributes or "add" additional attributes from AD. The data from these attributes will be synced with LogMeOnce.
- Select from a list of AD Attributes and save changes
High Availability (HA)
You can add multiple instances of AD Agents which will be listed under Connected Agents. You can restart monitoring and perform imports.
Users and Groups - filter examples
- Default user filter
(&(objectClass=user)(objectCategory=person))
- Filter users who are members of specific group(s)
(&(objectClass=user)(objectCategory=person)(memberOf=<group dn>))
- Filter users who are members of at least one of two groups (OR condition)
(&(objectClass=user)(objectCategory=person)(|(memberOf=<group dn 1>)(memberOf=<group dn 2>)))
- Default group filter
(objectCategory=group)
- Filter one specific group
(&(objectCategory=group)(distinguishedName=<group dn 1>))
- Filter two specific groups
(&(objectCategory=group)(|(distinguishedName=<group dn 1>)(distinguishedName=<group dn 2>)))
Testing User and Group filters
You may follow these steps to test users and groups filters that you have built before saving your AD configuration in LogMeOnce:
1. Enter Active Directory Users and Computers
2. Right mouse click on "Saved Queries" -> New -> Query
3. Enter Name for query - and click "Define Query"
4. From Find - select "Custom Search"
5. Under Advanced tab - paste filter query and click OK
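An offline dry run that complements the Saved Queries test above, as an added example that is not LogMeOnce code: it fills the user filter templates from this page with a group DN using RFC 4515 escaping, then evaluates the result against constructed sample entries. The group DN, the sample entries and all function names are assumptions made for illustration.

```python
import re

def escape_value(value):  # RFC 4515: hex-escape \ * ( ) and NUL inside a filter value
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter(*group_dns):  # the page's templates: default, one group, OR of several
    member = "".join("(memberOf=%s)" % escape_value(dn) for dn in group_dns)
    member = "(|%s)" % member if len(group_dns) > 1 else member
    return "(&(objectClass=user)(objectCategory=person)%s)" % member

def _parse(flt, pos):  # recursive parser for the syntax the page uses: &, |, attr=value
    if not flt.startswith("(", pos):
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if flt.startswith(("&", "|"), pos):
        op, kids, pos = flt[pos], [], pos + 1
        while flt.startswith("(", pos):
            kid, pos = _parse(flt, pos)
            kids.append(kid)
        if not kids:
            raise ValueError("operator without operands at offset %d" % pos)
        node = (op, kids)
    else:
        end = flt.index(")", pos)  # ValueError if the item is never closed
        attr, value = flt[pos:end].split("=", 1)
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
        node, pos = ("=", attr.lower(), value.lower()), end
    if not flt.startswith(")", pos):
        raise ValueError("expected ')' at offset %d" % pos)
    return node, pos + 1

def _matches(node, e):  # case-insensitive equality only; real AD matching is richer
    if node[0] == "=":
        return any(v.lower() == node[2] for k, vs in e.items() if k.lower() == node[1] for v in vs)
    return (all if node[0] == "&" else any)(_matches(kid, e) for kid in node[1])

def preview(flt, entries):  # account names the filter selects; ValueError if malformed
    tree, end = _parse(flt, 0)
    if end != len(flt):
        raise ValueError("unexpected text at offset %d" % end)
    return [e["sAMAccountName"][0] for e in entries if _matches(tree, e)]

# Constructed sample data, not from the page; objectCategory is shown by its short name.
SALES = "CN=Sales (EMEA),OU=Groups,DC=corp,DC=example,DC=com"
PERSON = {"objectClass": ["top", "person", "user"], "objectCategory": ["person"]}
ENTRIES = [dict(PERSON, sAMAccountName=["alice"], memberOf=[SALES]),
           dict(PERSON, sAMAccountName=["bob"], memberOf=[]),
           {"objectClass": ["top", "person", "user", "computer"], "objectCategory": ["computer"],
            "sAMAccountName": ["WS01$"], "memberOf": [SALES]}]
```

Pasting a group DN that contains parentheses into the template unescaped makes `preview` raise `ValueError`, while the escaped filter from `user_filter(SALES)` selects only the group member. The computer account carries `objectClass=user` as well, and it is the `objectCategory=person` clause of the default filter that keeps it out of the sync.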