Active Directory: LDAP Direct
SECURITY Full Access or Team Access privileges in Workplace Manager
NAVIGATION Multiple paths with multiple steps, but in Workplace Online, configuration of this feature takes place on Configuration > Integrations > Active Directory tile > Setup or Manage button > Configure > LDAP Direct radio button.
Please read this...
This article is a supplement to the Active Directory integration guide. Only continue with this article after reading the Active Directory integration guide, and when you have a clear understanding of the integration functionality.
This article explains how to integrate with Active Directory using the LDAP Direct method specifically.
About LDAP Direct AD
The LDAP Direct Active Directory integration is a method that allows you to integrate Active Directory with your Workplace team. This mode eliminates the need for one or more machines within the domain running a Workplace integration agent to authenticate the users. Instead, Workplace leverages the LDAPS protocol to directly query AD.
This connection method involves connecting directly to the target domain via the LDAPS protocol (LDAP over SSL/TLS).
While the integration is easier, faster, and does not have the hardware requirements of the Active Directory: On Prem Agent method, it does require opening a port in your firewall to facilitate communication between your Active Directory and Workplace account.
Local requirements
- Windows Server 2003 or later
- The LDAPS (SSL) port open in the target domain (default 636)
- SSL certificate for the target domain.
NOTE For more information, see: https://support.microsoft.com/en-us/kb/321051
- An account in the domain which Workplace uses for authentication. These credentials are stored on the server. The account only needs “Read” permissions to the domain, so a standard user account can be used for this purpose.
It is strongly recommended that the password policy in Active Directory for this user is set to "Password never expires".
- Firewall configured to accept communication from the Workplace server outgoing IP address range, represented by the appropriate DNS names for your region. To identify your region, log in to Workplace Online. Once logged in, use the domain name shown in the browser's address bar to identify the corresponding DNS names that need to be allowed to connect to your AD server(s):
Region | DNS Names |
---|---|
United States | mgt-sj.soonr.com, mgt-usw3.soonr.com, mgt-use1.soonr.com |
Europe | eu.soonr.com: mgt-dk.soonr.com |
Canada | mgt-cae2.soonr.com, mgt-cae1.soonr.com |
Australia | mp.soonr.com: mgt-mp.soonr.com |
Workplace requirements
SECURITY Administrator credentials for a Workplace Team.
- Log in to Workplace Online using the administrator credentials for the team.
- Go to Configuration > Integrations > Active Directory tile > Manage button > Configure > LDAP Direct radio button.
- Complete the following fields:
Field | Description |
---|---|
Authentication Domain | Enter the domain to be used to authenticate users. |
Synchronization at | Specify the time that automated daily AD synchronization will occur, or select Synchronize Manually to perform this activity manually, using the Synchronize button on the Active Directory page in Workplace Online. For more information about synchronization, refer to About synchronization. |
LDAP Search Path | Complete the LDAP search path as specified in the LDAP Search Path Syntax section of the Active Directory integration guide topic. To add multiple paths, click the Add path button. |
Default phone number prefix | This optional field allows you to enter a telephone prefix which will automatically be applied to any phone number that does not start with ‘+’. In AD environments where prefixes have not been entered, this allows the prefix to be automatically appended upon import into Workplace. Entries into this field must be in the format ‘+XX’, where ‘XX’ is the desired country code. |
Host Name | The IP address or hostname of the domain server. |
Port | The port number for LDAPS (default is 636). |
- Click Test LDAP Connection to Active Directory.
- In the resulting window, enter your domain user name and your domain password, then click Test.
NOTE This will start a multistage test, showing green check marks if successful, or displaying an error message with an explanation if a failure occurs at any stage of the checks.
If the test fails, close the dialog box, correct the appropriate field and run the test again.
If the test completes successfully, you may click Show server certificate and verify the information is as expected.
- Click Save Certificate. The certificate will now be displayed with a status of Stored.
Clicking Get certificate from host will retrieve the current certificate from the host.
Clicking View more details will display detailed information about the certificate.
- Enter the domain username into the User Name field.
IMPORTANT Ensure you enter the username - not the email address!
- Click Set Password and enter the password associated with the username entered in the previous step.
NOTE Be aware this password will be stored securely in the Workplace service.
- The selections/entries you make in the Alert Settings section control who will be sent a notification in the event of an Active Directory alert such as disconnection or reconnection.
In the Send alerts to: section, select the All administrators or Selected users radio button.
If you choose Selected users, enter the name or email address of an administrator in the field below the radio buttons, or click the icon to use a data selector.
IMPORTANT If you choose Selected users and do not select any administrators in the associated field, no one will receive Active Directory alert messages, so it's very important to select one or more recipients.
- Click Save.
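The multistage connection test described above can be reproduced from any machine that sits in the same network position as the Workplace service (outside the domain, reaching the domain controller only through the firewall-opened LDAPS port). The script below is an added example, not part of the Workplace documentation or product, and uses only the Python standard library: it resolves the host, connects to the LDAPS port, completes a TLS handshake verified against the local trust store, records the SHA-256 fingerprint of the server certificate (optionally comparing it with the fingerprint of the certificate you stored in Workplace), and performs an LDAPv3 simple bind with the read-only service account. The host, port, bind DN, password and fingerprint values are placeholders to replace with your own.

```python
"""LDAPS connectivity check against an Active Directory domain controller.

Added example (not Workplace's own code). Stages mirror the Workplace
"Test LDAP Connection to Active Directory" dialog: resolve host, TCP connect,
TLS handshake, server certificate, simple bind. Standard library only.
"""
import hashlib
import socket
import ssl
from typing import Callable, List, Optional, Tuple

LDAPS_PORT = 636  # default LDAPS port named in the local requirements


def _ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_simple_bind(msg_id: int, bind_dn: str, password: str) -> bytes:
    """Build an LDAPv3 BindRequest (RFC 4511) with simple authentication.

    LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
    BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER 3,
                    name LDAPDN, authentication [0] simple OCTET STRING }
    """
    bind = _tlv(0x02, b"\x03")                         # version 3
    bind += _tlv(0x04, bind_dn.encode("utf-8"))        # name (bind DN / UPN)
    bind += _tlv(0x80, password.encode("utf-8"))       # [0] simple password
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_bind_result(msg: bytes) -> Tuple[int, str]:
    """Extract (resultCode, diagnosticMessage) from a BindResponse.

    BindResponse ::= [APPLICATION 1] SEQUENCE { resultCode ENUMERATED,
                     matchedDN LDAPDN, diagnosticMessage LDAPString, ... }
    """
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(body, 0)                     # messageID
    tag, resp, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = _read_tlv(resp, 0)                  # resultCode
    _, _, pos = _read_tlv(resp, pos)                   # matchedDN
    _, diag, _ = _read_tlv(resp, pos)                  # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated hex."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def fingerprints_match(observed: str, stored: str) -> bool:
    """Compare fingerprints ignoring case and colon/space separators."""
    def norm(s: str) -> str:
        return "".join(c for c in s.upper() if c in "0123456789ABCDEF")
    return norm(observed) == norm(stored)


def run_stages(stages: List[Tuple[str, Callable[[], None]]]) -> List[Tuple[str, bool, str]]:
    """Run named checks in order and stop at the first failure, as the
    Workplace dialog does; returns (stage, passed, detail) per stage run."""
    results: List[Tuple[str, bool, str]] = []
    for name, check in stages:
        try:
            check()
            results.append((name, True, "ok"))
        except Exception as exc:                       # report and stop
            results.append((name, False, f"{type(exc).__name__}: {exc}"))
            break
    return results


def check_ldaps(host: str, port: int, bind_dn: str, password: str,
                stored_fingerprint: Optional[str] = None) -> List[Tuple[str, bool, str]]:
    """Exercise the test stages from outside the domain. The TLS context
    verifies the chain against the local trust store; when a stored
    fingerprint is given the presented certificate must also match it."""
    state: dict = {}

    def resolve():
        state["addr"] = (socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][0], port)

    def connect():
        state["sock"] = socket.create_connection(state["addr"], timeout=10)

    def handshake():
        state["tls"] = ssl.create_default_context().wrap_socket(state["sock"], server_hostname=host)

    def certificate():
        state["fingerprint"] = fingerprint(state["tls"].getpeercert(binary_form=True))
        if stored_fingerprint and not fingerprints_match(state["fingerprint"], stored_fingerprint):
            raise ValueError("certificate differs from stored one: " + state["fingerprint"])

    def bind():
        tls = state["tls"]
        tls.sendall(encode_simple_bind(1, bind_dn, password))
        code, diag = decode_bind_result(tls.recv(4096))
        tls.sendall(_tlv(0x30, _tlv(0x02, b"\x02") + b"\x42\x00"))   # UnbindRequest
        tls.close()
        if code != 0:
            raise PermissionError(f"bind failed, resultCode {code}: {diag}")

    return run_stages([("resolve host", resolve), ("connect to port", connect),
                       ("TLS handshake", handshake), ("server certificate", certificate),
                       ("simple bind", bind)])


if __name__ == "__main__":
    # Placeholder values (constructed); replace with your own domain details.
    for stage, ok, detail in check_ldaps("dc1.example.test", LDAPS_PORT,
                                         "svc-workplace@example.test", "PLACEHOLDER",
                                         stored_fingerprint=None):
        print(("PASS" if ok else "FAIL"), stage, detail)
```

A bind resultCode of 0 corresponds to the green check marks in the dialog; 49 (invalidCredentials) is the usual result when the username was entered as an email address instead of the domain username, or when the service account password has expired. A failure at the "server certificate" stage with a stored fingerprint indicates the domain controller now presents a different certificate than the one saved in Workplace, which is the case where Get certificate from host and Save Certificate need to be repeated.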
- Log in to Workplace Online.
- Go to Configuration > Integrations > Active Directory tile > Manage button > Configure button > select the appropriate method radio button.
- Scroll to the bottom of the page for the Alert Settings area:
- In the Send alerts to: section, select the Selected users radio button.
- Enter the name or email address of an administrator in the field below the radio buttons, or click the icon to use a data selector. If Workplace identifies an email address as a Workplace user, it will appear in blue. All other email addresses, including the support email address, will appear in orange.
IMPORTANT If you have chosen Selected users and do not select any administrators in the associated field, no one will receive Active Directory alert messages, so it's very important to select one or more recipients.