Importing Users from Active Directory
1. Integrate Active Directory and Import Users
1.1 Importing Users
1.2 Active Directory Synchronization
1.3 Assigning Roles
1. Integrate Active Directory and Import Users
You need to carry out the following steps to import users from AD and assign them necessary roles and permissions in Key Manager Plus.
1.1 Importing Users
From the server on which it is running, Key Manager Plus automatically gets the list of domains available under the Microsoft Windows Network folder. You need to select the required domain and provide domain controller credentials.
To do this,
- Navigate to Settings >> User Management >> Active Directory.
- Select the required Domain Name, which forms part of the AD from the drop-down.
- Specify the DNS name of the Domain Controller. This domain controller will be the primary domain controller.
- If the primary domain controller is down, secondary domain controllers can be used. If you have secondary domain controllers, specify their DNS names in comma-separated form; one of the available secondary domain controllers will be used. When you use SSL mode, make sure each DNS name specified here matches the CN (common name) in the SSL certificate of that domain controller.
- Enter valid user credentials (User Name and Password) of a user account within the particular domain. Then enter the Users / User Groups / OUs that you want to import as comma-separated values and click Import. To import user groups/OUs directly, choose the Groups/OU Tree import type and select the required groups from the list. While importing users from user groups/OUs, you can enable Active Directory synchronization to keep the user database updated. See section 1.2 for more details.
- Key Manager Plus also provides an option to automatically discover the SSL certificates of Active Directory (AD) users as they are imported into Key Manager Plus. Enable the check box Import AD user certificate(s) to perform the discovery and import the certificates into the certificate repository of Key Manager Plus.
- For each domain, you can configure whether all communication should take place over an encrypted channel. To enable SSL mode, the domain controller must be serving over SSL on port 636 and you will have to import the domain controller's root certificate into the Key Manager Plus server machine's certificate store.
As mentioned above, to enable SSL mode the domain controller must be serving over SSL on port 636. If the certificate of the domain controller is not signed by a trusted CA, you will have to manually import the certificate into the Key Manager Plus server machine's certificate store. You need to import all the certificates present in the respective root certificate chain, that is, the certificate of the Key Manager Plus server machine and intermediate certificates, if any.
1.2 Active Directory Synchronization
Keep the user database updated by enabling Active Directory (AD) synchronization while importing users from AD. Set up recurring synchronization schedules for single or multiple AD domains. Creating AD user synchronization schedules allows importing users from user groups or organizational units that are part of multiple AD domains. Once an AD Synchronization schedule is set up, any new users added to the Active Directory domain will automatically be imported into Key Manager Plus when the AD synchronization schedule runs. To enable AD user sync, follow the below steps:
- Select the Enable Active Directory Sync checkbox.
- Choose a preferred Recurrence Type: Daily, Weekly, or Monthly.
- Enter a Start Time and Start Date for the schedule.
- Click Import to start the import immediately. The AD sync schedule will also be created. However, if you click Save, all the domain and schedule details will be saved for future use but the user import will not begin until you click the Import option.
Using the above method, you can create a schedule to synchronize the entire user database of a selected AD Domain. To create AD sync schedules for a set of user groups or OUs, follow the below steps:
- Enter Domain details and credentials as instructed above. Under Import Type, click Groups/OU Tree.
- In this window, choose Groups or Organization Units and select the required User Groups using the checkboxes provided.
- Select the Enable Active Directory Sync checkbox.
- Choose a preferred Recurrence Type: Daily, Weekly, or Monthly.
- Enter a Start Time and Start Date for the schedule.
- Click Import to start the import immediately. The AD sync schedule will be created for the selected user groups. However, if you click Save, all the domain and schedule details will be saved for future use but the user import will not begin until you click the Import option.
To view the AD sync schedules you have created, click the calendar icon at the top right corner. You will see options to enable, disable, or delete the existing schedules. If you disable a schedule, the AD sync stops temporarily but the details remain in the system, so the schedule will run as usual once you enable it again.
Notes:
- Please note that you can create only one schedule for a selected AD domain. Within the selected domain, you may choose to import users from any number of groups or Organizational Units. If you create a new AD sync schedule for a domain that already has an existing schedule, the previously created schedule will be overwritten.
- After the user import into Key Manager Plus is complete, if a user is deleted in the AD domain, that particular user will be shown as 'locked' in Key Manager Plus. You can manually remove the user from the Key Manager Plus user list.
- A new audit log will be created each time the AD Sync Schedule runs. Each new user added during the schedule will also be tracked in the Audit tab.
To import the domain controller's certificate into the Key Manager Plus machine's certificate store, you can use any procedure that you normally use to import SSL certificates into the machine's certificate store. The following is one example:
- In the machine where Key Manager Plus is installed, launch Internet Explorer and navigate to Tools >> Internet Options >> Content >> Certificates.
- Click Import.
- Browse and locate the root certificate issued by your CA.
- Click Next and choose the option Automatically select the certificate store based on the type of certificate and install.
- Again click Import.
- Browse and locate the domain controller certificate.
- Click Next and choose the option Automatically select the certificate store based on the type of certificate and install.
- Apply the changes and close the wizard.
- Repeat the procedure to install other certificates in the root chain.
The Key Manager Plus server can now communicate with this particular domain controller over SSL. Repeat these steps for every domain controller with which you want Key Manager Plus to communicate over SSL. Note that the DNS name you specify for the domain controller must match the CN (common name) in the SSL certificate of that domain controller.
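The following PowerShell script is an added example and is not part of the Key Manager Plus help or product. It checks the SSL-mode prerequisites described above on the Key Manager Plus server machine: that the domain controller answers on port 636, that the certificate it presents carries the DNS name you intend to enter (checking the subject CN the help mentions and also the Subject Alternative Name entries, which modern TLS clients match against), and that the CA chain is imported into the local machine certificate store so the chain builds cleanly. The domain controller name and the chain file paths are placeholders you must replace.

```powershell
# Added example, not part of the Key Manager Plus help. Run in an elevated
# PowerShell on the Key Manager Plus server machine. Host name and file paths
# below are placeholders (assumptions); replace them with your own values.

$DcDnsName  = 'dc01.example.local'                                   # placeholder DC DNS name
$ChainFiles = @('C:\certs\root-ca.cer', 'C:\certs\issuing-ca.cer')   # placeholder chain files

# Retrieve the certificate a domain controller presents on the LDAPS port.
# The validation callback returns $true only so the certificate can be inspected
# before its chain is trusted on this machine; no LDAP traffic is sent.
function Get-LdapsCertificate {
    param([string]$HostName, [int]$Port = 636)
    $client   = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl      = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

# Collect the names a certificate is valid for: the subject CN plus every DNS entry
# in the Subject Alternative Name extension (OID 2.5.29.17).
function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() output is locale dependent; this regex assumes the English "DNS Name=" label.
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    return $names | Select-Object -Unique
}

# Check that the DNS name you plan to enter matches one of the certificate names
# (a leading wildcard label such as *.example.local is honoured by -like).
function Test-CertificateName {
    param([string]$HostName, [string[]]$CertificateNames)
    foreach ($n in $CertificateNames) {
        if ($HostName -like $n) { return $true }
    }
    return $false
}

# Import each chain file: a self-signed certificate goes to Trusted Root Certification
# Authorities, every other certificate to Intermediate Certification Authorities.
function Import-CaChain {
    param([string[]]$Files)
    foreach ($file in $Files) {
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file)
        $store = if ($cert.Subject -eq $cert.Issuer) { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }
        Import-Certificate -FilePath $file -CertStoreLocation $store | Out-Null
        Write-Host "Imported $($cert.Subject) into $store"
    }
}

# --- main ---
if (-not (Test-NetConnection -ComputerName $DcDnsName -Port 636 -InformationLevel Quiet)) {
    throw "$DcDnsName does not accept connections on port 636; LDAPS is not enabled on this DC."
}

$dcCert = Get-LdapsCertificate -HostName $DcDnsName
$names  = Get-CertificateDnsNames -Certificate $dcCert
Write-Host "DC certificate subject: $($dcCert.Subject)"
Write-Host "Names in certificate  : $($names -join ', ')"
if (-not (Test-CertificateName -HostName $DcDnsName -CertificateNames $names)) {
    throw "'$DcDnsName' is not among the certificate names; enter a DC name that matches the certificate."
}

Import-CaChain -Files $ChainFiles

# Build the chain against the machine store to confirm the DC certificate is now trusted.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if ($chain.Build($dcCert)) {
    Write-Host "Chain builds cleanly; SSL mode can be enabled for $DcDnsName."
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}
```

Run the script once per domain controller you intend to use in SSL mode, including the secondary domain controllers, because each one presents its own certificate and each DNS name you enter must match the certificate of that controller. The name check and the chain build are the two conditions that most often cause an SSL-mode connection to fail after the GUI import wizard has been completed.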
- By default, Key Manager Plus will populate all the OUs and groups from AD. If you want to import only a particular user, enter the required user name(s) in comma separated form.
- Similarly, you can choose to import only specific user groups or OUs from the domain. You can specify the names in the respective text fields in comma separated form.
- Click Import. Key Manager Plus will immediately start adding all users from the selected domain. During subsequent imports, only the new user entries in AD are added to the local database.
- In the case of importing organizational units (OUs) and AD groups, user groups are automatically created with the name of the corresponding OU/AD group.
Important Note:
Groups/OUs too large to display:
When the domain controller has a large number of groups or OUs, specifically more than 2500, Key Manager Plus will not display them in the GUI. In such cases, you will see the message Groups too large to display / Organizational Units too large to display. When this happens, you have to specify only the groups or OUs to be imported instead of picking them from the display.
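The following PowerShell script is an added example, not part of the Key Manager Plus help. It uses the ActiveDirectory module (from RSAT) to count the groups and OUs in a domain before you open the Groups/OU Tree import, warns when either count exceeds the display limit of 2500 stated above, and builds the comma-separated lists to paste into the User Groups and OUs text fields instead. The domain controller name and the name pattern are placeholders you must replace.

```powershell
# Added example, not part of the Key Manager Plus help. Requires the ActiveDirectory
# PowerShell module. DC name and name pattern are placeholders (assumptions).

Import-Module ActiveDirectory

$DcDnsName    = 'dc01.example.local'   # placeholder DC to query
$DisplayLimit = 2500                   # display limit stated in the help text
$NamePattern  = 'KMP-*'                # placeholder: only groups/OUs named like this are listed for import

function Get-ImportCandidates {
    param([string]$Server, [string]$Pattern, [int]$Limit)

    # @() keeps .Count correct when zero or one object comes back.
    $groups = @(Get-ADGroup -Server $Server -Filter * | Select-Object -ExpandProperty Name)
    $ous    = @(Get-ADOrganizationalUnit -Server $Server -Filter * | Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        GroupCount = $groups.Count
        OuCount    = $ous.Count
        GroupsFit  = ($groups.Count -le $Limit)
        OusFit     = ($ous.Count -le $Limit)
        # Comma-separated values, ready for the User Groups / OUs text fields.
        GroupField = (($groups | Where-Object { $_ -like $Pattern } | Sort-Object) -join ',')
        OuField    = (($ous    | Where-Object { $_ -like $Pattern } | Sort-Object) -join ',')
    }
}

$c = Get-ImportCandidates -Server $DcDnsName -Pattern $NamePattern -Limit $DisplayLimit
if (-not $c.GroupsFit) {
    Write-Warning "$($c.GroupCount) groups: the GUI will show 'Groups too large to display'; paste the list below instead."
}
if (-not $c.OusFit) {
    Write-Warning "$($c.OuCount) OUs: the GUI will show 'Organizational Units too large to display'; paste the list below instead."
}
Write-Host "User Groups field: $($c.GroupField)"
Write-Host "OUs field        : $($c.OuField)"
```

Restricting the pattern to the groups and OUs that actually need Key Manager Plus access also keeps the imported Operator population, and therefore the set of accounts that can log in, as small as the business need allows.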
- What will be the role of the users imported from AD in Key Manager Plus?
  The users added to the Key Manager Plus database will have the Operator role.
- Can I use both AD and non-AD credentials to log in to Key Manager Plus?
  Yes. You can use both your AD and local (non-AD) passwords to log in to the application. The choice can be made in the GUI login screen itself.
1.3 Assigning Roles
All the users imported from AD are assigned the Operator role by default. To assign specific roles to specific users and/or to assign SSH user accounts of discovered resources, refer to the Modify Users page of the help document.
To delete the users, refer to the delete section of this help document.