
Targeting Active Directory

For each Active Directory domain, add a target (Manage the system > Resources > Target systems):

  • Type is Legacy Active Directory.

  • Address uses the syntax described in Defining the target system address.

  • Administrator ID and Password are the credentials of the target system administrator you configured earlier.

    It is recommended that you write the administrator ID in the format:

    • NETBIOS\userid

      or

    • userid@domain.com

    This is required in some cases, including where:

    • Bravura Security Fabric is installed on a Windows XP workstation

    • The plugin-winsvc plugin is configured to update service, scheduled task, and iis directory credentials (Bravura Privilege)

    • The nrcifs program is configured to manage resources whose access is mediated by membership in Active Directory groups (Bravura Identity)

    • The List entire forest target address option is specified and Bravura Security Fabric will be acting on objects outside the domain specified in the Domain or domain controller target address option.

  • Set Program to generate a list of target systems to dcselect to accelerate password replication in Active Directory domains.

  • By default, all connectors run the Bravura Security Fabric processes on the Bravura Security Fabric server as the local psadmin account. To run those processes as the target system administrator instead, select the Run as? checkbox.

The full list of target system parameters is explained here.

Defining the target system address

Table 1. Legacy Active Directory address configuration

Options marked (required) must be specified. The key in parentheses is the name used in the target address syntax.

  • Domain or domain controller (required)

    The DNS domain name, or the domain controller's FQDN, host name or IP address; for example:

     globaldomain.example.com
     \\mydomaincontroller.example.com
     \\mydomaincontroller

    Use the IP address only if DNS is not resolving the name; otherwise specify the DNS domain name or the FQDN. Besides being brittle, addressing a DC by IP typically prevents Kerberos authentication (service tickets are issued for host-name based SPNs), so the connection falls back to NTLM.

  • Base DN (key: basedn)

    Restrict listing to users in the named container.

  • Group (key: group)

    List only those users who are members of the named group.

  • Group file (key: groupfile)

    List only those users who are members of the groups named in a file.

  • List nested groups (key: listNestedGrps)

    Recursively list all users and computers contained within the groups specified by the Group or Group file option.

  • List members for nested groups (key: listNestedNOSGrps)

    Recursively list users' group memberships for groups contained within the groups specified by the Group or Group file option.

  • Abort listing when an invalid group is encountered (key: listFailOnNonExistentGrp)

    Return failure when a group list includes a group that does not exist.

  • OU file (key: oufile)

    Restrict listing to users in several containers named in a file.

  • Abort listing when an invalid OU is encountered (key: listFailOnNonExistentOU)

    Return failure when an OU list includes an OU that does not exist.

  • Connection over SSL (key: ssl)

    Select to require LDAP over SSL/TLS for the connection.



The Active Directory target system address syntax is as follows:

(<DNS domain name> | <DC's FQDN or host name>)[/basedn=<OU>][/oufile=<filename>][/group=<group name>][/grpfile=<filename>][/listNestedGrps=<true|false>][/listNestedNOSGrps=<true|false>][/listFailOnNonExistentGrp=<true|false>][/listFailOnNonExistentOU=<true|false>][/ssl=<true|false>]

The group file key appears as grpfile in this syntax line and as groupfile in Table 1. When restricting options are combined (for example a Base DN together with a Group), the listing contains only the objects that satisfy all of them; the options act as an intersection, not a union.
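The following is an added example, not Bravura Security Fabric code: a small parser for the address syntax above that rejects unknown keys and malformed booleans (so a mistyped option cannot silently widen a listing) and derives the full base DN by appending the dc= components of the domain, as the text on targeting a container describes. The key set, the handling of both grpfile and groupfile, and the RootDSE remark are this example's assumptions.

```python
# Added example (not Bravura Security Fabric code): parse a Legacy Active
# Directory target address of the form
#   <domain or DC>[/key=value]...
# into its components and derive the full base DN. Key names are the ones
# in Table 1 and the syntax line; the page shows the group file key both as
# "groupfile" and "grpfile", so both are accepted here (an assumption).
BOOL_KEYS = {"listNestedGrps", "listNestedNOSGrps",
             "listFailOnNonExistentGrp", "listFailOnNonExistentOU", "ssl"}
STRING_KEYS = {"basedn", "oufile", "group", "grpfile", "groupfile"}


def domain_to_dn(host):
    r"""Derive the dc= components of the domain from the first address field.

    A DNS domain name such as globaldomain.example.com maps to
    dc=globaldomain,dc=example,dc=com. When the address names a domain
    controller (\\host or \\host.example.com) the domain DN cannot be
    derived from the name alone (a DC's DNS suffix need not equal the
    domain's DNS name); a real connector would read defaultNamingContext
    from the DC's RootDSE, which this offline example does not do.
    """
    if host.startswith("\\\\"):
        return None
    labels = [label for label in host.split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + label for label in labels)


def parse_target_address(address):
    """Split the address into (host, {option: value}).

    Boolean options must be literally true or false; unknown keys are
    rejected so that a typo such as /lisNestedGrps=true cannot silently
    change the listing. Option values containing '/' are not supported by
    this splitter (the page defines no escape for it).
    """
    fields = address.split("/")
    host, raw_options = fields[0].strip(), fields[1:]
    if not host:
        raise ValueError("address must start with a domain or domain controller")
    options = {}
    for item in raw_options:
        if "=" not in item:
            raise ValueError("option without '=': %r" % item)
        key, value = item.split("=", 1)
        if key in BOOL_KEYS:
            flag = value.strip().lower()
            if flag not in ("true", "false"):
                raise ValueError("%s expects true or false, got %r" % (key, value))
            options[key] = (flag == "true")
        elif key in STRING_KEYS:
            options[key] = value
        else:
            raise ValueError("unknown address option %r" % key)
    return host, options


def is_valid_address(address):
    """True if parse_target_address accepts the address."""
    try:
        parse_target_address(address)
        return True
    except ValueError:
        return False


def effective_base_dn(host, options):
    r"""Append the domain's dc= components to a /basedn= given without them.

    Escaped characters inside the base DN (ou=Calgary\,Alberta) are passed
    through untouched; only the domain suffix is appended.
    """
    suffix = domain_to_dn(host)
    base = options.get("basedn")
    if base and suffix:
        return base + "," + suffix
    return base or suffix
```

Running `parse_target_address("globaldomain.example.com/basedn=ou=people,ou=hr/ssl=true")` yields the host plus a dictionary with `basedn` as a string and `ssl` as `True`; `effective_base_dn` then returns `ou=people,ou=hr,dc=globaldomain,dc=example,dc=com`.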

Targeting Active Directory groups

You can restrict user listing to one or more named groups.

To restrict user listing by a single group membership, specify the Group on the Target system address configuration page.

Restrict user listing by multiple group memberships by listing groups in a group file, specified by the Group file field on the Target system address configuration page. This only restricts the listing of users as specified by the groups in the file; it does not restrict the listing of groups. To filter both users and groups, see Targeting multiple containers.

The file must be located in the \<instance>\script\ directory, and specify one group per line; for example:

 IT
 Sales
 Finance

By default, if a group list includes invalid groups, the listing still returns success. You can cause the listing to abort when an invalid group is detected by setting Abort listing when an invalid group is encountered.

The Active Directory connector lists nothing if the group file is empty.

Any line that begins with a hash mark (#) is ignored by the connector. A group whose name begins with a hash mark (#) must have that hash mark escaped with a backslash (\#).

Listing accounts from group membership recursively

You can restrict listing by membership of one or more groups and recursively list all users and computers contained within.

To list user and computer objects recursively, select the List nested groups option.

If specified, the connector recursively searches for groups nested within the groups specified in the address, then constructs an account list search based on all of those nested groups.

If not specified, only immediate members of a specified group are listed.

Listing managed group membership recursively

You can recursively list users' group memberships for groups nested within the groups specified by the Group or Group file option. To list group membership recursively, select the List members for nested groups option.

If selected, the connector recursively searches for groups nested within the groups specified in the address, then constructs a user list search based on all of those groups.

If not selected, only immediate members of a specified group are listed.

Ensure that each account is unique across a group and its nested groups, to prevent duplicate group members in the native system. For example, if Group1 contains User1 and Group2 contains Group1, then Group2 implicitly has User1 as a member, and User1 is returned for Group2 when nested group listing is enabled. If User1 is also explicitly added to Group2, the listing returns User1 twice for Group2.
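The two nested-listing options and the duplicate-member warning above, as an added example that is not the connector's code. It walks a constructed in-memory membership map (the page's Group1/Group2/User1 case plus a self-nested Group3) and shows immediate-only listing, recursive listing with and without de-duplication, and the reverse walk from an account to every group it belongs to transitively, which is this example's reading of List members for nested groups.

```python
# Added example (not Bravura Security Fabric code): model the listing modes
# described above over a constructed, in-memory membership map. Keys are
# groups; values are their immediate members. Names prefixed "user:" are
# accounts, anything else is a nested group. Not real directory data.
DIRECT_MEMBERS = {
    "Group1": ["user:User1"],
    "Group2": ["Group1", "user:User1"],   # User1 is also an explicit member
    "Group3": ["Group2", "Group3"],       # a group nested inside itself
}


def list_accounts(group, nested, dedupe=True, members=DIRECT_MEMBERS):
    """Accounts listed for `group`.

    nested=False mirrors the default: only immediate members. nested=True
    mirrors List nested groups: members of groups that are members of
    `group`, recursively. dedupe=False reproduces the duplicate the text
    warns about when an account is both a direct and an indirect member;
    dedupe=True is what a listing should do instead. A visited set stops
    recursion on nesting loops (Group3 contains itself).
    """
    result = []
    seen_accounts = set()
    visited_groups = set()

    def walk(current):
        if current in visited_groups:
            return
        visited_groups.add(current)
        for member in members.get(current, []):
            if member.startswith("user:"):
                if dedupe and member in seen_accounts:
                    continue
                seen_accounts.add(member)
                result.append(member)
            elif nested:
                walk(member)

    walk(group)
    return result


def groups_of(account, nested, members=DIRECT_MEMBERS):
    """Groups an account belongs to.

    nested=False returns only the groups that list the account directly.
    nested=True follows each group upward to the groups that contain it
    (this example's reading of List members for nested groups), so
    membership in Group1 implies Group2 and, via Group2, Group3.
    """
    direct = {g for g, ms in members.items() if account in ms}
    if not nested:
        return direct
    found, frontier = set(), list(direct)
    while frontier:
        g = frontier.pop()
        if g in found:
            continue
        found.add(g)
        frontier.extend(parent for parent, ms in members.items() if g in ms)
    return found
```

`list_accounts("Group2", nested=True, dedupe=False)` returns User1 twice, which is exactly the duplicate the warning describes; with the default `dedupe=True` it is returned once.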

Targeting a specific container

Normally, Bravura Security Fabric lists all users from the specified Active Directory domain. You can restrict it to list only those users who exist in a named container, for example if your Active Directory is divided into organizational units. Specify the container's distinguished name (DN) in the Base DN field on the Target system address configuration page; for example:

  • cn=psynchusers

  • ou=people,ou=hr

    When including a container in an Active Directory target system address line, do not specify the domain portion (dc=) of the DN. The domain portion is automatically determined from the domain or domain controller name specified in the first part of the target address.

You must escape backslashes and commas in the address with the backslash (\) character. For example:

  • ou=Calgary\,Alberta,ou=hr

  • ou=Calgary \\ City,ou=hr

All immediate groups under the base DN are listed regardless of whether there is a single group or a group list file specified in the address line.

Targeting multiple containers

You can restrict Bravura Security Fabric to list only those groups and users that exist in one of several named containers. To do this you must create a file specifying the OUs to be searched, and specify the file in the OU file field on the Target system address configuration page.

The file must be located in the \<instance>\script\ directory, with one OU per line. The full DN does not need to be specified, since agtad determines the domain-specific part (the dc= components) from the domain itself. To search the whole subtree under a container, start the line with "*,"; otherwise only the level directly under the specified container is searched. Start a line with # to declare a comment. The following are sample lines:

 # List all users in the built-in user OU
 *,CN=Users
 # List all Developers in Chicago
 ou=development,ou=Chicago
 # List all staff in Des Moines
 *,ou=Des Moines

By default, if an OU file includes invalid OUs, the listing still returns success. You can cause the listing to abort when an invalid OU is detected by selecting Abort listing when an invalid OU is encountered.

The Active Directory connector lists nothing if the OU file is empty.
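An added example, not the agtad connector's code, covering both the group file format (comments, blank lines, the \# escape, empty file lists nothing) and the OU file format above (the "*," subtree prefix, the appended domain part, and the abort-on-invalid-OU choice). The sample files are constructed for the example; the set of existing DNs stands in for the LDAP lookup a real connector would perform.

```python
# Added example (not the agtad connector's code): read a group file or OU
# file as described above and turn OU file lines into LDAP search bases.
# Both sample files below are constructed for this example.
GROUP_FILE = """\
IT
Sales
# Finance is handled by another target
\\#Contractors
"""

OU_FILE = """\
# List all users in the built-in user OU
*,CN=Users
# List all Developers in Chicago
ou=development,ou=Chicago
# List all staff in Des Moines
*,ou=Des Moines
"""


def read_list_file(text):
    r"""Return the entries of a group file or OU file, one per line.

    Blank lines and lines starting with '#' are skipped. A name that
    genuinely begins with '#' is written '\#' in the file; the backslash
    escapes only that leading hash and is removed here. Surrounding
    whitespace is trimmed; interior spaces (ou=Des Moines) are kept.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("\\#"):
            line = line[1:]
        entries.append(line)
    return entries


def ou_file_to_searches(text, domain_dn):
    """Map OU file entries to (search base DN, scope) pairs.

    A line starting with '*,' means the whole subtree below the container;
    any other line means only the level directly under it. The domain part
    (domain_dn, e.g. dc=example,dc=com) is appended because the file gives
    only the relative part. An empty file yields no searches at all, which
    matches the connector listing nothing rather than the whole domain.
    """
    searches = []
    for entry in read_list_file(text):
        if entry.startswith("*,"):
            scope, relative = "subtree", entry[2:].strip()
        else:
            scope, relative = "onelevel", entry
        searches.append((relative + "," + domain_dn, scope))
    return searches


def validate_searches(searches, existing_dns, fail_on_nonexistent):
    """Apply the 'Abort listing when an invalid OU is encountered' choice.

    existing_dns stands in for an LDAP base-scope lookup of each DN (DNs
    compare case-insensitively, so both sides are lowercased). With the
    flag off, unknown OUs are dropped and listing continues; with it on,
    the first unknown OU aborts the listing.
    """
    known = {dn.lower() for dn in existing_dns}
    valid = []
    for dn, scope in searches:
        if dn.lower() in known:
            valid.append((dn, scope))
        elif fail_on_nonexistent:
            raise LookupError("OU does not exist: " + dn)
    return valid
```

With the flag off, the non-existent ou=development,ou=Chicago entry is silently skipped and only two containers are searched; with the flag on, the same file aborts the listing. Silent skipping is the default, so a typo in the OU file shrinks the set of managed accounts without any error, which is worth checking for after editing the file.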

Using sub-hosts to replicate password changes

In a global, native-mode Active Directory domain, password resets may take a long time to replicate from the domain controller serving the Bravura Security Fabric server to domain controllers accessed by users.

Bravura Security Fabric can bypass this replication process by directly setting a user’s new password and account status flags (intruder lockout, change password flag and expiry time/date) on each DC that the user might access. This includes DCs in the site from which the user’s web browser connected to Bravura Security Fabric , DCs in the site housing the user’s home directory, and regional DCs accessed by mail, database or other systems that the user might access.

To accelerate password replication in this way, set the Program to generate a list of target systems on the Target system information page for your Active Directory domain to dcselect.exe.

The sub-host plugin adds a list of DCs and sites to the help desk password reset screen, so that a help desk user can reset passwords on specific domain controllers. The plugin also automatically selects domain controllers for all self-service functions, based on the user’s web browser IP address and home directory server IP address.

To specify additional domain controllers for users of certain sites, edit the text file dc.man in the \<instance>\script\ directory. This file has the format:

 domain <domain-name>
 site <site-name> <DC1> [<DC2> ...]

The site lines that follow a domain line apply to that domain. Site names may contain the wildcards ? (any single character) and * (any sequence of characters).

An example of dc.man follows:

 domain example.com
 # Every user should get a password reset on this central DC:
 site * centraldc.example.com
 # Users in Madrid should get a reset in London too:
 site madrid.* londondc1.example.com londondc2.example.com
 # Users in Hong Kong should get a reset in Tokyo:
 site hk.example.com tokdc1.example.com tokdc1.example.com
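The dc.man format and its wildcard matching, as an added example that is not the dcselect plugin's code. It parses the page's example file (embedded below) and returns the extra domain controllers for a given site, applying every matching site line (so the catch-all "site *" rule and a regional rule both contribute) and dropping duplicate DC names. That all matching lines are combined, and that matching is case-insensitive, are this example's assumptions.

```python
import re

# Added example (not the dcselect plugin's code): parse dc.man and select
# the extra domain controllers for a user's site. Site patterns support
# ? (one character) and * (any sequence), as described above. The file
# content is the page's own example, embedded so the example runs offline.
DC_MAN = """\
domain example.com
# Every user should get a password reset on this central DC:
site * centraldc.example.com
# Users in Madrid should get a reset in London too:
site madrid.* londondc1.example.com londondc2.example.com
# Users in Hong Kong should get a reset in Tokyo:
site hk.example.com tokdc1.example.com tokdc1.example.com
"""


def wildcard_to_regex(pattern):
    """Compile a dc.man site pattern into a regex.

    Only ? and * are wildcards; every other character, including '.', is
    matched literally, so "hk.example.com" does not match "hkXexampleXcom".
    Site names are DNS-style, hence the case-insensitive match (assumption).
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def parse_dc_man(text):
    """Return {domain: [(site_regex, [dc, ...]), ...]} in file order.

    A 'domain' line opens a section; each following 'site' line needs a
    pattern and at least one DC. Malformed lines raise rather than being
    skipped, so a broken file cannot silently drop a reset target.
    """
    rules = {}
    domain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        keyword = fields[0].lower()
        if keyword == "domain" and len(fields) == 2:
            domain = fields[1].lower()
            rules.setdefault(domain, [])
        elif keyword == "site" and len(fields) >= 3:
            if domain is None:
                raise ValueError("site line before any domain line: " + line)
            rules[domain].append((wildcard_to_regex(fields[1]), fields[2:]))
        else:
            raise ValueError("malformed dc.man line: " + line)
    return rules


def extra_dcs_for_site(rules, domain, site):
    """DCs named by every rule whose pattern matches the site.

    All matching rules contribute (a 'site *' rule plus a regional rule
    both apply), preserving file order and dropping duplicate DC names,
    such as the repeated tokdc1.example.com in the sample above.
    """
    chosen = []
    for regex, dcs in rules.get(domain.lower(), []):
        if regex.match(site):
            for dc in dcs:
                if dc not in chosen:
                    chosen.append(dc)
    return chosen


def matches_site_pattern(pattern, site):
    """Expose the wildcard semantics on their own for quick checks."""
    return wildcard_to_regex(pattern).match(site) is not None
```

For a user in madrid.example.com the result is centraldc, londondc1 and londondc2; for hk.example.com it is centraldc and tokdc1 (once); for any other site only centraldc. Because every extra DC receives the new password directly, the list should be reviewed whenever sites or DCs are decommissioned: a stale entry means a reset silently fails on that host.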