Mi-Enterprise Middleware installations with the appropriate license may enable the use of Active Directory to retrieve security groups and their members into Groups and Users on the Server.
This guide highlights some key recommendations only; refer to the Server manual for the full documentation of the Active Directory settings.
To enable this feature,
1. Log into the Server's Setup page (http://[server name]/Setup.aspx) as a Global Administrator.
2. Select "Modify Customers".
3. While adding or editing a customer, select "Advanced Settings" and check "Use Active Directory?"
To configure Active Directory,
1. Set the "Domain" information
   a. Provider (default "LDAP://") - in most if not all installations we have encountered, this is left as is.
   b. Server (e.g. "dc.company.com") - the FQDN of your Active Directory Domain Controller.
   c. Object Name (e.g. "DC=abc,DC=company,DC=com") - this setting is critical and the source of most configuration issues. Some recommendations:
      1. Use the DC=xyz,DC=abc,DC=com format, i.e. the distinguished name of the domain.
      2. Avoid including an OU (Organizational Unit) in the Object Name; in most if not all cases this has not been successful.
      3. Use as narrow a scope as possible, but not so narrow that it misses the targeted security groups and users beneath it.
   d. Authentication Types (default "Secure") - in most if not all installations we have encountered, this is left as is. Leave it at "Secure": the service account is then authenticated with Windows authentication (Kerberos/NTLM) rather than a simple LDAP bind, which would send the password in cleartext unless the connection is otherwise protected.
2. Set the "Service Account"
   Enter the Username and Password and use the "Test Credentials..." button to test both the service account and the "Domain" settings above. Results appear at the very bottom of the page.
   If an error appears, change either the Domain settings or the Service Account and use "Test Credentials..." again until the test succeeds.
   Use a dedicated account here with only the rights it needs: reading security groups and their membership does not require an administrative account in a default Active Directory configuration, and the Server keeps these credentials to run the periodic sync, so limit what they can do if they are ever exposed.
3. Set the "Groups"
   In this section you define which AD security groups will be "Synced". There are two options:
   a. Use the button "Get groups from Active Directory...", which retrieves all security groups and displays them in the listbox to the right. (If the number of groups retrieved is large, the second option may be more practical.)
   b. Use the text field to enter the name of each security group manually, delimited by commas, then click "Add group(s) to list and select".
   With either option, the groups highlighted in the listbox are the ones that will be "Synced" when the AD settings are saved.
4. Review the remaining settings
   Most of the settings in this section are left unchanged except for the last item, "The amount of time to wait before querying the Active Directory server again for changes" (default 00:05:00, i.e. every 5 minutes). Because the default is only 5 minutes, change it to avoid querying AD that frequently; a setting of 24:00:00 is recommended. Note that this interval is also how long it can take for a group change in AD to reach the Server: with 24:00:00, a user removed from a synced group may keep that membership on the Server for up to a day, so pick a value that balances AD load against how quickly removals need to take effect.
5. Click "Save".
6. Wait for AD synchronization to take place...
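The Setup page only reports success or failure at the bottom of the page, so it helps to reproduce the same checks from a console on a machine that can reach the domain controller before filling in the form. The PowerShell below is an added example and is not part of the product or its documentation: it binds to the ADSI path the page builds from Provider, Server and Object Name using the service account under the "Secure" authentication type, warns if the Object Name contains an OU, and then looks up each target security group and counts its direct members. The server name, Object Name, account name and group names are placeholders.

```powershell
# Added example (not product code). Reproduces, outside the Setup page, what
# "Test Credentials..." checks: the LDAP path built from Provider + Server + Object Name
# binds with the service account under the "Secure" authentication type, and the
# target security groups are visible beneath that Object Name.
# Assumed placeholders: dc.company.com, DC=abc,DC=company,DC=com, ABC\svc-mfs-adsync,
# and the group names MFS-Users / MFS-Approvers.

Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # Escape the characters that have meaning inside an LDAP filter (RFC 4515).
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Test-MfsAdBinding {
    param(
        [string]$Provider = 'LDAP://',
        [Parameter(Mandatory)][string]$Server,        # FQDN of a domain controller
        [Parameter(Mandatory)][string]$ObjectName,    # e.g. DC=abc,DC=company,DC=com
        [Parameter(Mandatory)][pscredential]$ServiceAccount,
        [string[]]$Groups = @()
    )

    if ($ObjectName -match '(?i)(^|,)\s*OU=') {
        Write-Warning 'Object Name contains an OU; the guide recommends a DC=...,DC=... base only.'
    }

    # The three Domain fields combine into a single ADSI path.
    $path = '{0}{1}/{2}' -f $Provider, $Server, $ObjectName
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure   # Windows auth, no cleartext simple bind

    $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList @(
        $path,
        $ServiceAccount.UserName,
        $ServiceAccount.GetNetworkCredential().Password,
        $auth)

    # Touching NativeObject forces the bind; a wrong Object Name, unreachable DC or bad
    # credentials throw here, which is what the Setup page reports as a failed test.
    try { $null = $root.NativeObject }
    catch { throw "Bind to $path as $($ServiceAccount.UserName) failed: $($_.Exception.Message)" }

    $groupResults = foreach ($name in $Groups) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
        $searcher.SearchScope = 'Subtree'
        # Security groups only: groupType bit 0x80000000 set (1.2.840.113556.1.4.803 = bitwise AND).
        $escaped = ConvertTo-LdapFilterValue $name
        $searcher.Filter = "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648)(sAMAccountName=$escaped))"
        $null = $searcher.PropertiesToLoad.Add('member')
        $hit = $searcher.FindOne()

        $memberCount = 0
        if ($hit) { $memberCount = @($hit.Properties['member']).Count }
        [pscustomobject]@{ Group = $name; Found = [bool]$hit; DirectMembers = $memberCount }
    }

    [pscustomobject]@{ Path = $path; Bound = $true; Groups = @($groupResults) }
}

# Usage: prompt for the service account password instead of storing it in the script.
$cred = Get-Credential -UserName 'ABC\svc-mfs-adsync' -Message 'MFS AD service account'
$check = Test-MfsAdBinding -Server 'dc.company.com' -ObjectName 'DC=abc,DC=company,DC=com' `
    -ServiceAccount $cred -Groups 'MFS-Users', 'MFS-Approvers'
$check | Format-List
$check.Groups | Format-Table -AutoSize
```

A group that is "Found" but shows zero direct members is worth a second look before saving: the Object Name may sit below the container that holds the members, or the group may only contain nested groups. The `member` attribute is also returned by the directory in ranges of 1500 values, so the count is a sanity check, not an exact figure for very large groups.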
Note that the limits defined in the Server license (e.g. "max users") also apply to the AD Sync process: once the maximum number of users is reached, AD Sync will not retrieve and create any further users.
Depending on the synchronization frequency selected, the Server periodically queries AD for the security groups and their members.
Besides logging into the Customer and viewing the list of Groups and Users, the Server log provides more detailed information on AD Sync progress. By default the log is located at c:\MFS\Logs\mfs.txt. Open it in a text editor, scroll to the most recent entries at the bottom, and then search upward for "ActiveDirectoryUpdatingEngine".