Sync Users from Active Directory or LDAP

To sync users from Active Directory or a Lightweight Directory Access Protocol (LDAP) database, you must add an external identity and create one or more queries.

In AuthPoint, LDAP external identities represent external user databases. They connect to user databases to get user account information and validate passwords. The queries you add to an external identity specify which users to sync from your Active Directory or LDAP database. They pull user information and create AuthPoint user accounts for the users that are found.

There are two ways to query users:

  • Group Sync — Select the LDAP groups you want to sync users from and AuthPoint creates the query for you
  • Advanced Queries — Create your own LDAP queries to specify which groups or users to sync

LDAP external identities must be added to the configuration for a Gateway, and the AuthPoint Gateway must be installed on your corporate network in a location that has Internet access and that can connect to your LDAP server. The Gateway enables communication between WatchGuard Cloud and your Active Directory or LDAP database.

To delete an LDAP user in AuthPoint, the best practice is to remove the user from their AD or LDAP group to give them the Quarantine status in AuthPoint, then delete the user in AuthPoint. For more information, see Quarantined Users.

Add an External Identity

  1. Select External Identities.
  2. From the Choose an External Identity Type drop-down list, select LDAP. Click Add.
  3. In the Name text box, type a descriptive name for the external identity.
  4. In the LDAP Search Base text box, type your LDAP database. In this example, the domain is example.com, so we type dc=example,dc=com.

    Tip: The standard format for the search base setting is ou=<name of organizational unit>,dc=<first part of the distinguished server name>,dc=<any part of the distinguished server name that appears after the dot>.

    For more information about LDAP syntax and how to use a search base to limit the directories on the authentication server where the external identity can search for users, see Find Your Active Directory Search Base.

  5. In the System Account and Passphrase text boxes, type the credentials for a user that has permissions to perform LDAP searches and binds. If this user is not in the default Users folder, select the slider and type the full distinguished name of the user.

    Tip: The standard format for the distinguished name of a user is cn=<name of user>,ou=<name of organizational unit>,dc=<first part of the distinguished server name>,dc=<any part of the distinguished server name that appears after the dot>.

    In this example, we have a user named administrator that is in an OU called AuthPoint (not the default Users folder). So we must select the slider and type the distinguished name of our user as CN=administrator,OU=AuthPoint,DC=example,DC=com.

    The System Account user does not have to be an administrator.

  6. From the Synchronization Interval drop-down list, specify how often you want to synchronize the LDAP database. If you select Every 24 hours, you must also specify what time the synchronization starts each day.
  7. For Type, select whether this is an Active Directory or a different type of LDAP database. For other databases, you must specify each attribute value. You do not have to do this for Active Directory because the attribute values are known.
  8. In the Domain text box, type your LDAP domain name.
  9. If this is not an Active Directory database, type a value for each attribute.
  10. In the Server Address text box, type the IP address of your LDAP server.
  11. In the Server Port text box, type the port for your server.
  12. Click Save.

Add the External Identity to the Gateway Configuration

The external identity must be added to the configuration for a Gateway that is installed on your corporate network and has access to the LDAP server. Once you do that, you can test the connection to your LDAP database.

If you do not have an existing Gateway, you must add one. For more information, see About Gateways.

To add an external identity to the configuration for a Gateway:

  1. Select Gateway.
  2. Click the Name of your Gateway.
  3. In the LDAP section, in the Select an LDAP external identity list, select the external identity for your LDAP or Active Directory server.
  4. Click Save.

Your external identity is now connected to your Gateway. This enables communication between WatchGuard Cloud and your Active Directory or LDAP database.

To test the connection to your external identity:

  1. From the navigation menu, select External Identities.
  2. Next to the external identity you added for your LDAP database, click and select Check Connection.

Sync Your Users

Now that you have created an external identity for your LDAP database and connected the external identity to your Gateway configuration, you must specify which users to sync from your LDAP database.

There are two ways to query users:

  • Use the group sync feature (recommended)
  • Create an advanced query

After you add a query to find your users (manually or with group sync), AuthPoint syncs with your Active Directory or LDAP database at the next synchronization interval (defined in the Synchronization Interval drop-down list on the LDAP Configuration page for your external identity), and an AuthPoint user account is created for each user identified by the query. If your query returns more users than you have available licenses for, the sync only creates as many users as your license supports.

LDAP users that do not have a name, user name, or email address are not included in the synchronization.

The created user accounts appear on the Users page with a green Activated status icon next to the user name. The Activated status icon indicates that the user has been created and is currently active (not blocked). You can identify users synced from an external identity by the LDAP tag next to their name in the list of users.

Each user is sent an email that they use to activate their token in the AuthPoint mobile app. When a user activates their token, their token information is shown in the Token column with a green Activated status icon next to the token.

Before you continue, make sure that each user account has a valid email address. If the email address for a user account is not correct, the user cannot receive the email message to activate a token.

Group Sync

With group sync, you select the LDAP groups you want to sync users from and the AuthPoint group the users are added to. We recommend that you use group sync to sync your users because it creates a query for you.

Before you continue, be aware of these requirements:

  • If the selected LDAP groups have more users than you have available licenses for, the sync only creates as many users as your license supports
  • LDAP users that do not have a name, user name, or email address are not included in the synchronization

To sync LDAP groups:

  1. Select External Identities.
  2. Next to your external identity, click and select Group Sync.
  3. On the Group Sync page, click Add New Group to Sync.
  4. In the Add Group Sync window, from the Select LDAP Groups drop-down list, select the LDAP groups you want to sync users from. You can select multiple groups.
  5. From the Select the Group drop-down list, select the AuthPoint group to add the users to.

    For each group sync, all users are added to the same AuthPoint group. To add users to separate AuthPoint groups, you must create a separate group sync for each LDAP group whose users you want in a different AuthPoint group.

  6. Click Save.
    The Add Group Sync window closes.

AuthPoint syncs with your Active Directory or LDAP database at the next synchronization interval (defined in the Synchronization Interval drop-down list on the LDAP Configuration page for your external identity), and an AuthPoint user account is created for each user identified by the query.

To start a sync immediately, on the External Identities page, next to your external identity, click and select Start Synchronization.

If a user is deleted in your Active Directory or LDAP database, the related AuthPoint user account is not deleted. Instead, the user is given the Quarantine status. For more information, see Quarantined Users.

Add an Advanced Query

With advanced queries, you can create your own LDAP query to specify which groups or users to sync. When you add and validate an advanced query, AuthPoint user accounts are created for each user identified by the query.

Before you continue, be aware of these requirements:

  • If your query returns more users than you have available licenses for, AuthPoint only creates as many users as your license supports
  • LDAP users that do not have a name, user name, or email address are not included in the synchronization

To add an advanced query:

  1. Select External Identities.
  2. Next to the LDAP external identity you added, click and select Advanced Query.
  3. On the Advanced Query page, click Add Advanced Query.
  4. In the Name text box, type a descriptive name for the query.
  5. From the Group drop-down list, select the AuthPoint group to add the users from this query to.
  6. In the Advanced Query text box, type your query. In most cases, your query will be memberOf= followed by the distinguished name of the group you want to sync with the query. The distinguished name of our group is CN=MyAuthGroup,CN=Users,DC=myorg,DC=local, so our query is memberOf=CN=MyAuthGroup,CN=Users,DC=myorg,DC=local.
  7. Click Validate Advanced Query to preview your query results. You can see the number of users your query returns and a preview of the first 10 users.

    No users are synced when you validate a query. Users are only synced after you have added your query to the external identity and saved the changes.

  8. Click Add to add your query to the external identity.

AuthPoint syncs with your Active Directory or LDAP database at the next synchronization interval (defined in the Synchronization Interval drop-down list on the LDAP Configuration page for your external identity), and an AuthPoint user account is created for each user identified by the advanced query.

To start a sync immediately, on the External Identities page, next to your external identity, click and select Start Synchronization.

If a user is deleted in your Active Directory or LDAP database, the related AuthPoint user account is not deleted. Instead, the user is given the Quarantine status. For more information, see Quarantined Users.
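The following script is an added pre-flight check, not part of this page or of AuthPoint: it builds the search base and the memberOf query in the formats described above, escapes the group DN so that characters such as parentheses cannot change the meaning of an LDAP filter, and models the two sync rules stated on this page (users without a name, user name or email address are skipped, and no more users are created than licenses allow). The Active Directory attribute names displayName, sAMAccountName and mail, and the sample entries, are assumptions; run the real query against your server with the same system account you gave the external identity.

```python
"""Offline pre-flight check for an AuthPoint LDAP advanced query (added example)."""

def search_base_from_domain(domain: str) -> str:
    """example.com -> dc=example,dc=com, the search base format used on this page."""
    return ",".join(f"dc={part}" for part in domain.split("."))

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an LDAP filter assertion value (the DN inside memberOf=...)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def member_of_query(group_dn: str) -> str:
    """memberOf=<group DN>, as typed in the Advanced Query text box (no outer parentheses)."""
    return f"memberOf={escape_filter_value(group_dn)}"

# Assumed AD attributes that carry the name, user name and email address AuthPoint requires.
REQUIRED_ATTRS = ("displayName", "sAMAccountName", "mail")

def plan_sync(entries, licenses_available: int):
    """Model of the sync rules on this page: skip entries missing a required attribute,
    then create users only while a license is available. Returns (accepted, skipped)."""
    accepted, skipped = [], []
    for entry in entries:
        missing = [a for a in REQUIRED_ATTRS if not entry.get(a)]
        if missing:
            skipped.append((entry["dn"], "missing " + ", ".join(missing)))
        elif len(accepted) >= licenses_available:
            skipped.append((entry["dn"], "no license available"))
        else:
            accepted.append(entry["dn"])
    return accepted, skipped

# Constructed sample results, shaped like entries the example group query might return.
SAMPLE_ENTRIES = [
    {"dn": "CN=alice,CN=Users,DC=myorg,DC=local", "displayName": "Alice",
     "sAMAccountName": "alice", "mail": "alice@myorg.local"},
    {"dn": "CN=bob,CN=Users,DC=myorg,DC=local", "displayName": "Bob",
     "sAMAccountName": "bob", "mail": ""},  # no email: AuthPoint cannot send the activation mail
    {"dn": "CN=carol,CN=Users,DC=myorg,DC=local", "displayName": "Carol",
     "sAMAccountName": "carol", "mail": "carol@myorg.local"},
    {"dn": "CN=dave,CN=Users,DC=myorg,DC=local", "displayName": "Dave",
     "sAMAccountName": "dave", "mail": "dave@myorg.local"},
]

if __name__ == "__main__":
    print(search_base_from_domain("example.com"))
    print(member_of_query("CN=MyAuthGroup,CN=Users,DC=myorg,DC=local"))
    accepted, skipped = plan_sync(SAMPLE_ENTRIES, licenses_available=2)
    print("would create:", accepted)
    for dn, reason in skipped:
        print("would skip:", dn, "-", reason)
```

Fix the skipped entries in the directory (or free licenses) before the scheduled sync, because a skipped user silently gets no AuthPoint account and no activation email.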

Edit an Advanced Query

  1. Select External Identities.
  2. Next to the LDAP external identity you added, click and select Advanced Query.
  3. On the Advanced Query page, from the queries list, click the Name of the query you want to edit.
  4. In the Add Advanced Query window, make your changes.
  5. Click Update.

See Also

Add Users Manually

About Gateways

Quarantined Users