I'm working for a large corporate that has a large user account store in Oracle Unified Directory (LDAP). They want to take these existing accounts and synchronise them to Azure Active Directory for Azure application services such as future Office 365 services. Microsoft state here that Azure Active Directory Connect (AAD Connect) will, in a 'Future Release' version, provide native LDAP support ("Connect to single on-premises LDAP directory"), so timing-wise I'm in a difficult position: do I guide my customer to try to use the latest version (at the time of writing: v1.1.649.0) or wait for this 'Future Release' version?

This blog post won't have a very long lifespan; a new version of AAD Connect with native LDAP tree support may be released at any time, so make sure you research AAD Connect just before providing a design or implementation. My customer doesn't have any requirement for 'write back' facilities (where data is written back from Azure Active Directory to the local directory user store), so this blog post covers only a direct export from the on-premises LDAP into Azure Active Directory. I contacted Microsoft and they stated that connectivity from AAD Connect to LDAP is supported 'today', so I've spun up a Proof of Concept (PoC) lab to work out how to get it working in this latest version of AAD Connect. Good news first: it works! Bad news: it's not very well documented, so I've written this blog post to outline what I learned in getting it working in my PoC lab.

I don't have access to the Oracle Unified Directory in my PoC lab, so I substituted Active Directory Lightweight Directory Services (AD LDS); my configuration therefore reflects the use of AD LDS. During the AAD Connect installation wizard, specifically the 'Connect your directories' page, it expects to connect to an AD DS forest in order to progress the installation. In this version of AAD Connect the 'Directory Type' listbox only shows 'Active Directory', which I expect to include more options when the 'Future Release' version is available. I created a single Domain Controller forest root domain and used the local HOSTS file of my AAD Connect Windows Server to point the forest root domain FQDN (e.g. 'forestAD.internal') to the IP address of that Domain Controller. I didn't need to 'join' my AAD Connect Windows Server to that domain to complete the installation, the intention being that this AD DS is easy to decommission if it's put into Production and Microsoft releases an AAD Connect version that doesn't require AD DS.

If I tried to use a native Windows Server user (i.e. 'Server\username'), it would just give me generic connection errors and never bind to the LDAP tree, even though that user had full administrative rights to the AD LDS tree. I gave up troubleshooting this, so I've resigned myself to needing a service account in the LDAP tree itself.

If you 'edit' each of the existing AD DS rules, you'll get a choice to create a copy of that rule and disable the original. Selecting 'Yes' creates a copy of that rule, and you can then modify the 'Connected System' to use the LDAP Connector instead of the AD DS Connector. I also changed the priority numbering of each of the rules from '201' to '203' so that these new rules are applied last in my Synchronization Engine. I ended up with three new 'cloned' rules for my LDAP Connector. I found I had to edit or remove any rules that required the following:

There are obviously many, many ways of configuring the rules for your LDAP tree, but I thought I'd share how I did it with AD LDS. The reason I 'cloned' existing rules was primarily to protect the data integrity of Azure AD. There are many, many default data mapping rules for Azure AD that come with the AD DS rule set; a large number of them use 'TRIM' and 'LEFT' functions to make sure the data reaches Azure AD with the correct formatting. It will be interesting to see how Microsoft tackles these rule sets in a more 'wizard' driven approach, particularly since LDAP trees can be highly customised with unique attribute names and data types.

Before closing the 'Synchronization Rules Editor', don't forget to 're-enable' each of the rules (e.g. the AD DS Connector rules) you previously cloned, as the Synchronization Rules Editor assumes you're no longer using the Connector they belong to. Select the original rule you cloned and uncheck the 'Disabled' box.

Lastly, you might be wondering: how does the AAD Connect Scheduler (the one based entirely in PowerShell, with seemingly no customisation commands) pick up the new LDAP Connector? Well, it's simply a matter of naming your 'Run Profiles' in the Synchronization Engine with the text 'Delta' and 'Full' where required. Select 'Configure Run Profiles' in the Engine for your LDAP Connector. I then created 'Run Profiles' with the same naming convention as those created for AD DS and Azure AD. The next time I ran an 'Initial' (which executes the 'Full Import' and 'Full Sync.' jobs) or a 'Delta' AD Scheduler job (I've previously blogged about the AD Scheduler, but you can find the official Microsoft doc on it here), my new LDAP Connector Run Profiles were executed automatically alongside the AD DS and AAD Connector Run Profiles.

Before I finally finish up, my colleague David Minnelli has found IDAMPundit's blog post about a recent bug when upgrading to AAD Connect v1.1.649.0 if you already have an LDAP Connector. In a nutshell, just open the existing LDAP Connector, step through each page and re-save it to clear the issue.

Edit: someone has asked how I'm authenticating with these accounts. I'm leveraging an existing SecureAuth service that uses the WS-Federation protocol to talk to Azure AD. So 'Federation', basically: I'm not extracting passwords out of this LDAP or doing any sort of password hash synchronization.
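The three things the walkthrough above depends on (LDAP run profiles named with 'Delta' and 'Full', cloned LDAP rules at priority 203, and the original AD DS rules re-enabled) are easy to get wrong silently, so here is an added post-configuration check in PowerShell. It is my example, not code from the original post or from Microsoft; it assumes the ADSync module that ships with AAD Connect, that connector objects expose a RunProfiles collection, and placeholder connector names that you would replace with your own.

```powershell
# Added verification script (not from the original post). Assumes the ADSync
# module on the AAD Connect server; connector names below are placeholders.
Import-Module ADSync

$ldapConnectorName = 'LDAP Connector'     # placeholder: your LDAP / AD LDS connector
$adConnectorName   = 'forestAD.internal'  # placeholder: your AD DS connector

$ldap = Get-ADSyncConnector -Name $ldapConnectorName
$ad   = Get-ADSyncConnector -Name $adConnectorName
if (-not $ldap -or -not $ad) { throw 'Connector not found; check the names above.' }

$problems = @()

# 1. The scheduler only picks up run profiles whose names contain 'Delta' or
#    'Full', so the LDAP connector needs at least one of each.
#    (Assumes the connector object's RunProfiles property.)
$profileNames = $ldap.RunProfiles | ForEach-Object { $_.Name }
foreach ($kind in 'Delta', 'Full') {
    if (-not ($profileNames | Where-Object { $_ -match $kind })) {
        $problems += "LDAP connector has no run profile containing '$kind'"
    }
}

# 2. Rules cloned for the LDAP connector should sit at priority 203 so they
#    apply after the default AD DS and Azure AD rules, and must be enabled.
$ldapRules = Get-ADSyncRule | Where-Object { $_.Connector -eq $ldap.Identifier }
foreach ($r in $ldapRules) {
    if ($r.Priority -ne 203) {
        $problems += "LDAP rule '$($r.Name)' has priority $($r.Priority), expected 203"
    }
    if ($r.Disabled) { $problems += "LDAP rule '$($r.Name)' is disabled" }
}

# 3. The original AD DS rules must be re-enabled after cloning; a rule left
#    disabled silently drops that attribute flow for every AD DS user.
$disabledAd = Get-ADSyncRule |
    Where-Object { $_.Connector -eq $ad.Identifier -and $_.Disabled }
foreach ($r in $disabledAd) { $problems += "AD DS rule '$($r.Name)' is still disabled" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'All checks passed.'
}
```

Run it from an elevated PowerShell session on the AAD Connect server after closing the Synchronization Rules Editor and before the next scheduled sync cycle.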