Active Directory Integration Guide
- 1 Active Directory Overview
- 2 Active Directory Configuration
- 2.1 LDAP Connections
- 3 Active Directory User Import
- 3.1 Filter Import by Organizational Unit and Group
- 3.2 User Attribute Mapping
- 3.3 Users Import Filters
- 3.4 Understanding Attribute Based Access Control
- 3.5 Active Directory Administrator Import
- 3.6 Mapping Access Group Field to Physical Access Group
- 3.7 User Access Groups
- 3.8 Attribute Based Access Control Use Cases
Active Directory Overview
Active Directory integration is a way to integrate the Physical Access Control System with the existing logical infrastructure. In order to configure Active Directory you must log in with the system account.
This section covers how to converge the logical provisioning that exists in Microsoft Active Directory with the logical access control of Primis. It is intended to go over the basic configuration of Active Directory with Primis to get your system up and running.
Active Directory Configuration
To configure Active Directory in Primis:
1. Log in to Primis with the system account.
2. Click on the System navigation tab.
3. On the left, click on the Active Directory link.
Options | Description |
Connection Timeout | The connection timeout in seconds to the Active Directory server. |
Audit Data Enabled | When this is enabled, all changes made through the Active Directory integration will be logged in the Audit logs. Enabling this option will dramatically increase the number of logs. The minimum hard disk space recommended is 500 GB when this feature is enabled. |
Web Login Enabled | Groups of administrators can be assigned to an administrator account. That account will link the admin profile to that permission for administration. It is recommended that you name these types of accounts differently from your standard user base to support the integration. |
User Sync Start Time | The start time of the synchronization of users, organizational units, and groups from LDAP connections. Multiple synchronizations can be scheduled to run at different times of the day. |
User Sync Read Timeout | The timeout in seconds before the query issued by user sync is aborted. |
Force Update Enabled | This will force user updates from the Active Directory structure. |
Live Update Enabled | This feature enables an OU, Group, and Access Group attribute check against Active Directory on every card scan. If disabled, it will rely on the data from the scheduled synchronization. |
Live Update Read Timeout | The timeout in seconds before the query issued by live update is aborted. |
Live Update On Imported LDAP Connection | This setting is only applicable when multiple LDAP connections are configured. When enabled, if the PIN/card data is already imported to Primis, Live Update will first be performed on the LDAP connection that the PIN/card data was imported from, in order to speed up the Live Update process. |
4. Click the Save button to save the configuration.
LDAP Connections
To add a new LDAP connection:
1. On the Active Directory Configuration page, click the Add LDAP Connection button.
2. On the LDAP Connection page, enter the connection information of the LDAP server.
Options | Description |
Name | The name of the LDAP connection. |
Server URL | The URL of the LDAP server. |
Search Base | Using the query structure, this is the search base for all queries. |
Domain | The DNS name of the domain that you would like to connect to. |
Username (User ID) | A user that has permissions to query the Active Directory domain defined above. |
Password | Password of the Active Directory user. |
3. Click the Test Connection button to confirm Primis can connect to the LDAP server.
4. Click the Save button to add the LDAP connection.
5. After the LDAP connection is saved, click the Cancel button to return to the Active Directory Configuration page.
6. On the Active Directory Configuration page, click the One Time Sync button to import the OUs and LDAP groups from the LDAP server.
7. Go to the Events tab, deselect Show Access Events Only, and check the event messages for LDAP synchronization status. After the LDAP synchronization is finished, go back to the Active Directory Configuration page and click the LDAP Connection that you just added. From the LDAP Connection page, you can specify the criteria for importing users and admin users from the LDAP Server.
Active Directory User Import
Filter Import by Organizational Unit and Group
From the search base provided in setup, the import screen populates with the Groups and Organizational Units (OUs). When a Group or OU is selected, only the users it contains are pulled into the Primis system to manage.
Note: Users who are moved into or out of these defined areas will be added to or deleted from the Primis system during the user synchronization.
To Import Users:
1. On the LDAP Connection page, click the Import Users button.
2. On the Import Users page: To import all users, check the Import All Users box. To import users from Groups and OUs, click the entry in the Available box to move it to the Selected box. To search users in nested Active Directory groups, select the Nested Group Search checkbox.
Options | Description |
Import All Users From Groups | Imports all users who are part of the selected AD groups. |
Import All Users From OUs | Imports all users found in the OU, and all sub OUs. |
3. Click the Save button to save the import user configuration.
User Attribute Mapping
There are two types of fields to map in the User Attributes Mapping tab: fields that are automatically mapped, and fields selected by the user.
On the Import Users page, click the User Attributes Mapping tab.
Automatically Mapped Fields: These fields are defined and statically mapped to AD attributes.
Primis User Attribute | Active Directory Name |
Username (User ID) | objectSid |
First Name | givenName |
Last Name | sn |
Display Name | displayName |
Telephone | telephoneNumber |
Primis Selected Mapped Fields:
Primis User Attribute | Mapping Behaviour and Features |
Start Date | The date must be a properly formatted date. If specified, it will be the start date of the user access. |
Expiry Date | The date must be a properly formatted date, and will disable the user credentials after the defined expiry date. |
Card Data | Map to multiple AD attributes. When a card is deleted from active directory, it will be deleted in Primis. |
Pin | Select mapping to a single AD attribute. This attribute will be mapped to the User PIN in Primis. The value in this AD attribute must be unique. |
Access Linked AD Attributes | Map to multiple AD attributes. All values found across all users are listed so that each value can be assigned to an access group. If a user has an attribute value that is assigned to an access group, they will be granted that access. |
User Category | Select mapping to multiple AD attributes. The first value found in the mapped AD attributes will be used as the user’s category. |
Custom Fields | Select mapping to a single AD attribute; the attribute chosen in Active Directory may be a multi-valued string. A custom mapping name is supported. |
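The rules in the two tables above (single versus multiple source attributes, "first value found" for the user category, a PIN that must be unique, and dates that must be properly formatted) are easy to get wrong in a sync job. The following is an added example, not Primis code, that applies them to constructed AD entries and reports which records a sync would have to reject; the extensionAttribute names in MAPPING are an assumed configuration.

```python
from datetime import date
# Constructed mapping for the "Primis selected" fields (an assumption, not a real Primis config).
MAPPING = {
    'start_date': 'extensionAttribute1',       # single attribute holding an ISO 8601 date
    'expiry_date': 'extensionAttribute2',      # single attribute holding an ISO 8601 date
    'card_data': ['extensionAttribute3', 'extensionAttribute4'],  # several attributes, all values kept
    'pin': 'employeeID',                       # single attribute whose value must be unique
    'user_category': ['department', 'title'],  # first value found across these attributes wins
}

def map_user(entry):
    """Map one AD entry (attribute -> list of values) to a Primis-style user record."""
    def first(attr):
        values = entry.get(attr) or []
        return values[0] if values else None
    def as_date(value):  # ValueError for anything but a properly formatted ISO 8601 date
        return None if value is None else date.fromisoformat(value)
    return {
        'username': first('objectSid'),  # automatically mapped field
        'start_date': as_date(first(MAPPING['start_date'])),
        'expiry_date': as_date(first(MAPPING['expiry_date'])),
        'card_data': [v for attr in MAPPING['card_data'] for v in entry.get(attr, [])],
        'pin': first(MAPPING['pin']),
        'user_category': next((first(a) for a in MAPPING['user_category'] if first(a)), None),
    }

def sync_users(entries):
    """Map every entry, rejecting malformed dates and PINs another user already holds."""
    users, errors, seen_pins = [], [], {}
    for entry in entries:
        account = entry.get('sAMAccountName', ['?'])[0]
        try:
            user = map_user(entry)
        except ValueError as exc:
            errors.append((account, 'bad date: %s' % exc))
            continue
        pin = user['pin']
        if pin in seen_pins:
            errors.append((account, 'PIN already used by %s' % seen_pins[pin]))
            continue
        if pin is not None: seen_pins[pin] = account
        users.append(user)
    return users, errors
SAMPLE_ENTRIES = [  # constructed: a valid user, a PIN collision, a malformed expiry date
    {'objectSid': ['S-1-5-21-1-1-1001'], 'sAMAccountName': ['alovelace'], 'employeeID': ['4821'],
     'extensionAttribute1': ['2024-01-15'], 'extensionAttribute3': ['0000123456'], 'department': ['Engineering']},
    {'objectSid': ['S-1-5-21-1-1-1002'], 'sAMAccountName': ['bsmith'], 'employeeID': ['4821'], 'title': ['Contractor']},
    {'objectSid': ['S-1-5-21-1-1-1003'], 'sAMAccountName': ['cjones'], 'extensionAttribute2': ['31/12/2024']},
]
```

Running sync_users(SAMPLE_ENTRIES) imports only the first user; the second is rejected for reusing PIN 4821 and the third for a date that is not properly formatted.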
Users Import Filters
To further refine the import criteria on importing users, you can create filters based on the value of the user’s AD attributes.
On the Import Users page, click the AD Users Import Filters tab.
There are two ways to specify the user import filter. By selecting the Attribute Exclusion Filter option, you can define filters to exclude certain users from importing to Primis. Alternatively, you can select the Advanced LDAP Filter option to specify the actual import filter query for importing users to Primis.
Define Attribute Exclusion Filter
Define LDAP filter query
Click the Save button to save the configuration.
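The Advanced LDAP Filter option above takes a raw filter query. The following is an added example, not Primis code, that assembles such a query from group DNs and attribute exclusions with RFC 4515 escaping, so that a value typed into an exclusion cannot change the structure of the filter. The nested-group matching rule OID is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN; the group DNs and attribute names used in the test are constructed.

```python
import re

# Attribute descriptions (RFC 4512) are letters, digits and hyphens, so an attribute name
# chosen in the UI can be validated before it is placed in the filter.
ATTR_NAME = re.compile(r'[A-Za-z][A-Za-z0-9-]*')

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN: makes memberOf follow nested groups.
NESTED_MEMBER_RULE = '1.2.840.113556.1.4.1941'

def ldap_escape(value):
    """Escape the characters RFC 4515 reserves in an assertion value: * ( ) backslash and NUL."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

def build_import_filter(group_dns=(), nested=False, exclusions=()):
    """Return an LDAP filter for user objects that belong to one of group_dns (optionally
    through nested groups) and match none of the (attribute, value) exclusions."""
    clauses = ['(objectCategory=person)', '(objectClass=user)']
    if group_dns:
        rule = ':%s:' % NESTED_MEMBER_RULE if nested else ''
        members = ''.join('(memberOf%s=%s)' % (rule, ldap_escape(dn)) for dn in group_dns)
        clauses.append(members if len(group_dns) == 1 else '(|%s)' % members)
    for attr, value in exclusions:
        if not ATTR_NAME.fullmatch(attr):
            raise ValueError('invalid attribute name: %r' % attr)
        clauses.append('(!(%s=%s))' % (attr, ldap_escape(value)))
    return '(&%s)' % ''.join(clauses)
```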
Understanding Attribute Based Access Control
Linking Access Groups to Active Directory attributes lets the administration team cut down on the time spent managing each user's physical access individually.
Active Directory Administrator Import
Groups of administrators can be assigned to an administrator account by selecting Import Admin Users from the LDAP Connection dialog. That account will link the admin profile to that permission for administration. It is recommended that you name these types of accounts differently from your standard user base to support the integration.
To allow logins from this group, the Web Login Enabled box must be checked on the Active Directory Configuration page.
Mapping Access Group Field to Physical Access Group
Primis pulls into the attribute list all values of the selected attribute that are currently loaded in Active Directory. On every card scan, Primis asks Active Directory whether the user has the selected value.
User Access Groups
User access groups can be linked to AD Groups, OUs and/or Attributes.
Attribute Based Access Control Use Cases
Besides associating a user access group to AD OU(s) and Group(s), you can select an AD attribute and use it as an Access Linked AD attribute.
This allows for several use cases around applying logical attributes to the physical space:
Umbrella Company Management: by company name, you can grant contractors and employees access to areas within defined time frames.
Business Specific Attributes: every business has attributes that can drive access to physical areas:
Title
Department
Training Level
Geographic Association: allowing anyone from the state to have general access to your front door and lobby area.
Clearance Levels: clearance levels in AD allow internal controls on physical areas in the same way they control access within AD.