Active Directory(AD)
Active Directory (AD) is a service developed by Microsoft that provides a centralized way to manage all your network machines, users, and resources in one place.
Active Directory stores data as Objects, which include users, groups, applications, and devices. These objects are categorized based on their names and other attributes and they can be accessed by administrators in an organization. The objects can be organized as an independent group under an Organization Unit(OU). If your organization contains several domains, you can create organizational unit structures in each domain that are independent of the structures in other domains.
Qntrl can synchronize with Active Directory services through Bridge and can perform operations securely.
Use Case
If you want to add a user to the AD, you can create a job request in Qntrl and execute the job. Through Bridge, Qntrl connects to AD, adds the user, and returns a success response.
Prerequisite
- Organization Unit should be created in the AD server.
- While creating credentials, select Type as Active Directory and provide the User DN and Password of the AD. Click here to learn how to create a credential.
- If you are unable to connect with the Bridge AD server, check your hostname and network.
- By default, LDAP requests are made only through LDAP(non SSL). If you prefer to use LDAPS(SSL), enable LDAPS port on the AD server.
How to Enable LDAP over SSL(LDAPS)
- Set Up LDAPS: To facilitate SSL requests, it's essential to enable LDAP over SSL (LDAPS). Refer here to set up LDAPS on Windows Server.
- Obtain LDAPS Certificate: Once LDAPS is enabled, you'll receive a certificate, preferably in .pfx (password-protected) or .cer format. Copy this certificate to the machine where the bridge is installed.
- Modify LDAP Config File: Open the Bridge/conf/ldap-config.properties file and locate the bridge.ldap.use.ssl=false property. Change the value from 'false' to 'true' (i.e., bridge.ldap.use.ssl=true).
- Specify Certificate Format:
- For .cer format: bridge.ldap.file.type=cer
- For .pfx format: bridge.ldap.file.type=pfx (default is .pfx)
- Specify the file path of the certificate in the property bridge.ldap.ssl.certificate.path=<PATH_TO_CERTIFICATE>.
- For .pfx Certificates Only:
- Encrypt the certificate password before adding it to the configuration by navigating to the Bridge/bin directory and running encrypt.bat <PASSWORD>.
- Add the encrypted password to the configuration: bridge.ldap.ssl.certificate.password=<ENCRYPTED_PASSWORD>.
- Set Custom Port (Optional): By default, port 389 is used for non-SSL, and port 636 for SSL requests. To use a custom port, specify it in the property bridge.ldap.use.custom.port=<CUSTOM_PORT>.
- Restart Bridge: Once all configurations are completed, restart the bridge to apply the changes.
AD Tasks
The tasks linked with the AD Engine module and the request data for diverse operations executed in Active Directory via Bridge, outlined in the following section.
Common keys in Request data,
Keys | Description |
task_details | A JSON object that contains details of the task. |
ad_host | Location of the AD. |
ad_dn | Distinguished Name of AD. |
activity_name | Name of the activity performed in AD. |
task_name | A system-defined name for the respective modules. 'ad_task' is the task name for Active Directory. |
credential | A JSON object that contains the name of the AD server credential. |
name | Name of the AD server credential. |
object_name | Name of the object. |
object_type | Type of the object. |
organization_unit | Name of the OU. |
properties | A JSON object that contains additional information related to the user. |
objectClass | Category/type of the object. |
givenName | Display name of the user. |
user_name | Login name of the user in AD. |
password | Password of the user. |
Add AD User
To add a new user to the Active Directory in a private network.
Request data
{"task_name": "ad_task","task_details": {"ad_host": "<HOST_NAME>","ad_dn": "<DN OF THE AD MACHINE>","activity_name": "create_object","object_name": "<OBJECT_NAME>","organization_unit": "<ORGANIZATION_UNIT_NAME>","object_type": "user","properties": {"ObjectClass": "user","givenName": "<DISPLAY NAME OF THE USER>"}},"credential": {"name": "<CREDENTIAL_NAME>"}}
Add AD Computer
To add a new computer to the Active Directory of the client's network.
Request data
{"task_name": "ad_task","task_details": {"ad_host": "<HOST_NAME>","ad_dn": "<DN OF THE AD MACHINE>","activity_name": "create_object","object_name": "<OBJECT_NAME>","organization_unit": "<ORGANIZATION_UNIT_NAME>","object_type": "computer","properties": {"ObjectClass": "computer","givenName": "<DISPLAY NAME OF THE OBJECT>"}},"credential": {"name": "<CREDENTIAL_NAME>"}}
Add AD Group
To add a new group to the Active Directory of the client's network.
Request data
{"task_name": "ad_task","task_details": {"ad_host": "<HOST_NAME>","ad_dn": "<DN OF THE AD MACHINE>","activity_name": "create_object","object_name": "<OBJECT_NAME>","organization_unit": "<ORGANIZATION_UNIT_NAME>","object_type": "group","properties": {"ObjectClass": "group","givenName": "<DISPLAY NAME OF THE GROUP>"}},"credential": {"name": "<CREDENTIAL_NAME>"}}
Add User To Group
To add a user under a group in the Active Directory of the client's network.
Request data
{"task_name": "ad_task","task_details": {"ad_host": "<HOST_NAME>","ad_dn": "<DN OF THE AD MACHINE>","activity_name": "create_object","object_name": "<OBJECT_NAME>","organization_unit": "<ORGANIZATION_UNIT_NAME>","object_type": "group","properties": {"ObjectClass": "group","givenName": "<DISPLAY NAME OF THE GROUP>"}},"credential": {"name": "<CREDENTIAL_NAME>"}}
group_name - name of the group in AD.
Disable AD User
To disable an existing user in the Active Directory.
Request data
{"task_name": "ad_task","task_details": {"ad_host": "<HOST_NAME>","ad_dn": "<DN OF THE AD MACHINE>","activity_name": "disable_user","user_name": "<USER_NAME>"},"credential": {"name": "<CREDENTIAL_NAME>"}}
Enable AD User
To enable a disabled user in the Active Directory.
Request data
{"task_name": "ad_task","task_details": {"ad_host": "<HOST_NAME>","ad_dn": "<DN OF THE AD MACHINE>","activity_name": "enable_user","user_name": "<USER_NAME>"},"credential": {"name": "<CREDENTIAL_NAME>"}}
Unlock AD User
To unlock the user, who has been locked due to multiple incorrect password entries.
Request data
{"task_name": "ad_task","task_details": {"ad_host": "<HOST_NAME>","ad_dn": "<DN OF THE AD MACHINE>","activity_name": "unlock_account","user_name": "<USER_NAME>"},credential": {"name": "<CREDENTIAL_NAME>"}}
Reset AD Password
If the password has been forgotten or if there is a need to reset the password.
This task is exclusively performed using LDAPS (LDAP over SSL). Please refer here for instructions on enabling LDAP over SSL.
Request data
{"task_name": "ad_task","task_details": {"ad_host": "<HOST_NAME>","ad_dn": "<DN OF THE AD MACHINE>","activity_name": "reset_password","user_name": "<USER_NAME>","password": "<PASSWORD>","is_unlock_account": true,"is_user_reset_password_next_logon": true},"credential": {"name": "<CREDENTIAL_NAME>"}}
where,
is_unlock_account - If the user account is locked, whether to unlock it while resetting the password.
true - to unlock the account
false - to not unlock the account
is_user_reset_password_next_logon - After resetting the password, whether to make it mandatory for the user to reset the password during his next login.
true - password has to be reset during the next logon
false - not necessary to reset the password again during the next logon
Related Articles
Zoho Directory in Qntrl
What is Active Directory? Active Directory (AD) by Microsoft is a domain management system for centralized networks. Using AD, you can add users, define their privilege, store and manage information, and authorize and authenticate user accounts. What ...AD task
The AD task is used to connect to the Active Directory of the company's network and perform AD operations securely there. The following AD States are available in AD Task: Add AD User Add AD Group Add User to Group Add AD Computer Enable AD User ...Parameters in Circuit
Parameters in Circuit allow you to use dynamic values in your automated workflows, making it easier to customize and control various parts of your process. These parameters are created in the ConfigStore and can be referenced throughout the different ...Overview of Users
Organization users Your employees can be added to Qntrl organization as users . Once you add a user to the organization, an invitation email will be sent to their email address. Upon accepting the invite, they will become a current user of your ...Parallel
Parallel state allows you to process multiple states in parallel and perform simultaneous executions. The executions are initiated at the same time, and their input, output, and results are processed and generated concurrently. Additionally, the ...
You are currently viewing the help articles of Qntrl 3.0. If you are still using our older version and require guidance with it, Click here.