Active Directory(AD)
The Active Directory (AD) module in Qntrl Bridge allows you to integrate with Microsoft Active Directory to manage users, computers, and groups within your organization securely.
AD is a directory service developed by Microsoft to centrally manage network resources such as users, computers, and applications. These entities are stored as Objects, which are organized under Organizational Units (OU) within one or more domains.
Qntrl connects to AD through Bridge, enabling you to automate tasks like adding users or groups, disabling accounts, and resetting passwords directly from your workflows.
Use Case
If you want to add a user to the AD, you can create a job request in Qntrl and execute the job. Through Bridge, Qntrl connects to AD, adds the user, and returns a success response.
Prerequisite
- Organization Unit should be created in the AD server.
- While creating credentials, select Type as Active Directory and provide the User DN and Password of the AD. Click here to learn how to create a credential.
- Ensure AD Lightweight Directory Services is activated.
- Learn more about AD Lightweight Directory Service.
- By default, LDAP requests are made only through LDAP(non SSL). If you prefer to use LDAPS(SSL), enable LDAPS port on the AD server.
- If you are unable to connect with the Bridge AD server, verify your hostname and network settings.
- By default, LDAP requests are made only through LDAP(non SSL). If you prefer to use LDAPS(SSL), enable LDAPS port on the AD server.
- To enable LDAPS, ensure AD Lightweight Directory Services is activated. For step-by-step instructions, click here.
For more information on AD Lightweight Directory Services, click here.
How to Enable LDAP over SSL(LDAPS)
- Set Up LDAPS: To facilitate SSL requests, it's essential to enable LDAP over SSL (LDAPS). Refer here to set up LDAPS on Windows Server.
- Obtain LDAPS Certificate: Once LDAPS is enabled, you'll receive a certificate, preferably in .pfx (password-protected) or .cer format. Copy this certificate to the machine where the bridge is installed.
- Modify LDAP Config File: Open the Bridge/conf/ldap-config.properties file and locate the bridge.ldap.use.ssl=false property. Change the value from 'false' to 'true' (i.e., bridge.ldap.use.ssl=true).
- Specify Certificate Format:
- For .cer format: bridge.ldap.file.type=cer
- For .pfx format: bridge.ldap.file.type=pfx (default is .pfx)
- Specify the file path of the certificate in the property bridge.ldap.ssl.certificate.path=<PATH_TO_CERTIFICATE>.
- For .pfx Certificates Only:
- Encrypt the certificate password before adding it to the configuration by navigating to the Bridge/bin directory and running encrypt.bat <PASSWORD>.
- Add the encrypted password to the configuration: bridge.ldap.ssl.certificate.password=<ENCRYPTED_PASSWORD>.
- Set Custom Port (Optional): By default, port 389 is used for non-SSL, and port 636 for SSL requests. To use a custom port, specify it in the property bridge.ldap.use.custom.port=<CUSTOM_PORT>.
- Restart Bridge: Once all configurations are completed, restart the bridge to apply the changes.
Working with LDIF Scripts
Qntrl Bridge supports LDIF (LDAP Data Interchange Format) scripts for automating AD operations.
- LDIF scripts can perform most AD tasks except read operations.
- While standard LDIF scripts do not support variables, Qntrl’s AD module extends LDIF capabilities to support variable substitution, enabling dynamic script execution.
- Upload and execute these scripts via Bridge as part of your AD task.
This allows greater flexibility in managing directory entries, attributes, and relationships directly from your automated workflows.
Sample LDIF Script:
dn:%q_dn%
changeType: modify
replace: mail
mail: %q_mail_id%
Variable Formatting
- The format for variables in LDIF scripts is %q_<variable_name>%
Example: %q_mail_id% - Variable names must follow snake_case (lowercase letters with underscores).
- When referencing these variables in Bridge payloads or Circuit variables,
omit the %q_% prefix and use only the snake_case name - Example:
- In LDIF script → %q_mail_id%
- In Bridge payload → "mail_id": "sample@domain.com"
If you are unable to connect with the Bridge AD server, verify your hostname and network settings.
AD Tasks
The tasks linked with the AD Engine module and the request data for diverse operations executed in Active Directory via Bridge, outlined in the following section.
Common keys in Request data
Keys | Description |
task_details | A JSON object that contains details of the task. |
ad_host | Location of the AD. |
ad_dn | Distinguished Name of AD. |
activity_name | Name of the activity performed in AD. When executing an LDIF script, specify this value as file. |
task_name | A system-defined name for the respective modules. 'ad_task' is the task name for Active Directory. |
credential | A JSON object that contains the name of the AD server credential. |
name | Name of the AD server credential. |
object_name | Name of the object. |
object_type | Type of the object. |
organization_unit | Name of the OU. |
properties | A JSON object that contains additional information related to the user. |
objectClass | Category/type of the object. |
givenName | Display name of the user. |
user_name | Login name of the user in AD. |
password | Password of the user. |
AD Task
Used to execute any AD operation by running an LDIF script through Bridge.
This task acts as a flexible alternative to predefined actions and supports variable substitution for dynamic execution.
Request data
{"task_name": "ad_task","task_details": {"ad_host": "<HOST_NAME>","ad_dn": "<DN>","activity_name": "file","script_name": "<SCRIPT_NAME>","variable": {"<KEY>": "<VALUE>","<KEY>": "<VALUE>"}},"credential": {"name": "<CREDENTIAL_NAME>"}}
Add AD User
To add a new user to the Active Directory in a private network.
Request data
{"task_name": "ad_task","task_details": {"ad_host": "<HOST_NAME>","ad_dn": "<DN OF THE AD MACHINE>","activity_name": "create_object","object_name": "<OBJECT_NAME>","organization_unit": "<ORGANIZATION_UNIT_NAME>","object_type": "user","properties": {"ObjectClass": "user","givenName": "<DISPLAY NAME OF THE USER>"}},"credential": {"name": "<CREDENTIAL_NAME>"}}
Add AD Computer
To add a new computer to the Active Directory of the client's network.
Request data
{"task_name": "ad_task","task_details": {"ad_host": "<HOST_NAME>","ad_dn": "<DN OF THE AD MACHINE>","activity_name": "create_object","object_name": "<OBJECT_NAME>","organization_unit": "<ORGANIZATION_UNIT_NAME>","object_type": "computer","properties": {"ObjectClass": "computer","givenName": "<DISPLAY NAME OF THE OBJECT>"}},"credential": {"name": "<CREDENTIAL_NAME>"}}
Add AD Group
To add a new group to the Active Directory of the client's network.
Request data
{"task_name": "ad_task","task_details": {"ad_host": "<HOST_NAME>","ad_dn": "<DN OF THE AD MACHINE>","activity_name": "create_object","object_name": "<OBJECT_NAME>","organization_unit": "<ORGANIZATION_UNIT_NAME>","object_type": "group","properties": {"ObjectClass": "group","givenName": "<DISPLAY NAME OF THE GROUP>"}},"credential": {"name": "<CREDENTIAL_NAME>"}}
Add User To Group
To add a user under a group in the Active Directory of the client's network.
Request data
{"task_name": "ad_task","task_details": {"ad_host": "<HOST_NAME>","ad_dn": "<DN OF THE AD MACHINE>","activity_name": "create_object","object_name": "<OBJECT_NAME>","organization_unit": "<ORGANIZATION_UNIT_NAME>","object_type": "group","properties": {"ObjectClass": "group","givenName": "<DISPLAY NAME OF THE GROUP>"}},"credential": {"name": "<CREDENTIAL_NAME>"}}
group_name - name of the group in AD.
Disable AD User
To disable an existing user in the Active Directory.
Request data
{"task_name": "ad_task","task_details": {"ad_host": "<HOST_NAME>","ad_dn": "<DN OF THE AD MACHINE>","activity_name": "disable_user","user_name": "<USER_NAME>"},"credential": {"name": "<CREDENTIAL_NAME>"}}
Enable AD User
To enable a disabled user in the Active Directory.
Request data
{"task_name": "ad_task","task_details": {"ad_host": "<HOST_NAME>","ad_dn": "<DN OF THE AD MACHINE>","activity_name": "enable_user","user_name": "<USER_NAME>"},"credential": {"name": "<CREDENTIAL_NAME>"}}
Unlock AD User
To unlock the user, who has been locked due to multiple incorrect password entries.
Request data
{"task_name": "ad_task","task_details": {"ad_host": "<HOST_NAME>","ad_dn": "<DN OF THE AD MACHINE>","activity_name": "unlock_account","user_name": "<USER_NAME>"},credential": {"name": "<CREDENTIAL_NAME>"}}
Reset AD Password
If the password has been forgotten or if there is a need to reset the password.
This task is exclusively performed using LDAPS (LDAP over SSL). Please refer here for instructions on enabling LDAP over SSL.
Request data
{"task_name": "ad_task","task_details": {"ad_host": "<HOST_NAME>","ad_dn": "<DN OF THE AD MACHINE>","activity_name": "reset_password","user_name": "<USER_NAME>","password": "<PASSWORD>","is_unlock_account": true,"is_user_reset_password_next_logon": true},"credential": {"name": "<CREDENTIAL_NAME>"}}
where,
is_unlock_account - If the user account is locked, whether to unlock it while resetting the password.
true - to unlock the account
false - to not unlock the account
is_user_reset_password_next_logon - After resetting the password, whether to make it mandatory for the user to reset the password during his next login.
true - password has to be reset during the next logon
false - not necessary to reset the password again during the next logon
Troubleshooting
1. Do I need to install AD tools on the Bridge server to use the Active Directory module in PowerShell?
Yes. The Active Directory module (RSAT – Remote Server Administration Tools) must be installed to run AD commands locally in PowerShell. RSAT is not pre-installed by default on server or client machines, so ensure it is added to the machine where Bridge is installed.
2. Why am I unable to connect to the AD server through Bridge?
- Check whether the Bridge host machine can communicate with the AD server over the network.
- Verify that the hostname and port (389 for LDAP / 636 for LDAPS) are correct.
- Ensure that no firewall restrictions or proxy settings are blocking communication.
- Confirm that the Bridge service is running and has network access.
3. I’m getting “Invalid credentials” while executing AD operations. What should I do?
Recheck the User DN and Password provided while creating the AD credential in Qntrl.
Make sure the AD user account has the required permissions to perform create, modify, or delete operations.
If credentials were updated or reset recently in AD, update them in Qntrl as well.
4. LDAPS connection is failing. How can I fix it?
- Confirm that AD Lightweight Directory Services (AD LDS) is enabled on the AD server.
- Verify that the SSL certificate for LDAPS is valid and imported into the Bridge machine.
- Open the Bridge/conf/ldap-config.properties file and ensure the following settings are correct:
- bridge.ldap.use.ssl=true
bridge.ldap.ssl.certificate.path=<PATH_TO_CERTIFICATE> - If using a .pfx certificate, encrypt the password before adding it:
- bridge.ldap.ssl.certificate.password=<ENCRYPTED_PASSWORD>
- Restart the Bridge service after updating the configuration.
5. My LDIF scripts are failing. What could be wrong?
Ensure that your script follows the LDIF format and uses variables in the format %q_<variable_name>%.
When referencing variables in Bridge payloads or Circuit variables, omit the %q_% prefix and use only the snake_case variable name.
Example: In script → %q_mail_id% , In payload → mail_id
Confirm that the LDIF task being executed supports the operation. (Read/filter operations are not supported via LDIF scripts.)
6. How do I view detailed logs for failed AD executions?
Open Bridge Agent >> Core Service >> Logs to view real-time execution details.
Download the log file for deeper analysis using Bridge Agent → Logs → Download Log File.
You can also access logs locally from Bridge/logs/
7. The Bridge service is running, but no tasks are being executed. What can I do?
- Restart the Bridge service to refresh connections.
- Check the Bridge logs (Bridge/logs/bridge.log) for any authentication or certificate-related errors.
- If the issue persists, verify if the bridge agent is mapped correctly in Qntrl under Settings >> Bridge >> Installed Bridges.
Related Articles
AD task
The AD task is used to connect to the Active Directory of the company's network and perform AD operations securely there. The following AD States are available in AD Task: Add AD User Add AD Group Add User to Group Add AD Computer Enable AD User ...Bridge Agent Configuration
The Bridge Agent serves as the local management console for your Bridge. It allows you to view and control services, review messages and logs, configure modules, manage credentials, and maintain secure communication with external systems. Log in to ...Zoho Directory in Qntrl
What is Active Directory? Active Directory (AD) by Microsoft is a domain management system for centralized networks. Using AD, you can add users, define their privilege, store and manage information, and authorize and authenticate user accounts. What ...Install and Configure Bridge
Follow the below step-by-step procedures to configure and use Bridge in Qntrl. Step 1: Download the Bridge agent Only one Bridge agent can be installed per machine. Log in to Qntrl. Navigate to (Settings) >> Advanced >> Bridge, and click Downloads. ...Credentials
The Credential module provides a streamlined solution for storing and managing authentication credentials for databases, remote machines, and application servers. Organizations dealing with multiple databases or APIs often face repetitive credential ...
You are currently viewing the help articles of Qntrl 3.0. If you are still using our older version and require guidance with it, Click here.