Active Directory connector

The Active Directory Connector synchronises users, groups and Organisational Units from Microsoft Active Directory or OpenDS to Collaborate and Publisher. It is part of the HighQ Appliance.
The AD Connector allows you to integrate with your current AD setup, so that you manage user access via your domain rather than through Collaborate. If you have a group of users who are all brand new to Collaborate or the organisation, you can add these users quickly in AD and use the sync to grant them access to Collaborate.
If you have a group of users who are no longer part of your company, you can set these users to archived (within your AD) and this restricts the users' access in Collaborate.

Configuring an Active Directory connector

If you have purchased the Active Directory (AD) connector, the HighQ professional services team will assist with the configuration. If you need to verify or change the configuration of the connector, open the Module Management section to show the list of configured modules.
To archive (disable) or switch a connector back to active:
  1. Select the Edit icon in the Module Management screen.
  2. Change the Status.
  3. Select Save.
If you need to create a new Active Directory module:
  1. Select Add Module in the Module Management screen.
  2. Complete all fields and select Save.
In the Module Management screen, use the Module type column to find the Directory connector in the list. Select the Module name of the Directory connector to check or configure. Note that your instance may have more than one AD connector.
The module configuration window opens; Sync Schedule is displayed by default.

Configuration options

After you have opened the module, the following configuration options are displayed on the screen.
Check driver configuration
From the list of configuration options, select Driver configuration. The latest version of the External driver is selected, and either the latest Collaborate or Publisher Internal driver is selected.
Check the driver version and that the driver matches the type of site to which it connects, Collaborate or Publisher.
If you have changed the driver, or need to update the driver, click Update driver.
Collaborate configuration
From the list of configuration options, select Collaborate Configuration. The Collaborate Configuration screen allows you to update the application URL, security keys and optional or system settings.
  • Collaborate application URL - the Collaborate URL and instance name; e.g. https://collaborate_url/instance_name
  • Collaborate authentication key - the authentication key, as configured by HighQ support on the Collaborate instance ('API plain key')
  • Collaborate encryption key - the encryption key, as configured by HighQ support on the Collaborate instance ('API secret key')
  • Enable user profile update - if this is selected, user profile fields can be updated after the initial synchronisation
  • Proxy configuration - select if an internal proxy is required
  • Custom authorization - this option is available only for Publisher; select if custom authorization is required
Click Save & Test heartbeat to apply changes and test for a valid response.
Optional settings
Click Optional settings to configure:
  • Collaborate REST API URL - the URL for the REST API and version; e.g. 'api/1/'
  • Collaborate authentication type - the authentication used to connect to Collaborate; in all cases this is set to 'Basic'
  • Directory API call delay - the delay (in ms) between two consecutive API calls
Click Save & Test heartbeat to apply changes and test for a valid response.
System settings
In System settings, configure the basic system settings of your Active Directory connector, such as log file name, maximum log size, log level, etc.
Click System settings to configure:
  • File name - the location and file name of the log file; click Download log to download a copy of the log
  • Maximum log size (MB) - the log will not exceed the size entered here; the default is 200 MB, maximum 1024 MB
  • Log level - select the detail saved to the log (ALL, DEBUG, INFO, WARN or ERROR); the default is INFO
  • Delete historical purge data - remove data older than the selected period; reports are not generated for data older than this; the default is Six months
  • Synchronise user telephone number as separated codes - select if telephone numbers are separated into country code, area code and phone number; the default is False
  • Synchronise user profile image - synchronise profile pictures if the Active Directory 'thumbnailPhoto' is mapped correctly in User Mapping; the default is False
  • Synchronise user profile image with pixels - the height and width (as 'height:width') of the profile image; the default is 350:350. Images that are too small are not synchronised
  • Synchronise user profile image with Thread Pool size - define the size of batches used to synchronise profile images; the default is 10
  • Synchronise user profile image with MD5 hash-value comparison - compare MD5 hash values of old and new profile images; the default is False
Click Save & Test heartbeat to apply changes and test for a valid response.
AD configuration
Active Directory is fully configured by HighQ professional services when deployed; however, if your AD configuration changes, you may need to make some changes in Appliance.
Click AD Configuration:
External driver settings
  • Host/Server name - enter the hostname or IP address, and the port of your LDAP server
  • Secure SSL - select this checkbox to use an SSL connection to connect to the Directory server (off by default). With this option off and Simple authentication, the bind username and password travel to the directory server in clear text
  • Authentication type - this is the authentication method for your LDAP server. If your LDAP server allows an anonymous connection and you want to connect anonymously, click Anonymous. Otherwise, click Simple
  • Authorized user - use this username to connect to the LDAP (directory) server. Please use the suggested format.
  • Password - connect to the LDAP (Directory) server using the supplied password
  • Proxy configuration - enter proxy server information. You can select any previously added proxy details
Optional settings
  • Connection timeout (seconds) - the time to wait before opening new server connections to the directory server. The default value is 180 seconds
  • Page size - the page size used when iterating search results from your server. The default value is 10
  • Incremental Sync - this checkbox is selected by default. When incremental sync is disabled, all records are fetched from the LDAP server. When incremental sync is enabled, only new, updated or deleted records are fetched from the server
  • Read timeout (seconds) - if the directory provider does not send a response within the specified period, the read attempt is aborted
  • Threshold limit for archive users - if the quantity of archived users exceeds this limit, they are not synchronised. The default value is 5%; the value can be between 1 and 100
  • One time change, will revert after execution - if you change the threshold limit and select this option, the defined limit applies only to the next sync. After the next sync, it is set back to the default value (5%)
  • Revert to default threshold limit - this is visible if you set a permanent threshold by deselecting One time change. Select to set the threshold limit back to 5% until a different threshold limit is set
  • Archive users removed from OU - users removed from an organizational unit are archived. If this is not selected, removed users are deleted
  • Archive users removed from group - users removed from a group are archived. If this is not selected, removed users are deleted
  • Sync users from nested groups into parent system level group - users are synced into a system level group; this ignores nested groups in the original database
  • External organisation - select an organisation to sync users with an External role; i.e. not Internal or Basic users.
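The archive threshold and the archive-or-delete options above are the connector's guard against a directory mistake (an OU moved, a group emptied) propagating as a mass deactivation. The following added example, which is not HighQ's code, shows how such a guard behaves: it diffs a previous sync snapshot against the current directory export, produces the insert/update/archive/delete counts a Preview would report, and refuses to archive when the removed share of users exceeds the threshold. The user records, GUIDs and DNs are constructed for illustration.

```python
"""Added example (not HighQ's code): a sync plan with the archive-threshold guard.
Previous/current snapshots are dicts of guid -> DirectoryUser; all data is constructed."""
from dataclasses import dataclass, field

DEFAULT_THRESHOLD_PERCENT = 5   # the connector's default threshold, per the page


@dataclass(frozen=True)
class DirectoryUser:
    guid: str
    dn: str
    email: str
    display_name: str


@dataclass
class SyncPlan:
    insert: list = field(default_factory=list)
    update: list = field(default_factory=list)
    archive: list = field(default_factory=list)
    delete: list = field(default_factory=list)
    blocked: bool = False   # True when the threshold stopped the removals
    reason: str = ""


def build_sync_plan(previous, current, threshold_percent=DEFAULT_THRESHOLD_PERCENT,
                    archive_removed=True):
    """Users missing from `current` are archived (or deleted when archive_removed
    is False) unless they exceed threshold_percent of the previously synced users."""
    if not 1 <= threshold_percent <= 100:
        raise ValueError("threshold must be between 1 and 100")
    plan = SyncPlan()
    for guid, user in current.items():
        old = previous.get(guid)
        if old is None:
            plan.insert.append(guid)
        elif (old.dn, old.email, old.display_name) != (user.dn, user.email, user.display_name):
            plan.update.append(guid)
    removed = [guid for guid in previous if guid not in current]
    if previous and removed:
        removed_pct = 100.0 * len(removed) / len(previous)
        if removed_pct > threshold_percent:        # "exceeds this limit"
            plan.blocked = True
            plan.reason = (f"{len(removed)} of {len(previous)} users ({removed_pct:.1f}%) "
                           f"would be removed; limit is {threshold_percent}%")
            return plan
    (plan.archive if archive_removed else plan.delete).extend(removed)
    return plan


def sample_snapshot(guids):
    """Constructed directory export: one hypothetical user per GUID."""
    return {g: DirectoryUser(g, f"CN={g},OU=Staff,DC=adtest,DC=com",
                             f"{g}@adtest.example", g.upper()) for g in guids}


def demo():
    """Returns (normal_plan, blocked_plan) for two constructed scenarios."""
    previous = sample_snapshot([f"guid-{i}" for i in range(20)])
    # Next export: guid-19 has left, guid-20 joined, guid-0 was renamed (1 of 20 = 5%).
    current = sample_snapshot([f"guid-{i}" for i in range(19)] + ["guid-20"])
    renamed = current["guid-0"]
    current["guid-0"] = DirectoryUser(renamed.guid, renamed.dn, renamed.email, "Renamed User")
    normal = build_sync_plan(previous, current)
    # Bulk removal: 2 of 20 users (10%) gone, above the 5% default, so nothing is archived.
    bulk = sample_snapshot([f"guid-{i}" for i in range(18)])
    blocked = build_sync_plan(previous, bulk)
    return normal, blocked


if __name__ == "__main__":
    for plan in demo():
        print(plan)
```

The threshold is compared against the previously synced population, and a blocked plan still carries its inserts and updates, so a run stopped by the guard loses nothing except the removals that a person should review first.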
User configuration
User configuration allows you to map Active Directory fields to Publisher or Collaborate fields with user and group mapping:
  • Search OU/group - this searches the names of all OU/groups and lists all returned results. You can also specify a name to search for a specific OU. For example: [OU=TestOU,DC=ADTEST,DC=COM]test
  • Organization unit selection - you can add or remove organisation units or groups for synchronisation. Select the organisation units from the left panel, select the checkbox and click Add link. Within the right panel, select the checkbox of the organisation unit or groups where the users and groups you want to synchronize exist, and click Save.
  • Synchronize users only - when this checkbox is selected, only the users of the selected OU/groups are synchronized.
  • Role - shows the selected user role; all users in the group are defined as this account type.
  • Sync all child OU/groups - when this checkbox is selected, users and groups of the selected OU/group, up to n levels deep, are synchronized.
As of October 2022, the AD connector can define the user role during the sync process: Internal, External or Basic. Select the role type in the drop-down menu before you click Add.
Synchronization filters
Filters allow you to include or exclude users:
  • Synchronization filter - include rule - the filter rules allow you to synchronise the configuration from a specific location within the directory tree. If the directory tree is large and has a lot of data, this interface allows you to synchronise users from a specific location. Click Add organisation unit and select the organisation from the drop-down menu. You can click Add query to specify a new query.
  • Synchronization filter - exclude rule - the exclusion rules can be used to filter out users from the directory tree selected as the base configuration. Click Add organisation unit, select the organisation from the drop-down menu and click Apply filter rules.
  • Click Add Organization Unit to set a filter or query.
  • Click Add Filter to set parameters for the filter.
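The include and exclude rules above, together with the "Sync all child OU/groups" depth option and nested-group flattening from the user configuration section, decide which directory users actually reach Collaborate or Publisher. The following added example, which is not HighQ's code, evaluates those rules over distinguished names: an include rule admits users beneath an OU, an exclude rule beneath a more specific OU wins over it, a depth limit stops at direct children, and nested groups are flattened into a system-level group without looping on a membership cycle. The DN handling is a simplified RFC 4514 split that does not handle escaped commas, and every DN and group below is constructed.

```python
"""Added example (not HighQ's code): include/exclude OU rules, child-OU depth
and nested-group flattening over constructed DNs."""


def split_dn(dn):
    """'CN=Ann, OU=Sales,DC=adtest,DC=com' -> ['cn=ann', 'ou=sales', 'dc=adtest', 'dc=com']"""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def is_under(dn, base, max_depth=None):
    """True when dn sits beneath base. max_depth counts the containers allowed
    between base and the entry (0 = direct children only, None = unlimited)."""
    entry, container = split_dn(dn), split_dn(base)
    if len(entry) <= len(container) or entry[-len(container):] != container:
        return False
    depth = len(entry) - len(container) - 1
    return max_depth is None or depth <= max_depth


def select_users(users, include_bases, exclude_bases=(), max_depth=None):
    """Include rules admit a user; any matching exclude rule wins over them."""
    return sorted(
        u for u in users
        if any(is_under(u, b, max_depth) for b in include_bases)
        and not any(is_under(u, b) for b in exclude_bases)
    )


def effective_members(group_dn, members_of, users, _seen=None):
    """Flatten nested groups into the set of user DNs, tolerating cycles."""
    seen = _seen if _seen is not None else set()
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    flat = set()
    for member in members_of.get(group_dn, ()):
        if member in members_of:          # the member is itself a group
            flat |= effective_members(member, members_of, users, seen)
        elif member in users:
            flat.add(member)
    return flat


def group_sync_set(group_dn, members_of, users, include_bases, exclude_bases=(), max_depth=None):
    """Users that would land in the flattened system-level group after filtering."""
    allowed = set(select_users(users, include_bases, exclude_bases, max_depth))
    return sorted(effective_members(group_dn, members_of, users) & allowed)


# Constructed sample directory (hypothetical DNs and groups).
SAMPLE_USERS = [
    "CN=Ann,OU=Sales,DC=adtest,DC=com",
    "CN=Bob,OU=EMEA,OU=Sales,DC=adtest,DC=com",
    "CN=Cara,OU=Contractors,OU=Sales,DC=adtest,DC=com",
    "CN=Dan,OU=Finance,DC=adtest,DC=com",
    "CN=Eve,OU=Leavers,DC=adtest,DC=com",
]
SALES_ALL = "CN=Sales-All,OU=Groups,DC=adtest,DC=com"
SALES_EMEA = "CN=Sales-EMEA,OU=Groups,DC=adtest,DC=com"
SAMPLE_GROUPS = {
    SALES_ALL: [SAMPLE_USERS[0], SALES_EMEA],
    SALES_EMEA: [SAMPLE_USERS[1], SAMPLE_USERS[4], SALES_ALL],   # cycle back to Sales-All
}
INCLUDE = ["OU=Sales,DC=adtest,DC=com"]
EXCLUDE = ["OU=Contractors,OU=Sales,DC=adtest,DC=com"]

if __name__ == "__main__":
    print(select_users(SAMPLE_USERS, INCLUDE, EXCLUDE))                # Ann, Bob
    print(select_users(SAMPLE_USERS, INCLUDE, EXCLUDE, max_depth=0))   # Ann only
    print(group_sync_set(SALES_ALL, SAMPLE_GROUPS, SAMPLE_USERS, INCLUDE, EXCLUDE))
```

Eve is a member of Sales-EMEA, and therefore of the flattened Sales-All, but she sits under OU=Leavers and is dropped by the include rule; checking the filtered set against the flattened group is the step that stops a stale nested membership from granting access.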
User and group mapping
This allows you to map the user or group directory service attributes to Collaborate/Publisher attributes.
Click either User mapping or Group mapping.
If mappings are changed, you must save both the configuration setting and the mapping page.
Sync schedule
Scheduling action
After configuring synchronisation, you can schedule actions that synchronise users and group(s) from the directory to Collaborate/Publisher. Actions can be scheduled to run on a daily, hourly or custom time basis.
  • Daily schedule: select an hour and minute to schedule daily
  • Hourly schedule: select a number to schedule for every X hours
  • Custom schedule: select Manual and enter a schedule. For example, if you want to schedule every 10 min, enter 0 0/10 * * * ?
  • Select Disable to remove any schedule.
  • Select Preview to display the number of users and groups that will be inserted, updated and deleted.
In the preview, select Click here to create a detailed Preview Report, which shows which users or groups will be inserted, updated and deleted.
Scheduler report
The scheduler report tracks actions performed by the module.
A total report, a success record and a failed record are generated. Click Download Report to download the report as an .xls file.
Users and Groups
Users
This section provides a list of all synchronised users. There is a column for GUID and Detail.
Click the user's GUID to see user details. Select the Member of tab to see a list of the groups that contain the user.
Groups
This section provides a list of all synchronised groups. There is a column for GUID and Group name.
Click the group GUID to see group details. Select the Members tab to see a list of the users in the group.