Login
    Contents x
    Active Directory (On-Premises)
    • 19 Feb 2024
    • 3 Minutes to read
    • Contributors
    • Print
    • Dark
      Light
    • PDF
    Contents

    Active Directory (On-Premises)

    • Updated on 19 Feb 2024
    • 3 Minutes to read
    • Contributors
    • Print
    • Dark
      Light
    • PDF
    Article Summary

    This guide will teach you how to set up the connection between your On-Premises Microsoft Active Directory and Clarity Security.

    Estimated time to complete: 10 minutes

    If you run into any problems, please contact your support team or support@claritysecurity.io.

    Before You Begin

    You must have Clarity Connect configured for your tenant for any on-prem applications to communicate to Clarity.  

    How to Setup the Connector

    You will need an account (typically a service account) to facilitate the connection between Clarity and your on-prem Active Directory (by way of Clarity Connect).  If you have this already, skip to Step 4.

    Note
    This connector relies on the LDAPS port running on the default port, 636, on your Active Directory Server.


    Step 1: Create an Account

    Create an account using the following steps (or contact your IT department to create one).

    Step 2: Configure the Account

    Fill out the info following your organization's standards.  You will need the distinguishedName and password for configuration in Clarity (distinguishedName shown below).

    New Object - User Configure

    Step 3: Delegate Control

    You will need to delegate control for the newly created service account.  The following permissions are required for all features to work:

    • Create, delete, and manage user accounts
    • Read all user information
    • Modify the membership of a group

    Delegation of Control Wizard

    Step 4: Retrieve the Distinguished Name

    For the newly created service account, you will need to grab Distinguished Name for use during configuration.

    Note
    To find the distinguished name you right-click on the account, go to Properties > Attribute Editor > and scroll to distinguishedName

    Object Properties - Attribute Editor - distinguishedName

    Step 5: Log in to Clarity

    Log in to your Clarity tenant using an account with Admin permissions.

    Step 6: Click on Applications > Marketplace

    Clarity - Applications > Marketplace

    Step 7: Find MS Active Directory > Connect

    Scroll or search to find MS Active Directory and click

    Step 8: Connect App

    Complete the App Settings form.  Details for fields common to all applications can be found in the following article: Common App Configuration Steps

    MS AD Connection Fields:

    • ad_host: This can either be the IP address or Fully Qualified Domain Name for your Active Directory server.
    • username: This is the distinguished name for the service account you created in Step 4.
      • Example: CN=Clarity Service,CN=Users,DC=claritysecuritydemo,DC=io
    • password: This is the password for the service account you created earlier in Step 2.
    • base_dn: This is the distinguished name for where you want Clarity to search for Users, Groups, etc. inside your Active Directory.
      • "DC=claritysecuritydemo,DC=io" would allow searching an entire domain for accounts, but "OU=UsersOU,DC=claritysecuritydemo,DC=io" would only allow Clarity to search inside of the "UsersOU" and anything nested inside.
    • restrict_to_ous: This setting allows you to further filter out the directory objects you want to manage. This is a pipe-delimited string of DNs associated with the OUs and Containers that you want to pull directory objects from. For example, you could set the following:
      OU=Marketing,DC=claritysecuritydemo,DC=io|OU=Developers,DC=claritysecuritydemo,DC=io|OU=Users,DC=claritysecuritydemo,DC=io
      which would result in Clarity only pulling in directory objects belonging to any of those OUs (and their descendants).
    Note for on-prem applications
    You must change the dropdown for Access via must be changed manually to "Clarity Connect (on-prem connector)"

    Configure App Step 1 - Connect App

    Step 9: App Settings

    Complete the App Settings form.  Details for each field can be found in the following article: Common App Configuration Steps

    Configure App Step 2 - App Settings

    Step 10: User Settings

    Complete the User Settings form, and check the table at the top to see if any features are unsupported.  Details for each field can be found in the following article: Common App Configuration Steps

    Configure App Step 3 - User Settings

    Step 11: Validate Your Selections and Save

    Save
    Clicking the Save button will trigger the first full sync for your application (even if you selected Manual Syncing).  This includes Service Users, Entitlements, Service User Entitlements, Service User Attributes.

    Need Help?

    If you have any problems, contact your customer success team. You can also get in touch with our general support via email, open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.

    Was this article helpful?
    What's Next
    Reduce risk while saving time, money, and employee effort with the most intuitive Identity Governance Platform on the market.
    Capabilities
    Use Cases
    About Clarity
    Connect With Us
    Change password!
    Changing your password will log you out immediately. Use the new password to log back in.
    Change profile
    Success!
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.
    Logout