Active Directory (On-Premises)
  • 19 Feb 2024
  • 3 Minutes to read
  • Contributors
  • Dark
    Light
  • PDF

Active Directory (On-Premises)

  • Dark
    Light
  • PDF

Article summary

This guide will teach you how to set up the connection between your On-Premises Microsoft Active Directory and Clarity Security.

Estimated time to complete: 10 minutes

If you run into any problems, please contact your support team or support@claritysecurity.io.

Before You Begin

You must have Clarity Connect configured for your tenant for any on-prem applications to communicate to Clarity.  

How to Setup the Connector

You will need an account (typically a service account) to facilitate the connection between Clarity and your on-prem Active Directory (by way of Clarity Connect).  If you have this already, skip to Step 4.

Note
This connector relies on the LDAPS port running on the default port, 636, on your Active Directory Server.


Step 1: Create an Account

Create an account using the following steps (or contact your IT department to create one).

Step 2: Configure the Account

Fill out the info following your organization's standards.  You will need the distinguishedName and password for configuration in Clarity (distinguishedName shown below).

New Object - User Configure

Step 3: Delegate Control

You will need to delegate control for the newly created service account.  The following permissions are required for all features to work:

  • Create, delete, and manage user accounts
  • Read all user information
  • Modify the membership of a group

Delegation of Control Wizard

Step 4: Retrieve the Distinguished Name

For the newly created service account, you will need to grab Distinguished Name for use during configuration.

Note
To find the distinguished name you right-click on the account, go to Properties > Attribute Editor > and scroll to distinguishedName

Object Properties - Attribute Editor - distinguishedName

Step 5: Log in to Clarity

Log in to your Clarity tenant using an account with Admin permissions.

Step 6: Click on Applications > Marketplace

Clarity - Applications > Marketplace

Step 7: Find MS Active Directory > Connect

Scroll or search to find MS Active Directory and click

Step 8: Connect App

Complete the App Settings form.  Details for fields common to all applications can be found in the following article: Common App Configuration Steps

MS AD Connection Fields:

  • ad_host: This can either be the IP address or Fully Qualified Domain Name for your Active Directory server.
  • username: This is the distinguished name for the service account you created in Step 4.
    • Example: CN=Clarity Service,CN=Users,DC=claritysecuritydemo,DC=io
  • password: This is the password for the service account you created earlier in Step 2.
  • base_dn: This is the distinguished name for where you want Clarity to search for Users, Groups, etc. inside your Active Directory.
    • "DC=claritysecuritydemo,DC=io" would allow searching an entire domain for accounts, but "OU=UsersOU,DC=claritysecuritydemo,DC=io" would only allow Clarity to search inside of the "UsersOU" and anything nested inside.
  • restrict_to_ous: This setting allows you to further filter out the directory objects you want to manage. This is a pipe-delimited string of DNs associated with the OUs and Containers that you want to pull directory objects from. For example, you could set the following:
    OU=Marketing,DC=claritysecuritydemo,DC=io|OU=Developers,DC=claritysecuritydemo,DC=io|OU=Users,DC=claritysecuritydemo,DC=io
    which would result in Clarity only pulling in directory objects belonging to any of those OUs (and their descendants).
Note for on-prem applications
You must change the dropdown for Access via must be changed manually to "Clarity Connect (on-prem connector)"

Configure App Step 1 - Connect App

Step 9: App Settings

Complete the App Settings form.  Details for each field can be found in the following article: Common App Configuration Steps

Configure App Step 2 - App Settings

Step 10: User Settings

Complete the User Settings form, and check the table at the top to see if any features are unsupported.  Details for each field can be found in the following article: Common App Configuration Steps

Configure App Step 3 - User Settings

Step 11: Validate Your Selections and Save

Save
Clicking the Save button will trigger the first full sync for your application (even if you selected Manual Syncing).  This includes Service Users, Entitlements, Service User Entitlements, Service User Attributes.

Need Help?

If you have any problems, contact your customer success team. You can also get in touch with our general support via email, open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.


Was this article helpful?

What's Next
Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.