diff --git a/docs/integrations/sources/active-directory/01_user_create.png b/docs/integrations/sources/active-directory/01_user_create.png new file mode 100644 index 000000000..2762693bd Binary files /dev/null and b/docs/integrations/sources/active-directory/01_user_create.png differ diff --git a/docs/integrations/sources/active-directory/02_delegate.png b/docs/integrations/sources/active-directory/02_delegate.png new file mode 100644 index 000000000..997c4cf14 Binary files /dev/null and b/docs/integrations/sources/active-directory/02_delegate.png differ diff --git a/docs/integrations/sources/active-directory/03_pb_status.png b/docs/integrations/sources/active-directory/03_pb_status.png new file mode 100644 index 000000000..54355ac23 Binary files /dev/null and b/docs/integrations/sources/active-directory/03_pb_status.png differ diff --git a/docs/integrations/sources/active-directory/index.md b/docs/integrations/sources/active-directory/index.md new file mode 100644 index 000000000..3dd7d5270 --- /dev/null +++ b/docs/integrations/sources/active-directory/index.md 
@@ -0,0 +1,55 @@ +# Active Directory Integration + +## Preparation + +The following placeholders will be used: + + - `ad.company` is the Name of the Active Directory domain. + - `passbook.company` is the FQDN of the passbook install. + +## Active Directory Setup + +1. Open Active Directory Users and Computers + +2. Create a user in Active Directory, matching your naming scheme + + ![](./01_user_create.png) + +3. Give the User a password, generated using for example `pwgen 64 1`. + +4. Open the Delegation of Control Wizard by right-clicking the domain. + +5. Select the passbook service user you've just created. + +6. Ensure the "Reset user password and force password change at next logon" Option is checked. + + ![](./02_delegate.png) + +## passbook Setup + +In passbook, create a new LDAP Source in Administration -> Sources. + +Use these settings: + +- Server URI: `ldap://ad.company` + + For passbook to be able to write passwords back to Active Directory, make sure to use `ldaps://` + +- Bind CN: `@ad.company` +- Bind Password: The password you've given the user above +- Base DN: The base DN which you want passbook to sync +- Property Mappings: Select all and click the right arrow + +The other settings might need to be adjusted based on the setup of your domain. + +- Addition User/Group DN: Additional DN which is *prepended* to your Base DN for user synchronization. +- Addition Group DN: Additional DN which is *prepended* to your Base DN for group synchronization. +- User object filter: Which objects should be considered users. +- Group object filter: Which objects should be considered groups. +- User group membership field: Which user field saves the group membership +- Object uniqueness field: A user field which contains a unique Identifier +- Sync parent group: If enabled, all synchronized groups will be given this group as a parent. + +After you save the source, a synchronization will start in the background. 
When its done, you cen see the summary on the System Tasks page. + +![](./03_pb_status.png) diff --git a/mkdocs.yml b/mkdocs.yml index 99fae727a..f246df78f 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -47,6 +47,8 @@ nav: - Overview: policies/index.md - Expression: policies/expression.md - Integrations: + - as Source: + - Active Directory: integrations/sources/active-directory/index.md - as Provider: - Amazon Web Services: integrations/services/aws/index.md - GitLab: integrations/services/gitlab/index.md
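Review bot: In the new `docs/integrations/sources/active-directory/index.md`, the `Bind CN: \`@ad.company\`` line drops the account name in front of the `@`, so a reader copying it gets an unusable bind identity; it should name the service user created in step 2, e.g. `<service-user>@ad.company` with the placeholder called out. The Server URI example `ldap://ad.company` also contradicts the note right below it that `ldaps://` is needed for password write-back: a simple bind over plain `ldap://` sends the service account's password unencrypted, and this is the account that step 6 has just delegated "Reset user password and force password change at next logon" by right-clicking the domain, i.e. domain-wide. The example should default to `ldaps://ad.company` and present plain `ldap://` as the exception, and the delegation step would benefit from a sentence recommending that the wizard be run on the OU passbook actually syncs (the Base DN) rather than the whole domain where the setup allows it. Smaller wording points in the same hunk: "Addition User/Group DN" and "Addition Group DN" should read "Additional ..."; "When its done, you cen see" should read "When it's done, you can see"; "is the Name of the Active Directory domain" does not need the capital N.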