The "Active Directory Sync" module imports data from Active Directory and allows LDAP authentication. Its main features are:

  • Import of Users, Org Units and Groups
  • Automatic synchronization by schedule
  • Flexible rules based on membership in OUs / Groups
  • Synchronization of all LDAP attributes in users' profiles
  • Ability to use LDAP credentials for Single Sign-On


Table of Contents

Establishing LDAP connection

Setting up LDAP mapping rules

Import of Org Units and Groups

Sync, Auth and troubleshooting


Establishing LDAP connection

This section describes how to establish an LDAP connection and test it. Check the technical requirements first, then follow the instructions below.

  • Technical requirements
  • The Active Directory server must be reachable from outside your network, so restrict that exposure to the Passport's own IP addresses. To find them, navigate to Users > Active Directory Sync, click "add server", and copy the IP addresses listed on the yellow background. Configure the firewall to allow inbound TCP connections from those addresses only, on the "Port" and/or "SSL Port" defined in the connection configuration. Prefer exposing only the SSL Port: a simple bind over plain LDAP (port 389) sends the service account's password in cleartext.
  • To use a secure LDAP connection (LDAP over SSL), configure an SSL certificate on the AD server. Certificates issued by a trusted Certificate Authority (CA) are imported automatically. If you use a self-signed certificate, contact Technical Support and ask them to import the self-signed certificate from your Active Directory server and mark it as trusted; otherwise the LDAP integration will not work.
  • Creating connection


To establish a connection with Active Directory, navigate to Users > Active Directory Sync, click "add server" and fill out the fields as follows:


  • LDAP Domain: Active Directory domain name (e.g. ad.mycompany.com or mycompany.local).
  • Host: Hostname or IP address of the AD server. When SSL is used, prefer the hostname that the server's SSL certificate was issued for.
  • Port: Port for non-secure connections (default 389).
  • SSL Port: Port for secure connections (default 636).
  • User Name: Username of the LDAP account used to read data from Active Directory. Admin privileges are not required; use a dedicated account with read-only access, since Passport stores its password.
  • Password: Password of the account entered above.
  • Authentication requires SSL: Check this box if the AD server requires secure connections. Check it whenever the SSL Port is reachable, so that credentials are never sent over the non-secure port.
  • Allow administrators of sub organizations to use this server: Activate to let administrators of sub-organizations use this connection.
  • Email Domain Name: If users should be able to log in with their email addresses in addition to their LDAP usernames, enter the email domain here (it may differ from the LDAP domain).
  • Conduct synchronization upon schedule: Activate to synchronize data from the AD server automatically on a regular basis.
  • Schedule: If the previous option is activated, choose the sync interval: 12, 24 or 48 hours.


Click "OK" to save the changes, or skip this step to test the connection before saving.

  • Testing of connection


This option tests the LDAP connection with the credentials of a chosen AD user.

  • Click "Test connection options".
  • Fill out the username and password of a user from Active Directory.
  • Click "Test Connection". The system shows a notification with the status of the LDAP connection at the top of the screen. Click "OK" to save the changes (you can save even if the connection was not established, for later use).
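The in-product test above only reports whether Passport could connect. Before exposing the AD server, a practitioner usually wants to see from outside the network what the LDAPS port presents and whether a public trust store accepts it, since the requirements say only CA-issued certificates are trusted automatically. The following is an added example using the Python standard library; it is not Passport code, and the host name and the EXAMPLE_CERT structure are constructed for illustration. The local trust store stands in for Passport's; treat a pass as indicative, not authoritative.

```python
"""Verify an AD server's LDAPS endpoint from outside the network.

Added example, not part of Passport or its documentation. Standard library
only. The host name and EXAMPLE_CERT are assumptions for illustration.
"""
import hashlib
import socket
import ssl


def _name_attr(name, attr):
    """Read one attribute (e.g. 'commonName') from the nested tuples that
    ssl.SSLSocket.getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def describe_cert(cert):
    """Summarise a getpeercert() dict: subject, issuer, DNS names, expiry."""
    return {
        "subject_cn": _name_attr(cert.get("subject", ()), "commonName"),
        "issuer_cn": _name_attr(cert.get("issuer", ()), "commonName"),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "not_after": cert.get("notAfter"),
    }


def is_self_signed(cert):
    """A self-signed certificate names itself as issuer. Per the requirements,
    Passport does not trust such a certificate automatically."""
    subject = cert.get("subject")
    return subject is not None and subject == cert.get("issuer")


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate, to compare with the
    thumbprint shown in the certificate store on the AD server."""
    return hashlib.sha256(der_bytes).hexdigest()


def check_ldaps(host, port=636, timeout=5.0):
    """TLS-connect to host:port with chain and hostname verification against
    the local trust store (stand-in for 'issued by a trusted CA').
    Returns (True, summary) or (False, diagnostics)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, describe_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        reason = exc.verify_message
    # Verification failed: reconnect without trust, only to report what the
    # server presented. getpeercert() is empty under CERT_NONE, so use DER.
    diag = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    diag.check_hostname = False
    diag.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with diag.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return False, {"error": reason, "sha256": fingerprint(der)}


# Constructed sample in getpeercert() format (assumption, not a real cert).
EXAMPLE_CERT = {
    "subject": ((("commonName", "dc01.ad.mycompany.com"),),),
    "issuer": ((("commonName", "dc01.ad.mycompany.com"),),),
    "subjectAltName": (("DNS", "dc01.ad.mycompany.com"), ("DNS", "ad.mycompany.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    ok, info = check_ldaps("dc01.ad.mycompany.com")  # assumed host name
    print("trusted" if ok else "NOT trusted", info)
```

Run it from a machine outside the network, against the value you entered in "Host". A failure with a verify message such as "self signed certificate" and a fingerprint that matches the certificate in the AD server's store is the case the requirements say needs Technical Support; a hostname mismatch means the name in "Host" is not covered by the certificate.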


Setting up LDAP mapping rules

This section describes how to map Org Units / Groups from Active Directory to Organizations, Roles and Groups in Passport. To create an LDAP mapping, do the following:

  • Creating LDAP mapping rules

Choose the organization for which you are creating the LDAP mapping, using the Organizations selector in the top left corner of the screen.

  • Click "add mapping" in the bottom right corner.
  • Click "Add OU or Group" to browse the AD tree structure.
  • To navigate inside the AD tree, click the arrows beside the elements' names. To choose an element, click its name.
  • Once an element of the AD tree is selected, assign the desired Role or Group by clicking "Add Role" or "Add Group" and choosing a value.
  • To assign a grade level automatically, click "Add grade" and choose a value from the list.
  • To save the LDAP mapping, click "Add" and confirm. To discard changes, click "Cancel". Changes are applied after the next successful synchronization.
  • Editing LDAP mapping rules
  • To edit an LDAP mapping, click "Edit" beside its name.
  • To replace elements, click "Remove" and choose the replacement elements.
  • To save changes, click "Update" and confirm. To discard changes, click "Cancel". Changes are applied after the next successful synchronization.
  • To remove an LDAP mapping, click "Remove" beside its name.
  • Priorities of the rules

A Group and an Org Unit can be combined in one LDAP mapping rule. In that case the system applies a logical AND: the user must be a member of both LDAP elements, otherwise the rule is ignored for that user.

If two or more LDAP mappings match a user's LDAP membership, the priorities are, from highest to lowest:

  • LDAP mapping rules that consist of 2 elements
  • Highest position of the LDAP element inside the AD tree
  • Separate Groups
  • Separate Org Units

Review this order when a user ends up with an unexpected Role: a broad OU rule high in the tree outranks a more specific Group rule.
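The AND rule and the priority list above are easier to reason about when written out as a resolver. The following is an added example, not Passport code; the rules, users and domain are constructed. Two points are interpretations, since the page does not define them: "highest position in the AD tree" is taken as the element DN with the fewest non-DC components (closest to the domain root), and an OU element is taken to match users anywhere below that OU, nested OUs included. DNs are split on commas, which is enough here but not for RDN values containing escaped commas.

```python
"""Resolve which LDAP mapping rule wins for a user under the priorities
listed above. Added example, not Passport code; data is constructed and the
'highest position' and nested-OU interpretations are assumptions.
"""


def dn_parts(dn):
    """Split a DN into its RDNs, most specific first, lower-cased."""
    return [p.strip().lower() for p in dn.split(",")]


def depth(dn):
    """Non-DC components: 'OU=A,DC=x,DC=y' -> 1, 'CN=G,OU=A,DC=x,DC=y' -> 2."""
    return sum(1 for p in dn_parts(dn) if not p.startswith("dc="))


def in_ou(user_dn, ou_dn):
    """True when the user object sits under ou_dn, directly or nested."""
    u, o = dn_parts(user_dn), dn_parts(ou_dn)
    return len(u) > len(o) and u[-len(o):] == o


def element_matches(user, element):
    kind, dn = element
    if kind == "OU":
        return in_ou(user["dn"], dn)
    if kind == "Group":
        return dn_parts(dn) in [dn_parts(g) for g in user["memberOf"]]
    raise ValueError("unknown element kind: %r" % kind)


def rule_matches(user, rule):
    """A rule with two elements is a logical AND: every element must match."""
    return all(element_matches(user, e) for e in rule["elements"])


def priority_key(rule):
    """Sort key (lower wins) implementing the page's order:
    1. two-element rules  2. element closest to the root
    3. a single Group     4. a single Org Unit"""
    elems = rule["elements"]
    kind_rank = 0 if len(elems) == 2 else (1 if elems[0][0] == "Group" else 2)
    return (-len(elems), min(depth(dn) for _, dn in elems), kind_rank)


def resolve(user, rules):
    """Return the winning rule for the user, or None if no rule matches."""
    matching = [r for r in rules if rule_matches(user, r)]
    return min(matching, key=priority_key) if matching else None


BASE = "DC=ad,DC=mycompany,DC=com"          # assumed domain
STAFF = "CN=Staff,OU=Groups," + BASE        # constructed group DN

# Constructed mapping rules: (kind, DN) elements plus the Role they assign.
RULES = [
    {"name": "campus", "role": "Student",
     "elements": [("OU", "OU=Campus," + BASE)]},
    {"name": "staff", "role": "Teacher",
     "elements": [("Group", STAFF)]},
    {"name": "student-staff", "role": "Assistant",
     "elements": [("OU", "OU=Students,OU=Campus," + BASE), ("Group", STAFF)]},
]

# Constructed users: object DN plus memberOf group DNs.
ALICE = {"dn": "CN=Alice,OU=Students,OU=Campus," + BASE, "memberOf": [STAFF]}
BOB = {"dn": "CN=Bob,OU=Students,OU=Campus," + BASE, "memberOf": []}
DAVE = {"dn": "CN=Dave,OU=Campus," + BASE, "memberOf": [STAFF]}

if __name__ == "__main__":
    for user in (ALICE, BOB, DAVE):
        rule = resolve(user, RULES)
        print(user["dn"], "->", rule["name"] if rule else "no rule")
```

Alice matches all three rules and gets "student-staff" because it has two elements. Bob matches only "campus". Dave is the instructive case: both "campus" (an OU one level below the root) and "staff" (a Group two levels down) match, and under the stated order the higher OU wins over the Group, so he becomes a Student, not a Teacher. If that is not the intended outcome, combine the OU and the Group into one two-element rule rather than relying on the tie-break.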


Import of Org Units and Groups

This section describes how to import OUs / Groups from Active Directory in bulk and convert them into Groups inside Passport (these can serve as an analogue of classes or user types, to manage Passport content). To set up the import of LDAP Groups, do the following:

  • Navigate to Users > Active Directory Sync and click "Groups Import".
  • Click "Add OU or Group" to browse the AD tree structure.
  • To navigate inside the AD tree, click the arrows beside the elements' names. To choose an element, click its name.
  • The system imports all OUs / Groups within the selected LDAP element of the AD tree. To filter them, set the Group Name Pattern, which defines the name pattern of the OUs / Groups to import into Passport. For example, with the pattern 'Student' the system imports all AD groups whose names contain 'Student', provided that each such group has at least one user synchronized through the Roles and Groups module.
  • Activate or deactivate the checkbox "Merging of matching groups Passport and Active Directory" to merge OUs / Groups from Active Directory with existing Groups inside Passport when their names match.
  • To save the configuration, click "Save" and confirm. To discard changes, click "Cancel". Changes are applied after the next successful synchronization.


Sync, Auth and troubleshooting

  • Data synchronization

After the connection with Active Directory is established and at least one mapping rule exists, the matching users can be imported from the Active Directory server. To do that, navigate to Users > Active Directory Sync and click "Run Sync". The system shows the notification "Data sync with Active Directory is initiated. It may take a few minutes for a process to complete", which disappears as soon as the synchronization completes.

  • LDAP Authentication

Once users have been imported, they can log in to the system with their LDAP credentials. Both forms of LDAP username are supported: username and username@domain.

If "Email Domain Name" was set in the connection configuration, users can also log in with the "mail" attribute of their AD profile as the username (even if that domain differs from the domain of the Active Directory server itself).
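Three login forms therefore have to be told apart and looked up by different AD attributes. The page does not describe how Passport performs that lookup; the following added example shows one way to do it and, more importantly, why the submitted name must be escaped before it is placed in an LDAP search filter. It is not Passport code; the attribute choices (sAMAccountName, userPrincipalName, mail) and the domain names are assumptions.

```python
"""Map a submitted login name to the AD attribute it should be looked up by,
and escape it before it goes into an LDAP search filter.

Added example, not Passport code. Attribute names and domains are assumptions.
"""


def escape_filter_value(value):
    """RFC 4515 escaping for assertion values. Without it a login such as
    '*)(objectClass=*' rewrites the filter (LDAP injection)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def classify_login(login, ldap_domain, email_domain=None):
    """Return (attribute, value) for the directory lookup.
    - 'jdoe'                -> sAMAccountName
    - 'jdoe@<LDAP Domain>'  -> userPrincipalName
    - 'jdoe@<Email Domain>' -> mail (only when Email Domain Name is set)
    Any other domain is rejected rather than guessed."""
    login = login.strip()
    if "@" not in login:
        return "sAMAccountName", login
    local, _, domain = login.rpartition("@")
    if not local:
        raise ValueError("empty local part in %r" % login)
    domain = domain.lower()
    if domain == ldap_domain.lower():
        return "userPrincipalName", login
    if email_domain and domain == email_domain.lower():
        return "mail", login
    raise ValueError("domain %r is neither the LDAP nor the email domain" % domain)


def build_filter(login, ldap_domain, email_domain=None):
    """Complete search filter for the user object, with the value escaped."""
    attr, value = classify_login(login, ldap_domain, email_domain)
    return "(&(objectClass=user)(%s=%s))" % (attr, escape_filter_value(value))


if __name__ == "__main__":
    # Assumed connection settings: LDAP Domain and Email Domain Name.
    for name in ("jdoe", "jdoe@ad.mycompany.com", "jdoe@mycompany.com", "*)(objectClass=*"):
        print(name, "->", build_filter(name, "ad.mycompany.com", "mycompany.com"))
```

The last sample shows the point of the escaping: the hostile value is looked up as a literal sAMAccountName and cannot widen the filter. Rejecting unknown domains instead of falling back to a bare username lookup keeps an address from another domain from matching a local account with the same local part.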

  • Troubleshooting


  • To check status of LDAP connection:

Navigate to: Users > Active Directory Sync and check value of "Status".

  • To update status of LDAP connection:

Navigate to: Users > Active Directory Sync and click "refresh".

  • To test LDAP connection for selected credentials:

Navigate to: Users > Active Directory Sync, click "Edit Server Options" > "Test connection options", fill out username and password and click "Test Connection".

  • To identify whether the user was imported or not:

Navigate to: Users > Users, choose "All suborganizations" and search for the user by one of these attributes: username, email address, first name, last name.

  • To find all users who have been imported from selected OU or Group:

Navigate to: Users > Users, choose "All suborganizations" and search by the name of the OU or Group (e.g. OU=Users or CN=Staff).

  • To apply new SSL certificate of AD server (issued by trusted CA):

Navigate to: Users > Active Directory Sync, click "Edit Server Options" and save changes by clicking "OK".

  • To apply new SSL certificate of AD server (self-signed):

Contact Technical Support and provide the domain name of the Active Directory server.

  • To deactivate user profile of LDAP user:

Navigate to: Users > Users, find the user account, activate its checkbox and click "Delete".

  • To re-import users who have been deleted previously:

Navigate to: Users > Active Directory Sync, edit and save any LDAP mapping (or the AD server connection itself), then start a data synchronization by clicking "Run Sync" (this synchronization can take longer than usual).

  • To let user login, even if LDAP authentication does not work:

Navigate to: Users > Users, find the user account and set a temporary password. Remove it once LDAP authentication works again: while it is set, the user can log in without Active Directory.

  • To change Organization, Role or Group of imported users:

Navigate to: Users > Active Directory Sync, edit the respective LDAP mappings, then start a data synchronization by clicking "Run Sync".