If you are experiencing problems with Active Directory (AD) integration, this article may help you to understand how AD integration was implemented in CentreStack, and may help you to diagnose AD issues.
CentreStack integrates with Active Directory (AD) by allowing you to import AD users through the web portal. Once you have a successful link between CentreStack and an AD, you will be able to select the following AD entities when defining Team Folder Collaborators or Team Folder permissions:
- Groups,
- Organizational Units,
- Proxied Groups (aka Roles, e.g. Administrators, Users, Guests), and
- Users.
If you import one or more users by selecting an AD group that contains the users, the users will not show up in CentreStack's user management until they have logged in to CentreStack for the first time. If you import an AD user directly, the user will show up immediately under CentreStack's user management.
Once a user is imported into CentreStack, it remains linked to Active Directory by the following 3 AD attributes. All 3 must match in both systems:
- userPrincipalName (aka UPN, example: myname@mydomain.local),
- sAMAccountName (aka SAM, example: myname), and
- email (the AD attribute is named mail, example: myname@example.com).
You can inspect these attributes in AD to diagnose AD/CentreStack link problems: in Active Directory Users and Computers, right-click the user, choose "Properties" from the contextual menu, and open the "Attribute Editor" tab to view the attribute names and values. The Attribute Editor is only shown when Advanced Features are enabled, so if you don't see the tab, enable Advanced Features from the View menu. On the CentreStack side the AD values are stored in the database and are not visible through the web portal, so the AD side is the only place you can check them.
Changes made to a user in AD are not reflected in CentreStack, nor vice versa. For example, if a person changes her last name due to marriage, the last name change has to be made manually in both CentreStack and AD. If you only change the last name in AD, the link to CentreStack is still maintained as long as the userPrincipalName, sAMAccountName, and email don't also change: the user can still log in to CentreStack, but the display name will differ between the two systems. At the time of writing this behavior is by design, but additional AD synchronization may be implemented in the future.
If you change a user's password in AD, the user can immediately log in to CentreStack with the new password, since authentication of AD-linked users is delegated to AD.
If you disable the user only in AD, the CentreStack login is also effectively disabled, but the user still appears as enabled on the user management screen. To avoid confusion, disable/suspend the user in CentreStack as well.
For the reasons above, do not "recycle" AD accounts by renaming the attributes of a departed person's account for a new person: the CentreStack record stays linked to the account but keeps the former user's details. Always create new AD users from scratch and then import them into CentreStack.
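The following PowerShell script is an added example for the diagnostic steps above; it is not part of the original article and not a Gladinet tool. It uses the RSAT ActiveDirectory module to pull the three link attributes (userPrincipalName, sAMAccountName, mail) together with the Enabled flag and group count for one or more accounts, and flags any of the three attributes that is empty. The identity values and the function name are placeholders; you need read access to AD to run it.

```powershell
# Added example, not from the article: report the attributes CentreStack uses to
# link an imported user, plus the AD enabled state the portal does not reflect.
# Assumes the RSAT ActiveDirectory module is available on the machine running this.
Import-Module ActiveDirectory

function Get-CentreStackLinkInfo {
    param(
        # sAMAccountName or distinguished name of each account to inspect
        [Parameter(Mandatory)][string[]]$Identity
    )
    $linkAttrs = @('userPrincipalName', 'sAMAccountName', 'mail')
    foreach ($id in $Identity) {
        try {
            $u = Get-ADUser -Identity $id -ErrorAction Stop `
                -Properties userPrincipalName, sAMAccountName, mail, displayName, memberOf
        } catch {
            Write-Warning "User '$id' not found in AD: $($_.Exception.Message)"
            continue
        }
        # Any empty link attribute (typically mail) is the usual cause of a broken link.
        $missing = $linkAttrs | Where-Object { [string]::IsNullOrWhiteSpace($u.$_) }
        [pscustomobject]@{
            sAMAccountName    = $u.sAMAccountName
            userPrincipalName = $u.userPrincipalName
            mail              = $u.mail
            displayName       = $u.displayName
            EnabledInAD       = $u.Enabled          # CentreStack's portal will not show this
            GroupCount        = @($u.memberOf).Count
            MissingLinkAttrs  = ($missing -join ',')
        }
    }
}

# Example usage; 'myname' is a placeholder sAMAccountName.
Get-CentreStackLinkInfo -Identity 'myname' | Format-List
```

Compare the reported values with what the user was imported as; a differing UPN suffix, a renamed sAMAccountName or a blank mail attribute means the account will no longer match the CentreStack record, and EnabledInAD set to False explains a login that fails while the portal still shows the user as enabled.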
Unlike changes to users, changes to AD Organizational Units (OUs) and Groups, such as OU/Group renames or adding/removing child entities, are reflected in CentreStack immediately. If they are not, click the refresh button on the Tenant Dashboard->User Details (click on a user)->Groups page. If group memberships still don't update after a refresh, make sure CentreStack is connecting to AD with an administrative account. A service account created with minimal rights often lacks permission to read the memberOf attribute; with such an account the AD connection can be established, but CentreStack cannot resolve group membership and may not work properly.
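To verify the specific requirement above, bind to AD with the exact credentials CentreStack uses and check whether that account can read memberOf on a user. The script below is an added example, not part of the article or of CentreStack; it uses the .NET System.DirectoryServices classes so that the bind account can be chosen explicitly rather than using the logged-on user. The LDAP path, the credential and the sAMAccountName are placeholders you supply.

```powershell
# Added example, not from the article: bind to AD as the account CentreStack uses
# and test whether it can read memberOf for a user known to be in at least one group
# (a user whose only group is the primary group, e.g. Domain Users, has an empty memberOf).
Add-Type -AssemblyName System.DirectoryServices

function Test-MemberOfReadable {
    param(
        # Placeholder, e.g. 'LDAP://dc01.mydomain.local/DC=mydomain,DC=local'
        [Parameter(Mandatory)][string]$LdapPath,
        # The credential CentreStack is configured to connect to AD with
        [Parameter(Mandatory)][pscredential]$Credential,
        # A user that is a direct member of at least one group
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        $LdapPath, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('sAMAccountName', 'userPrincipalName', 'mail', 'memberOf'))

    $result = $searcher.FindOne()
    if (-not $result) {
        throw "No user with sAMAccountName '$SamAccountName' found, or the bind account cannot see it."
    }
    $props = $result.Properties   # property names come back lower-cased
    # If the bind account lacks read permission on memberOf, the attribute is simply
    # absent from the result instead of raising an error, so test for its presence.
    $readable = $props.Contains('memberof') -and ($props['memberof'].Count -gt 0)
    $mail = $null
    if ($props.Contains('mail')) { $mail = [string]$props['mail'][0] }

    [pscustomobject]@{
        BindAccount       = $Credential.UserName
        sAMAccountName    = [string]$props['samaccountname'][0]
        userPrincipalName = [string]$props['userprincipalname'][0]
        mail              = $mail
        MemberOfReadable  = $readable
        Groups            = @($props['memberof'])
    }
}

# Usage: prompt for the CentreStack AD connection account, then test a known group member.
$cred = Get-Credential -Message 'Account CentreStack uses to connect to AD'
Test-MemberOfReadable -LdapPath 'LDAP://mydomain.local' -Credential $cred -SamAccountName 'myname'
```

If MemberOfReadable is False while the same query run as a domain administrator lists groups, the bind account is the problem. Note that the credentials you enter here are stored by CentreStack, so if you do use an administrative account, treat the CentreStack server and its database as holding domain-admin secrets.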
If you have any questions, please don't hesitate to contact us at ticket@gladinet.com.