Syncing Active Directory Users with Postini Message Security

There are two options to sync your Active Directory with Postini, you can host the sync on your server or on Postini’s servers.  You can find information here.

I chose to use the local server tool so that Postini isn’t poking through my firewall and accessing my LDAP.  I’m pushing the information to them.

Go ahead and download the tool here and then install it.  If you’ve ever installed an app, I’m sure that you can do this without detailed instructions.

This whole process is very similar to installing the Google Apps Directory Sync tool.  As a matter of fact – the interface is pretty much the same.  You can see how I set that up here.

Here is how to setup the Google Apps Directory Sync for Email Security.  NOTE: this will only sync users – NOT PASSWORDS.

  1. After installing the Google Apps Directory Sync for Email Security tool, go ahead and open the application.  The first screen you’ll need to configure is the Authentication screen which is highlighted in orange along the left side of the picture below.  At 1. you’ll enter the Admin Email and Password of your Postini account.  This is the account that has the FULL Admin rights for your whole Postini Account.
  2. Select Authentication at #2.  I chose Password since I didn’t go through setting up the Xauth in my Postini account.
  3. I checked the box at #3.  This will send any new users a welcome message from Postini.
  4. If you are using an SSL Proxy or an HTTP Proxy you’ll enter that information here.  I don’t use either on my network so I left them blank.

    Steps 1-4

  5. Here is where you will select which Organization you will sync with.  This is the organization that is setup within your Postini account.  You can sync with more than one Postini Organization if you choose to do so but they must be in the same Postini account.  I only have one Postini organization, therefore I chose the first option.

    Step 5

  6. The Directory Sync tool will remove any users from Postini that are not on in your Active Directory.  It is here that you would enter rules to exclude those users from being deleted.  The 2 rules you see below are in the Sync Tool by default.  I left those rules in place and did not enter any others.  You may choose to do differently.

    Step 6

  7. Here you will enter the information to allow the Sync Tool to pull the data from your Active Directory server.  Connection Type for Microsoft’s Active Directory will be “Standard LDAP”.  Host name can be either the fully qualified domain name or IP address of your Active Directory Domain Controller.  Port # should be 389.  Finally, the Base DN is where you store your user information in Active Directory.  I have an OU called GFC_Staff, hence the data input in this field.  If you have your users spread over multiple OU’s, you’ll need to create a container OU and then relocate your User OU’s into the container OU.  The Container OU will then become the OU that is entered in the Base DN field.
  8. Authentication type for Microsoft Active Directory is Simple.  The Authorized User and Password will be a username that has Admin Rights to your Active Directory.  Notice the format of the Authorized User field:  domain\username.  That format is important – you will not authenticate unless you enter the information in this format.
  9. By clicking on the “Test Connection” button you will then test your connection to your Active Directory Domain Controller.  If you have configured everything correctly up to this point, your test should succeed.

    Steps 7-9

  10. This is where you tell the Sync Tool what user attributes to push up to Postini.  Server Type will be MS Active Directory.  Email Address Attribute will be mail (the attributes are Case Sensitive).  If you have an Exchange Server and have email Alias’ that you would like to upload to Postini, you’ll add the proxyAddress attribute in the Alias Address Attributes field.  Since we don’t have an Exchange Server, I cannot access this field in my Active Directory to add email alias’.  I’ll have to add those manually to Postini.
  11. This is where you’ll tell Postini to upload any mailing lists you may have such as an All-Staff list.  The attribute you’ll enter here is called mail. (again – case sensitive)

    Steps 10 - 11

  12. This is where we are going to tell the Sync Tool which users to push up to Postini.  To make a rule for that, you’ll click on the “Add Rule” button.
  13. Here you are telling the Sync Tool in which Organization you would like to place your users.  Be sure to type this EXACTLY as your Organization is named within Postini.
  14. Now you need to give the Sync Tool direction as to which users to pull over.  I used the rule (objectclass=user) to bring push ALL USERS within the Base DN specified in step 7 up to Postini.

    Steps 12 - 14

  15. If you want to exclude any users from being pushed to Postini, you may do so here by adding rules to exclude them.  I am not excluding any users, thus I have no rules here.

    Step 15

  16. Mailing Lists – I am not using any right now, therefore I have left his area blank and not added any rules.

    Step 16

  17. Enter an address you would like Sync Tool notifications to come from.
  18. Enter any email addresses you would like to have notifications sent to.
  19. Complete the necessary credentials to authenticate to your SMTP Email Relay Host.  You may also test this connection by clicking on the “Test Notification” button at the bottom of the page.

    Steps 17 - 19

  20. THIS IS A MUST!!! It exists to protect you from deleting your whole organization from Postini at one time.  The default is set to delete no more than 5% of your users at one time.  If more than 5% of your users are to be deleted during a sync – the sync will fail.  THIS IS A GOOD THING!  Choose your settings here according to the amount of risk you are willing to assume.

    Step 20

  21. Set where you would like your log files to be stored, the Level of the log, and the Size of the log.  Again this is your choice and your preference.  Set it as you’d like.

    Step 21

  22. The Sync Tool allows you to simulate a sync or test it before actually syncing.  This is a good thing.  Click on “Simulate Sync” to see of your sync would be successful.  You’ll get a full readout of what happens during your sync.
  23. Now – click on File, Save.  Make note of where you save the xml file.  You’ll need to know the location of this file in ordre to make changes in the future, and also to run the REAL sync.
  24. To run the real sync, I wrote a batch file that is attached to a Schedule Task on my Domain Controller.  The syntax of the Batch file is as follows:
    cd “c:\Program Files (x86)\Postini Directory Sync”
    Start sync-cmd.exe -a -c c:\PostiniDirSync.xml

Now, anytime I add a user to the Active Directory I will run the Scheduled Task to push the new user up to Postini.  I’ve also scheduled that task to run automatically, once a week.

I hope this helps.  If you see any errors or would like to make suggestions for improvement, let me know!

Advertisements

Google Apps Directory Sync and AD Passwords

I’ve been working on our Google Apps deployment today and thought I’d share some of what I’ve learned along the way.

Google Apps Directory Sync

The Google Apps Directory Sync tool allows you to sync all of your Users, Groups, Profiles, and Contacts in your LDAP with Google Apps.  The latest revision of this tool also says it will do sync passwords from Microsoft Active Directory.  That’s true  – kinda.  Stay tuned for that…

The Google Apps Directory Sync tool is pretty self explanatory in it’s setup.  It is helpful to know a little bit about LDAP and Active Directory but with a little sleuthing, I was able to figure everything out.  Following are 10 screenshots of my setup in the tool.  The Yellow Highlighted text at the left of each screen shot shows where I am in the configuration and if a screen is skipped, the fields there have been left blank.

Password Sync

Active Directory doesn’t actually keep the user passwords in the LDAP, therefore when trying to sync the passwords – they don’t sync.  You have to get the passwords into an attribute field within Active Directory for this to work.  I found this link that helped explain why the passwords would not sync.  Near the end of the thread, you’ll see a tool referenced.  The tool can be found here.

This tool is basically a dll file that catches the password before it is hidden away, puts it in SHA1 hash format, and then inserts it into the “division” attribute field in Active Directory.  After following the installation directions and then changing my password, I saw the SHA1 hash of my password populate into the “division” LDAP attribute field.  In order to get this field to populate, YOU MUST initiate a password change for the user.  I plan on doing that as I migrate my users over the next few weeks.

Updates

So now, how does Google Apps stay synchronized with Active Directory?  Setup a Scheduled Task on your server to launch at whatever frequency you feel is necessary.  If you need to update in a more timely manor, just manually launch that scheduled task. On the Run line in the Scheduled Task I have the following:

“c:\Program Files\Google Apps Directory Sync\sync-cmd.exe -a -c c:\Documents and Settings\Administrator\My Documents\GAppsDirSync.xml”

I created an old fashioned MS-DOS batch file to launch the Google Apps Directory Sync from the command line.  This batch file is then attached to a Scheduled Task.  In the Batch file my commands are as follows:

cd “c:\Program Files\Google Apps Directory Sync”

Start sync-cmd.exe -a -c c:\GAppsDirSync.xml

Hopefully this helps you get started on syncing your Microsoft Active Directory with Google Apps.  If you see items that need to be clarified, please let me know so that I can make this easier for everyone!

%d bloggers like this: