Use a dedicated service account for SGNL (for example sgnl-sync-service) and note its distinguished name (for example CN=sgnl-sync-service,CN=Users,DC=example,DC=com).
Test LDAP connectivity from a machine that can reach your Domain Controller:
ldapsearch -x -H ldap://your-dc.example.com:389 -D "CN=sgnl-sync-service,CN=Users,DC=example,DC=com" -W -b "DC=example,DC=com" "(objectClass=user)"
For LDAPS, verify SSL certificate:
openssl s_client -showcerts -connect your-dc.example.com:636
If using LDAPS for secure communication:
Run the following command to retrieve the certificate chain:
openssl s_client -showcerts -connect your-dc.example.com:636 < /dev/null
Copy all certificates from the output (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines)
Create a file containing all certificates in order (server certificate first, then intermediate certificates, then root CA)
Base64 encode the entire certificate chain:
base64 -w 0 certificate-chain.pem
Save this base64 encoded string for use in the SGNL configuration
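The certificate-chain steps above can be scripted. The following is an added example, not SGNL's own tooling: it splits a PEM file into certificate blocks, checks that each block decodes to a DER SEQUENCE (the outer structure of every X.509 certificate), produces the single-line base64 string that `base64 -w 0` would give, and places it in the `certificateChain` field of the adapter configuration shown later on this page. It also reverses the encoding, which is the troubleshooting step for SSL certificate errors. The sample chain it ships with is constructed placeholder data, not real certificates.

```python
"""Build the LDAPS adapter configuration from a PEM certificate chain (added example)."""
import base64
import json
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_chain(pem_text):
    """Return the PEM certificate blocks in file order, each re-wrapped to canonical 64-column PEM."""
    blocks = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # X.509 certificates are DER SEQUENCEs (tag 0x30)
            raise ValueError("PEM block does not contain a DER SEQUENCE")
        b64 = base64.b64encode(der).decode()
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n")
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found in input")
    return blocks


def encode_chain(pem_text):
    """Equivalent of `base64 -w 0 certificate-chain.pem`: one line, no wrapping, whole chain."""
    return base64.b64encode("".join(split_pem_chain(pem_text)).encode()).decode()


def decode_chain(b64_chain):
    """Reverse step (`base64 -d`) used when troubleshooting: returns the PEM blocks found."""
    return split_pem_chain(base64.b64decode(b64_chain, validate=True).decode())


def build_ldaps_adapter_config(pem_text, base_dn, entity_queries):
    """Assemble the LDAPS adapter configuration JSON structure described on this page."""
    return {
        "baseDN": base_dn,
        "certificateChain": encode_chain(pem_text),
        "entityConfig": {name: {"query": query} for name, query in entity_queries.items()},
    }


def _placeholder_block(label):
    """Constructed placeholder: a tiny DER SEQUENCE wrapping a label. NOT a real certificate."""
    content = b"\x04" + bytes([len(label)]) + label  # OCTET STRING carrying the label
    der = b"\x30" + bytes([len(content)]) + content  # SEQUENCE { OCTET STRING }
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


# Constructed sample chain in the order the page asks for: server, intermediate, root CA.
SAMPLE_CHAIN = "".join(_placeholder_block(label) for label in (b"server", b"intermediate", b"root-ca"))

ENTITY_QUERIES = {
    "User": "(&(objectCategory=user)(objectClass=user)(distinguishedName=*))",
    "Group": "(&(objectCategory=group)(objectClass=group)(distinguishedName=*))",
}

if __name__ == "__main__":
    # With a real chain: open("certificate-chain.pem").read() instead of SAMPLE_CHAIN.
    print(json.dumps(build_ldaps_adapter_config(SAMPLE_CHAIN, "DC=example,DC=com", ENTITY_QUERIES), indent=2))
```

Because `split_pem_chain` validates every block before encoding, a chain file that was pasted with a truncated or corrupted block fails here rather than after the System of Record has been saved.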
Login to the SGNL Console
From the left menu, select Identity Data Fabric
Click “Add System of Record” or “Add”
The SGNL SoR Catalog will show up on the screen
Click on “Active Directory” which will open up the New System of Record screen with some configuration options pre-populated from the Active Directory SoR template
Configure the following fields:
System Configuration:
Domain Controller address: your-dc.example.com or your-dc.example.com:389 for LDAP, or your-dc.example.com:636 for LDAPS
Adapter: LDAP-1.0.0
Authentication:
The service account distinguished name (for example CN=sgnl-sync-service,CN=Users,DC=example,DC=com) and its password
Configure the Adapter Configuration. Click on the Adapter Config field and update the JSON with your Active Directory settings:
For LDAP (without SSL):
{
  "baseDN": "DC=example,DC=com",
  "entityConfig": {
    "User": {
      "query": "(&(objectCategory=user)(objectClass=user)(distinguishedName=*))"
    },
    "Group": {
      "query": "(&(objectCategory=group)(objectClass=group)(distinguishedName=*))"
    }
  }
}
For LDAPS (with SSL):
{
  "baseDN": "DC=example,DC=com",
  "certificateChain": "LS0tLS1CRUdJTi...[your base64 encoded certificate chain]...LS0tLS0K",
  "entityConfig": {
    "User": {
      "query": "(&(objectCategory=user)(objectClass=user)(distinguishedName=*))"
    },
    "Group": {
      "query": "(&(objectCategory=group)(objectClass=group)(distinguishedName=*))"
    }
  }
}
Note: You can customize the LDAP queries to filter specific objects. For example:
(&(objectCategory=user)(objectClass=user)(distinguishedName=*OU=SpecificOU,DC=example,DC=com))
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648)) (the bitwise-AND matching rule against bit 0x80000000, which selects security-enabled groups only)
Click “Continue” to save your Active Directory System of Record. You will be taken to the Active Directory System of Record page.
All entities and relationships are created as defined in the Active Directory template:
If needed, you can edit an entity to modify its properties or attributes. Hover over the entity to see the Edit button.
(Optional) Create additional relationships to connect Active Directory data with other Systems of Record. For example:
Enable synchronization for each entity you want to sync. Note that synchronization is disabled by default:
Finally, enable synchronization for the entire System of Record by clicking the sync toggle at the top of the page.
After synchronization completes, you’ll see the number of objects ingested for each entity. You can then:
You can customize the LDAP queries in the adapter configuration to filter or select specific objects:
{
  "entityConfig": {
    "User": {
      "query": "(&(objectCategory=user)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    }
  }
}
This example excludes disabled user accounts by testing the ACCOUNTDISABLE bit (value 2) of the userAccountControl attribute with the bitwise-AND matching rule.
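To check a custom entityConfig query before putting it into the adapter configuration, the following added example (not SGNL's code) implements a small evaluator for the filter syntax used on this page: AND/OR/NOT, equality and presence matches, and the Active Directory bitwise-AND matching rule 1.2.840.113556.1.4.803 used by the userAccountControl and groupType filters. It runs the page's queries against a handful of constructed sample objects (an enabled user, a disabled user, a domain controller, a security group and a distribution group) so the effect of each filter term is visible offline, and it reports queries that do not parse. The sample objects are a simplification: objectCategory holds the short class name that AD accepts in filters, and attribute names are lower-cased.

```python
"""Offline evaluator for the Active Directory LDAP filters used in entityConfig (added example)."""
import fnmatch

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND: all bits of the mask must be set


def parse(filter_text):
    """Parse an RFC 4515 style filter into a tuple tree; raises ValueError when malformed."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(filter_text) or filter_text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {filter_text!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos >= len(filter_text):
            raise ValueError("unterminated filter")
        op = filter_text[pos]
        if op in "&|":
            pos += 1
            children = []
            while pos < len(filter_text) and filter_text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if op == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", child)
        end = filter_text.find(")", pos)  # simple items on this page contain no ')'
        if end < 0:
            raise ValueError("missing ')'")
        attr, sep, value = filter_text[pos:end].partition("=")
        pos = end + 1
        if not sep:
            raise ValueError(f"no '=' in item {attr!r}")
        if attr.endswith(":"):  # extensible match written as attr:rule:=value
            attr, rule = attr[:-1].split(":", 1)
            return ("ext", attr.lower(), rule, value)
        return ("eq", attr.lower(), value)

    tree = node()
    if pos != len(filter_text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, obj):
    """True if obj (dict: lower-cased attribute name -> list of values) satisfies the tree."""
    kind = tree[0]
    if kind == "&":
        return all(matches(c, obj) for c in tree[1])
    if kind == "|":
        return any(matches(c, obj) for c in tree[1])
    if kind == "!":
        return not matches(tree[1], obj)
    values = obj.get(tree[1], [])
    if kind == "eq":
        if tree[2] == "*":  # presence filter, e.g. (distinguishedName=*)
            return bool(values)
        # AD string comparison is case-insensitive; '*' inside the value is a wildcard
        return any(fnmatch.fnmatchcase(str(v).lower(), tree[2].lower()) for v in values)
    if tree[2] != BIT_AND_RULE:
        raise ValueError(f"unsupported matching rule {tree[2]}")
    mask = int(tree[3])
    return any((int(v) & mask) == mask for v in values)


def _obj(category, classes, dn, **attrs):
    """Build a constructed sample object; attribute names are stored lower-cased."""
    obj = {"objectcategory": [category], "objectclass": classes, "distinguishedname": [dn]}
    obj.update({name.lower(): [value] for name, value in attrs.items()})
    return obj


# Constructed sample data, not real directory content. Computers carry objectClass=user
# in AD, which is why the page's queries pair objectClass with objectCategory.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_OBJECTS = {
    "alice": _obj("user", USER_CLASSES, "CN=alice,OU=SpecificOU,DC=example,DC=com", userAccountControl=512),
    "bob": _obj("user", USER_CLASSES, "CN=bob,CN=Users,DC=example,DC=com", userAccountControl=514),  # ACCOUNTDISABLE bit set
    "dc01": _obj("computer", USER_CLASSES + ["computer"], "CN=DC01,OU=Domain Controllers,DC=example,DC=com", userAccountControl=532480),
    "admins": _obj("group", ["top", "group"], "CN=admins,CN=Users,DC=example,DC=com", groupType=-2147483646),  # global security group
    "newsletter": _obj("group", ["top", "group"], "CN=newsletter,CN=Users,DC=example,DC=com", groupType=2),  # global distribution group
}


def select(filter_text, objects=SAMPLE_OBJECTS):
    """Sorted names of the objects matching the filter."""
    tree = parse(filter_text)
    return sorted(name for name, obj in objects.items() if matches(tree, obj))


def validate_entity_config(config):
    """Map each entityConfig entity to None if its query parses, otherwise to the error text."""
    report = {}
    for name, entity in config["entityConfig"].items():
        try:
            parse(entity["query"])
            report[name] = None
        except ValueError as exc:
            report[name] = str(exc)
    return report


if __name__ == "__main__":
    print("objectClass only:", select("(objectClass=user)"))  # includes the computer account
    print("enabled users   :", select("(&(objectCategory=user)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"))
    print("security groups :", select("(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))"))
```

The groupType sample values are the signed 32-bit integers AD actually stores (a global security group is -2147483646), and the evaluator applies the mask to that signed value, which is also how the 2147483648 mask behaves on the directory itself.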
To sync additional Active Directory attributes not included in the default template (for example employeeID, manager or telephoneNumber), edit the corresponding entity and add them to its attributes.
If your Active Directory is not directly accessible from SGNL’s cloud infrastructure:
If you encounter SSL certificate errors when using LDAPS:
echo "[your-base64-string]" | base64 -d > cert_chain.pem
openssl crl2pkcs7 -nocrl -certfile cert_chain.pem | openssl pkcs7 -print_certs -text -noout
If synchronization fails with timeout errors:
telnet your-dc.example.com 389 (or 636 for LDAPS)
If entities show 0 objects after synchronization or the entity shows that ‘Sync has Failed’:
Run ldapsearch with the same service account credentials to confirm the entity query returns results
For large Active Directory deployments:
Once your Active Directory data is successfully synchronized to SGNL: