Synchronize With Active Directory¶

This guide explains how to get Active Directory (LDAP) integration up and running with Totalview.

The most central thing regarding integration between Totalview and Active Directory is the AD Group.

Totalview can only synchronize with AD Groups.

That means that Totalview must be told which AD Groups to synchronise and only members (AD users) or sub-groups of those groups will be synchronized.

Here follows an example/strategy of how Totalview can be configured to synchronize with AD.

AD Structure Case Example¶

The AD can be structured different ways. We don’t provide guidance or suggestions on how to do it, but the assumption in this document is that you have an Organizational Unit (OU) with name “Employees”.

Under “Employees” OU there is assumed to be a number of organization units, each coresponding to a division. If the company is very large, there might be a hierarchy of organizational units.

For our example we have a company with 22 employees, working in six different divisions. Each division is created as an Organizational Unit in Active Directory:

In addition to the company divisions, there are two more Organizational Units:

Other Users
Groups

The Other Users organizational unit, is for users that are not part of a division.

The Groups organizational unit, is for Active Directory groups.

As a minimum, there should be an AD Group for each division:

Preparations in Totalview¶

Create the Totalview Groups, in Totalview Admin, corresponding to the AD Groups.

This must be done under “Custom Fields” tab.

Checkboxes (Active, Visible in client, Use as division, and Synchronize AD) must be checked as shown in screenshot, for the synchronization to work properly.

Create the AD connector in Totalview Admin:

To create an AD connector, category must be set to “System extensions”, and Subtype must be “ActiveDirectory”.

The most important AD connector specific values are highlighted and will be explained in the following sections.

OBS: Changing any of the values in the AD Connector configuration, requires a restart of the connector, to be effective.

1. LDAP address¶

This should contain the public DNS name for the LDAP server for the Active Directory. It should be a Secure LDAP, if it is exposed to public internet.

The address should also contain, in the URL, the Distinguished Name for the node in the tree, where all the groups (including nested/member groups) are in.

In this guide, all groups (including nested/member groups) are under Organizational Unit OU=Groups,OU=Employees,DC=totalview,DC=cloud

If no distinguished name is included in URL, the entire Active Directory will be searched. That is probably not a problem if there are not many AD objects in the AD, but if the AD is large, it can give performance problems.

That results in the following LDAP address:

LDAP://ldaps.totalview.cloud:636/OU=Groups,OU=Employees,DC=totalview,DC=cloud

2. User Name¶

Must be a domain user that has read access to the Active Directory.

3. Mapping Parameters (Optional)¶

It is suggested that Custom Field “Division” is mapped to AD User’s Department AD property.

That will make it easier for co-worker to find each other in Totalview, using the built in filters in PC and mobile clients.

Create the Totalview Groups in AD¶

Create two AD groups named “Totalview Users” and “Totalview Switchboard”, under “OU=Groups,OU=Employees,DC=example,DC=local”:

Group types should be “Distribution”.

Under “Totalview Users” group, add all the relevant employee groups:

Under “Totalview Switchboard” group, add all the relevant employee groups and/or employees:

Select AD Groups to Synchronize in Totalview¶

Make sure the AD connector is running:

Open “Select AD Users” from Function menu under Users tab:

If everything goes well, the following diaglog box should show up. In case of very large Active Directories, it might take some time for the dialog to show up.

Select and add Totalview Users and Totalview Switchboard groups to Synchronized Groups:

Select Ok.

Press Save.

Set Rights for Groups¶

It is possible to set which rights should be enabled or disabled by default, for each group.

For example it would be common that all Totalview Users group should be able to use Totalview in mobile app (IPhone or Android). This can be configured by enabling the “Smart Phone Access” setting, under “Enable Settings”:

After pressing ok, the setting will show up when selecting the group. Changing the value will affect all users that are members of the group - and also users that are added in the future. They will inherrit the selected value by default.

Manually Synchronize with AD¶

Select Users->Functions->Refresh AD Synchronization

Changes will not be saved automatically - press Save to make the changes permanent.

Configure Schedule for Synchronization in Totalview¶

Open the AD Connector configuration under Connectors->AD Connector:

Set checkbox “Sync with AD” under “Active directory sync settings” and set value in “Sync every day at x hours”.

Setting this value to 4, will result in the AD synchronization being performed automatically every day at 04:00.

It will do exacly the same thing as manually selecting to synchronize.

We suggest always doing synchronization manually first, before enabling automatic synchronization, just to make sure that everything works as expected.