Sync Object from AD Portlet

From Sense/Net Wiki
Jump to: navigation, search
  • 100%
  • 6.0.5
  • Enterprise
  • Community
  • Planned


Using Sync Object from AD Portlet users can synchronize a single Active Directory object to the portal by providing the LDAP path of the object. Target path is determined by the Active Directory configuration. Can be invoked using the Synchronize from Active Directory action on the /Root/IMS folder.


This portlet drives the Synchronize from Active Directory action on the /Root/IMS folder. It can synchronize the following types:

  • organizationalUnit (OrganizationalUnit)
  • container (AD Folder)
  • group (Group)
  • user (User)

The portlet executes the requested sync operation immediately when pressing the Sync Object button. It also provides means to check target portal path without connecting to the AD.

Syncing a single object from AD

LDAP path and configuration

The common format of the required path of the Active Directory object is ie.: CN=MyGroup,OU=MyOrg,DC=Nativ,DC=local (you could provide the full LDAP path of the object instead of giving its distinguished name only, like LDAP://,OU=MyOrg,DC=Nativ,DC=local, but it is not necessary). The target portal path for the object is calculated using the Active Directory configuration set up for AD->portal sync. This means that this configuration has to be present in the portal, but otherwise no special configuration is needed to sync an object from AD - besides configuring accounts for syncing correctly, see later.

Check button

By pressing the Check button some common information is displayed about the target path for the Active Directory object given. This operation does not execute any LDAP requests, it simply investigates the provided LDAP path with respect to the Active Directory configuration synctree settings, and displays the following information:

  • info whether a configured synctree can be found for the path or not
  • correspoding synctree information: LDAP server address, synctree root AD and portal paths
  • target portal path
  • info indicating if target path already exists (in this case the existing node will be updated upon syncing, and not created)
  • info indicating if target parent path exists - if it does not, syncing the object will not be successful.

A typical output of the portlet after pressing the Check button would look like this:

Configured synctree: (, OU=MyOrg,DC=Nativ,DC=local) -> (/Root/IMS/NATIV/MyOrg) (configuration)
Target portal path: /Root/IMS/NATIV/MyOrg/TestOrg/mygroup
Target path exists
Target parent path exists

A link to explore the configuration file is also provided in the output.

Sync Object button

The Active Directory object of the given path can be synced by clicking the Sync Object button. The portal will connect to the corresponding AD that is derived from the Active Directory configuration, and create or update the object in the Content Repository. The full AD sync log for the operation is displayed by the portlet after the execution. A typical output of the portlet after pressing the Sync Object button would look like this:

12:17:09 PM: AD sync started.
12:17:09 PM: Updating portal group properties (AD object: LDAP://,OU=TestOrg,OU=MyOrg,DC=Nativ,DC=local; portal object: /Root/IMS/NATIV/MyOrg/TestOrg/mygroup)
12:17:09 PM: Group contains 2 member(s). (AD object: LDAP://,OU=TestOrg,OU=MyOrg,DC=Nativ,DC=local)
12:17:10 PM: AD sync finished.
Check the results: /Root/IMS/NATIV/MyOrg/TestOrg/mygroup

A link to explore the synced object is also provided at the bottom of the output.

Account used for syncing

The portlet can use different user accounts to connect to the Active Directory:

  • use currently logged on Windows authenticated user (default),
  • use app pool user of the portal.

This can be configured with the Use Windows auth impersonation portlet property - by default it is checked, so the currently logged on user account will be used to connect to the AD. The other scenario - using app pool user account - can be set up by granting necessary permissions for the app pool user to connect to the Active Directory. This latter is however not recommended, as it may expose the Active Directory to security threats. Whenever possible stick to the Use Windows auth impersonation setting, and make sure the logged on user has sufficient permissions to connect to the AD and retrieve the object in question.


Own properties

Property Property name for embedding Possible values Description
Use Windows auth impersonation UseImpersonate true/false When checked the currently loggod on Windows user account will be used to connect to Active Directory, otherwise the app pool user account. Using the app pool user for sync exposes the AD to security threats!

Inherited properties

User interface

Property Property name for embedding Possible values Description
Portlet title Title text Sets the visible title of the current portlet. Title header visibility is controlled with Appearance property
Appearance ChromeType Default
Controls title and border visibility. By default both are visible
Custom CSS class(es) SkinPreFix text When set portlet container div appends extra css class(es)

Related links