Active Directory

Overview

Configuring Active Directory is an essential part of any PPA deployment.

Doing so will allow you to populate PPA by importing users & groups.

Once imported, you can delegate roles & tasks to these users & groups.

Domain Configuration

Prerequisites

You will need:

  • An Active Directory domain to use for authentication
  • A domain controller with LDAP(S) enabled
  • Some Active Directory credentials (no special permissions are required)

Configuration

The Active Directory form fields are explained below.

Active Directory Form

Domain

The fully qualified Active Directory domain.

Host

One or more Domain Controller IP/DNS addresses.

When supplying multiple addresses, each must be comma-separated.

Protocol

The protocol PPA will use to communicate with Active Directory.

LDAPS vs LDAP

PPA supports LDAP for user authentication into the appliance.

However, all Active Directory tasks require LDAPS to be enabled on the domain controller.

This is because the tasks perform write operations which are not supported by the LDAP protocol.

For this reason we strongly recommend using LDAPS instead of LDAP.

Pinned Certificates

The certificate to use when communicating with Active Directory.

This is optional & by default PPA will accept any certificate.
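
Because PPA accepts any certificate unless one is pinned, it is worth confirming what each domain controller actually presents on LDAPS before choosing a certificate to pin. The following is an added example, not PPA code: it captures the presented certificate from each comma-separated host and compares its SHA-256 fingerprint with fingerprints obtained out-of-band (for instance from the domain controller's own certificate store). The host names, the `fetch` parameter and the fingerprint format are assumptions; the page does not state what format the pin field expects.

```python
import hashlib
import socket
import ssl

LDAPS_PORT = 636  # standard LDAPS port


def fetch_presented_cert(host, port=LDAPS_PORT, timeout=5.0):
    """Return the DER certificate the server presents, without trusting it.

    Verification is off on purpose: this only captures what is presented so
    it can be compared with a fingerprint obtained out-of-band.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, as certificate viewers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_hosts(hosts_field, trusted_fingerprints, fetch=fetch_presented_cert):
    """Check each comma-separated host (as in the Host field) against the
    set of known-good fingerprints; returns {host: status}."""
    results = {}
    for host in (h.strip() for h in hosts_field.split(",")):
        if not host:
            continue
        try:
            fp = sha256_fingerprint(fetch(host))
        except OSError as exc:  # covers ssl.SSLError and socket errors
            results[host] = f"unreachable: {exc}"
            continue
        results[host] = "match" if fp in trusted_fingerprints else f"MISMATCH {fp}"
    return results


if __name__ == "__main__":
    # Constructed sample: fake DER bytes and host names, no network needed.
    known = b"constructed-der-bytes-dc1"
    fake = {"dc1.example.test": known, "dc2.example.test": b"constructed-other"}
    print(audit_hosts("dc1.example.test, dc2.example.test",
                      {sha256_fingerprint(known)}, fetch=fake.__getitem__))
```

A `MISMATCH` result for a host means the certificate seen on the wire is not one of the expected ones and should be investigated before anything is pinned.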

Test Connection

This button tests the connection using the supplied network details.

You will be prompted for a set of one-time credentials if either:

  • Active Directory is being configured for the first time
  • You are modifying an existing configuration & group synchronisation is not enabled

Group Synchronisation

Once Domain Configuration is complete, you will be able to configure group synchronisation.

This is an optional feature used to automatically import users from certain groups into PPA.

Prerequisites

To use this feature you need to have completed the steps in Domain Configuration.

Configuration

The group synchronisation form fields are explained below.

Group Sync Form

Frequency

Controls how often group synchronisation will run.

This setting is required.

Credentials

This feature audits Active Directory periodically, & requires a set of credentials to do so.

These credentials do not need any special permissions in Active Directory.

They are stored in encrypted form & used whenever group synchronisation runs.

This setting is required.

Automatic Removal

Users imported by group synchronisation are set to a state called 'managed'.

If this setting is enabled, users will be removed from PPA when they are both:

  • In the 'managed' state
  • No longer found in any synchronised groups

This removal is performed by the group synchronisation event each time it runs.

To prevent certain users being removed, you can set them to 'unmanaged' on the Users page.

This setting is optional.

Usage

Once you have configured group synchronisation, see the group import section for usage details.

User & Group Import

Users

PPA uses Active Directory as the source of all users other than the built-in admin user.

Users can be directly delegated tasks & roles in PPA.

Groups

Active Directory groups are used to delegate tasks & roles to multiple users.

They can also be used to synchronise users from Active Directory into PPA.

Prerequisites

To import users & groups you need to have completed the steps in Domain Configuration.

Credentials

Searching for users & groups requires a set of Active Directory credentials.

If configured, PPA will automatically use the Active Directory group synchronisation credentials.

Otherwise you must either:

  • Supply one-time credentials (if logged in as admin)
  • Choose to use your current PPA session credentials (if logged in as a domain user)

User Import

This can be done in either of two ways:

  1. Importing one or more users directly from Active Directory
  2. Using the Group Synchronisation feature

This section covers option 1. For option 2, see the Group Synchronisation section above.

The Active Directory user import allows you to search for users by:

  • Name
  • Group Memberships
  • Organizational Unit

User Search

You can build up a list of users to import over multiple searches by:

  • Searching for users
  • Selecting one or more
  • Clicking 'Add' to add them to the 'Selected' table (not shown)
  • Repeating the steps above

Once you are ready to import the selected users, click 'Next'.

You can now choose the following for each user:

  • Authentication type (only available if SAML is configured)
  • Whether they can start tasks
  • Whether they must use MFA to authenticate to PPA

User Settings

You will now be able to directly delegate tasks & roles to the imported users if you wish.

Group Import

The Active Directory group import allows you to search for groups by:

  • Name
  • Organizational Unit

Group Search

You can build up a list of groups to import over multiple searches by:

  • Searching for groups
  • Selecting one or more
  • Clicking 'Add' to add them to the 'Selected' table (not shown)
  • Repeating the steps above

Once you are ready to import the selected groups, click 'Next'.

If Group Synchronisation is configured & enabled you will be able to choose whether:

  • The users in each group should be synchronised
  • The users in each group can start tasks
  • The users in each group must use MFA to authenticate to PPA

If Group Synchronisation is not configured or disabled:

  • The checkbox options in the screenshot below will not be selectable
  • You will still be able to import the groups & delegate tasks & roles to them

Group Settings