Active Directory Setup

You can integrate with Active Directory by mapping Gemini Security Groups to Active Directory Groups.

The account used to access AD should ideally be a dedicated service account with a non-expiring password. It needs only read access for the lookups described on this page, so avoid using an administrative account. Syntax for the AD username:

  • [domain name]\user
  • user@[domain name].[node extension]

Examples:

  • my_domain\bob
  • bob@my_domain.com

You can also choose to have Gemini automatically create new user accounts for users that exist in Active Directory.

Tip: If you need to connect to more than one domain, the connection strings can be double-pipe (||) delimited.

Connection String

There are various ways to specify the AD connection string. Syntax:

  • dc=[domain name],dc=[node extension]
  • [domain controller]/dc=[domain name],dc=[node extension]

Examples:

  • dc=my_domain,dc=com
  • server_name/dc=my_domain,dc=com

Note: Make sure the AD user you have specified has read permission on the "userAccountControl" attribute for the OU being synchronized; without it Gemini cannot tell whether an account is disabled.
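The two connection string forms above, together with the double-pipe delimiter for multiple domains, make up a small format that is easy to get wrong (a missing "dc=" component or an "ou=" where Gemini expects a base DN). The following parser is an added example, not Gemini's own code: it splits a "||"-delimited value into (domain controller, base DN) pairs, validates that each base DN consists only of dc= components, and turns a base DN back into the DNS domain name it denotes. The AdConnection type and function names are assumptions for this example.

```python
"""Parse Gemini-style AD connection strings (added example, not Gemini's code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AdConnection:
    server: Optional[str]  # domain controller host, or None to let the client locate one
    base_dn: str           # e.g. "dc=my_domain,dc=com"


def parse_base_dn(base_dn: str) -> List[str]:
    """Split 'dc=my_domain,dc=com' into its dc labels, rejecting anything that is not dc=."""
    labels = []
    for part in base_dn.split(","):
        key, sep, value = part.strip().partition("=")
        if sep != "=" or key.strip().lower() != "dc" or not value.strip():
            raise ValueError(f"expected dc=<label>, got {part.strip()!r} in {base_dn!r}")
        labels.append(value.strip())
    return labels


def parse_connection_string(conn: str) -> List[AdConnection]:
    """Parse one or more '||'-delimited connection strings.

    Accepted forms (from the page):
        dc=[domain name],dc=[node extension]
        [domain controller]/dc=[domain name],dc=[node extension]
    """
    results = []
    for entry in conn.split("||"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing or doubled delimiter
        head, sep, tail = entry.partition("/")
        if sep:
            server, base_dn = (head.strip() or None), tail.strip()
        else:
            server, base_dn = None, head
        parse_base_dn(base_dn)  # raises ValueError on a malformed base DN
        results.append(AdConnection(server, base_dn))
    if not results:
        raise ValueError("no connection string given")
    return results


def is_valid_connection_string(conn: str) -> bool:
    """True if every delimited entry parses, False otherwise."""
    try:
        parse_connection_string(conn)
        return True
    except ValueError:
        return False


def dns_domain(conn: AdConnection) -> str:
    """Turn the base DN back into the DNS domain it names, e.g. my_domain.com."""
    return ".".join(parse_base_dn(conn.base_dn))


if __name__ == "__main__":
    for c in parse_connection_string("server_name/dc=my_domain,dc=com || dc=other_domain,dc=local"):
        print(c.server, c.base_dn, dns_domain(c))
```

Run it on the value you intend to paste into Gemini: an entry that fails to parse here will also fail the validation step described below, and checking it offline avoids waiting for the sync interval to find out.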

Validating

Once you have saved your configuration, wait 5 minutes, then navigate to any Group and click the Active Directory multi-select field. If the connection is working you will see a list of your AD groups; an empty list or an error means the connection string or the account's permissions need checking.

Import Rules

To reduce load on Active Directory and keep Gemini responsive, Gemini imports an AD user only if it meets the following three (3) criteria:

  • The AD account must not be disabled.
  • The AD account must have an email address in the AD "email" field if you have enabled the "Only synchronize users with valid email" option.
  • The AD account must have logged in to the domain at least once if you have enabled the "Only synchronize users that have logged in at least once" option.
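To see which accounts the three rules will let through before the next sync runs, it helps to express them both as an LDAP search filter and as a check over returned records. The block below is an added example, not Gemini's code, and makes assumptions the page does not state: "disabled" is the ACCOUNTDISABLE bit (0x2) of userAccountControl, tested in the filter with the bitwise-AND matching rule 1.2.840.113556.1.4.803; the "email" field is the AD mail attribute; and "logged in at least once" is a non-zero lastLogonTimestamp. The sample records are constructed for the example.

```python
"""Apply the AD import rules to user records (added example, not Gemini's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# userAccountControl flag bits (standard AD values)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Bitwise-AND matching rule OID, used to test a single flag bit in an LDAP filter
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


@dataclass
class ImportOptions:
    require_email: bool = True      # "Only synchronize users with valid email"
    require_logged_in: bool = True  # "Only synchronize users that have logged in at least once"


def ldap_import_filter(opts: ImportOptions) -> str:
    """Build a search filter that returns only the accounts the rules would import."""
    clauses = [
        "(objectClass=user)",
        "(objectCategory=person)",
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE}))",
    ]
    if opts.require_email:
        clauses.append("(mail=*)")  # assumption: the page's "email" field is the mail attribute
    if opts.require_logged_in:
        clauses.append("(lastLogonTimestamp>=1)")  # assumption: zero/absent means never logged in
    return "(&" + "".join(clauses) + ")"


def import_reason(user: Dict[str, object], opts: ImportOptions) -> Optional[str]:
    """Return None if the record passes every rule, otherwise the rule it failed."""
    uac = int(user.get("userAccountControl", 0) or 0)
    if uac & ACCOUNTDISABLE:
        return "account disabled"
    mail = str(user.get("mail") or "").strip()
    if opts.require_email and "@" not in mail:
        return "no valid email"
    if opts.require_logged_in and int(user.get("lastLogonTimestamp", 0) or 0) == 0:
        return "never logged in"
    return None


def select_importable(users: List[Dict[str, object]], opts: ImportOptions) -> List[str]:
    """Names of the users that would be imported under the given options."""
    return [str(u["sAMAccountName"]) for u in users if import_reason(u, opts) is None]


# Constructed sample records shaped like the attributes an LDAP search would return.
LOGGED_IN = 133500000000000000  # some non-zero Windows FILETIME
SAMPLE_USERS: List[Dict[str, object]] = [
    {"sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT,
     "mail": "bob@my_domain.com", "lastLogonTimestamp": LOGGED_IN},
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "mail": "alice@my_domain.com", "lastLogonTimestamp": LOGGED_IN},
    {"sAMAccountName": "svc_backup", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "mail": "", "lastLogonTimestamp": LOGGED_IN},
    {"sAMAccountName": "newhire", "userAccountControl": NORMAL_ACCOUNT,
     "mail": "newhire@my_domain.com", "lastLogonTimestamp": 0},
]


if __name__ == "__main__":
    opts = ImportOptions()
    print(ldap_import_filter(opts))
    for u in SAMPLE_USERS:
        print(u["sAMAccountName"], import_reason(u, opts) or "import")
```

Two caveats when using a check like this against a real domain: lastLogonTimestamp is replicated lazily (it can lag a real logon by days), so a recently created account may still read as "never logged in" on the controller Gemini queries, and the filter only works if the service account can read userAccountControl, which is exactly what the note above about OU permissions is about.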

Tip: If you want to force a specific domain name for new users, enter that domain in the "AD Domain" field.

Note: The user's email address is imported only when the user is new to Gemini. Email addresses of existing users are not updated by the sync.

Mapping AD user attributes to Gemini custom fields

Gemini allows you to map Active Directory user attributes to custom fields, so when you view a ticket you can see the mapped Active Directory information on the ticket.

Configuration

From the Apps section you can set the interval between AD syncs, check the sync log for errors, and force a sync to run immediately.