This article has the steps to connect Clearlogin to a Windows Active Directory domain controller (DC), and to configure delegated permissions for password changes and account unlocks.
Note: The steps in this article require you to expose an Active Directory domain controller to the Internet. If you are syncing your local Windows AD to Azure AD, consider connecting Clearlogin to Azure AD instead.

Identity Source Priorities: A primary use case for identity source priorities is having multiple connections to the same directory. For example, you can configure Clearlogin with two identity sources (two domain controllers) that are members of the same Active Directory forest. Make the higher priority identity source a connection to your primary domain controller, and the lower priority identity source a connection to your secondary domain controller. This way Clearlogin can still authenticate your users when the primary domain controller is not available.
The following prerequisites need to be met before Clearlogin can be configured to connect to an Active Directory domain controller:

- 54.209.59.53
- 54.84.156.93
- 52.26.70.174
- 54.210.149.165
- 54.187.95.53
- 54.187.96.193
To get the service account's DN, do the following:

You can also use this PowerShell command: `Get-ADUser <SAMAccountName>`
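The following PowerShell is an added example and is not part of the Clearlogin article. It reads the service account's distinguished name (the value for the Bind DN field) and checks that the search base exists and resolves user accounts before you paste either value into Clearlogin. The account name `svc_clearlogin`, the OU path `OU=Users,DC=example,DC=com`, and the use of `sAMAccountName` as the search attribute are assumed placeholders; substitute your own values.

```powershell
# Added example (not from the Clearlogin article). Assumed placeholders:
# 'svc_clearlogin' as the bind account's sAMAccountName and an OU path as the search base.
Import-Module ActiveDirectory

$ServiceAccount = 'svc_clearlogin'               # assumed sAMAccountName of the Clearlogin bind account
$SearchBase     = 'OU=Users,DC=example,DC=com'   # assumed search base (placeholder)

# Bind DN (Service Account DN) for the Clearlogin configuration
$bindDn = (Get-ADUser -Identity $ServiceAccount).DistinguishedName
Write-Output "Bind DN: $bindDn"

# Confirm the search base DN exists before using it in Clearlogin
try {
    $null = Get-ADObject -Identity $SearchBase
    Write-Output "Search base found: $SearchBase"
} catch {
    Write-Warning "Search base not found: $SearchBase"
}

# Confirm that users under the search base can be found by the attribute
# Clearlogin will filter on (sAMAccountName is assumed here); show a few samples
Get-ADUser -SearchBase $SearchBase -Filter 'sAMAccountName -like "*"' -ResultSetSize 3 |
    Select-Object sAMAccountName, UserPrincipalName, DistinguishedName |
    Format-Table -AutoSize
```

Run this on a domain-joined machine with the RSAT Active Directory module installed. If the search base lookup fails, fix the DN before saving the identity source, since Clearlogin will not find any users below a base that does not exist.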
In the AD configuration page, fill in the following fields:

| Field | Description |
|---|---|
| Display Name | A label for this identity source. |
| User Domain | The Active Directory domain the user accounts belong to. |
| Access Tag | Leave blank. |
| Priority | When you have multiple identity sources, this number tells Clearlogin which identity source to query first when a user signs in. If two or more identity sources have the same priority number, Clearlogin queries the one with the oldest creation date first and the newest creation date last. Range: 1 (highest priority) to 10 (lowest priority). |
| Timeout | The amount of time Clearlogin waits for a response from the identity source. Default: 10 seconds. |
| Hostname | The FQDN or public IP of your domain controller. |
| TCP Port | The TCP port Clearlogin connects to on the domain controller. |
| Encryption Type | The transport encryption used for the connection to the domain controller. |
| Search Filter | Determines the Active Directory attribute Clearlogin uses when searching for user accounts. You can only have one search filter. |
| Search Base (for User Accounts) | Defines the location in Active Directory where Clearlogin starts its search for user accounts. The location must be given as a DN (Distinguished Name). You can only have one search base. |
| Bind DN (Service Account DN) | The DN (Distinguished Name) of the Clearlogin service account. |
| Bind Password | The password for the Clearlogin service account. |
| Password Modification Operation | If password change/reset is enabled in Security > Passwords, this tells Clearlogin how to perform password modifications. Options: Reset or Change. |
| Failover Protection Destination | Lets you use Clearlogin's native directory as a backup for your AD user accounts. If you have an AD environment with multiple domain controllers and are also syncing your AD to Azure AD, you probably don't need to enable this feature. |
| Remove FQDN from Username | Clearlogin can remove the domain portion of a User Principal Name (UPN) or email address when a user signs in. For example, "user@domain.com" becomes "user". |
Click Update Active Directory Identity Source to save the configuration.
You can test the configuration with the test box at the bottom of the AD Identity Source edit page.
For Clearlogin to be able to change a user's password or unlock a user account, you need to delegate permissions to the Clearlogin Active Directory bind/service account. Perform these steps only if you want Clearlogin to have those permissions; a read-only bind account is sufficient for sign-in alone.
Depending on your requirements and how you have configured delegated permissions in AD, you may need to modify Clearlogin's Password & Lockout settings. To do so, follow the steps in the Password and Lockout Settings article.
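The following is an added example of scoping the delegation to the minimum the article calls for; it is not the Clearlogin article's own procedure, which is performed in the AD Delegation of Control wizard. It uses `dsacls` to grant the service account only the Reset Password and Change Password control-access rights and write access to `lockoutTime` (what an unlock modifies), limited to user objects below one OU. The account `EXAMPLE\svc_clearlogin` and the OU `OU=Users,DC=example,DC=com` are assumed placeholders.

```powershell
# Added example (not from the Clearlogin article). Assumed placeholders:
# the service account EXAMPLE\svc_clearlogin and the OU that holds the users Clearlogin manages.
$Account = 'EXAMPLE\svc_clearlogin'
$OU      = 'OU=Users,DC=example,DC=com'

# /I:S applies the ACE to child objects only; ';user' restricts it to user objects,
# so the service account gets nothing on computers, groups, or the OU itself.

# Needed when Password Modification Operation is set to Reset
dsacls $OU /I:S /G "${Account}:CA;Reset Password;user"

# Needed when Password Modification Operation is set to Change
dsacls $OU /I:S /G "${Account}:CA;Change Password;user"

# Needed to unlock accounts: read/write the lockoutTime attribute on user objects
dsacls $OU /I:S /G "${Account}:RPWP;lockoutTime;user"

# Review the resulting ACEs for the service account
dsacls $OU | Select-String 'svc_clearlogin'
```

Granting only these rights, rather than Full Control or membership in Account Operators, keeps the blast radius small if the bind credential is ever exposed, and the final `dsacls` listing is a quick way to audit that nothing broader was delegated. Changes to delegated rights take effect after replication to the domain controller Clearlogin connects to.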
Warning: You cannot recover from this process. When you delete this configuration, it cannot be restored.