This article explains how company administrators can synchronize the company directory in Rainbow with the Active Directory located on company premises. Synchronization is unidirectional (one-way), from Active Directory to Rainbow.
After synchronization is successful:
- Company members in Active Directory are automatically created in Rainbow with a company subscription (i.e. the Rainbow license assigned to new members in the company).
  Company member creation fails when there are no more Rainbow licenses available for the company.
- Company member settings for which an AD/Rainbow mapping has been defined are automatically updated in Rainbow.
  Note: The company member e-mail cannot be updated from Active Directory to Rainbow.
- Company members deleted in Active Directory are automatically set to 'pending deletion' in Rainbow, and permanently deleted after a grace period (i.e. 10 days). During this period, the deletion of company members can be cancelled from the Members panel of the Rainbow administration interface.
- Optionally (if configured in Rainbow), contacts in Active Directory are automatically created in Rainbow.
Synchronization is performed by the Rainbow LDAP Connector deployed on a computer, and configured using the Rainbow application and company management menu. Only one Rainbow LDAP Connector can be configured at the same time for the company.
Before you start
- You must have an administrator account in the company with a Business or Enterprise license.
- You must have subscribed enough Business and/or Enterprise licenses to create/update all expected users at synchronization.
Warning: If there aren't enough licenses, you'll see the following error message in the synchronization report: "No default licence managed or no available default licences to create/update user ".
Deployment and configuration overview
The Rainbow LDAP Connector deployment and configuration on company premises consists of:
- From the Rainbow application and company management menu, declaring the access settings to Active Directory
- Selecting the Active Directory users and/or contacts to be synchronized
- From a computer with a connection to Active Directory, installing the Rainbow LDAP Connector (*.exe file).
  A Rainbow shortcut and icon are available on the computer.
- Starting the Rainbow LDAP Connector via the Rainbow shortcut or icon, and logging in with your administrator account.
  After login, a local status of the Rainbow LDAP Connector is available, see Monitoring the Rainbow LDAP Connector running status.
  Note: The Single Sign-On (SSO) service must be enabled for the company.
- From the Rainbow application and company management menu, optionally, modifying the predefined attribute mapping between Active Directory and Rainbow
- Verifying configuration (dry run process), and launching a manual synchronization with Active Directory
Note: Manual synchronization is only available after successful dry run.
- Configuring a periodic synchronization with Active Directory
- Enabling/disabling enrollment email to new users created in Rainbow
The scheduled and manual synchronizations automatically generate reports available for download: see Monitoring synchronization reports from Rainbow.
Accessing the management window
- From the Rainbow administration interface, click on Manage your company in the left panel.
- In the MY COMPANY panel, click on the company name, then Members.
- Click on Import.
- Click on icon .
The Rainbow LDAP Connector management page opens.
Connection information for the Rainbow LDAP Connector is displayed at the top of the window. Status is Running when the Rainbow LDAP Connector is connected to Active Directory.
Available actions are:
- To refresh connection status: click on icon in the Status column.
- To generate activity report: click on icon to the right of the Status column. The reports are available in the Reports panel of Rainbow administration interface.
- To remove connection: click on icon to the right of the Status column. This allows you to connect and register a new Rainbow LDAP Connector to Rainbow (e.g. after a host computer change).
Configuring access to Active Directory
- From the Rainbow LDAP Connector management window, in the LDAP connector section, configure the following fields:
- Login and Password: enter the LDAP authentication credentials used by the Rainbow LDAP Connector to access the Active Directory server (use LDAP syntax for Login entry).
- Hostname or IP address: enter the IP address or URL to access the Active Directory server.
  If a URL is entered, syntax is: ldap://<hostname of the Active Directory server>:[port] where :[port] is used to specify a non-standard port number.
- Complete access to Active Directory by selecting the Active Directory objects to be synchronized, see Selecting the Active Directory objects to be synchronized.
Selecting the Active Directory objects to be synchronized
The selected objects can be Active Directory users and/or contacts.
Selecting the users to be synchronized
- From the Rainbow LDAP Connector management window, in the Users Selector section, select the Active Directory users to be synchronized:
- Base DN: enter the root domain where the Active Directory users are located (use LDAP syntax).
- Filter: optionally, apply a filter to synchronize only a subset of Active Directory users (use LDAP syntax for filter definition). By default, all users in Active Directory (person objects) are synchronized.
- Select Users deletion enabled to enable the users deleted in Active Directory to be also deleted in Rainbow.
- Select Delete missing LDAP records if any previously found Active Directory users that are no longer found after a new search must be considered as 'to be deleted'. If Delete missing LDAP records is unselected, only records found with a new search using Base DN for deletion and Filter for deletion will be considered as 'to be deleted' in Rainbow.
- In the Base DN for deletion field, enter the location on Active Directory where the deleted Active Directory users have been moved (use LDAP syntax).
- Optionally, in the Filter for deletion field, apply a filter to select only a subset of Active Directory users (use LDAP syntax for filter definition).
- Click on Update.
Selecting the contacts to be synchronized
- From the Rainbow LDAP Connector management window, in the Business Directory Selector section, select the Active Directory contacts to be synchronized:
- Base DN: enter the root domain where the Active Directory contacts are located (use LDAP syntax).
- Filter: optionally, apply a filter to synchronize only a subset of Active Directory contacts (use LDAP syntax for filter definition). By default, all contacts in Active Directory (contact objects) are synchronized.
- Click on Update.
Configuring AD/Rainbow attribute mapping
Attribute mapping defines the correspondence between the attributes of Active Directory and the attributes of Rainbow. Two different mapping tables must be configured for users and contacts.
Attribute mapping for users
To configure the attribute mapping table for users:
- From the Rainbow LDAP Connector management window, in the Users Selector section, click on Define Attribute Mapping.
The default mapping table is displayed.
- For each Rainbow attribute to be mapped, enter the corresponding Active Directory attribute in the LDAP Attribute column.
  User attribute: LDAP attribute
  - loginEmail: This attribute is mandatory and typically set to userPrincipalName or mail.
  - ldap_id: This attribute is mandatory and typically set to objectGUID or sAMAccountName.
    Ldap_ID is a hidden field that identifies the users created by the AD connector. It must contain a unique ID from Active Directory that is always allocated to the same user.
  - firstname: This attribute is mandatory and typically set to givenName.
  - lastName: This attribute is mandatory and typically set to sn.
  - pbxInternalNumber, pbxShortNumber, number: When the company is associated with PBX equipment, and Active Directory includes PBX telephone settings, these optional attributes can be configured to retrieve PBX telephone settings:
    - pbxInternalNumber to retrieve the phone set numbers
    - pbxShortNumber to retrieve internal numbers
    - number to retrieve the public numbers
  - pbxLdapId: When the company has multiple PBX equipment, and some PBXs have the same internal number, add this attribute in the User Attribute column and enter SiteName in the LDAP Attribute column.
    For each target PBX, go to: Communication > [PBX] > Information, and in the Equipment LDAP name field, enter the name of the site hosting the PBX.
  - country, language, timezone: These optional attributes can be set to constant values.
    Syntax is Const("x") where x is:
    - A three-letter code for country (e.g. Const("ARG") for Argentina)
    - A two-letter code (ISO 639-1) for language (e.g. Const("de") for German)
    - An area/location string for time-zone (e.g. Const("Europe/Paris"))
  - tags0 to tags4, userinfo1 and userinfo2: These optional attributes can be set to constant values.
    Syntax is Const("x") where x is the constant value (e.g. Const("sales"))
- Click on Apply to validate changes and close the mapping table.
- Click on Update.
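A pre-flight check for the user mapping table described above, as an added example that is not part of the original article or of the Rainbow LDAP Connector: it applies a mapping (AD attribute names or Const("x") values) to directory entries and reports unmapped or empty mandatory attributes, malformed country/language/timezone constants, and loginEmail or ldap_id values shared by two entries. The sample mapping, the entries and the function names are constructed for illustration, and comparing values case-insensitively is an assumption.

```python
import re

MANDATORY = ("loginEmail", "ldap_id", "firstname", "lastName")  # per the article
CONST = re.compile(r'^Const\("([^"]*)"\)$')
SHAPES = {  # shapes the article gives for these constant values
    "country": re.compile(r"^[A-Za-z]{3}$"),
    "language": re.compile(r"^[A-Za-z]{2}$"),
    "timezone": re.compile(r"^[A-Za-z_]+(/[A-Za-z0-9_+-]+)+$"),
}

def apply_mapping(mapping, entry):
    """Build the Rainbow-side record for one AD entry (a dict of attributes)."""
    record = {}
    for rainbow_attr, source in mapping.items():
        const = CONST.match(source)
        record[rainbow_attr] = const.group(1) if const else entry.get(source)
    return record

def check(mapping, entries):
    """Return the problems found in the mapping table and the mapped entries."""
    problems = [f"mapping: {a} is not mapped" for a in MANDATORY if a not in mapping]
    for attr, shape in SHAPES.items():
        const = CONST.match(mapping.get(attr, ""))
        if const and not shape.match(const.group(1)):
            problems.append(f"mapping: bad {attr} constant {const.group(1)!r}")
    owners = {"loginEmail": {}, "ldap_id": {}}  # value -> DN that first used it
    for entry in entries:
        record = apply_mapping(mapping, entry)
        for attr in MANDATORY:
            if attr in mapping and not record.get(attr):
                problems.append(f"{entry['dn']}: no value for {attr}")
        for attr, seen in owners.items():
            value = (record.get(attr) or "").lower()  # assumed case-insensitive
            if value and seen.setdefault(value, entry["dn"]) != entry["dn"]:
                problems.append(f"{entry['dn']}: {attr} duplicates {seen[value]}")
    return problems

# Constructed sample mapping and entries (hypothetical directory).
MAPPING = {"loginEmail": "mail", "ldap_id": "objectGUID", "firstname": "givenName",
           "lastName": "sn", "country": 'Const("FR")', "language": 'Const("de")'}
ENTRIES = [
    {"dn": "CN=Ana,OU=Staff,DC=example,DC=test", "mail": "ana@example.test",
     "objectGUID": "a1", "givenName": "Ana", "sn": "Diaz"},
    {"dn": "CN=Bo,OU=Staff,DC=example,DC=test", "mail": "Ana@example.test",
     "objectGUID": "b2", "givenName": "Bo"},
]

if __name__ == "__main__":
    print("\n".join(check(MAPPING, ENTRIES)))
```

When choosing the ldap_id source, note that objectGUID stays the same for the life of an AD account, while sAMAccountName can be renamed or reassigned, which matters given the requirement that the ID always be allocated to the same user.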
Attribute mapping for contacts
To configure the attribute mapping table for contacts:
- From the Rainbow LDAP Connector management window, in the Business Directory Selector section, click on Define Attribute Mapping.
The default mapping table is displayed.
- For each Rainbow attribute to be mapped, enter the corresponding Active Directory attribute in the LDAP Attribute column.
- Click on Apply to validate changes and close the mapping table.
- Click on Update.
Verifying configuration and launching a manual synchronization with Active Directory
From the Rainbow LDAP Connector management window, in the Users Selector section (or Business Directory Selector section for contacts), click on Dry run.
A user or contact import simulation in Rainbow is performed, and a report is displayed indicating how many users or contacts will be added/modified, detached (for users only), or deleted.
If the result is correct, you can launch a manual synchronization: select Do you want to start the import process?, click on Synchronize, and confirm by clicking on Synchronize again.
Configuring a periodic synchronization with Active Directory
Periodic synchronization can be enabled or disabled for Active Directory users only, or for contacts only.
To program a periodic synchronization:
- From the Rainbow LDAP Connector management window, in the Users Selector section (or Business Directory Selector section for contacts), select Automatic users synchronization enabled.
- At the top of the management window, in the Synchronization period (hour) field, enter the interval time (in hours) between two synchronizations.
- In the Next synchronization field, enter the date and time of the next synchronization.
- For a large organization, in the Users Selector section, select Differential synchronization mode to reduce the response size of the LDAP query. When selected, at the next synchronization, the LDAP query only requests the users created or modified since the last synchronization.
- Click on Update.
To interrupt a periodic synchronization, from the Rainbow LDAP Connector management window, in the Users Selector section (or Business Directory Selector section for contacts), unselect Automatic users synchronization enabled.
Enabling/disabling enrollment email to new users
- From the Rainbow LDAP Connector management window, in the Users Selector section, select or unselect Send enrollment email to new users.
  If enabled, new users are notified by email that they have a user account in Rainbow.
- Click on Update.
Monitoring synchronization reports from Rainbow
The report of the last synchronization is directly available in the Rainbow LDAP Connector management window.
Click on the report to display all the synchronization tasks (users/contacts created, updated and deleted) and their status (success, warning, failure). To download the report, click on Save Reports, and download it in Excel format.
To delete the report, click on icon to the right of the report.
To access all the previous reports, click on Sync reports.
In the Done by column, ldap connector indicates that the report concerns an Active Directory synchronization.
In the Description column, manual_synchro indicates a manual synchronization and auto-interval a scheduled synchronization.
Monitoring the Rainbow LDAP Connector running status
From the computer on which the Rainbow LDAP Connector is running, click on the Rainbow icon available on the desktop.
A status window opens.
The status window displays:
- The Rainbow LDAP Connector software version
- The associated Rainbow company name
- The connection status to Rainbow Cloud
- The connection status to Active Directory
- A link to access Log files
- The last synchronization date/time
- The last synchronization digest report (LDAP response records/selected records)