User Synchronization
This Server Task synchronizes the Users and User Group information from a source such as Active Directory, LDAP parameters, etc.
To create a new Server Task, click Tasks > New > Server Task or select the desired task type on the left and click New > Server Task.
Basic
In the Basic section, type basic information about the task, such as a Name and Description (optional). Click Select tags to assign tags.
In the Task drop-down menu, select the task type you want to create and configure. If you have selected a specific task type before creating a new task, Task is pre-selected based on your previous choice. Task (see the list of all Tasks) defines the settings and the behavior for the task.
You can also select from the following task trigger settings:
•Run task immediately after finish - Select this option to have the task run automatically after you click Finish.
•Configure trigger - Select this option to enable the Trigger section, where you can configure trigger settings.
To set the trigger later, leave the check boxes deselected.
Settings
Common Settings
User Group Name - by default, the root group for synchronized users is used (this is the All group). Alternatively, you can create a new User Group.
User Creation Collision Handling - handles the two types of conflict that might occur:
•There are two users with the same name in the same group.
•There is an existing user with the same SID (anywhere in the system).
You can set collision handling to:
•Skip - user is not added to ESET PROTECT during synchronization with Active Directory.
•Overwrite - the existing user in ESET PROTECT is overwritten by the user from Active Directory. In the case of an SID conflict, the existing user in ESET PROTECT is removed from its previous location (even if the user was in a different group).
User Extinction Handling - If a user no longer exists, you can either Remove this user or Skip it.
User Group Extinction Handling - If a user group no longer exists, you can either Remove this user group or Skip it.
If you use custom attributes for a user, set User Creation Collision Handling to Skip. Otherwise, the user (and all details) will be overwritten with the data from Active Directory, losing the custom attributes. If you want to overwrite the user, change User Extinction Handling to Skip.
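The collision and extinction rules above are easier to reason about when applied to a concrete list of users. The following simulation is an added example, not ESET code: the User class, the from_directory flag (to tell directory-sourced users from ones created by hand in the console) and the custom attribute dictionary are assumptions chosen to mirror the documented options, and the sample users are constructed.

```python
"""Simulation of the User Synchronization collision and extinction rules.
Added example, not ESET code; data model and rule names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class User:
    name: str
    group: str
    sid: str
    from_directory: bool = True                           # False: created by hand in the console
    custom: Dict[str, str] = field(default_factory=dict)  # custom attributes (assumed field)

SKIP, OVERWRITE, REMOVE = "Skip", "Overwrite", "Remove"

def synchronize(existing: List[User], incoming: List[User], *,
                collision: str = SKIP, extinction: str = SKIP) -> List[User]:
    """Merge users read from the directory (incoming) into the console list (existing).
    A collision is either a user with the same name in the same group, or an
    existing user with the same SID anywhere in the system."""
    users = list(existing)
    for new in incoming:
        by_sid = [u for u in users if u.sid == new.sid]
        by_name = [u for u in users if u.name == new.name and u.group == new.group]
        if by_sid or by_name:
            if collision == SKIP:
                continue                     # Skip: the directory user is not added
            # Overwrite: on an SID conflict the old entry is removed from wherever
            # it lived, even a different group; its custom attributes are lost.
            for old in by_sid + [u for u in by_name if u not in by_sid]:
                users.remove(old)
            users.append(new)
        else:
            users.append(new)
    if extinction == REMOVE:
        # Directory-sourced users that no longer exist in the source are removed;
        # users created in the console are never treated as extinct.
        live = {u.sid for u in incoming}
        users = [u for u in users if not u.from_directory or u.sid in live]
    return users

def demo() -> Dict[str, List[User]]:
    """Run one constructed synchronization under both collision settings."""
    existing = [
        User("jdoe", "All/Sales", "S-1-5-21-1", custom={"phone": "555-0100"}),
        User("asmith", "All", "S-1-5-21-2"),
        User("svc-backup", "All", "local-1", from_directory=False),
    ]
    incoming = [
        User("jdoe", "All/Marketing", "S-1-5-21-1"),   # same SID, moved to another group
        User("bnew", "All", "S-1-5-21-3"),             # brand new user
    ]
    return {
        "skip": synchronize(existing, incoming),
        "overwrite": synchronize(existing, incoming, collision=OVERWRITE, extinction=REMOVE),
    }

if __name__ == "__main__":
    for mode, users in demo().items():
        print(mode, [(u.name, u.group, u.custom) for u in users])
```

With Skip, jdoe stays in All/Sales and keeps the custom phone attribute; with Overwrite, jdoe reappears under All/Marketing with an empty custom dictionary, which is exactly the loss the note warns about.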
Server Connection Settings
•Server - Type the Server name or IP address of your domain controller.
•Login - Type the Username for your domain controller in the following format:
o DOMAIN\username (ESET PROTECT Server running on Windows)
o username@FULL.DOMAIN.NAME or username (ESET PROTECT Server running on Linux)
Be sure to type the domain in capital letters, as this formatting is required to properly authenticate queries to an Active Directory server.
•Password - Type the password used to log on to your domain controller.
ESET PROTECT Server on Windows uses the encrypted LDAPS (LDAP over SSL) protocol by default for all Active Directory (AD) connections. You can also configure LDAPS on ESET PROTECT Virtual Appliance. For a successful AD connection over LDAPS, configure the following:
1.The domain controller must have a machine certificate installed. To issue a certificate for your domain controller, follow the steps below:
a)Open the Server Manager, click Manage > Add Roles and Features and install the Active Directory Certificate Services > Certification Authority. A new Certification Authority will be created in Trusted Root Certification Authorities.
b)Navigate to Start > type certmgr.msc and press Enter to run the Certificates Microsoft Management Console snap-in > Certificates - Local Computer > Personal > right-click the empty pane > All Tasks > Request New Certificate > Enroll Domain Controller role.
c)Verify that the issued certificate contains the FQDN of the domain controller.
d)On your ESMC server, import the CA you generated to the cert store (using the certmgr.msc tool) to the trusted CAs folder.
2.When providing connection settings to the AD server, type the FQDN of the domain controller (as provided in the domain controller certificate) in the Server or Host field. An IP address is no longer sufficient for LDAPS.
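The login format rules and the two LDAPS requirements (FQDN rather than IP address, and a certificate that actually names that FQDN) can be checked before the task is saved. The pre-flight checker below is an added example, not ESET code: the function names are assumptions, the certificate is a constructed dictionary in the shape that Python's ssl.SSLSocket.getpeercert() returns, and the domain ncop.local is the one used in this page's own Distinguished Name example.

```python
"""Pre-flight checks for the Server Connection Settings of a User Synchronization task.
Added example, not ESET code; function names and sample data are assumptions."""
import ipaddress
import re

def normalize_login(login: str, server_os: str) -> str:
    """Return the login in the documented format for the platform with the domain
    part in capital letters. Raises ValueError for a format the page does not list."""
    if server_os == "windows":
        m = re.fullmatch(r"([^\\@]+)\\([^\\@]+)", login)      # DOMAIN\username
        if not m:
            raise ValueError("Windows server expects DOMAIN\\username")
        return f"{m.group(1).upper()}\\{m.group(2)}"
    if server_os == "linux":
        if "@" in login:                                      # username@FULL.DOMAIN.NAME
            user, domain = login.split("@", 1)
            return f"{user}@{domain.upper()}"
        if re.fullmatch(r"[^\\@]+", login):                   # plain username
            return login
        raise ValueError("Linux server expects username@FULL.DOMAIN.NAME or username")
    raise ValueError(f"unknown server OS: {server_os}")

def is_fqdn(server: str) -> bool:
    """LDAPS needs the domain controller's FQDN; an IP literal is rejected."""
    try:
        ipaddress.ip_address(server)
        return False
    except ValueError:
        pass
    return bool(re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}\.?", server, re.I))

def cert_matches(peercert: dict, fqdn: str) -> bool:
    """True if the DC certificate names the FQDN in a DNS SAN entry or, when the
    certificate has no SAN, in the subject CN. A wildcard covers one label only."""
    names = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in peercert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    host = fqdn.rstrip(".").lower()
    for n in names:
        n = n.rstrip(".").lower()
        if n.startswith("*."):
            if host.count(".") == n.count(".") and host.endswith(n[1:]):
                return True
        elif n == host:
            return True
    return False

def check_connection(server: str, login: str, server_os: str, peercert: dict) -> list:
    """Collect every problem a practitioner would want to see before saving the task."""
    problems = []
    if not is_fqdn(server):
        problems.append("server must be the DC's FQDN, not an IP address")
    elif not cert_matches(peercert, server):
        problems.append(f"DC certificate does not contain the FQDN {server}")
    try:
        normalize_login(login, server_os)
    except ValueError as exc:
        problems.append(str(exc))
    return problems

# Constructed certificate, in getpeercert() shape, for a DC in the page's sample domain.
DC_CERT = {
    "subject": ((("commonName", "dc01.ncop.local"),),),
    "subjectAltName": (("DNS", "dc01.ncop.local"), ("DNS", "ncop.local")),
}

if __name__ == "__main__":
    print(check_connection("dc01.ncop.local", "ncop\\admin", "windows", DC_CERT))
    print(check_connection("192.168.1.10", "admin", "windows", DC_CERT))
```

Against a live domain controller the certificate dictionary would come from ssl.SSLSocket.getpeercert() on port 636; the matching logic stays the same.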
To enable fallback to LDAP protocol, select the check box Use LDAP instead of Active Directory and type the specific attributes to match your server. Alternatively, you can select Presets by clicking Select and the attributes will be populated automatically:
•Active Directory
•Mac OS X Server Open Directory (Computer Host Names)
•OpenLDAP with Samba computer records - sets up the DNS name parameters used in Active Directory.
Synchronization Settings
•Distinguished Name - Path (Distinguished Name) to the node in the Active Directory tree. Leaving this option empty will synchronize the entire AD tree. Click Browse next to Distinguished Name. Your Active Directory tree will be displayed. Select the top entry to synchronize all groups with ESET PROTECT, or select only the specific groups that you want to add. Only computers and Organizational Units are synchronized. Click OK when you are finished.
Determine the Distinguished Name
1.Open the Active Directory Users and Computers application.
2.Click View and select Advanced Features.
3.Right-click the domain > click Properties > select the Attribute Editor tab.
4.Locate the distinguishedName line. It should look like this example: DC=ncop,DC=local.
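The helpers below show what the Distinguished Name setting actually selects: they derive the base DN of a domain in the DC=ncop,DC=local form shown above, parse a DN into its RDNs (including escaped commas), and test whether an entry lies beneath the configured root, with an empty root meaning the entire tree. This is an added example, not ESET code; the function names and the sample entries are assumptions.

```python
"""Distinguished Name helpers for choosing a synchronization root.
Added example, not ESET code; names and sample entries are assumptions."""
from typing import List, Tuple

def domain_to_base_dn(dns_name: str) -> str:
    """'ncop.local' -> 'DC=ncop,DC=local', the form the Attribute Editor displays."""
    labels = [part for part in dns_name.strip(".").split(".") if part]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"DC={label}" for label in labels)

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (type, value) RDNs, honouring backslash escapes
    so that 'OU=Sales\\, EMEA' stays one RDN."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):        # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def is_under(dn: str, base_dn: str) -> bool:
    """True if dn is base_dn itself or lies beneath it; an empty base_dn means
    the whole tree, matching the page's 'leave empty to synchronize everything'."""
    if not base_dn.strip():
        return True
    entry = [(t, v.lower()) for t, v in parse_dn(dn)]
    base = [(t, v.lower()) for t, v in parse_dn(base_dn)]
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def entries_under(entries: List[Tuple[str, str]], base_dn: str) -> List[str]:
    """Return the DNs (from (dn, objectClass) pairs) that the chosen root covers."""
    return [dn for dn, _cls in entries if is_under(dn, base_dn)]

# Constructed directory listing in the page's sample domain.
SAMPLE_ENTRIES = [
    ("OU=Sales,DC=ncop,DC=local", "organizationalUnit"),
    ("CN=WS01,OU=Sales,DC=ncop,DC=local", "computer"),
    ("CN=jdoe,OU=Sales,DC=ncop,DC=local", "user"),
    ("CN=WS02,OU=Lab,DC=other,DC=local", "computer"),
    ("OU=Sales\\, EMEA,DC=ncop,DC=local", "organizationalUnit"),
]

if __name__ == "__main__":
    print(domain_to_base_dn("ncop.local"))
    print(entries_under(SAMPLE_ENTRIES, "OU=Sales,DC=ncop,DC=local"))
```

Note that "OU=Sales\, EMEA" is a sibling of "OU=Sales", not a child of it, so choosing OU=Sales as the root leaves it out; browsing the tree in the console and selecting the exact node avoids this kind of surprise.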
•User Group and User Attributes - User's default attributes are specific to the directory to which the user belongs. If you want to synchronize Active Directory attributes, select the AD parameter from the drop-down menu in the appropriate fields or type a custom name for the attribute. Next to each synchronized field is an ESET PROTECT placeholder (for example: ${display_name}) that will represent this attribute in certain ESET PROTECT policy settings.
•Advanced User Attributes - If you want to use advanced custom attributes select Add New. These fields will inherit the user's information, which can be addressed in a policy editor for iOS MDM as a placeholder.
If you get the error Server not found in Kerberos database after clicking Browse, use the server's AD FQDN instead of the IP address.
Trigger
The Trigger section contains information about the trigger(s) that would run a task. Each Server Task can have at most one trigger, and each trigger can run only one Server Task. If Configure trigger is not selected in the Basic section, a trigger is not created. A task can be created without a trigger; such a task can be run manually afterward, or a trigger can be added later.
Advanced Settings - Throttling
By setting Throttling, you can set advanced rules for the created trigger. Setting throttling is optional.
Summary
All configured options are displayed here. Review the settings and click Finish.
You can see the progress indicator bar, status icon and details for each created task in Tasks.