Active Directory integration
If you use Active Directory to manage network access at your organization, you can use ThoughtFarmer's Employee Directory Connector (EDC) to provide easy user authentication and management on your ThoughtFarmer site. The EDC provides synchronization between Active Directory and ThoughtFarmer that keeps groups, security profiles, and employee contact information up-to-date across both systems. The EDC allows for full Active Directory integration for ThoughtFarmer Cloud and on-premise clients, and allows for integration with multiple Active Directories.
If ThoughtFarmer will be integrated with multiple Active Directories, you will need to follow the instructions below for each Active Directory.
Active Directory service account
To access an Active Directory, ThoughtFarmer uses the credentials of an AD account that has the appropriate permissions. This should be a dedicated service account that does NOT have a password expiry set: if the password expires, ThoughtFarmer authentication and other components may fail.
To use all of the Active Directory integration features of ThoughtFarmer, this account needs read and write access. For permission details, see AD security permissions, and also the page Features requiring write access to Active Directory.
If you do not intend to use those features, or if your security policy restricts write access, read-only access to AD is sufficient.
Add new Active Directory
- Go to the ThoughtFarmer Admin panel: Users & security section > Employee directory connector page.
- Click Add new external user store.
- Type the Active Directory name in the Name box.
- Select Active Directory in the Type box.
- Select the checkbox Enabled.
- Select the checkbox Write enabled if you want user information in your ThoughtFarmer intranet to be able to write to and override user information in your Active Directory (see the Write access heading below for more information).
- Select the checkbox User auto-creation if you want users created in Active Directory to automatically have accounts created for them on your intranet.
- Click Save. You will be taken to the configuration page for the Active Directory that you just created.
Configure Active Directory integration
- Go to the Admin panel > Users & security section: Employee directory connector page, and click on the Active Directory that you want to configure. (If you just followed the steps above to add a new Active Directory, you are already on the right page.)
- Click on the Configuration tab.
- Enter your domain name in the Domain field.
- Enter the AD service account name in the Username field. (See above for details about the AD service account.)
- Enter the AD service account password in the Password field.
- (Optional) Type any alternate domains as a comma-separated list in the Alternate domains field. This list is used by the login form only; the local machine and the AD domain are included by default.
- (Optional) Under User authentication, select the checkbox Allow password changes, then set the number of days before the password expiry date during which users are warned to change their password in the day warning period box.
- (Optional) Under User authentication, select the checkbox Check user is still active so that ThoughtFarmer checks whether the user is still set as active in AD.
- Under Incoming mail domains, enter the Internet email domain and the LAN email domain.
- (Optional) Under Properties, enable LDAPS connection to Active Directory by selecting the LDAPS checkbox.
- Under Properties, select the Use ranged queries checkbox. (Almost all configurations will have this checkbox checked.)
- Under Cross reference lookups, the Distinguished name lookup and NetBIOS name lookup fields are highly specific to the customer environment, and are used mainly for troubleshooting when necessary. If you think you may need to use these fields, contact ThoughtFarmer Support.
- Click Save changes at the bottom of the page.
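The service account requirements above (no password expiry, an enabled account, only the access the connector needs) and the LDAPS option in the Properties step can be checked before the connector is saved. The following pre-flight script is an added example, not ThoughtFarmer's own tooling; it assumes the RSAT ActiveDirectory module is installed, and the account name and domain controller hostname are placeholders for your environment.

```powershell
# Added example (not part of ThoughtFarmer): pre-flight checks for the EDC service account.
# Assumes the RSAT ActiveDirectory module is available and the caller can read AD.
param(
    [string]$ServiceAccount   = 'svc-thoughtfarmer',   # placeholder sAMAccountName
    [string]$DomainController = 'dc01.example.local'   # placeholder DC hostname
)

Import-Module ActiveDirectory

$acct = Get-ADUser -Identity $ServiceAccount -Server $DomainController `
    -Properties Enabled, PasswordNeverExpires, PasswordExpired, LockedOut, MemberOf

$problems = @()
if (-not $acct.Enabled)              { $problems += 'account is disabled' }
if ($acct.LockedOut)                 { $problems += 'account is locked out' }
if ($acct.PasswordExpired)           { $problems += 'password has already expired' }
if (-not $acct.PasswordNeverExpires) { $problems += 'password expiry is set (the connector requires no expiry)' }

# Least privilege: the connector needs read, or read plus write to the synced attributes,
# not membership of a domain-wide admin group. MemberOf lists direct membership only.
$privileged = $acct.MemberOf |
    Where-Object { $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators),' }
if ($privileged) { $problems += "member of privileged group(s): $($privileged -join '; ')" }

# The LDAPS checkbox under Properties needs TCP 636 reachable on the domain controller.
$ldaps = Test-NetConnection -ComputerName $DomainController -Port 636 -WarningAction SilentlyContinue
if (-not $ldaps.TcpTestSucceeded) { $problems += "LDAPS port 636 not reachable on $DomainController" }

if ($problems.Count -eq 0) {
    Write-Output "OK: $ServiceAccount meets the EDC service-account requirements"
} else {
    Write-Output "Issues with ${ServiceAccount}:"
    $problems | ForEach-Object { Write-Output " - $_" }
}
```

Run it from a domain-joined host as a user with read access to AD; each reported issue maps to one of the requirements in the service account section or the Properties step above.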
Write access
Enabling write access means that ThoughtFarmer can be the owner of various profile information fields. Information that is changed in ThoughtFarmer will update and overwrite information in Active Directory if write access is enabled and ThoughtFarmer is the Data owner for that particular field.
If write access is disabled, no information in your Active Directory will be altered by ThoughtFarmer. Please see Features requiring write access to Active Directory for more information.
To change the write access setting, go to the Admin panel > Users & security section: Employee directory connector page, and click on the Active Directory that you want to change write access for.
Under the Basic Information tab, check the Write enabled checkbox to enable write access. Uncheck the Write enabled checkbox to disable write access. Click Save.