Active Directory synchronization
The goal is to use Active Directory as an identity provider for Trustelem.
To do so, a connector, ADConnect, is installed on an Active Directory domain controller.
Using this connector, Trustelem synchronizes the users defined by Trustelem administrators.
1/ During setup, ADConnect opens a websocket to the Trustelem services on port 443.
Note: over this websocket, information is protected by the TLS protocol and by an additional layer of symmetric encryption.
2/ Trustelem sends its request for Active Directory users to ADConnect over the websocket.
3/ ADConnect requests the users from Active Directory over LDAPS.
4/ Active Directory returns the users to ADConnect over LDAPS.
5/ ADConnect sends the users to the Trustelem services over the websocket.
Note: the connector also handles the authentication of Active Directory users:
- an AD user tries to authenticate on Trustelem;
- Trustelem sends the user name and password to ADConnect over the websocket (encrypted with TLS and the additional symmetric encryption);
- ADConnect sends the user name and password to Active Directory (encrypted with LDAPS);
- Active Directory returns a validation to ADConnect;
- ADConnect forwards the validation to Trustelem;
- Trustelem authenticates the user.
Trustelem never stores any Active Directory password.
On your Windows Server, in « Active Directory Users and Groups »:
- Create a technical user (e.g. email@example.com) with default (read-only) privileges and a strong password; the password must not require a change at next login and must never expire.
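The technical user described above can also be created from PowerShell and then checked for least privilege. This is an added example, not part of Trustelem's documentation; it assumes the ActiveDirectory RSAT module is installed, and the account name, OU and UPN suffix are placeholders to adapt to your domain.

```powershell
# Added example (not Trustelem's own script): create the read-only technical
# account ADConnect will use to query Active Directory, then verify its state.
Import-Module ActiveDirectory

$SamAccountName = 'svc-adconnect'                          # placeholder name
$Ou             = 'OU=Service Accounts,DC=example,DC=com'  # placeholder OU
$Upn            = "$SamAccountName@example.com"            # placeholder UPN

# Read the password interactively so it never ends up in a script or shell history.
$Password = Read-Host -AsSecureString -Prompt 'Strong password for the technical user'

$params = @{
    Name                  = $SamAccountName
    SamAccountName        = $SamAccountName
    UserPrincipalName     = $Upn
    Path                  = $Ou
    AccountPassword       = $Password
    Enabled               = $true
    ChangePasswordAtLogon = $false   # no password update on next login
    PasswordNeverExpires  = $true    # password never expires
}
New-ADUser @params

# Default (read-only) privileges means membership in Domain Users only:
# warn if the account has been added to any other group.
$Groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName |
    Select-Object -ExpandProperty Name
$Extra = $Groups | Where-Object { $_ -ne 'Domain Users' }
if ($Extra) {
    Write-Warning "Technical user is a member of extra groups: $($Extra -join ', ')"
} else {
    Write-Output 'Technical user has default (read-only) privileges.'
}

# Confirm the password flags requested in the setup instructions.
Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires, PasswordExpired |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordExpired
```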
On the Trustelem admin dashboard, in the « Directory » tab:
- Give the new directory a name and, optionally, a description.
- Ensure « Use a connector » is checked.
On each AD domain controller (typically 2 or 3):
- Download the latest version of the connector installer: https://dl.trustelem.com/adconnect/