Configure the Azure AD Sync Utility

ADSync Utility for Azure

This article explains what needs to be done in order to configure the ADSync utility to get data from Azure Active Directory.

The first thing to keep in mind is that Azure does not support LDAP by default, while the ADSync utility communicates only over the LDAP protocol. Therefore the first step is to enable LDAP, or preferably LDAPS (LDAP secure, i.e. LDAP over SSL/TLS), for communication.

Initial Setup

Follow the Microsoft instructions below to configure secure LDAP for Azure Active Directory:

https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps

Then configure the ADSync tool by completing the following steps:

  1. Get the secure LDAP certificate in either .DER or .CER format.

     The LDAP SSL certificate has to be imported in the same way as the HTTPS certificate for the ISM server.

  2. To enable an SSL environment for the ADSync Utility, perform the following steps:
    • Copy the saved certificate file to the ADSync root (ad-user-sync\) location.
    • Run the keytool command from the ADSync root (ad-user-sync\) location.
    • Import the saved certificate into the ADSync local keystore by running the following command from the ADSync root:

keytool -importcert -trustcacerts -alias aliasname -keystore si -file saved_certificate_file_name

Note: To run the keytool command from the ADSync root, you need jre/bin in your PATH environment variable.

Replace aliasname with an alias of your choice, for example azurecert.

Replace saved_certificate_file_name with the name of the saved certificate file, for example azurecert.cer.

Use itmaas when prompted for the password. The command prompt then asks you to confirm whether the certificate can be trusted; enter y.

A message is displayed stating that the certificate was added to the keystore.


The Microsoft link above gives step-by-step instructions for exporting the certificate. Here is another way to obtain it, by pulling the SSL certificate directly from the LDAPS endpoint using only OpenSSL:

openssl s_client -connect <IP_address>:636 < /dev/null | openssl x509 -out cert.pem

The first command fetches the certificate from the server; the second parses it and lets you convert it into different formats, for example:

  • openssl x509 -noout -text: prints the certificate in text form, e.g. for debugging.
  • openssl x509 -outform der -out cert.crt: saves the certificate in DER format (the .DER/.CER form that the keytool import step above expects).
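The two openssl commands above fetch the certificate and convert it for keytool, but they accept whatever certificate the server presents at that moment. The following Python script is an added example using only the standard library; it is not code from the ADSync utility or from this article. It performs the same fetch and DER conversion and adds the check a practitioner wants before running the keytool import: the certificate's SHA-256 fingerprint is compared with the value obtained out of band (for example from the secure LDAP certificate entry in the Azure portal), so a certificate substituted on the network path is never written to disk or trusted in the keystore. The keystore name si and the alias azurecert come from the article; the function names, the SAMPLE_DER placeholder bytes and the azurecert.cer output file name are this example's own assumptions.

```python
"""Fetch an LDAPS server certificate, verify its fingerprint out of band, and
save it in DER form for the keytool import described in the article.

Added example, not part of the ADSync utility. Standard library only."""
import hashlib
import hmac
import ssl
import sys

# Keystore name taken from the article's keytool command.
ADSYNC_KEYSTORE = "si"

# Constructed placeholder bytes standing in for a DER certificate. This is NOT
# a real certificate; it only exercises the conversion and fingerprint code
# offline when the script is run without arguments.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def fetch_ldaps_certificate_pem(host: str, port: int = 636) -> str:
    """Return the PEM-encoded leaf certificate presented by host:port.

    Same job as `openssl s_client -connect host:636 </dev/null | openssl x509`.
    No chain validation is done here on purpose: this retrieves a certificate
    we do not trust yet, and the trust decision is made by the fingerprint
    check in verify_and_encode(), not by the fetch.
    """
    return ssl.get_server_certificate((host, port))


def pem_to_der(pem: str) -> bytes:
    """Equivalent of `openssl x509 -outform der`: the bytes keytool imports."""
    return ssl.PEM_cert_to_DER_cert(pem)


def der_to_pem(der: bytes) -> str:
    """Inverse conversion, useful for inspecting a saved .cer file."""
    return ssl.DER_cert_to_PEM_cert(der)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint of the DER bytes,
    in the same form `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(expected: str, actual: str) -> bool:
    """Compare fingerprints ignoring case, colons and spaces (portals often
    show thumbprints without separators), in constant time."""
    def normalise(value: str) -> str:
        return "".join(ch for ch in value.upper() if ch in "0123456789ABCDEF")
    return hmac.compare_digest(normalise(expected), normalise(actual))


def verify_and_encode(pem: str, expected_fingerprint: str) -> bytes:
    """Convert PEM to DER only if its fingerprint matches the expected one;
    raise ValueError otherwise so nothing untrusted is ever written out."""
    der = pem_to_der(pem)
    actual = sha256_fingerprint(der)
    if not fingerprint_matches(expected_fingerprint, actual):
        raise ValueError(f"fingerprint mismatch: got {actual}, expected {expected_fingerprint}")
    return der


def keytool_import_command(cert_file: str, alias: str,
                           keystore: str = ADSYNC_KEYSTORE) -> list:
    """Build the keytool invocation from the article (run from the ADSync
    root; keytool prompts for the keystore password itself)."""
    return ["keytool", "-importcert", "-trustcacerts",
            "-alias", alias, "-keystore", keystore, "-file", cert_file]


def save_certificate_for_keytool(host: str, expected_fingerprint: str,
                                 out_file: str = "azurecert.cer",
                                 port: int = 636) -> str:
    """Fetch, verify and write the DER file; return the verified fingerprint."""
    der = verify_and_encode(fetch_ldaps_certificate_pem(host, port), expected_fingerprint)
    with open(out_file, "wb") as fh:
        fh.write(der)
    return sha256_fingerprint(der)


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # usage: python ldaps_cert.py <IP_address> <expected_sha256_fingerprint>
        fp = save_certificate_for_keytool(sys.argv[1], sys.argv[2])
        print("saved azurecert.cer with fingerprint", fp)
        print("now run:", " ".join(keytool_import_command("azurecert.cer", "azurecert")))
    else:
        # Offline demonstration on the constructed placeholder bytes.
        pem = der_to_pem(SAMPLE_DER)
        print(pem)
        print("fingerprint:", sha256_fingerprint(pem_to_der(pem)))
```

Run it with the LDAPS IP address and the expected fingerprint; the script writes azurecert.cer only when the fingerprints agree, and then prints the keytool command from the article for you to run from the ADSync root.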

The rest of the configuration is the same as for a normal on-premises Active Directory.

© 2019 Serviceaide 1-650-206-8988 http://www.serviceaide.com info@serviceaide.com