User Sync

Overview

The AuthControl Sentry Core can be configured to sync user information into its database to create user accounts. This is done by mapping and syncing user groups that exist on external LDAP-based data sources (repositories), the most popular repository type being Active Directory.

For the most part, the supported repositories have a read-only relationship. No repository passwords are stored in the AuthControl Sentry database; they are verified during authentication directly against the repository via the LDAP connection.

Supported Repositories:

Repository

Relationship

ADAM (AD LDS)

Read/Write

Active Directory

Read Only

Database

Read Only

LDAP Writeable

Read/Write

Simple LDAP

Read Only

XML

Read/Write

User Rights and Groups

The user groups dictate the authentication method rights, messaging transport configuration, and administrative rights that users have within the AuthControl Sentry application.

Pre-defined Group Name

Purpose

SwivelAdmin

Full administrative rights to AuthControl Sentry

SwivelHelpDesk

Reduced administrative rights to AuthControl Sentry

SwivelImage

Image based authentication rights, e.g. Turing image, Pinpad, Picpad

SwivelMobile

Mobile app authentication rights

SwivelSMS

SMS authentication rights

SwivelSMTP

SMTP messaging transport rights (to receive account related emails)

SwivelToken

Hard token authentication rights

Prerequisites

General Requirements

  • Messaging Transport: Configure a Messaging Transport first if you intend to send account creation emails or mobile app provision emails to user accounts when they are synced.

  • Connectivity: Ensure connectivity to the repository (e.g., TCP port 389 or 636).

  • Service Account: A “bind user” setup on the Repository with read access.

Active Directory Connectivity

Ensure that AuthControl Sentry has the necessary connectivity according to your chosen Port:

Source

Destination

Port

Protocol

Description

AuthControl Sentry

Domain Controller

389

TCP

LDAP

AuthControl Sentry

Domain Controller

636

TCP

LDAPS

AuthControl Sentry

Domain Controller

3268

TCP

Global Catalog LDAP

AuthControl Sentry

Domain Controller

3269

TCP

Global Catalog LDAPS

Warning

It is recommended that you choose Secure LDAP (LDAPS) when communicating with LDAP based repositories such as Active Directory. For this you will need to import the Root Certificate from your Internal certificate authority into the Java System Wide Keystore of the AuthControl Sentry appliance.

Phase 1: Active Directory Preparation

Before configuring the Swivel appliance, you must prepare the Active Directory environment. Swivel reads users from Groups, not directly from Organisational Units (OUs).

1. Setup a Bind User

A bind user is required to provide read-only access to the Active Directory.

  • Dedication: Create a bind user dedicated purely to AuthControl Sentry (e.g., swivel_bind).

  • Password Policy: Set the password never to expire to avoid losing sync ability and deselect the option to force the user to change password on first login.

_images/2020-05-05_09-53-21.gif

2. Create the Groups

Create the necessary groups within Active Directory. You must create Security or Distribution groups to manage Swivel users.

Recommended Group Structure:

  • SwivelAdmin: Global Security Group.

  • SwivelUsers (or specific auth groups): Global Security Groups (e.g., SwivelImage, SwivelMobile, SwivelSMS).

_images/2020-05-05_10-23-56.png

Warning

Primary Groups: Swivel cannot import users from a group if that group is configured as the user’s “Primary Group” (usually “Domain Users”). Do not target the “Domain Users” group directly.

Phase 2: Repository Configuration

1. Add the Repository

  1. Login to the AuthControl Sentry Core web GUI.

  2. Click Repository -> Servers.

  3. Select New Active Directory from the drop-down list.

  4. Give the repository a name (typically the AD Domain name).

  5. Click Apply.

_images/2020-05-05_10-43-16.png

2. Configure Connection Details

Click the new repository entry in the left-hand menu to configure it further.

  • Hostname/IP: IP or FQDN of the Domain Controller.

  • Username: The bind user username (e.g., domain\swivel_bind or UPN swivel@domain.com).

  • Password: The bind user password.

  • Port: Select the appropriate port (389, 636, 3268, or 3269).

  • Allow self-signed certificates: Set to Yes if using SSL with internal CAs.

_images/2020-05-05_10-49-07.png

3. Configure User Attributes & Options

Configure the following parameters in the repository settings:

  • Username Attribute: The attribute Swivel uses as the unique username. Default is sAMAccountName. Alternatives include userPrincipalName or mail.

    • Warning: Changing this after initial sync will delete old users and create new ones.

  • Add domain qualifier: Automatically adds @domain.com or DOMAIN\ to the imported username.

  • Import disabled users: Import users even if disabled in AD (Default: No).

  • Mark missing users as deleted:

    • Yes: If a user is removed from the AD Group, Swivel marks them “Deleted” but keeps their data.

    • No: Swivel deletes the user record immediately.

  • Ignore FQ name changes: Keep this Yes. If a user is moved to a different OU in AD, this prevents Swivel from deleting and recreating the user.

  • Check Password with Repository: Enable if you wish Swivel to check the AD password during login.

4. Test Connection

Scroll to the bottom and click Apply, then click the Browse in window button. This launches the LDAP Repository Browser. If successful, you can browse the directory.

Hint

If you received an error, please check the credentials entered and connectivity on the chosen port.

Phase 3: Group Mapping and Transport

1. Map the Groups

You must map the groups created on the Domain Controller to the pre-defined group names in AuthControl Sentry.

  1. Click Repository -> Groups.

  2. Locate the group section you wish to map (e.g., SwivelImage).

  3. Click the Browse button next to your repository name.

  4. Browse to the group you created in AD and click Select.

_images/2020-05-05_11-31-59.gif

The Distinguished Name (DN) will populate the field. Repeat this for all relevant groups.

_images/2020-05-05_11-38-09.gif

2. Configure Messaging Attributes

To send PINs or emails, Swivel must know which AD attributes contain contact details.

  1. Go to Messaging -> Attributes.

  2. Map the fields: * email: mail * mobile: mobile (or telephoneNumber).

3. Configure Messaging Groups

See Messaging for further information on how to map groups to Messaging transports.

Phase 4: Synchronisation

1. Perform a Test Sync

Warning

If you have setup Messaging transport, this step could cause users to receive emails or security strings. Test with test users first.

  1. Click User Administration.

  2. Select your repository from the drop-down.

  3. Click User Sync.

_images/2020-05-05_13-07-51.png

2. Setup Scheduled Sync

If the test is successful, configure automatic synchronisation.

  1. Go to Repository -> <Your Repository>.

  2. Set the Synchronisation Schedule (Recommended: Once per hour).

  3. Click Apply.

_images/2020-05-05_13-16-46.png

Warning

If using High Availability (HA), each AuthControl Sentry appliance must synchronise at different times.

Advanced Architecture

High Availability (HA) Configuration

If running multiple Swivel instances: 1. Sync Timing: Ensure synchronisation occurs at different times on each instance (e.g., Primary at XX:00, Standby at XX:30) to prevent LDAP contention. 2. Credentials: Under Transport -> General, set Resend credentials if destination changes to No to prevent duplicate PINs.

Trusted Domains & Global Catalog

Standard LDAP (Port 389) cannot see users in child domains or trusted forests if the group membership crosses domain boundaries.

Solution: Use the Global Catalog. 1. Change the Repository Port to 3268 (or 3269 for SSL). 2. Point the Hostname to a Global Catalog server.

Troubleshooting

Diagnostic Tools

  • LDAP Browser: Use the “Browse in window” button in Repository settings to verify visibility.

  • Telnet: Check network connectivity via the command line: telnet <AD_Server_IP> 389.

Common Error Messages

“Repository… cannot be added… possibly already exists” You are trying to create a repository name that was used previously. Rename the repository.

“AcceptSecurityContext error, data 52e” Invalid Credentials. The service account password is wrong or expired.

“AcceptSecurityContext error, data 525” User not found. The service account username does not exist.

“LDAP: error code 49” General authentication failure. Check if the service account is locked or disabled.

“No value for username attribute sAMAccountName” A user exists in the AD Group but is in a Trusted Domain Swivel cannot access. Switch to Global Catalog (Port 3268).

“Membership of multiple alert transport group is not permitted” A user is a member of two different groups assigned to a Transport. Remove the user from one of the groups.

“Sending alert to user… failed” The user has no email/phone in AD, or the Transport Attribute map is incorrect.