Forum Discussion
Synchronize LDAP with Azure AD
The requirement to synchronize a generic LDAP system, such as 389 Directory Server or OpenLDAP, with Azure AD exists, although not often. However, guides on synchronization between LDAP and Azure AD are scarce, and the configuration is difficult in practice. So I hope that better information on this will be shared.
Let me share the synchronization configuration between LDAP and Azure AD that I succeeded with.
First, I built an OpenLDAP server and created an account to synchronize, and I installed Azure AD Connect on the same server. Of course, it doesn't matter if the server is separate. Also, the Azure AD Connect server does not need to be AD joined at all.
After component installation, stop the installation at the sign-in selection phase.
When Azure AD Connect is run in LDAP mode via the command line, the sign-in settings will only show "Do not configure". That is, if OpenLDAP is used, PHS and PTA cannot be configured, and federation must also be configured manually.
For reference, to manually create a federation in Azure AD, the "Set-MsolDomainAuthentication" PowerShell command can be used.
Set-MsolDomainAuthentication (MSOnline) | Microsoft Docs
The directory type was set to LDAP (not AD), and the hostname and authentication method were selected. The authentication type can be changed if LDAP is configured with SSL/TLS.
During installation, '_distinguishedName' was specified in the "source anchor" configuration step. Unlike Active Directory, attributes such as objectGUID do not exist in OpenLDAP, so the source anchor must be specified.
At the last stage of installation, the error shown in the figure always appears and the installation cannot be completed. It is an error that the 'JoinFilter' could not be configured while creating a sync rule.
I had to proceed with the remaining configuration manually. Make a note of the sync rule ID identified in the error at the last stage of the wizard installation. In the picture above, it is identified as '37522~783d'.
Start the 'Synchronization Service Manager' tool, change the binding account, specify the location to sync, and then perform a "Full Import" to confirm that the account has been imported.
Manually create the sync rule that failed in the last step of the wizard installation.
There is a PowerShell script that creates the sync rules in the C:\ProgramData\AADConnect directory. Open this script, find where the PowerShell block related to the ID recorded earlier starts and ends, and copy all of it.
Add the following commands right before "Add-ADSyncRule" in the copied PowerShell commands. Also, I added a provisioning item from OpenLDAP's mail value to the userPrincipalName value of the metaverse, and used the source anchor information (_distinguishedName) specified in the join filter.
#################################################################
# $syncRule is the rule object produced by the preceding New-ADSyncRule
# in the copied block; these commands extend it before Add-ADSyncRule runs.
# Flow the OpenLDAP mail attribute into the metaverse userPrincipalName.
Add-ADSyncAttributeFlowMapping `
-SynchronizationRule $syncRule[0] `
-Source @('mail') `
-Destination 'userPrincipalName' `
-FlowType 'Direct' `
-ValueMergeType 'Update' `
-OutVariable syncRule
# Join condition: the connector-space _distinguishedName (the source anchor
# chosen in the wizard) is matched against the metaverse sourceAnchor attribute.
New-Object `
-TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.JoinCondition' `
-ArgumentList '_distinguishedName','sourceAnchor' `
-OutVariable condition0
Add-ADSyncJoinConditionGroup `
-SynchronizationRule $syncRule[0] `
-JoinConditions @($condition0[0]) `
-OutVariable syncRule
#################################################################
If the sync rule is created normally, it can be checked in the 'Synchronization Rules Editor'.
Perform a "Full Sync" for LDAP in the Synchronization Service Manager and check the attribute information stored in the metaverse.
Create an outbound rule to synchronize information from the metaverse (source) to Azure AD (target).
After performing an "Export" to Azure AD, the accounts synchronized from OpenLDAP can finally be checked in the Azure portal.
If you know of an easier way than this, or a way to complete the configuration normally in the wizard, please share.
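The manual procedure described in the post above (copy the failed rule's block from the generated script, insert the attribute flow and the join condition before Add-ADSyncRule, then verify in the Synchronization Rules Editor) as one stand-alone script. This is an added example, not the original poster's script and not Microsoft's: the connector name 'openldap.example.com', the rule name and description, the precedence of 100, the source object type 'inetOrgPerson', and the property names used in the final verification are assumptions, and the rule identifier is generated fresh rather than taken from the wizard's error message. It adds the check the post only describes, reading the rule back with Get-ADSyncRule after it has been added.

```powershell
# Added example: create the inbound LDAP join rule that the Azure AD Connect
# wizard fails to create ("JoinFilter could not be configured").
# Run in an elevated PowerShell session on the Azure AD Connect server.
# Assumed (not from the original post): connector name, rule name/description,
# precedence, source object type, and the property names in the final check.
Import-Module ADSync

# The LDAP connector as named in Synchronization Service Manager (assumed name).
$connectorName = 'openldap.example.com'
$connector = Get-ADSyncConnector | Where-Object { $_.Name -eq $connectorName }
if (-not $connector) {
    throw "LDAP connector '$connectorName' not found; check the name in Synchronization Service Manager."
}

# The wizard's generated script carries a fixed identifier (the ID quoted in the
# error, '37522~783d' in the post). A fresh GUID is used here because the rule
# is created from scratch rather than copied.
$ruleId = [guid]::NewGuid().ToString()

New-ADSyncRule `
    -Name 'In from LDAP - User Join' `
    -Identifier $ruleId `
    -Description 'Join OpenLDAP users to metaverse persons on _distinguishedName (created manually)' `
    -Direction 'Inbound' `
    -Precedence 100 `
    -PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
    -PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
    -SourceObjectType 'inetOrgPerson' `
    -TargetObjectType 'person' `
    -Connector $connector.Identifier `
    -LinkType 'Join' `
    -SoftDeleteExpiryInterval 0 `
    -ImmutableTag '' `
    -OutVariable syncRule

# Source anchor: OpenLDAP has no objectGUID, so the DN chosen in the wizard
# is flowed into the metaverse sourceAnchor.
Add-ADSyncAttributeFlowMapping `
    -SynchronizationRule $syncRule[0] `
    -Source @('_distinguishedName') `
    -Destination 'sourceAnchor' `
    -FlowType 'Direct' `
    -ValueMergeType 'Update' `
    -OutVariable syncRule

# userPrincipalName is populated from the LDAP mail attribute, as in the post.
Add-ADSyncAttributeFlowMapping `
    -SynchronizationRule $syncRule[0] `
    -Source @('mail') `
    -Destination 'userPrincipalName' `
    -FlowType 'Direct' `
    -ValueMergeType 'Update' `
    -OutVariable syncRule

# Join condition: connector-space _distinguishedName matched to the metaverse
# sourceAnchor. This is the part the wizard could not configure.
New-Object `
    -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.JoinCondition' `
    -ArgumentList '_distinguishedName','sourceAnchor' `
    -OutVariable condition0

Add-ADSyncJoinConditionGroup `
    -SynchronizationRule $syncRule[0] `
    -JoinConditions @($condition0[0]) `
    -OutVariable syncRule

# Commit the rule to the sync engine.
Add-ADSyncRule -SynchronizationRule $syncRule[0]

# Verification: read the rule back. If the join condition or the flows are
# missing, the Full Sync described in the post will not project any objects.
# (JoinFilter and AttributeFlowMappings are the assumed property names.)
Get-ADSyncRule -Identifier $ruleId |
    Format-List Name, Direction, Precedence, LinkType, JoinFilter, AttributeFlowMappings
```

After the script runs, the rule should appear in the Synchronization Rules Editor under the LDAP connector; the Full Import, Full Sync and Export steps from the post are still performed in Synchronization Service Manager.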
- ak2766 (Copper Contributor): Wowza! This is an awesome write-up. Thanks for sharing.
- jo-cpa (Copper Contributor):
PyungraeCho
Was your Azure AD tenant already pre-existing ... before you added the OpenLDAP instance?
I cannot find a way to add an on-premises DC or LDAP to an existing AAD tenant.
I'm very interested. We have an Azure AD tenant that is AAD only. No on-premises. But we're finding that we would like to have an LDAP server for syncing data to AAD and others.
- PyungraeCho (Microsoft):
It doesn't matter if the AAD tenant is existing or new, as long as there is no conflicting custom domain name.
- PanosVer (Copper Contributor): Thanks for sharing. Is this a supported way to sync users from OpenLDAP to Azure AD? The sync works fine, but the configuration wizard is in an error state with the message: "It appears that you are resuming a scenario which was not completed previously during installation. Please uninstall and try again."
- PyungraeCho (Microsoft):
Hi. There is also a way to modify the settings XML files used when configuring AAD Connect. This solves the configuration wizard's errors, but there is nothing that can be done in the configuration wizard. In fact, the only tools available for OpenLDAP synchronization management are the "Synchronization Rules Editor" and the "Synchronization Service Manager".
- mkfifa (Copper Contributor): Hi,
I tried to follow this, but my output doesn't come out the same as yours. After the export to AAD, no user objects sync there. Could you please guide me on the further steps related to this post?
Thank you.
- Ben_EBU985 (Copper Contributor): Can you add an additional AD Connect just for LDAP if you already have an AD Connect for AD to Azure?
We're planning on connecting LDAP to another Azure tenant, but we're concerned it will interfere with our existing AD Connect (which connects our AD to Azure).