Overview
The AD/LDAP Mapping wizard allows you to create administrators by importing the administrator details from your Active Directory into the Druva Cloud Platform. This article provides detailed guidelines to create administrator mappings and seamlessly import administrators for efficient provisioning.
Before you begin
Ensure you have installed the AD/LDAP Connector. For more information, see Download and Install AD/LDAP Connector.
Ensure the connector is configured. For more information, see Configure AD/LDAP Connector.
Ensure that the connector is registered with your AD/LDAP Account. For more information, see Register AD/LDAP Account.
Create AD/LDAP Mapping
To create an AD/LDAP mapping
From the Druva Cloud Platform console, go to the Manage Administrators Page.
Click the Deployment tab. The Mappings section appears.
Select New Mapping. The “Create New Mapping” window appears.
Enter the appropriate information for Mapping Configuration in the following fields:
AD/LDAP Configuration
AD/LDAP Mapping Name: Type a name for this AD/LDAP mapping.
AD/LDAP Server: Select the AD/LDAP server from the drop-down list, with which you want to associate this AD/LDAP mapping.
Directory Service Type: This field is auto-populated.
Base DN: Select the Base DN for which you want to view the organization units and groups.
Name used for creation: Select one of the following:
If you want to create administrator names in the first name and last name format, click Common Name (cn).
If you want to use the Universal Principal Name(UPN) as the administrator name, click Universal Principal Name(UPN).
Filter Users
📝 Note
You can use defined AD/LDAP filters or custom AD/LDAP filters.
Organizational Unit: Select the organization unit from which you want to query for administrators.
AD Group: Select the AD/LDAP group from which you want to query for administrators. Do one of the following to select administrators:
Select a group that directly contains administrators.
If you want to import administrators from groups that are outside the local domain, the group must be a universal security group.
📝 Notes
Based on the Organizational Unit (OU) you have selected, groups are populated in the AD Group box. Select the appropriate group from the list to query the administrators. Administrators are mapped to the Organizational Unit based on the combination of the selected criteria.
Nested primary groups are not supported.
Department: Type the department from which you want to query for administrators. Select a department only if it has been defined in your AD/LDAP. Otherwise, leave this field blank.
📝 Note
If you select a department that does not exist in the AD/LDAP, Druva does not import any administrator.
Country: Select the country from which you want to query for administrators. Select a country only if it has been defined in the AD/LDAP. Otherwise, leave this field empty.
📝 Note
If you select a country that does not exist in the AD/LDAP, Druva does not import any administrator.
Click Next.
Select the Administrator Role for your mapping.
Druva Cloud Administrator
Product Administrator
inSync
Enterprise Workloads
Click Finish. The Mapping is now successfully created. You can view the Mapping on the Deployment page.
After your mapping is created, administrators are imported, and accounts are created in DCP based on the configured auto sync settings.
Change Priority Order
When you define multiple AD/LDAP Mappings, Druva, by default, gives priority to the oldest AD/LDAP Mapping. You can change the priority of all the available AD/LDAP Mappings and import the administrators based on the updated priority.
Druva Cloud uses all the configured mappings with your AD/LDAP account to identify administrators for import. If there are conflicts (multiple mappings for the same administrator), the mapping with the highest priority takes precedence and determines which administrator information gets imported.
To change the priority order of AD/LDAP mappings
From the Druva Cloud Platform Console, navigate to Manage Administrators > Deployment page.
From the Mappings section, select the mappings that you want to rearrange and click the three vertical dots icon > Change Priority Order.
The Change Priority Order window appears. You can select and drag the mappings to change their order.
Click Save. You can view the re-arranged mapping order in the Mappings section of the Deployment page.
Sync Administrator Accounts with AD/LDAP
Druva offers Auto Sync functionality for administrators, which is enabled by default with a pre-defined schedule. Druva runs the auto sync after you create your mappings and also allows you to edit this schedule.
Additionally, you can manually sync administrators for provisioning at any time using the "Sync Now" option.
Auto Sync
When you create mappings, Druva scans your AD/LDAP and imports any new administrators added to AD/LDAP that match the AD/LDAP mapping criteria and creates a new administrator in Druva. Auto-import of administrators is, by default, configured while creating the AD/LDAP mapping.
To import the administrators via Auto Sync
From the Deployment page of the Druva Cloud Platform console, click Edit in the Settings section. The Edit Settings section appears.
Set the General Settings for the following fields:
Auto sync interval: You can specify the synchronization interval of the AD/LDAP server to import the administrators. By default, this interval is set to 900 minutes. The synchronization interval must be:
Greater than or equal to 60 minutes and less than or equal to 10080 minutes.
Greater than or equal to 1 hour and less than or equal to 168 hours.
Greater than or equal to 1 day and less than or equal to 7 days.
Define imported administrators’ state: You can specify the default state of the administrators once they have been imported. By default, the administrators’ state is Active.
📝 Note
If the administrators are imported in a Disabled state, and you want to make them Active, you can change the administrator’s state to Active from the Manage Administrators page. After this, the administrator receives an Account Activation email, enabling them to log in to the Druva Cloud Platform console.
Define auto-disabled admins after: You can set the frequency for the deletion of the administrators that are auto-disabled. By default, this frequency is set to 2 days.
Click Save.
For Example:
Let us consider that you have set the following parameters for auto sync:
Auto sync interval - 60 minutes
Define imported administrators’ state - Active
Define auto-disabled admins after - 2 days
This means the auto sync runs every 60 minutes to check whether any user has been added, disabled, or deleted in the AD/LDAP server, administrators created in Druva Cloud are in the Active state, and auto-disabled administrators are deleted from Druva Cloud after 2 days. Take a look at the following scenarios to understand how auto sync works:
Scenario 1: New User added to the AD/LDAP server
Impact - If a new user is added to the AD/LDAP server and the auto sync runs, Druva creates an administrator in Druva Cloud for the newly added user and assigns the role to the administrator based on the mappings created. The state of the created administrator is Active.
Scenario 2: User disabled/deleted from AD/LDAP server
Impact - If a user is disabled/deleted in the AD/LDAP server and the auto sync runs, Druva does not create any administrator in Druva Cloud for the disabled/deleted users.
Scenario 3: Deletion of auto-disabled administrator from Druva Cloud
Impact - If an administrator is created in Druva Cloud via AD/LDAP and is later disabled or deleted in the AD/LDAP server, then when the auto sync runs, Druva first auto-disables that administrator in Druva Cloud and keeps the disabled administrator in Druva Cloud for 2 days. After 2 days, the auto-disabled administrator is deleted from Druva Cloud.
Scenario 4: Deletion of auto-disabled administrator from Druva Cloud when auto sync runs
Impact - If you set the frequency of deletion of auto-disabled administrators as 0 Days, the auto-disabled administrators are deleted from Druva Cloud when the auto sync runs.
Scenario 5: Already existing administrators in the Druva Cloud
Impact - If an administrator already exists in Druva Cloud and is found in the AD/LDAP server when the auto sync runs, Druva won’t create a duplicate administrator, and the existing administrators will be skipped in the auto sync.
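The following added example (not Druva code) models the mapping priority rule and Scenarios 1 to 5 as one reconciliation pass, so you can reason about which role a user in several mapped groups receives and how long a disabled AD account keeps a Druva Cloud administrator record. The function names, dictionary layout, the "Auto-disabled" state label and the sample accounts are assumptions made for illustration; what happens when an auto-disabled account is re-enabled in AD is not described above and is not modelled.

```python
from datetime import timedelta

def validate_interval(minutes):
    """Bounds stated on the page: 60 to 10080 minutes (1 hour to 7 days)."""
    if not 60 <= minutes <= 10080:
        raise ValueError("auto sync interval must be 60-10080 minutes")
    return minutes

def pick_mapping(user, mappings):
    """mappings is ordered highest priority first; the first match wins."""
    for m in mappings:
        if (m["group"] in user["groups"]
                and m.get("department") in (None, user.get("department"))):
            return m
    return None

def auto_sync(directory, admins, mappings, imported_state, delete_after_days, now):
    """Run one sync pass; mutates admins and returns a list of (action, name)."""
    actions = []
    for name, user in directory.items():
        if not user["enabled"] or name in admins:
            continue  # Scenario 2 (disabled in AD) and Scenario 5 (no duplicate)
        m = pick_mapping(user, mappings)
        if m:  # Scenario 1: a new matching user becomes an administrator
            admins[name] = {"role": m["role"], "state": imported_state,
                            "from_ad": True, "disabled_at": None}
            actions.append(("create", name))
    for name, adm in list(admins.items()):
        user = directory.get(name)
        if not adm["from_ad"] or (user and user["enabled"]):
            continue  # act only on imported admins that AD has disabled or deleted
        if adm["state"] != "Auto-disabled":  # Scenario 3, first stage
            adm["state"], adm["disabled_at"] = "Auto-disabled", now
            actions.append(("auto-disable", name))
        if now - adm["disabled_at"] >= timedelta(days=delete_after_days):
            del admins[name]  # Scenario 3, second stage (same pass if 0 days)
            actions.append(("delete", name))
    return actions

# Constructed sample data, not real accounts; listed highest priority first.
MAPPINGS = [
    {"group": "DCP-Admins", "role": "Druva Cloud Administrator"},
    {"group": "Backup-Ops", "role": "Product Administrator"},
]
DIRECTORY = {
    "alice": {"enabled": True, "groups": {"DCP-Admins", "Backup-Ops"}},
    "bob": {"enabled": False, "groups": {"Backup-Ops"}},
}
```

In this model, swapping the order of MAPPINGS changes the role that alice receives, which is why the priority order is worth reviewing whenever a user can match more than one mapping.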
Sync manually
If you do not use auto-sync, it is recommended to manually sync Druva with your registered AD/LDAP. This ensures that the administrator accounts are updated with the latest account information as available in AD/LDAP.
To import the administrators via Manual Sync