Saviynt Forums

Hi @rushikeshvartak @DixshantValecha 

Another query i have w.r.t ADSI connector pre-requisite is on Service account permissions. Following are the permissions listed in document Preparing for Integration (saviyntcloud.com) :

"Provide the Least Privilege to the Service Account if the domain administrator rights are not granted to it:

• • Directory replication permissions across domains in a forest. This is only required for import.

  • Permissions to create, update, move, or delete an object and add or remove access from resources in a cross-domain environment. The account must also be a member of the Enterprise Admins group. This is only required for provisioning.

"

Is it necessary to have "Enterprise Admins" access on Service account for provisioning purpose? As we know this is one of the highest privileges in AD and we may not want to take that much risk. Do we have any alternative to this or its a must requirement from AD provisioning perspective. 

Please let me know if any questions.

Regards

Gaurav

Access to "Enterprise Admins" for a service account in ADSI is not a must. It's recommended to avoid assigning such high privileges. Explore alternative approaches like delegating specific permissions using RBAC or customizing permissions to meet AD provisioning needs with reduced security risks.

then why saviynt documentation says "The account must also be a member of the Enterprise Admins group".

Hi @rushikeshvartak i have raised a feedback on documentation for this change. Will close this post considering its not a "must" requirement.

Hi @rushikeshvartak While configuring a high availability connection, is it possible to configure multiple comm separated domain url's instead of configuring multiple comma separated Domain controllers?

elaborate with example please 

Hi @rushikeshvartak As per Saviynt documentation Preparing for Integration (saviyntcloud.com)

under heading "Configuring a High-Availability Connection" - "To support high-availability, the connector uses the domain controller (DC) locator process to locate an active domain controller. "

this is a dynamic way of finding an active domain controller where we have to configure an active AD domain. One domain can have multiple domain controllers. So, the DC locator feature used by connector will find an active domain controller and use it for establishing the connection.

So my question is, can we define multiple domain url's as comma separated so that if connector cant find an active domain controller in one domain then it will go and fetch from another domain.

secondly, another way of doing this is, we can configure multiple comma separated domain controller url's as a static list in connector. but we dont want to do this because its a static list and in future if a domain controller gets decommissioned then we will have to manually update this configuration. so, ideally its not good for setting up HA connection.

this is an important aspect and we need clarification on it.

Let me know if you require any further inputs.

You can define URL as LDAP://100.100.100.10:389,LDAP://200.100.36.31:389,LDAP://145.100.36.32:389,LDAPS://abc.me.com:636

This currently supported 

Thanks @rushikeshvartak @DixshantValecha I will try out the given suggestions and get back.

Can you also confirm on the AD certificate -  can we use root CA (certified authority) to establish secure connectivity with our AD server (LDAPS)?

Yes, you can use a root certificate authority (CA) to establish secure connectivity with your Active Directory (AD) server using LDAPS (LDAP over SSL/TLS). LDAPS provides secure communication between LDAP clients and servers by encrypting the data exchanged between them.

Do we know from which version onwards comma separated format is supported? 

5.5x

Oh ok. So AD connector URL parameter supports comma separated DC urls from 5.5 onwards!? Didn’t know. Thanks for that info