Active Directory Integration

The Active Directory (AD) Integration in Timus Manager enables seamless synchronization of your on-premises AD users and groups with your cloud environment. This allows centralized identity management, site-based access control, and automated user provisioning—making it ideal for enterprise and hybrid deployments.


Important Note – LDAP Signing Configuration

Please follow the steps below carefully to review or modify the LDAP signing configuration on a Domain Controller:


1. Open Group Policy Management

  • Log in to the Domain Controller using a Domain Admin account.
  • Open Group Policy Management:
    • Press Win + R
    • Type gpmc.msc
    • Press Enter

2. Edit the Domain Controllers Policy

  • In the left pane, navigate to:
    Forest
    └ Domains
      └ yourdomain.local
        └ Domain Controllers
  • Right-click Default Domain Controllers Policy
  • Select Edit

Alternatively, a new GPO can be created and linked to the Domain Controllers OU instead of modifying the default policy.


3. Locate the LDAP Signing Policy

In the Group Policy Management Editor, navigate to:

Computer Configuration
└ Policies
  └ Windows Settings
    └ Security Settings
      └ Local Policies
        └ Security Options
  • Find the following policy:

Domain controller: LDAP server signing requirements

  • Set the value to:
    • Disabled

⚠️ Important Note (Windows Server 2025+)

On Windows Server 2025 and later versions, proper SSL/TLS configuration for LDAP/LDAPS is mandatory for secure communication.

In these environments, LDAP communication is expected to run with encryption enabled (LDAPS or StartTLS). Disabling the strict LDAP signing requirement may still be necessary in certain integration scenarios to stay compatible with legacy or non-TLS-aware applications.

However, the recommended and secure approach is to ensure all directory communication uses LDAPS (port 636) with valid SSL certificates instead of relying on unsecured LDAP connections.
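As an added example that is not part of this article or of Timus, the PowerShell script below performs a read-only audit of what this section changes: it reads the LDAPServerIntegrity registry value that the "Domain controller: LDAP server signing requirements" policy writes on a Domain Controller, then confirms the DC listens on LDAPS (TCP 636) and shows the certificate clients will see. It assumes it runs on the DC with an account that can read the NTDS parameters key; $DomainController is a placeholder that defaults to the local machine.

```powershell
# Added example, not part of the Timus documentation: a read-only audit to run
# on a Domain Controller before changing "Domain controller: LDAP server signing
# requirements". Assumptions: executed as an account that can read the NTDS
# registry key; $DomainController defaults to the local machine (placeholder).
param(
    [string]$DomainController = $env:COMPUTERNAME
)

# The GPO setting is applied to the DC as the LDAPServerIntegrity value:
#   2 = Require signing, 1 = None (signing not required), absent = None.
$ntdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$integrity = (Get-ItemProperty -Path $ntdsKey -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
$signing = switch ($integrity) {
    2       { 'Require signing' }
    1       { 'None (unsigned LDAP on 389 accepted)' }
    default { 'Not configured (behaves as None)' }
}
Write-Host "LDAP server signing requirement : $signing"

# Whatever the signing policy says, the secure path this article recommends is
# LDAPS on TCP 636, so verify the DC listens there and presents a trusted cert.
$probe = Test-NetConnection -ComputerName $DomainController -Port 636 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    Write-Warning "TCP 636 is closed on $DomainController; clients can only reach plain LDAP on 389."
    return
}

# Complete a TLS handshake and inspect the server certificate. The validation
# callback accepts any certificate so the handshake completes; trust is then
# evaluated explicitly with Verify() against this machine's certificate store.
$tcp = New-Object System.Net.Sockets.TcpClient($DomainController, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($DomainController)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "LDAPS certificate subject       : $($cert.Subject)"
    Write-Host "LDAPS certificate issuer        : $($cert.Issuer)"
    Write-Host "LDAPS certificate valid until   : $($cert.NotAfter)"
    Write-Host "Negotiated TLS version          : $($ssl.SslProtocol)"
    if ($cert.Verify()) {
        Write-Host 'Certificate chains to a trusted root on this machine.'
    } else {
        Write-Warning 'Certificate chain is NOT trusted here; LDAPS clients will fail validation.'
    }
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

Run it once before and once after applying the policy; a signing requirement of "None" combined with a closed or untrusted port 636 means directory traffic from the connector host would be neither signed nor encrypted. Verify() checks chain trust and validity dates only, so also confirm the certificate's subject or SAN matches the DC name you will configure in the Directory Connector.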


What This Integration Enables

  • Synchronize AD users and groups directly into Timus
  • Automatically assign synced users to the AD Users team
  • Define access to specific sites based on group membership
  • Enable or restrict Remote Access per site
  • Schedule recurring sync operations via the lightweight Directory Connector agent

Prerequisites

Before getting started, ensure:

  • You have access to a domain-joined Windows Server for installing the Directory Connector
  • Outbound HTTPS (TCP 443) is allowed on the server
  • An API credential has been created in the Timus Manager portal for this integration

Need help generating API credentials?

Go to API Access Guide

Install the Directory Connector Agent

  1. Navigate to Settings → Integrations
  2. Find the Active Directory card and click ⚙️ → Manage
  3. Click Download Agent to download the Directory Connector
  4. Install the agent on your Active Directory Domain Controller

The agent runs as a background service and communicates securely with Timus Cloud.

Create API Credentials in Timus Manager

  1. Navigate to Settings → Configurations → API Access
  2. Click Create New
  3. Enter a Title and choose Application Type = Active Directory
  4. Save the form to receive your credentials:
    • Client ID → Used as the Key
    • Client Secret → Used as the Secret

These credentials are used to authenticate the Directory Connector. Store them securely and never share publicly.

Authenticate the Directory Connector

  1. Launch the installed Directory Connector application
  2. Enter the Key and Secret from the API Access screen
  3. Click Sign In

Upon successful login, the agent will initialize and display:

  • A Synchronization tab for configuring your AD connection
  • A Logs tab for tracking sync status, errors, and activity history

Fill in the required AD domain and bind credentials to proceed.

Enable Synchronization

  1. Return to Settings → Integrations → Manage Active Directory
  2. Toggle Synchronization Status to ON
  3. Confirm the Last Sync timestamp to verify that data is syncing correctly

🔄 Synchronization will continue periodically while the agent remains active and authorized.

Sync Frequency, Sign-In, and Sync Eligibility

Once synchronization is enabled, the Directory Connector initiates a periodic sync every 15 minutes to fetch the latest users and group data from Active Directory.

  • If you add users or groups in AD, these changes will automatically reflect in Timus after the next sync cycle.
  • You don’t have to wait for the next interval — simply open the Directory Connector application and click the Sync Now button to trigger immediate synchronization.
  • This is especially useful when new users need access without delay or when testing new group mappings.

Sign-In Behavior

Synchronized users can sign in using their Active Directory email and password.

  • No password setup email will be sent by Timus.
  • If the password changes in AD, the user’s Timus login will automatically reflect the new password.
  • Authentication fully relies on the user’s AD credentials.

Sync Eligibility Rules

Only users with valid Name and Email attributes in Active Directory are eligible for synchronization.

  • If either field is missing, the user will be excluded from the sync process.
  • This ensures that all users imported into Timus meet minimum identity requirements for sign-in and policy enforcement.
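As an added example (not the Directory Connector's own logic, which this article does not publish), the PowerShell script below reports the accounts that this eligibility rule would silently exclude, so the attributes can be fixed before the next sync rather than discovered afterwards as missing users. It assumes the RSAT ActiveDirectory module is installed, that "Name" corresponds to the displayName attribute and "Email" to the mail attribute, and uses a placeholder search base.

```powershell
# Added example, not part of the Timus documentation: report AD users that the
# sync eligibility rule would exclude. Assumptions: RSAT ActiveDirectory module
# is installed; "Name" means displayName and "Email" means mail; $SearchBase is
# a placeholder OU (use the domain root to scan everything).
param(
    [string]$SearchBase = 'OU=Staff,DC=yourdomain,DC=local',
    [string]$ReportPath = '.\ad-sync-ineligible.csv'
)
Import-Module ActiveDirectory

# Pull only the attributes the check needs; Enabled is returned by default.
$users = @(Get-ADUser -Filter * -SearchBase $SearchBase -Properties displayName, mail)

$ineligible = @(foreach ($u in $users) {
    $problems = @()
    if ([string]::IsNullOrWhiteSpace($u.displayName)) { $problems += 'displayName missing' }
    if ([string]::IsNullOrWhiteSpace($u.mail)) {
        $problems += 'mail missing'
    } elseif ($u.mail -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        # Present but not a usable address: sign-in is by AD email, so flag it too.
        $problems += 'mail malformed'
    }
    if ($problems.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            Enabled           = $u.Enabled
            DistinguishedName = $u.DistinguishedName
            Problems          = ($problems -join '; ')
        }
    }
})

# Enabled accounts are the ones whose owners will actually notice they cannot
# sign in, so count them separately; disabled ones are usually fine to skip.
$enabledIneligible = @($ineligible | Where-Object { $_.Enabled })

$ineligible | Sort-Object Enabled -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} of {1} users in {2} will be skipped by sync ({3} of them enabled). Report: {4}" -f
    $ineligible.Count, $users.Count, $SearchBase, $enabledIneligible.Count, $ReportPath)
```

Run it against the OUs that feed the groups you map in Timus; a member of a mapped group with an empty mail attribute never reaches the Allowed Sites evaluation because it is dropped at sync time.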

Important: The Synchronization Status must remain ON for periodic or manual sync to function properly.

Note: You can sync one SDN with one Active Directory.

Map Groups & Configure Access

In the Mapping section:

  1. Select AD groups from the list
  2. Under Allowed Sites, define which site they can access
  3. Optionally, enable Remote Access for VPN-style connectivity

Site permissions apply immediately and can be adjusted later under Users or via Bulk Actions.

Post-Sync Behavior

  • Synced users appear under Users & Teams → Users
  • By default, users are added to the AD Users team
  • AD group memberships are re-evaluated during each sync
  • Manual team assignments remain unless overridden by future sync mappings

Disable the Integration

To deactivate:

  1. Navigate to Settings → Integrations.
  2. Click the ⚙️ → Disable on the Active Directory card.

Disabling the integration will:

  • Stop all future synchronization events
  • Preserve existing users and teams
  • Unlink group mappings
  • Allow you to re-enable the connection later if needed

🔐 Security & Data Considerations

  • All sync operations use encrypted connections
  • API credentials are securely stored and scoped to read-only user/group data
  • Timus never alters your AD environment—only reads necessary data for provisioning
