Connecting to Active Directory

Active Directory is Microsoft's Directory Server that provides a LDAP-compliant database containing objects such as users, groups, and computers. Use Analytics's data connector to import your organization's Active Directory data.

Note

You cannot use this connector independently of Analytics. You can configure a DSN for the connector driver using the Windows ODBC Data Source Administrator, however you must test the DSN connection from within Analytics and not from the connector's Windows DSN configuration dialog.

Before you start

To connect to Active Directory, you must gather the following:

the domain name or IP address of the Active Directory server
the correct connection port
the connecting user account, including the distinguished name of the user and the password

For help gathering the connection prerequisites, contact the Active Directory administrator in your organization. If your administrator cannot help you, you or your administrator should contact Active Directory Support.

Create an Active Directory connection

From the Analytics main menu, select Import > Database and application.
From the New Connections tab, in the ACL Connectors section, select Active Directory.
Tip
You can filter the list of available connectors by entering a search string in the Filter connections box. Connectors are listed alphabetically.
In the Data Connection Settings panel, enter the connection settings and at the bottom of the panel, click Save and Connect.
You can accept the default Connection Name, or enter a new one.

The connection for Active Directory is saved to the Existing Connections tab. In the future, you can reconnect to Active Directory from the saved connection.

Once the connection is established, the Data Access window opens to the Staging Area and you can begin importing data. For help importing data from Active Directory, see Import data using the Data Access window .

Connection settings

Basic settings

Setting	Description	Example
User	The distinguished name of a user. Together with Password, this field is used to authenticate against the Active Directory server.	MYDOMAIN\test
Password	The password for the distinguished name of the specified user. Together with User, this field is used to authenticate against the Active Directory server. Note You may connect without providing a password if your Active Directory server permits anonymous connections. Based on your server's security configuration, anonymous connections may be able to list available tables. However, such connections may not be able to select data from some or all of the tables listed. For more information about your Active Directory security configuration, contact your organization's administrator.
Server	The domain name or IP of the Active Directory server. This does not need to include the LDAP:\\ portion, only the server domain name or IP.	10.120.1.110
Port	The port the Active Directory server is running on. The default value is 389. Together with Server, this property is used to specify the Active Directory server.	389
Base DN	The base portion of the distinguished name, used for limiting results to specific subtrees. Specifying a base DN may greatly improve performance when returning entries for large servers by limiting the number of entries that need to be examined.	DC=myConnection,DC=com
LDAP Version	The LDAP version used to connect to and communicate with the server. Valid options are 2 and 3 for LDAP versions 2 and 3.	2
Auth Mechanism	The authentication mechanism to be used when connecting to the Active Directory server: SIMPLE (default) default plaintext authentication is used to log in to the server DIGESTMD5 the more secure DIGEST-MD5 authentication is used NEGOTIATE NTLM/Negotiate authentication will be used	SIMPLE
Scope	Whether to limit the scope of the search to: WholeSubtree the whole subtree (BaseDN and all of its descendants) SingleLevel a single level (BaseDN and its direct descendants) BaseObject the base object (BaseDN only) Tip Limiting scope can greatly improve the search performance.	BaseObject

Advanced settings

Setting	Description	Example
Use Default DC	Used to connect to the default Domain Controller and authenticate using the current user credentials.	false
Convert Datetime to GMT	Converts datetime fields to GMT time zone during import. If false, the datetime value is converted to the operating system time zone of the machine running Analytics.	true
Limit Key Size	The maximum length of a primary key column. Setting the size to 0 will make the key length revert to the original length. This property makes the connector override the reported length of all the primary key columns.	255
Map to Long Varchar	Controls whether or not a column is returned as SQL_LONGVARCHAR. Use this setting to map any column larger than the specified size so they are reported as SQL_LONGVARCHAR instead of SQL_VARCHAR.	-1
Map to WVarchar	Controls whether or not string types map to SQL_WVARCHAR instead of SQL_VARCHAR. It is set by default. String columns must be mapped to SQL_WVARCHAR to accommodate various international character sets, so MapToWVarchar is set to true by default. You may set it to false to use SQL_VARCHAR instead.	true
Pseudo Columns	Indicates whether or not to include pseudo columns as columns to the table. This setting is particularly helpful in Entity Framework, which does not allow you to set a value for a pseudo column unless it is a table column. The value of this connection setting is of the format "Table1=Column1, Table1=Column2, Table2=Column3". You can use the "*" character to include all tables and all columns.	MyTable=*
Upper Case Identifiers	Report all identifiers in uppercase, including table and column names.	false
SSL Server Cert	The certificate to be accepted from the server when connecting using TLS/SSL. You can specify any of the following: full PEM certificate path to a local file containing the certificate the public key the MD5 Thumbprint (hex values can also be either space or colon separated) the SHA1 Thumbprint (hex values can also be either space or colon separated) If using a TLS/SSL connection, this property can be used to specify the TLS/SSL certificate to be accepted from the server. Any other certificate that is not trusted by the machine will be rejected.	C:\cert.cer
Support Enhanced SQL	Enhances SQL functionality beyond what can be supported through the API directly, by enabling in-memory client-side processing: true the connector offloads as much of the SELECT statement processing as possible to Active Directory and then processes the rest of the query in memory. In this way the driver can execute unsupported predicates, joins, and aggregation false the connector limits SQL execution to what is supported by the Active Directory API Note This setting must be false to support filtering using the where clause syntax. Execution of predicates The connector determines which of the clauses are supported by the data source and then pushes them to the source to get the smallest superset of rows that would satisfy the query. It then filters the rest of the rows locally. The filter operation is streamed, which enables the driver to filter effectively for even very large datasets. Execution of Joins The connector uses various techniques to join in memory. The driver trades off memory utilization against the requirement of reading the same table more than once. Execution of Aggregates The connector retrieves all rows necessary to process the aggregation in memory.	false

Filtering the rows returned

The Active Directory connector uses an SQL filtering syntax that aligns closely with the LDAP search syntax. Some fields contain delimited data that represents multiple object attributes. Your WHERE clause must account for each value in these delimited fields as if they are distinct values, rather than a single string.

For more information about LDAP search filters, see MSDN Search Filter Syntax.

Filtering User on ObjectCategory and ObjectClass

Scenario

You are working with the User table and you want to import records where the ObjectClass has the following attributes:

person
user

You also want to limit the records to those where the ObjectCategory has the Computer attribute, and not Person.

Connecting to the table

First, you connect to the Active Directory server, and select the User table (subset of fields shown).

Filtering the records

To limit the records to those you want to import, you apply a filter that treats each delimited value as a discrete field.

You then use SQL Mode to verify the WHERE clause that the filter constructs:

WHERE
  (
    "User"."ObjectClass" = N'person' AND
    "User"."ObjectClass" = N'user' AND
    "User"."ObjectCategory" = N'Computer'
  )

Filter results

Once the filter is applied, the table includes records that match the WHERE clause and you import the table.

Joining Active Directory tables

Due to the data model used in LDAP-compliant databases such as Active Directory, SQL joins are not recommended. Joins may yield unexpected results.

If you need to join one or more tables from an Active Directory data source, you can import multiple tables using the Data Access window and then join them in Analytics. Use filters to limit the number of records and increase efficiency.

[ Back to top ]

Analytics 14.1 Help