
ControlSuite: Equitrac Directory Services Synchronization: Can the LDAP Settings be used to Synchronize users in Active Directory

Article # 3031458

Question: 

Can the LDAP option be used to Synchronize users with Active Directory in Equitrac Directory Synchronization?

Answer: 

LDAP sync settings cannot be used for Active Directory synchronization; Active Directory has its own menu for a reason. So what is the difference?

AD Sync

In Active Directory, every user has a field called USNchanged. Each time the user object is modified, this field is updated with a new, incrementally higher value.

AD sync is performed by the Equitrac Scheduler. It uses an internal database entry in CAS called mostRecentUSN, which starts at 0 on the first sync and is updated with the highest USNchanged value found once the sync completes. Every user whose USNchanged is greater than mostRecentUSN is checked for update according to the Adds, Changes and Deletes settings:

Adds - if this is checked, the user is added and its fields are synchronized.

Changes - if USNchanged is higher, the user's details are updated, including locking the account when it is deactivated in Active Directory.

Deletes - if there is access to the deleted users container, the user is marked in Equitrac as deleted and disappears from view.

This runs on a frequency setting, as Scheduler forces communication on a timely basis. If new containers are added, the users in them may have a lower USNchanged than mostRecentUSN and would therefore never be checked; in that case 'Synchronize on Save' resets mostRecentUSN to 0 so that all users are checked on the next pass.
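The watermark behaviour described above, as an added illustration that is not Equitrac code: a constructed model of the USNchanged / mostRecentUSN incremental pass, showing why a user in a newly added container is skipped until 'Synchronize on Save' resets the watermark. The AdUser and SyncState classes and the sample USN values are assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass
class AdUser:
    """Constructed stand-in for an AD user object; usn_changed mirrors USNchanged."""
    name: str
    usn_changed: int
    disabled: bool = False
    deleted: bool = False

@dataclass
class SyncState:
    """Constructed stand-in for CAS state: the mostRecentUSN watermark plus known users."""
    most_recent_usn: int = 0
    users: dict = field(default_factory=dict)  # name -> {"locked": bool, "deleted": bool}

def ad_sync(directory, state, adds=True, changes=True, deletes=True):
    """One Scheduler pass: only users with USNchanged above the watermark are checked,
    then the watermark moves to the highest USNchanged seen. Returns the names checked."""
    checked = []
    for u in directory:
        if u.usn_changed <= state.most_recent_usn:
            continue  # below the watermark: never examined in an incremental pass
        checked.append(u.name)
        known = u.name in state.users
        if u.deleted:
            if deletes and known:
                state.users[u.name]["deleted"] = True
        elif not known:
            if adds:
                state.users[u.name] = {"locked": u.disabled, "deleted": False}
        elif changes:
            state.users[u.name]["locked"] = u.disabled  # deactivated in AD -> locked in Equitrac
    if checked:
        state.most_recent_usn = max(u.usn_changed for u in directory)
    return checked

def synchronize_on_save(state):
    """'Synchronize on Save': reset the watermark so the next pass checks every user."""
    state.most_recent_usn = 0

def run_scenario():
    """Walk through the new-container edge case described in the article."""
    state = SyncState()
    ad_sync([AdUser("alice", 100), AdUser("bob", 105)], state)  # both added, watermark -> 105
    # bob is deactivated (USNchanged bumps to 110); a newly included container brings in
    # carol, whose USNchanged (50) is already below the watermark.
    second = [AdUser("alice", 100), AdUser("bob", 110, disabled=True), AdUser("carol", 50)]
    missed = ad_sync(second, state)   # only bob is checked; carol is silently skipped
    synchronize_on_save(state)
    full = ad_sync(second, state)     # watermark 0: every user is checked, carol is added
    return missed, full, state
```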

LDAP

LDAP is completely different.

It works by creating a persistent connection. When Scheduler is started, a connection is made to the LDAP server and held open. Each time a user is edited in LDAP, the server notifies Equitrac over that connection and the update is applied immediately; this is why there is no sync timer.

If connecting to Active Directory, the LDAP option cannot be used. The reason is that Active Directory does not support persistent searches, so the connection cannot be made and held open.

Testing will work, because the test performs a one-off query. This is also how Embedded clients work: the user chooses a search criterion and the DCE then communicates with CAS to query the LDAP server for a list of matching email addresses. This is not a persistent search.

Secure Communication

A common mistake is to try to use the LDAP option to force secure communication with the DC. This is not necessary for Active Directory Sync, and there are no settings for it, because the domain policy for LDAP channel binding determines whether the connection is secure or not.

See the Microsoft article "2020 LDAP channel binding and LDAP signing requirements for Windows" (microsoft.com).

Applies to:

Product        Version
Equitrac       5.x
ControlSuite   1.x