Import users from Active Directory

(Available in Enterprise Edition only)

Zoho Vault provides a user provisioning app that helps you import users into Zoho Vault from your identity provider, i.e., AD/LDAP. In addition to importing users, you can also periodically synchronize the user list and keep it up-to-date. In Windows, you can configure the provisioning app as a scheduled task to automatically add, update, disable or delete users from Zoho Vault periodically.

Prerequisites

  • Zoho Vault account with super admin credentials
  • A verified domain name in Zoho Vault
  • Windows system with .NET Framework 2.0
  • Basic knowledge of LDAP queries

How does the synchronization happen?

The Provisioning App queries the LDAP server and imports users. It also fetches your organization's users from Zoho accounts. You can exclude some users with the various exclusion rules. The Provisioning App then compares the users returned by the LDAP queries with the users in Zoho accounts. The comparison covers two scenarios:

  • Users available in LDAP but not in Zoho: These users will be added to Zoho Vault.
  • Users available in Zoho but not in LDAP: These users will be deleted or disabled in Zoho Vault, based on the sync preference selected in the tool.

LDAP Queries:

Since the Provisioning App adds or deletes users from your organization account in Zoho Vault, it is important to configure the LDAP queries and exclusion rules in the Provisioning App correctly. First, determine the set of users you want to sync between your LDAP server and Zoho Vault. Then configure the LDAP queries in the Provisioning App to match only the users you want to import or sync. Here are a few such examples:

To import or sync all users in your AD/LDAP

Base DN : DC=zillum,DC=com
Query : (objectClass=user)

To import or sync all users in an Organization Unit (OU) named Austin

Base DN : OU=Austin,DC=zillum,DC=com
Query : (objectClass=user)

To import or sync only the users in a specific department (for example, “ITAdmin”) who belong to the Austin OU

Base DN : OU=Austin,DC=zillum,DC=com
Query : (&(objectClass=user)(department=ITAdmin))
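
The comparison described under "How does the synchronization happen?" and the three example queries above, worked through as an added example (not part of Zoho's tool or documentation): a Python dry run over constructed directory entries that shows which Vault users each Base DN/query pair would add or flag for deletion/disabling. The directory entries, the `breakglass` account, the helper names and the simplified subtree match on Base DN are assumptions; only equality filters are evaluated.

```python
# Added example: dry run of the LDAP-vs-Vault comparison. All data is constructed.
def parse(f, i=0):
    """Parse (&..), (|..), (!..) and (attr=value) filters; returns (node, next_index)."""
    op = f[i + 1]
    if op in "&|!":
        i, kids = i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1          # skip the closing ")"
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one directory entry (equality match only)."""
    if node[0] == "=":
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)

def plan_sync(directory, base_dn, query, vault_users, excluded=()):
    """Return (to_add, to_remove) following the two scenarios on this page."""
    tree, _ = parse(query)
    in_ldap = {e["mail"][0].lower() for e in directory
               if e["dn"][0].lower().endswith(base_dn.lower()) and matches(tree, e)}
    vault = {u.lower() for u in vault_users}
    skip = {u.lower() for u in excluded}   # exclusion rules: never added or removed
    return sorted(in_ldap - vault - skip), sorted(vault - in_ldap - skip)

def user(cn, ou, dept):
    """Build one constructed directory entry (hypothetical helper)."""
    return {"dn": [f"CN={cn},OU={ou},DC=zillum,DC=com"],
            "objectclass": ["top", "person", "user"],
            "department": [dept], "mail": [f"{cn}@zillum.com"]}

DIRECTORY = [user("mark", "Austin", "ITAdmin"), user("amy", "Austin", "Sales"),
             user("raj", "Chennai", "ITAdmin")]
VAULT = ["mark@zillum.com", "amy@zillum.com", "raj@zillum.com", "breakglass@zillum.com"]
EXCLUDED = ["breakglass@zillum.com"]      # Vault-only account kept out of the sync

if __name__ == "__main__":
    for base, q in [("DC=zillum,DC=com", "(objectClass=user)"),
                    ("OU=Austin,DC=zillum,DC=com", "(objectClass=user)"),
                    ("OU=Austin,DC=zillum,DC=com",
                     "(&(objectClass=user)(department=ITAdmin))")]:
        print(base, q, plan_sync(DIRECTORY, base, q, VAULT, EXCLUDED))
```

Narrowing the query from the whole domain to the Austin ITAdmin filter moves every other non-excluded Vault user into the delete/disable list, which is the outcome to look for in the tool's simulated sync before saving the settings.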

Default password for imported user accounts

  • Zoho Vault will automatically create a new user account for every user imported from AD/LDAP.
  • While importing users with the Provisioning App, you might have supplied a default password. Your organization users can use this default password to log in to Zoho Vault.
  • If they (organization users) wish to change the default password, they can click the “Forgot Password” link on the login page to receive a mail to generate a new password.

What are the different types of synchronization available?

There are three ways in which you can sync your identity provider (AD/LDAP) with Zoho Vault.

1. Manual sync

  • You can run the provisioning app and select the sync option
  • It will display the list of users to be added or deleted/disabled.
  • You can select the users and sync them.

2. Command-line sync

Before initiating the command-line sync, follow the below steps:

  • Run the provisioning app and enter all details
  • Select your sync option – whether to delete or disable users when a user is deleted in LDAP
  • You can simulate the sync to see whether the tool correctly shows the list of users to be added or deleted
  • Click on “Save settings for sync” to save all your options to a file
  • Give this file as an argument to ProvisioningApp.exe to start the sync process
  • Execute the below command to initiate the sync process:

ProvisioningApp.exe --action=sync --conf=D:\Users\Administrator\ZohoProvisioning\provisioning.conf --mailto=Mark@zillum.com

3. Scheduled sync

You can configure the above command in the Windows Task Scheduler for periodic syncing. An email is sent to the given address whenever new users are added or users are deleted/disabled.

How to import users from multiple domains?

There are three ways in which you can import users from multiple domains to Zoho Vault. They are listed below.

a. Single Forest

You should use a Global Catalog to query multiple domains in a single forest. Instead of "LDAP://", you can give "GC://" in the Provisioning tool. This way you can search the Global Catalog and do an import or sync of all the users in the same forest with Zoho Vault.

b. Multiple Forests

You need to run the Provisioning tool multiple times to import users from multiple forests. There is no option to sync users from multiple forests.

How to send us log files / Troubleshoot?

If you face any issues while importing or syncing users, send us the log files so that we can fix the issue. You can get the log files from the Windows user profiles directory, e.g., D:\Users\Administrator.Domain\ZohoProvisioning\logs