AD Import Service


Please allow me to introduce you to another open-source project called AD Import Service, a tool that keeps your Kentico users and roles in sync with Active Directory. It's a lightweight but very powerful alternative to AD Import Utility.

About Active Directory Synchronization

One of the most common things developers working with Kentico are asked to do is to arrange the synchronization of users and roles between Active Directory and Kentico. To meet this need, we introduced AD Import Utility in Kentico version 5. This utility is designed for on-demand use and scheduled import of the identified objects and the relationships between them. It is especially handy in corporate environments where Kentico is often configured to use Windows Authentication. With AD Import Utility, system administrators don't have to manually replicate changes they've made in AD to Kentico (typically these are membership changes when employees change their positions in the organization structure).

Though the AD Import Utility has been tuned over the years to support most of the scenarios users have asked for, it doesn't support PUSH synchronization. In other words, the utility cannot be configured to receive notifications from Active Directory when objects change, and thus react to them. This is where AD Import Service comes into play. One of our colleagues devoted his bachelor's thesis to solving this problem. He researched three different approaches to tracking changes in AD (Change Notifications control, DirSync control, and uSNChanged-based LDAP search). The first of these turned out to be a clear winner, as it was the only true push-like method, while the other two techniques rely on polling.

AD Import Service

AD Import Service is a Windows service that uses push notifications from Active Directory to perform one-way incremental synchronization of Users, Roles, and User-Role relations through the Kentico REST service.

AD Import Service schema

How does it work?

When you first run the synchronization, it will perform a full sync. After that, synchronization occurs whenever a change is made in Active Directory. The service can also recover from any downtime because it automatically detects and synchronizes all changes that were made to AD while the service wasn't running.
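One way the downtime recovery described above can be done, shown with the uSNChanged-based search this post mentions; this is an added example, not code from AD Import Service, and the post does not say which mechanism the service itself uses. The class and function names, the DNs, the invocation IDs and the USN values are constructed, and the entries stand in for LDAP search results so the logic runs offline.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:                  # one search result, reduced to the fields used here
    dn: str
    usn_changed: int          # uSNChanged is local to one DC and is not replicated
    is_deleted: bool = False  # tombstone; a plain search does not return these

@dataclass(frozen=True)
class Checkpoint:             # persisted by the sync service between runs
    invocation_id: str        # identifies the DC database the USN belongs to
    highest_usn: int

def catch_up_filter(cp: Checkpoint) -> str:
    # LDAP filters have no strict ">", so request >= highest_usn + 1.
    return ("(&(|(objectClass=user)(objectClass=group))"
            f"(uSNChanged>={cp.highest_usn + 1}))")

def catch_up(cp, invocation_id, highest_committed_usn, entries):
    """Return (full_sync_needed, upsert_dns, delete_dns, new_checkpoint)."""
    # highest_committed_usn is read from the DC's rootDSE before searching.
    new_cp = Checkpoint(invocation_id, highest_committed_usn)
    if invocation_id != cp.invocation_id:
        # Bound to a different (or restored) DC: the stored USN means nothing
        # there, so the only safe answer is a full resynchronisation.
        return True, [], [], new_cp
    missed = sorted((e for e in entries if e.usn_changed > cp.highest_usn),
                    key=lambda e: e.usn_changed)
    upserts = [e.dn for e in missed if not e.is_deleted]
    deletes = [e.dn for e in missed if e.is_deleted]
    return False, upserts, deletes, new_cp

# Constructed sample: state of one DC after the service was down for a while.
SAMPLE = [
    Entry("CN=Alice,OU=Staff,DC=example,DC=test", 4100),      # already synced
    Entry("CN=Editors,OU=Groups,DC=example,DC=test", 4312),   # membership changed
    Entry("CN=Bob,OU=Staff,DC=example,DC=test", 4290),        # attribute changed
    Entry("CN=Carol,CN=Deleted Objects,DC=example,DC=test", 4305, True),
]

if __name__ == "__main__":
    cp = Checkpoint("dc1-constructed-id", 4200)
    print(catch_up_filter(cp))
    print(catch_up(cp, "dc1-constructed-id", 4312, SAMPLE))
```

The delete list matters most for access control: an account or group removed in AD during the outage keeps its Kentico roles until that removal is replayed.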

Installation

Configuration is accomplished via an XML file and is very simple. Provide correct credentials for both AD and Kentico, make sure the users have the correct permissions, specify field mappings, and install the service via InstallUtil.exe to complete the configuration. More details about installation and configuration can be found here.

Features of AD Import Service include:

  • Reduced performance demands because of incremental synchronization.
  • Security because AD Import Service supports SSL, and process rights can be easily managed through the user account under which the service has been configured to run.
  • Support for mapping custom schema attributes for both Users and Groups.
  • AD Import Service is not dependent on a particular Kentico version because it uses Kentico REST service.
  • Important messages are logged to the Windows Event log (and Kentico Event log).
  • The service can be started when a machine starts, without requiring a user to log in every time, because it's a Windows service.
  • It's open-source so anyone can make it better.

We are open to contributions

AD Import Service is hosted on GitHub

As well as KInspector, which I talked about in the previous blog post, this project is hosted on GitHub. Kentico will be happy to collaborate with you on its development. Check out our Home repository to find out how to contribute.

AD Import Service on GitHub Download from GitHub Read the thesis

Disclaimer

Kentico Software does not provide support or testing for open-source software unless expressly stated otherwise. It is developed by volunteers and maintained by Kentico employees in their free time. The software is distributed as it is without any guarantees or warranties of any sort. Kentico is not liable for any damage as a result of your use of this or any other open-source software in conjunction with Kentico. For more information, see the license in each repository before you start using it.


Petr Svihlik

I listen to the voice of community and act in its interest.
