How can I synchronize Active Directory (AD) groups with Telligent Community roles?

Grant Pankonien — Thu, 18 Jul 2019 17:27:47 GMT

Current Revision posted to User Documentation by Grant Pankonien on 07/18/2019 17:27:47

This guide assumes that [[How can I enable authentication via Windows / Active Directory (AD)?|Active Directory / Windows Authentication and LDAP integration]] is already properly enabled and configured for your Telligent Community site.

Active Directory users can be synchronized with Telligent Community site-level roles. As members are added to Active Directory groups, they will be added to the corresponding role in Telligent Community. As members are removed from Active Directory groups, they will be removed from the corresponding role in Telligent Community.

[toc]

Add a synchronized Telligent Community role

An Active Directory group's membership can easily be synchronized with a Telligent Community role.

First, a few notes:

For Active Directory groups smaller than 500, the accounts will be created immediately. User will not receive an email after their account has been created. The creation of individual accounts for groups with 500 or more members will begin when the LDAP synchronization job runs next.
When adding an Active Directory group that contains other Active Directory groups, only the users of the parent group will be added to the community. The child group and its users will not be added. This is for security purposes. The only way to add the child group is to perform a separate import operation.
AD groups of any combination of group scope and group type may be used.
Active Directory users must have valid email addresses in their Active Directory records for Telligent Community to create an account for the community.
The default configuration maps the Active Directory Administrators group to the Telligent Community Administrators role. To change this:
1. Navigate to the web folder.
2. Edit communityserver.config:
  1. Find the line starting with 'adminWindowsGroup="Administrators"'.
  2. Change 'Administrators' to the name of whatever Active Directory group you would like to map as site administrators on your Telligent site.

To setup a synchronized role:

As an Administrator, navigate to Management > Administration > Membership > Roles.
Click Create an LDAP mapped role.
Type your LDAP group name in the input panel.
Click Create role. This will create a new site role for your community. Additional permissions can be granted to this site role if desired. Note: The name and description for the Active Directory roles may not be changed.

Remove a synchronized Telligent Community role

Active Directory group synchronization can be disabled by deleting the associated site role:

As an Administrator, navigate to Administration > Membeship > Roles.
Select the role in the drop-down list.
Click Delete.

If you delete the site role to remove the Active Directory group, the individual Telligent Community accounts will continue to be active. The users will be able to access the community, but all of their memberships related to the Active Directory group synchronized role will be removed.

Removing a member from a synchronized Telligent Community role

Because the role membership is synchronized with Active Directory and Active Directory is the source of the membership information, the user must be removed from the Active Directory group in Active Directory.

Synchronization frequency

The default configuration for the LDAP synchronization job is to run every morning at 4 a.m. The time can be changed in Administration:

Navigate to Management > Administration > Jobs > Job Status.
Click Jobs.
Locate the LDAP Sync job.
Change the run frequency or time.
Click Save.

Active Directory groups with more than 500 users will be updated every 24 hours. Following our recommended configuration, you can add Active Directory groups with up to 10,000 members. For Active Directory groups with more than 10,000 users, please contact Customer Support.