
Synchronize Computers in Active Directory Groups to Agent Configuration Groups

The PerformanceGuard integration with Active Directory (AD) makes it possible to automatically synchronize computers in AD groups to PerformanceGuard Manage Agent Configuration Groups.

To enable synchronization with AD:

  1. Set up communication between the PerformanceGuard backend server and your AD server
  2. Set up agent configuration group synchronization in PerformanceGuard

Edit the file

[PerformanceGuard installation folder]\notification\conf\config.properties

and supply these parameters:

| Parameter | Value |
| --- | --- |
| backend.ldap.url | Defines the hostname and port of the AD server. |
| backend.ldap.principal | Specifies the distinguished name (DN) of the user identity that is used to authenticate to the LDAP service. ⚠️ The user must be able to browse AD groups. |
| backend.ldap.password | Encoded password for the principal. |
| backend.ldap.basedn.computers | The computer base distinguished name (DN), which indicates the starting point for searches in the LDAP directory server for computer groups. |
| backend.ldap.groupNameFilter | Filter to find all computer groups. |
| backend.ldap.computerNameFilter | Filter to find all computers. |
| backend.ldap.syncFrequencyInSeconds | Specifies how often (in seconds) the server should synchronize AD computer groups. The default is 3600 seconds (one hour). To avoid continuous server requests, values below 60 seconds have no effect. |

backend.ldap.url=ldap://ourcompany:389
backend.ldap.principal=CN=aduser,OU=R & D,OU=Ourcompany,DC=ourcompany,DC=net
backend.ldap.password=XXXX
backend.ldap.basedn.computers=OU=Computers,OU=Ourcompany,DC=ourcompany,DC=net
backend.ldap.groupNameFilter=organizationalUnit
backend.ldap.computerNameFilter=computer
backend.ldap.syncFrequencyInSeconds=3600

or

backend.ldap.url=ldap://ourcompany:389
backend.ldap.principal=CN=aduser,OU=R & D,OU=Ourcompany,DC=ourcompany,DC=net
backend.ldap.password=XXXXX
backend.ldap.basedn.computers=OU=Computers,OU=Ourcompany,DC=ourcompany,DC=net
backend.ldap.groupNameFilter=group
backend.ldap.computerNameFilter=member
backend.ldap.syncFrequencyInSeconds=3600

It’s also possible to add multiple domains to synchronize computers from different domains. Follow the example to set up multiple domains:

backend.ldap.url=ldap://ourcompany:389
backend.ldap.principal=CN=aduser,OU=R & D,OU=Ourcompany,DC=ourcompany,DC=net
backend.ldap.password=XXXXX
backend.ldap.basedn.computers=OU=Computers,OU=Ourcompany,DC=ourcompany,DC=net
backend.ldap.groupNameFilter=organizationalUnit
backend.ldap.computerNameFilter=computer
backend.ldap.syncFrequencyInSeconds=3600
backend.ldap1.url=ldap://ourcompany:389
backend.ldap1.principal=CN=LDAP Reader,OU=Service Accounts,OU=Yorkshire,DC=ourcompany,DC=com
backend.ldap1.password=XXXXX
backend.ldap1.basedn.computers=OU=London,OU=Workstations,DC=ourcompany,DC=com
backend.ldap1.groupNameFilter=group
backend.ldap1.computerNameFilter=member
backend.ldap1.syncFrequencyInSeconds=3600

Base DN for AD computer groups:


Group and Computer name filter setup for organizationalUnit/computer:

Group and Computer name filter setup for group/member:

member will list all members of the group Ourcompany All:

To set up an LDAP connection via SSL, you must import your certificates into the Java Keystore:

  1. Secure the Java certificate store in a location other than the default location.

    1. Default location of the Java Keystore: [PerformanceGuard installation folder]\OpenJDK\jre\lib\security\cacerts
    2. Create a directory outside [PerformanceGuard installation folder], e.g. D:\Certs
  2. Add the root certificate to your Java Keystore by entering the following command in a command prompt window. This is the certificate that is used to validate the LDAP server’s certificate.

    keytool -import -alias serverCert -file "RootCert.cer" -keystore "%JDK_HOME%/jre/lib/security/cacerts"
  3. Import the root certificate.
  4. List the imported certificates. Then look for the alias you specified in step 3.
  5. The default password for the Java Keystore is changeit. To change the password, open a command prompt window and use the following command.

    keytool -storepasswd -keystore "%JDK_HOME%/jre/lib/security/cacerts"

    1. Enter the current password (which is the default changeit).
    2. Enter a new keystore password.
    3. Re-enter the new keystore password.

When you have imported the certificate into the Java store, the JVM needs to load the certificate store on startup.

Locate "[PerformanceGuard installation folder]\notification\pgbackendw.exe" and launch the application. Open Java and insert the following into Java Options:

-Djavax.net.ssl.trustStore="Path to your cacerts file"
-Djavax.net.ssl.trustStorePassword="Password to cacerts"

Press Apply/OK and restart the PerformanceGuard Backend service. The PerformanceGuard server will now use the Java certificate store.

Use the following connection parameters for LDAP via SSL.
Edit the file

[PerformanceGuard installation folder]\notification\conf\config.properties

and supply the following parameters for AD connection via SSL:

backend.ldap.url=ldaps://hostname:636
backend.ldap.principal=CN=aduser,OU=R & D,OU=Ourcompany,DC=ourcompany,DC=net
backend.ldap.password=XXXXX
backend.ldap.basedn.computers=OU=Computers,OU=Ourcompany,DC=ourcompany,DC=net
backend.ldap.groupNameFilter=organizationalUnit
backend.ldap.computerNameFilter=computer
backend.ldap.syncFrequencyInSeconds=3600

or

backend.ldap.url=ldaps://hostname:636
backend.ldap.principal=CN=aduser,OU=R & D,OU=Ourcompany,DC=ourcompany,DC=net
backend.ldap.password=XXXXX
backend.ldap.basedn.computers=OU=Computers,OU=Ourcompany,DC=ourcompany,DC=net
backend.ldap.groupNameFilter=group
backend.ldap.computerNameFilter=member
backend.ldap.syncFrequencyInSeconds=3600
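
The parameters described on this page can be checked before the backend service is restarted. The following Python script is an added example, not part of PerformanceGuard or of the original page: it groups the `backend.ldap`, `backend.ldap1`, ... keys per domain and reports missing parameters, `ldap://` URLs, filter pairs other than the two shown above, and sync intervals below 60 seconds. The function names and finding messages are assumptions, as is the premise that the file uses `key=value` lines like the examples above.

```python
import re
REQUIRED = ("url", "principal", "password", "basedn.computers",
            "groupNameFilter", "computerNameFilter")
KNOWN_PAIRS = {("organizationalUnit", "computer"), ("group", "member")}  # pairs on the page
KEY_RE = re.compile(r"^backend\.(ldap\d*)\.(.+)$")

def parse_domains(text):
    """Group backend.ldap.*, backend.ldap1.* ... keys by domain prefix."""
    domains = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")  # first '=' only: DNs contain '='
        m = KEY_RE.match(key.strip())          # comment lines (#, !) never match
        if sep and m:
            domains.setdefault(m.group(1), {})[m.group(2)] = value.strip()
    return domains

def audit(text):
    """Return sorted (domain, finding) tuples for the text of a config.properties."""
    findings = []
    for name, cfg in parse_domains(text).items():
        findings += [(name, f"missing {k}") for k in REQUIRED if not cfg.get(k)]
        if cfg.get("url", "").lower().startswith("ldap://"):
            findings.append((name, "url is ldap://, not ldaps://"))
        pair = (cfg.get("groupNameFilter"), cfg.get("computerNameFilter"))
        if all(pair) and pair not in KNOWN_PAIRS:
            findings.append((name, "filter pair is not one of the documented pairs"))
        freq = cfg.get("syncFrequencyInSeconds", "3600")  # documented default
        if not freq.isdecimal() or int(freq) < 60:
            findings.append((name, "syncFrequencyInSeconds is not a number >= 60"))
    return sorted(findings)

# Constructed sample: "ldap" is clean, "ldap1" has four problems.
SAMPLE = """\
backend.ldap.url=ldaps://hostname:636
backend.ldap.principal=CN=aduser,OU=R & D,OU=Ourcompany,DC=ourcompany,DC=net
backend.ldap.password=XXXXX
backend.ldap.basedn.computers=OU=Computers,OU=Ourcompany,DC=ourcompany,DC=net
backend.ldap.groupNameFilter=group
backend.ldap.computerNameFilter=member
backend.ldap1.url=ldap://ourcompany:389
backend.ldap1.principal=CN=LDAP Reader,OU=Service Accounts,OU=Yorkshire,DC=ourcompany,DC=com
backend.ldap1.password=XXXXX
backend.ldap1.groupNameFilter=group
backend.ldap1.computerNameFilter=computer
backend.ldap1.syncFrequencyInSeconds=30
"""

if __name__ == "__main__":
    print(*(f"{d}: {f}" for d, f in audit(SAMPLE)), sep="\n")
```

To check a real installation, pass the text of `config.properties` to `audit()` instead of `SAMPLE`.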

Set Up Agent Configuration Group Synchronization


Select ADMINISTRATION > Agent Configuration > Configurations. Click  next to the required agent configuration group, select Edit Group, and specify which AD groups the agent configuration group should be synchronized with.

View Synchronized Agent Configuration Groups


Select ADMINISTRATION > Agent Configuration > Active Directory to view synchronized agent configuration groups.