Active Directory Integration

NormShield includes a built-in user repository where users can be created and managed, as explained in Users & Groups. For enterprises, however, Active Directory integration is also supported for simple and integrated user management.

To configure Active Directory integration, click the Configuration button under the Admin->Active Directory submenu, as shown in Figure 1.

Figure 1 - Active Directory integration and search for users

Figure 2 shows the configuration parameters for Active Directory integration. After entering the appropriate values, click the Save Configuration button to make the configuration effective.


Figure 2 - Active Directory configuration interface

The input names and their explanations are shown in Table 1.

Input Name



The server URL of the domain, such as ad1.example.domain. This assumes that the machine on which NormShield is installed is not attached to the domain.


The username to be used for binding


The password to be used for binding

Authentication Type

There are three options for binding to an Active Directory server:

SSLSecure: All traffic is encrypted with SSL. Requires AD certificate server to be installed.
KerberosSecure: All traffic is encrypted with Kerberos. Requires Kerberos enabled AD.
Secure: Username/password are encrypted. The rest of the traffic isn't.

Important Note: In none of the above authentication types is the username/password sent unencrypted! The default value is KerberosSecure.


The LDAP filter utilizing usernames (such as jdoe) or display names (John Doe) as the search criteria

Username Attribute

Active Directory username attribute (default value: SAMAccountName)

Name Attribute

Active Directory full name attribute (default value: displayName)

ManagerDN Attribute

Active Directory manager DN attribute (default value: manager)

Title Attribute

Active Directory title attribute (default value: title)

TeamMailGroup Attribute

Group alias attribute of a user object, such as TEAM-NORMSHIELD-IS

InactiveUserSpecifier Attribute

Attribute of a user object whose non-existence means the user is inactive

Email Attribute

Active Directory email attribute (default value: email)

Department Attribute

Active Directory department attribute (default value: department)

DN Attribute

Active Directory distinguished name attribute (default value: DN)

Team Attribute

Active Directory team name attribute (default value: extensionAttribute2)

Unit Attribute

Active Directory unit name attribute (default value: extensionAttribute1)

Mobile Attribute

Active Directory phone number attribute (default value: mobile)

Table 1 - The input listing of Active Directory configuration

Most of the time, the machine on which the NormShield portal is installed is a server that is not attached to the domain. Before integration, there are two things to know in advance:

  • The domain name, such as or
  • The service account credentials, in order to connect and query AD

Figure 3 shows how to find the AD Domain Controller for the integration.

Figure 3 - Two ways of finding the Active Directory server

Finding the appropriate Active Directory property names is the key part of a successful NormShield & AD integration. Figure 4 shows the connection details in the SysInternals Active Directory Explorer tool.

Figure 4 - Using SysInternals Active Directory Explorer tool to connect to AD

Figure 5 shows properties of a single user for analyzing extension attributes.

Figure 5 - Active Directory user properties. Attributes such as team/unit names come with MS Exchange extension attributes, and these are not always available.
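
The following Python example is added here and is not part of NormShield. It applies the Table 1 default attribute names to a directory entry, treats a missing InactiveUserSpecifier attribute as an inactive user, reports unmapped attributes (such as absent Exchange extension attributes), and escapes search terms before they are placed in the LDAP filter. The specifier name exampleActiveFlag, the filter template and the sample entry are assumptions constructed for illustration.

```python
# Added example: attribute names are the defaults listed in Table 1.
DEFAULT_MAP = {
    "username": "SAMAccountName",
    "name": "displayName",
    "manager_dn": "manager",
    "title": "title",
    "email": "email",
    "department": "department",
    "dn": "DN",
    "team": "extensionAttribute2",
    "unit": "extensionAttribute1",
    "mobile": "mobile",
}
INACTIVE_SPECIFIER = "exampleActiveFlag"  # hypothetical; the page gives no default

# RFC 4515 escapes for characters that have meaning inside an LDAP filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape LDAP filter metacharacters in user-supplied search text."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_search_filter(term, attr_map=DEFAULT_MAP):
    """Match the term against the username or display-name attribute.
    The (|(a=t)(b=t)) template is an assumption, not NormShield's filter."""
    safe = escape_filter_value(term)
    return "(|({u}={t})({n}={t}))".format(
        u=attr_map["username"], n=attr_map["name"], t=safe)

def map_entry(entry, attr_map=DEFAULT_MAP, inactive_attr=INACTIVE_SPECIFIER):
    """Map one directory entry to a user record; absent attributes become None."""
    lowered = {k.lower(): v for k, v in entry.items()}  # names are case-insensitive
    record = {f: lowered.get(a.lower()) for f, a in attr_map.items()}
    missing = sorted(f for f, v in record.items() if v is None)
    # Per Table 1: the user is inactive when the specifier attribute does not exist.
    record["active"] = inactive_attr.lower() in lowered
    record["missing"] = missing
    return record

SAMPLE_ENTRY = {  # constructed sample, not real directory data
    "sAMAccountName": "jdoe",
    "displayName": "John Doe",
    "DN": "CN=John Doe,OU=Users,DC=example,DC=domain",
    "title": "Analyst",
    "department": "IS",
    "extensionAttribute2": "Security",
}

if __name__ == "__main__":
    print(build_search_filter("John Doe"))
    print(map_entry(SAMPLE_ENTRY))
```
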

