How to - Using Active Directory as user database in Clavister Cloud Services

Last modified on 28 Feb, 2025. Revision 17


This guide walks you through the process of configuring Active Directory and Clavister Cloud Services to establish seamless integration between the two systems. To achieve this, you will need to perform specific configuration steps in both Active Directory and Clavister Cloud Services. This guide provides two separate sets of instructions, each dedicated to its respective platform, ensuring a successful setup.

The guide uses our example company ShieldIT as <company_name> throughout the different steps.

Please note the following assumptions:

  • This guide assumes that you already have an existing Active Directory setup with LDAPS exposed on port 636 in place.
  • Additionally, it is assumed that you have an active instance of Clavister Cloud Services deployed and are enrolled in the service, with access to the Clavister Cloud Services web user interface.

(See related articles below for enrolling to the service)

Creating a user and setting the appropriate permissions in Active Directory

To enable the Active Directory client in the Clavister Cloud Services to function properly, a dedicated AD user account with minimal permissions is required. This user should have read-only access to user and group information within the directory. It is necessary for querying and retrieving users and group memberships without making modifications.

Requirements for User properties in Active Directory

Active Directory users who wish to enroll in the Clavister Cloud Services must have the following attributes configured:

  • Mobile Phone Number – Stored in the "mobile" field.
  • Email Address – Stored in the "mail" field.

During enrolment, users will provide their sAMAccountName as their username.
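As an added example (not part of the Clavister article), the following PowerShell, run on a domain-joined administration host with the RSAT ActiveDirectory module, creates the read-only bind account described above and then audits which users already have the two mandatory attributes populated. The domain company.com, the container CN=Users,DC=company,DC=com, the account name ClavisterUser and the user jdoe are placeholders matching the article's own examples.

```powershell
# Added example, not from the Clavister article: prepare the Active Directory side.
# Assumptions: RSAT ActiveDirectory module installed; domain company.com; service
# account ClavisterUser in CN=Users,DC=company,DC=com; test user jdoe. All placeholders.
Import-Module ActiveDirectory

$Domain  = 'company.com'
$UsersOU = 'CN=Users,DC=company,DC=com'
$SvcName = 'ClavisterUser'

# 1. Create the read-only bind account. It is deliberately left in Domain Users only:
#    with default AD permissions a standard domain user can already read mail, mobile
#    and group membership, which is all the Cloud Services client needs.
#    The password is prompted for, never hard-coded in the script.
$SvcPassword = Read-Host -Prompt "Password for $SvcName" -AsSecureString
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcName'")) {
    New-ADUser -Name $SvcName `
               -SamAccountName $SvcName `
               -UserPrincipalName "$SvcName@$Domain" `
               -Path $UsersOU `
               -Description 'Read-only bind account for Clavister Cloud Services (LDAPS)' `
               -AccountPassword $SvcPassword `
               -Enabled $true `
               -PasswordNeverExpires $true `
               -CannotChangePassword $true
}
# This is the BIND_DN value to enter in Clavister Cloud Services:
(Get-ADUser -Identity $SvcName).DistinguishedName

# 2. Audit who can enrol: both 'mail' and 'mobile' must be populated.
$Users    = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $UsersOU -Properties mail, mobile
$NotReady = $Users | Where-Object {
    [string]::IsNullOrWhiteSpace($_.mail) -or [string]::IsNullOrWhiteSpace($_.mobile)
}
"{0} of {1} enabled users are missing mail or mobile:" -f $NotReady.Count, $Users.Count
$NotReady | Select-Object SamAccountName, mail, mobile | Format-Table -AutoSize

# 3. Populate the attributes for a single user (placeholder values for jdoe).
# Set-ADUser -Identity 'jdoe' -EmailAddress 'jdoe@company.com' -MobilePhone '+46700000000'
```

The bind account is created without membership in any privileged group; if your directory has had its default read permissions tightened, grant the account explicit read access to the user and group objects under BASE_DN instead of adding it to a broader group.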

Setting up Active Directory in Clavister Cloud Services

  1. Access Clavister Cloud Services, example using ShieldIT: https://shieldit.sase.eu/
  2. Navigate to "Users" and select the "User directories" tab.
  3. Click on the "Add new" button and choose Active Directory. Input the following:
    1. LDAP_URL - The URL to your Active Directory server, example: ldaps://ad.company.com:636
    2. BASE_DN - The starting point for directory searches, for example: cn=Users,dc=company,dc=com to restrict searches to the "Users" container, or dc=company,dc=com to search the entire directory tree
    3. BIND_DN - The identity used to connect and authenticate to Active Directory, example: cn=ClavisterUser,cn=Users,dc=company,dc=com
    4. secret - The password for the provided BIND_DN
    5. CA Certificate (Optional) – The Root CA that issued the Active Directory server's certificate. Upload this certificate if the server's certificate was not signed by a trusted Certificate Authority (CA).
  4. Active Directory users should now have the ability to enroll using their sAMAccountName.
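Before saving the settings, it is worth confirming the same four values with the same kind of client the service will use. The following PowerShell is an added example and not Clavister's code; it uses the .NET System.DirectoryServices.Protocols client from a Windows host that can reach the domain controller, with the article's placeholder values (ad.company.com, CN=Users,DC=company,DC=com, CN=ClavisterUser,CN=Users,DC=company,DC=com) and an assumed test user jdoe.

```powershell
# Added example, not from the Clavister article: pre-flight check of LDAP_URL, BASE_DN,
# BIND_DN and secret before entering them in Clavister Cloud Services.
# Hostnames, DNs and the test user jdoe are placeholders from the article's examples.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$LdapHost = 'ad.company.com'                               # host part of ldaps://ad.company.com:636
$LdapPort = 636
$BaseDn   = 'CN=Users,DC=company,DC=com'                   # BASE_DN
$BindDn   = 'CN=ClavisterUser,CN=Users,DC=company,DC=com'  # BIND_DN
$Secret   = Read-Host -Prompt "Secret for $BindDn" -AsSecureString
$TestUser = 'jdoe'                                         # sAMAccountName a user will enrol with

# 1. Is the LDAPS port reachable at all (plain TCP, no TLS yet)?
$tcp = Test-NetConnection -ComputerName $LdapHost -Port $LdapPort
if (-not $tcp.TcpTestSucceeded) { throw "TCP ${LdapHost}:${LdapPort} is not reachable" }

# 2. TLS handshake + simple bind. The .NET client validates the server certificate
#    against the local machine trust store, so a private Root CA (the one you would
#    upload as 'CA Certificate' in Clavister Cloud Services) must be imported first, e.g.
#    Import-Certificate -FilePath .\root-ca.cer -CertStoreLocation Cert:\LocalMachine\Root
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapHost, $LdapPort)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $Secret)
$conn.Bind()   # throws LdapException on a wrong DN/secret or an untrusted server certificate
"Bind as $BindDn over LDAPS succeeded"

# 3. The lookup the service performs at enrolment: find the user by sAMAccountName
#    below BASE_DN and read the two mandatory attributes.
$filter = "(&(objectClass=user)(sAMAccountName=$TestUser))"
$attrs  = [string[]]@('sAMAccountName', 'mail', 'mobile')
$scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$req    = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $filter, $scope, $attrs)
$resp   = $conn.SendRequest($req)
if ($resp.Entries.Count -ne 1) {
    throw "Expected exactly one entry for $TestUser under $BaseDn, got $($resp.Entries.Count)"
}
$entry = $resp.Entries[0]
foreach ($attr in 'mail', 'mobile') {
    if (-not $entry.Attributes.Contains($attr)) {
        throw "$($entry.DistinguishedName) has no '$attr' attribute; enrolment will fail"
    }
    "{0,-8} {1}" -f $attr, $entry.Attributes[$attr][0]
}
$conn.Dispose()
```

If step 2 fails with a certificate trust error while the DN and secret are correct, that is exactly the situation the optional CA Certificate field is for: the domain controller's certificate was issued by a CA the client does not trust. If step 3 finds the user but no mail or mobile attribute, the user will not be able to enrol until those fields are populated in Active Directory.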

Please note:

Once you have successfully completed the steps outlined above, the configuration process is considered complete. Further configuration within Active Directory and Clavister Cloud Services may not be necessary at this stage. Users who are part of the Active Directory setup will now have the ability to enroll in the service using their sAMAccountName. Note that they will need to have a mobile phone number and email address configured in Active Directory to be able to enroll, and that they will not show up in the Clavister Cloud Services console until they have enrolled using the normal enrollment link. If needed, additional actions and configurations can be performed by users within the Azure AD environment to facilitate their enrollment in Clavister Cloud Services.


Related articles