
AD Import

Introduction

The Pronestor AD Integration is used for importing users into Pronestor Room & Catering from an Active Directory. Users are maintained in the Active Directory as always and Pronestor reads all user information from here.

The following steps take you through the installation and configuration of the Pronestor AD Integration.

  1. Create a Service Account
  2. Create Active Directory structure
  3. Install and configure the AD-integration

On-premises or hosted

If you run an on-premises solution the AD-integration module is already integrated in Pronestor Room.

If you run a hosted solution you need to install the AD-integration module in your own environment.


Create a Service Account in Active Directory

On-premises

Pronestor uses this Service Account in the AD integration. Set the Service Account’s password to never expire.

  • Create a Service Account with permissions to read from the Active Directory.

Hosted

Pronestor uses this Service Account in the AD integration. Set the Service Account’s password to never expire.

  • Create a Service Account with permissions to 1: read from the Active Directory and 2: run a scheduled task.
    Please note: We recommend using the same Service Account as the one used when creating the Pronestor database.

Active Directory groups and structure

Groups

Users in Pronestor can be associated with roles, departments and/or VIP groups. Each of these can be linked to a group in Active Directory. Linking Active Directory groups to Pronestor groups allows user management to be maintained within Active Directory.

Membership of an Active Directory group then determines a user's role in Pronestor, which departments the user is a member of and which VIP groups the user is granted permission to.

The overall group types in Pronestor are defined as follows.

Roles

A role is a permission such as administrator, secretary, catering manager or facility manager.
A role can be set as a global permission or on one, and only one, location.

Departments

In Pronestor, a department gives a user access to a set of billing accounts and/or reservation types.
A user can also be associated with a department as a secretary, thus giving the user secretary permissions on the users in the department.

VIP Groups

In Pronestor, VIP groups can be created. Membership of a VIP group gives the user the permissions that have been set for the group in Pronestor. 


Structure

  • Create an OU (Organizational Unit) (referred to in this guide as "PronestorOU") in your Active Directory (AD)

The next step is to create a group per role in Pronestor. A role represents a permission in Pronestor for each of the following roles: secretary, facility manager, catering manager or booker.

One location only - if Pronestor is configured to manage resources at one location only:

Create, in AD, the following groups within the PronestorOU: 

  • Local_secretary
  • Local_facility_manager
  • Local_catering_manager
  • Local_booker

Groups in AD can be either user or security groups.
The naming of each group is not fixed - we do however recommend a naming convention that makes the groups maintained in AD easy to read and understand.

Multiple locations - if Pronestor is configured to manage resources at multiple locations:

Create, in AD, a set of groups for each role per location.

Example: if Pronestor is configured with resources at two locations - London and Copenhagen - the following groups must be created within the PronestorOU:

  • London_secretary
  • London_facility_manager
  • London_catering_manager
  • London_booker
  • Copenhagen_secretary
  • Copenhagen_facility_manager
  • Copenhagen_catering_manager
  • Copenhagen_booker

When using Pronestor with multiple locations, a superset of groups should also be created to handle overall permissions:

  • Administrator
  • Global_secretary
  • Global_facility_manager
  • Global_catering_manager
  • Global_booker

NOTE - a user can only be granted a local role on a single location!

NOTE: Make a note of the path to PronestorOU, since it is needed when configuring the AD Integration module.

Please note: You can either create a dedicated OU for Pronestor or reuse an existing OU; it just has to contain the set of required user groups.

An OU can be located anywhere in the Active Directory. Each user group required in Pronestor must be created in the Active Directory as a distribution list or a security group. These groups have to be populated with the respective users, or you can nest existing groups that contain these users into the Pronestor groups.
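
The following Python script is an added example (not part of Pronestor or this guide) of how the group naming convention above resolves to Pronestor roles. It assumes the convention <Location>_<role> and Global_<role> plus Administrator, the two example locations London and Copenhagen, and constructed sample memberships; it applies the rule that a role is either global or granted on exactly one location and reports users whose memberships break that rule instead of silently picking one. It can be run against an export of group memberships before the first import to catch such conflicts.

```python
import re
from collections import defaultdict

# Roles from this guide; "administrator" only exists as the global Administrator group.
ROLES = ("secretary", "facility_manager", "catering_manager", "booker")
# Assumption: the two example locations used in the guide.
LOCATIONS = ("London", "Copenhagen")

# <Scope>_<role>, where Scope is "Global" or a location name. Group names in AD are
# free-form, so the guide's recommended convention is assumed here.
GROUP_RE = re.compile(r"^(?P<scope>[A-Za-z]+)_(?P<role>[a-z_]+)$")


def parse_group(name):
    """Return (scope, role) for a group following the convention, or None for any other group."""
    if name == "Administrator":
        return ("Global", "administrator")
    m = GROUP_RE.match(name)
    if m is None or m.group("role") not in ROLES:
        return None
    scope = m.group("scope")
    if scope != "Global" and scope not in LOCATIONS:
        return None
    return (scope, m.group("role"))


def resolve_roles(memberships):
    """Map {user: [AD group names]} to ({user: {role: scope}}, [problems]).

    Enforces the guide's rule that a role is either a global permission or
    granted on one, and only one, location: a user found in more than one
    scope for the same role gets no assignment for that role and is reported.
    Groups outside the convention (e.g. Domain Users) are ignored and reported.
    """
    resolved = {}
    problems = []
    for user, groups in memberships.items():
        scopes_by_role = defaultdict(set)
        for group in groups:
            parsed = parse_group(group)
            if parsed is None:
                problems.append(f"{user}: group '{group}' is not a Pronestor group, ignored")
                continue
            scope, role = parsed
            scopes_by_role[role].add(scope)
        roles = {}
        for role, scopes in scopes_by_role.items():
            if len(scopes) == 1:
                roles[role] = next(iter(scopes))
            else:
                problems.append(
                    f"{user}: role '{role}' granted in several scopes {sorted(scopes)}, "
                    "a role must be global or on exactly one location"
                )
        resolved[user] = roles
    return resolved, problems


# Constructed sample memberships, as a lookup of the PronestorOU might return them.
SAMPLE_MEMBERSHIPS = {
    "alice": ["London_secretary", "London_booker"],
    "bob": ["Global_facility_manager", "Domain Users"],
    "carol": ["London_secretary", "Copenhagen_secretary"],
    "dave": ["Administrator"],
}

if __name__ == "__main__":
    roles, problems = resolve_roles(SAMPLE_MEMBERSHIPS)
    for user, assigned in roles.items():
        print(user, assigned)
    for problem in problems:
        print("PROBLEM:", problem)
```

In the sample, carol is a secretary at both London and Copenhagen, which the guide does not allow, so she gets no secretary role and the conflict is listed for the administrator to fix in AD.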


Install and configure AD integration

On-premises

When running an on-premises solution the AD Integration is an integrated part of the Administration Module in Pronestor Room & Catering. No additional software needs to be installed.

Configuration

Establish the right connection between Active Directory and Pronestor by configuring the .config file:

Edit the file [sitefolder]\App_Data\Import\Active Directory\ActiveDirectory.config using Notepad.

Edit each key in the file as follows: 

  • ADAdminUser – service account with read permissions to the AD
    <add key="ADAdminUser" value="administrator"/>
  • ADAdminPassword – password for the service account
    <add key="ADAdminPassword" value="********"/>
  • ADFullPath – LDAP path to the AD server (here called pronestorserver)
    <add key="ADFullPath" value="LDAP://pronestorserver"/>
  • PronestorOULocation – path to the created PronestorOU
    <add key="PronestorOULocation" value="/OU=pronestorOU,DC=pronestordomainr"/>
  • TestImport – set to true until everything is confirmed and ready
    <add key="TestImport" value="true"/>
  • Save the file and close Notepad

Hosted

Install the Pronestor AD-Integration module. The module comes as a .zip file. Unzip it to a folder (name it Pronestor) in Program Files (x86) on the application server.

Edit the file ADIntegration.exe.config using Notepad.

Edit each key in the file as follows:

  • ADAdminUser – service account with read permissions to the AD
    <add key="ADAdminUser" value="administrator"/>
  • ADAdminPassword – password for the service account
    <add key="ADAdminPassword" value="********"/>
  • ADFullPath – LDAP path to the AD server (here called pronestorserver)
    <add key="ADFullPath" value="LDAP://pronestorserver"/>
  • PronestorOULocation – path to the created PronestorOU
    <add key="PronestorOULocation" value="/OU=pronestorOU,DC=pronestordomainr"/>
  • TestImport – set to true until everything is confirmed and ready
    <add key="TestImport" value="true"/>
  • Save the file and close Notepad
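
The keys are the same in ActiveDirectory.config (on-premises) and ADIntegration.exe.config (hosted), so one check covers both. The Python script below is an added example, not a tool shipped by Pronestor: it parses the appSettings section, reports missing keys, an ADFullPath that is not an LDAP:// path, an OU path not starting with /OU=, a password left at the placeholder, the built-in administrator used instead of a dedicated read-only service account, and TestImport still set to true. SAMPLE_CONFIG is constructed from the values shown above; that the module binds to ADFullPath and PronestorOULocation joined into one path is an assumption.

```python
import xml.etree.ElementTree as ET

REQUIRED_KEYS = ("ADAdminUser", "ADAdminPassword", "ADFullPath",
                 "PronestorOULocation", "TestImport")

# Constructed from the values shown in this guide; not a file shipped by Pronestor.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="ADAdminUser" value="administrator"/>
    <add key="ADAdminPassword" value="********"/>
    <add key="ADFullPath" value="LDAP://pronestorserver"/>
    <add key="PronestorOULocation" value="/OU=pronestorOU,DC=pronestordomainr"/>
    <add key="TestImport" value="true"/>
  </appSettings>
</configuration>
"""


def read_app_settings(xml_text):
    """Return {key: value} for every <add key=... value=.../> under <appSettings>."""
    root = ET.fromstring(xml_text)
    settings = {}
    for add in root.iterfind("./appSettings/add"):
        key = add.get("key")
        if key is not None:
            settings[key] = add.get("value", "")
    return settings


def check_config(settings):
    """Return a list of findings; an empty list means the file looks ready for a real import."""
    findings = [f"missing key {key}" for key in REQUIRED_KEYS if key not in settings]
    if findings:
        return findings
    if not settings["ADFullPath"].upper().startswith("LDAP://"):
        findings.append("ADFullPath is not an LDAP:// path")
    if not settings["PronestorOULocation"].upper().startswith("/OU="):
        findings.append("PronestorOULocation does not start with /OU=")
    if settings["ADAdminUser"].lower() == "administrator":
        findings.append("ADAdminUser is the built-in administrator; the guide asks for a "
                        "dedicated service account with read permission only")
    if settings["ADAdminPassword"].strip("*") == "":
        findings.append("ADAdminPassword is still the placeholder")
    if settings["TestImport"].strip().lower() == "true":
        findings.append("TestImport is true: keep it until linking is confirmed, "
                        "then set it to false before importing users")
    return findings


def full_ou_path(settings):
    """Join ADFullPath and PronestorOULocation into one LDAP path (assumed bind target)."""
    return settings["ADFullPath"].rstrip("/") + "/" + settings["PronestorOULocation"].lstrip("/")


if __name__ == "__main__":
    settings = read_app_settings(SAMPLE_CONFIG)
    print("binds to:", full_ou_path(settings))
    for finding in check_config(settings):
        print("FINDING:", finding)
```

ADAdminPassword is stored in clear text in this file, so restrict the NTFS permissions on the config file to the service account and the administrators who maintain it, and keep the service account itself limited to the read permission the guide calls for.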

Run C:\Program files (x86)\Pronestor\ADIntegration\ADIntegration.exe (use "Run as administrator" to ensure administrator privileges).

Click Import in the upper left corner.

Now all groups should be found and listed.

Please note: If it fails, check the ADIntegration.exe.config settings. If necessary, check adlog.txt for error messages.


Linking Pronestor and Active Directory groups

On-premises and hosted

Go to the Administration Module under 'Settings – Import users'. Create a new Import Job or edit an existing one.

  • General: Set up automatic scheduling
  • Linking: Load AD structure and set up linking
  • Sessions: Perform import of users (manually the first time)

Do a first run of the AD Integration to look up the unique group identifiers (GUIDs) from AD.

Edit the file [sitefolder]\App_Data\Import\Active Directory\ActiveDirectory.config using Notepad.

  • Set TestImport under appSettings
  • TestImport – set to false
    <add key="TestImport" value="false"/>
  • Save and close
  • Import users



FAQ

What is the ADIntegration program?

It is a Windows application that we suggest running as a scheduled task.
It can be configured to write data directly into the Pronestor database (on-premises Pronestor) or to send the data to Pronestor (hosted) via FTP.
It is the customer's task to configure the export to the Pronestor FTP server.

What data is gathered/generated?

It looks into your Active Directory (via LDAP), reading user information and group relationships from within the OU stated in the configuration file.

The result is exported into a JSON/XML file that can be pushed to Pronestor, which creates, updates and deletes users in Pronestor and gives the users the correct roles.

The JSON/XML file contains the following information per user object:

  • Login – ex. kasper@pronestor.com
  • Last name – ex. Kasper
  • First name – ex. Ullits
  • Initial – ex. KU
  • Email – ex. kasper@mymalpronestor.com
  • LegacyExchangeDN – ex. /o=Organisation/ou=Administrative Group/cn= Recipients/cn=Username
  • Phone – ex. +4529906463
  • MobilePhone – ex. +4529906463 
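
To make the data-minimisation point of this FAQ concrete, here is an added Python example (not Pronestor code) that builds the per-user record from an LDAP entry. The mapping from standard AD attribute names (userPrincipalName, sn, givenName, initials, mail, legacyExchangeDN, telephoneNumber, mobile) to the eight fields listed above is an assumption, as is the JSON layout; the OU path and the sample entry are constructed. Only the mapped fields and the Pronestor group names from the configured OU reach the record; every other attribute on the entry is dropped.

```python
import json

# Assumed mapping from standard AD attribute names to the export fields the FAQ lists;
# the module's real attribute mapping is not documented on this page.
FIELD_MAP = {
    "userPrincipalName": "Login",
    "sn": "LastName",
    "givenName": "FirstName",
    "initials": "Initial",
    "mail": "Email",
    "legacyExchangeDN": "LegacyExchangeDN",
    "telephoneNumber": "Phone",
    "mobile": "MobilePhone",
}

# Hypothetical OU path, same shape as the guide's PronestorOULocation value.
PRONESTOR_OU = "OU=pronestorOU,DC=example,DC=local"

# Constructed LDAP result for one user. The last two attributes stand in for
# everything else a directory entry carries and must not reach the export.
SAMPLE_ENTRY = {
    "userPrincipalName": "jdoe@example.com",
    "sn": "Doe",
    "givenName": "Jane",
    "initials": "JD",
    "mail": "jdoe@example.com",
    "legacyExchangeDN": "/o=Organisation/ou=Administrative Group/cn=Recipients/cn=jdoe",
    "telephoneNumber": "+4500000000",
    "mobile": "+4500000001",
    "memberOf": [
        "CN=London_secretary,OU=pronestorOU,DC=example,DC=local",
        "CN=Domain Users,CN=Users,DC=example,DC=local",
    ],
    "pwdLastSet": "133000000000000000",
    "description": "internal note, not for export",
}


def groups_in_ou(member_of, ou_dn):
    """Return the CNs of the group DNs in member_of that sit directly under ou_dn."""
    suffix = "," + ou_dn.lower()
    names = []
    for dn in member_of:
        if not dn.lower().endswith(suffix):
            continue
        rdn = dn[: len(dn) - len(suffix)]
        # Skip groups in sub-OUs (their RDN part still contains a comma).
        if rdn.upper().startswith("CN=") and "," not in rdn:
            names.append(rdn[3:])
    return names


def to_export_record(entry, ou_dn):
    """Build the per-user record: only the mapped fields plus Pronestor group names."""
    record = {field: entry.get(attr, "") for attr, field in FIELD_MAP.items()}
    record["Groups"] = groups_in_ou(entry.get("memberOf", []), ou_dn)
    return record


def export_json(entries, ou_dn):
    """Serialise all users as one JSON document (layout assumed, not Pronestor's)."""
    return json.dumps([to_export_record(e, ou_dn) for e in entries], indent=2)


if __name__ == "__main__":
    print(export_json([SAMPLE_ENTRY], PRONESTOR_OU))
```

Because the record is built from an explicit allow-list rather than by copying the entry, adding a new attribute to AD never widens what is sent to Pronestor; group membership outside the configured OU (Domain Users here) is likewise left out, which matches the FAQ answer that only the listed fields and the roles are transferred.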

What account must it run on and what permissions are required?
The only requirement is that the service account used can look up

Will it hold the account password?
No – only the information listed above and group membership (roles).

What security means are used to transfer the file for the hosted solution?
FTPS
