
AD LDS

Streamline AD LDS access with ADSelfService Plus integration

Identity management

Active Directory Lightweight Directory Services (AD LDS) is a flexible, lightweight LDAP directory service developed by Microsoft to support directory-enabled applications. Integrating ADSelfService Plus with AD LDS allows organizations to synchronize users' AD passwords with AD LDS, simplifying password management and ensuring consistent credentials across systems.


Password synchronization across AD and AD LDS

Synchronize users' passwords between Active Directory and AD LDS, ensuring consistent and up-to-date credentials across both environments for streamlined user access.


Implement strong password policies

Enforce strong password policies, including breached password protection, across both AD and AD LDS, enhancing security and reducing vulnerabilities.


Simplified access for AD LDS users

Allow users to access AD LDS and directory-enabled applications with the same AD credentials, reducing the complexity of managing multiple passwords and improving the login experience.


Configuring password synchronization with AD LDS Server

ADSelfService Plus’ real-time password synchronizer ensures that users maintain a single password across different applications, reducing password-related issues. Each time a user resets or changes their Active Directory password, the new password is automatically synced to the AD LDS server.

Steps to configure AD LDS Server with ADSelfService Plus

Important: Install the Password Sync Agent to synchronize native password changes and resets.

Enabling the fUserPwdSupport flag in the dsHeuristics registry value is essential to prevent passwords from being stored in plain text when synced to AD LDS. To enable the flag, set its character position in dsHeuristics to any value other than zero or two.
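dsHeuristics is a positional string, so editing it by hand is error-prone: fUserPwdSupport is the 9th character, missing positions are padded with zeros, and the 10th character must always be 1. The following helpers are an added example (not part of ADSelfService Plus or any Microsoft tooling); they check the flag using the rule stated above, compute an updated value without disturbing the other positions, and emit an LDIF change record for the Directory Service object, assuming the AD LDS configuration partition DN is supplied by the caller.

```python
# Added example: manage the fUserPwdSupport flag (9th character of dsHeuristics).
# Not part of ADSelfService Plus; the instance GUID below is a constructed placeholder.

FUSER_PWD_SUPPORT_POS = 9  # 1-based position of fUserPwdSupport in dsHeuristics


def user_pwd_support_enabled(ds_heuristics: str) -> bool:
    """True when the 9th character is anything other than '0' or '2'
    (the enable condition given for this flag). An absent character
    counts as '0', i.e. disabled."""
    value = ds_heuristics or ""
    if len(value) < FUSER_PWD_SUPPORT_POS:
        return False
    return value[FUSER_PWD_SUPPORT_POS - 1] not in ("0", "2")


def enable_user_pwd_support(ds_heuristics: str, flag: str = "1") -> str:
    """Return dsHeuristics with the 9th character set to `flag`, leaving all
    other positions as they are. Shorter values are zero-padded to 10
    characters, and the mandatory 10th character is forced to '1'."""
    if len(flag) != 1 or flag in ("0", "2"):
        raise ValueError("flag must be a single character other than '0' or '2'")
    chars = list(ds_heuristics or "")
    while len(chars) < 10:          # pad so positions 9 and 10 exist
        chars.append("0")
    chars[FUSER_PWD_SUPPORT_POS - 1] = flag
    chars[9] = "1"                  # 10th character is always '1'
    return "".join(chars)


def ldif_for_ds_heuristics(config_dn: str, new_value: str) -> str:
    """LDIF modify record replacing dsHeuristics on the Directory Service
    object of the given configuration partition (apply with ldifde -i -f
    or ldapmodify against the AD LDS instance)."""
    dn = f"CN=Directory Service,CN=Windows NT,CN=Services,{config_dn}"
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: dsHeuristics",
        f"dsHeuristics: {new_value}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: configuration partition of a hypothetical AD LDS instance.
    cfg = "CN=Configuration,CN={00000000-0000-0000-0000-000000000000}"
    current = ""                                   # attribute not yet set
    print(user_pwd_support_enabled(current))       # False
    updated = enable_user_pwd_support(current)     # "0000000011"
    print(ldif_for_ds_heuristics(cfg, updated))
```

Read the current dsHeuristics value from the instance before applying the LDIF, since a blind replace would discard any other flags already set.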

  • Log in to the ADSelfService Plus admin console with admin credentials.
  • Navigate to Configuration > Self-Service > Password Sync/Single Sign On.
  • Select the AD LDS Server application.
    Note: You can also locate the AD LDS Server application using the search bar in the left pane or the alphabetical navigation in the right pane.
  • Enter the Application Name and Description.
  • In the Assign Policies field, select the policies for which password sync should be enabled.
    Note: ADSelfService Plus lets you create OU- and group-based policies for your AD domains. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy.
  • Select Enable Password Sync.
  • Enter the System Name / IP Address of the AD LDS server.
  • Enter the Domain Name of the AD LDS server in distinguished name format, for example dc=example,dc=com.
  • Enter the User Name for the AD LDS server. This may be an AD DS (Active Directory Domain Services) user or an AD LDS user. An AD DS user name can be given either as a sAMAccountName or as NetBIOSDomainName\sAMAccountName. An AD LDS user name must be in distinguished name format, for example cn=directory_manager,dc=example,dc=com.
  • Enter the Password for the AD LDS server.
    Note: The username and password must belong to the administrator account of the server on which AD LDS is installed.
  • Enter the LDAP port (default 50000) and LDAP SSL port (default 50001) of the AD LDS server.
  • If the User Name you entered is an AD LDS user, SSL must be enabled in AD LDS for password sync to work.
  • Click Add Application.