Active Directory (On-Premises)
- Updated on 24 Oct 2025
This guide will teach you how to set up the connection between your On-Premises Microsoft Active Directory and Clarity Security.
Estimated time to complete: 10 minutes
If you run into any problems, please contact your support team or support@claritysecurity.io.
Before You Begin
You must have Clarity Connect configured for your tenant before any on-prem application can communicate with Clarity.
See Configuring On-Premises Clarity Connect for how to set this up.
How to Connect to Active Directory
You will need an account (typically a service account) to facilitate the connection between Clarity and your on-prem Active Directory (by way of Clarity Connect). If you have this already, skip to Step 4.
Note
This connector relies on the LDAPS port running on the default port, 636, on your Active Directory Server.
Step 1: Create an Account
Create an account using the following steps (or contact your IT department to create one).

Step 2: Configure the Account
Fill out the info following your organization's standards. You will need the distinguishedName and password for configuration in Clarity (distinguishedName shown below).

Step 3: Delegate Control
You will need to delegate control for the newly created service account. The following permissions are required for all features to work:
- Create, delete, and manage user accounts
- Read all user information
- Modify the membership of a group

Step 4: Retrieve the Distinguished Name
For the newly created service account, you will need to grab the Distinguished Name for use during configuration.
Note
To find the distinguished name, right-click the account, go to Properties > Attribute Editor, and scroll to distinguishedName.

Step 5: Log in to Clarity
Log in to your Clarity tenant using an account with Admin permissions.
Step 6: Click on Applications > Marketplace

Step 7: Find MS Active Directory > Connect
Scroll or search to find MS Active Directory and click Connect.

Step 8: Connect App
Complete the App Settings form. Details for fields common to all applications can be found in the following article: Common App Configuration Steps
MS AD Connection Fields:
ad_host: This can either be the IP address or Fully Qualified Domain Name for your Active Directory server.
username (Distinguished Name format): This is the distinguished name of the service account, as retrieved in Step 4.
Example: CN=Clarity Service,CN=Users,DC=claritysecuritydemo,DC=io
password: This is the password for the service account you created earlier in Step 2.
base_dn: This is the distinguished name for where you want Clarity to search for Users, Groups, etc. inside your Active Directory.
"DC=claritysecuritydemo,DC=io" would allow searching an entire domain for accounts, but "OU=UsersOU,DC=claritysecuritydemo,DC=io" would only allow Clarity to search inside of the "UsersOU" and anything nested inside.
queue: Select SQS (Preferred) for the new, faster syncing method. Select Api (Legacy) if you are a self-hosted customer.
encrypt: Select Yes for Active Directory with a valid certificate (self-signed works). Select No if a certificate is not available (Write/LCM capability will not function without a secure connection).
restrict_to_ous: This setting allows you to further filter the directory objects you want to manage. It is a pipe-delimited (|) string of DNs for the OUs and Containers that you want to pull directory objects from. For example, you could set the following:
OU=Marketing,DC=claritysecuritydemo,DC=io|OU=Developers,DC=claritysecuritydemo,DC=io|OU=Users,DC=claritysecuritydemo,DC=io
which would result in Clarity only pulling in directory objects belonging to any of those OUs (and their descendants).
exclude_ous: This setting allows you to further filter the directory objects you want to manage. It is a pipe-delimited (|) string of DNs for the OUs and Containers that you want to exclude from sync operations. For example, you could set the following:
OU=Marketing,DC=claritysecuritydemo,DC=io|OU=Developers,DC=claritysecuritydemo,DC=io|OU=Users,DC=claritysecuritydemo,DC=io
which would result in Clarity ignoring those OUs and any AD objects contained within them (and their descendants).
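As an added example that is not part of Clarity's documentation or product code: a small Python helper that applies the base_dn, restrict_to_ous and exclude_ous rules above to an object's DN, so you can check which accounts a proposed filter would put in scope before saving. It assumes scope is decided by RDN suffix matching (case-insensitive, with escaped commas preserved) and that an exclusion wins when an object falls under both lists; the DNs used are the page's example values plus a constructed user entry.

```python
"""Scope check for the MS AD connector's base_dn / restrict_to_ous / exclude_ous fields."""
from typing import List


def parse_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs, lower-cased and trimmed.
    A backslash-escaped comma (e.g. CN=Doe\\, Jane) stays inside its RDN."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return rdns


def is_under(obj_dn: str, container_dn: str) -> bool:
    """True if obj_dn is the container itself or any descendant of it (suffix match on whole RDNs,
    so OU=MarketingOld is not mistaken for a child of OU=Marketing)."""
    obj, cont = parse_dn(obj_dn), parse_dn(container_dn)
    return len(obj) >= len(cont) and obj[-len(cont):] == cont


def parse_ou_list(value: str) -> List[str]:
    """Split the pipe-delimited string used by restrict_to_ous and exclude_ous."""
    return [p.strip() for p in value.split("|") if p.strip()]


def in_scope(obj_dn: str, base_dn: str, restrict_to_ous: str = "", exclude_ous: str = "") -> bool:
    """Would Clarity pull this object in with the given filter settings? (assumed semantics)"""
    if not is_under(obj_dn, base_dn):            # outside the search base: never seen
        return False
    allowed = parse_ou_list(restrict_to_ous)
    if allowed and not any(is_under(obj_dn, ou) for ou in allowed):
        return False                             # restrict list set, object not under any entry
    return not any(is_under(obj_dn, ou) for ou in parse_ou_list(exclude_ous))


if __name__ == "__main__":
    # Constructed user entry checked against the page's example restrict/exclude values.
    user = "CN=Jane Doe,OU=Developers,DC=claritysecuritydemo,DC=io"
    base = "DC=claritysecuritydemo,DC=io"
    print(in_scope(user, base, restrict_to_ous="OU=Marketing,DC=claritysecuritydemo,DC=io|OU=Developers,DC=claritysecuritydemo,DC=io"))
    print(in_scope(user, base, exclude_ous="OU=Developers,DC=claritysecuritydemo,DC=io"))
```

Run it with a list of DNs exported from your directory to confirm the service account's CN=Users container, or any admin OU, is not pulled in unintentionally.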
Access via: Select "Clarity Connect (on-prem connector)"
ClarityConnect Instance: Choose the appropriate Clarity Connect instance from the list (network traffic for ldap or ldaps must be able to reach the host system for Clarity Connect).
Note for on-prem applications
You must manually change the Access via dropdown to "Clarity Connect (on-prem connector)".
For Clarity Connect Instance, if you have not already set up Clarity Connect then you will need to return to the app settings after doing so, and adjust this option to the correct value.
Step 9: App Settings
Complete the App Settings form. Details for each field can be found in the following article: Common App Configuration Steps
Step 10: User Settings
Complete the User Settings form, and check the table at the top to see if any features are unsupported. Details for each field can be found in the following article: Common App Configuration Steps
Step 11: Validate Your Selections and Save
Save
Clicking the Save button will trigger the first full sync for your application (even if you selected Manual Syncing). This includes Service Users, Entitlements, Service User Entitlements, and Service User Attributes.
Need Help?
If you have any problems, contact your customer success team. You can also get in touch with our general support via email or by opening a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.