Active Directory (On-Premises)
- Updated on 19 Feb 2024
- 3 Minutes to read
This guide will teach you how to set up the connection between your On-Premises Microsoft Active Directory and Clarity Security.
Estimated time to complete: 10 minutes
If you run into any problems, please contact your support team or support@claritysecurity.io.
Before You Begin
You must have Clarity Connect configured for your tenant for any on-prem applications to communicate to Clarity.
- See Configuring On-Premises Clarity Connect to get this set up.
How to Set Up the Connector
You will need an account (typically a service account) to facilitate the connection between Clarity and your on-prem Active Directory (by way of Clarity Connect). If you have this already, skip to Step 4.
Step 1: Create an Account
Create an account using the following steps (or contact your IT department to create one).
Step 2: Configure the Account
Fill out the info following your organization's standards. You will need the distinguishedName and password for configuration in Clarity (distinguishedName shown below).
Step 3: Delegate Control
You will need to delegate control for the newly created service account. The following permissions are required for all features to work:
- Create, delete, and manage user accounts
- Read all user information
- Modify the membership of a group
Step 4: Retrieve the Distinguished Name
For the newly created service account, you will need to grab the Distinguished Name for use during configuration.
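Steps 1 through 4 done from a PowerShell prompt, as an added example that is not part of the Clarity Security documentation. It assumes the ActiveDirectory RSAT module is installed and that you hold rights to create accounts; the account name, OU paths and domain are placeholders. The delegation itself (Step 3) is still done through the Delegate Control wizard, but the last block reads back the ACEs granted to the account on the delegated OU so you can confirm nothing broader than the three required permission sets ended up in the ACL.

```powershell
# Added example, not Clarity Security's own tooling. Placeholders below.
Import-Module ActiveDirectory

$samAccountName = 'svc-clarity'                                       # placeholder account name
$serviceOu      = 'OU=ServiceAccounts,DC=claritysecuritydemo,DC=io'   # placeholder OU for the account
$delegatedOu    = 'OU=UsersOU,DC=claritysecuritydemo,DC=io'           # placeholder OU where control is delegated

# Step 1 and 2: create the account. Read-Host -AsSecureString keeps the
# password out of shell history and script files; set expiry, naming and
# other attributes according to your organization's standards.
$password = Read-Host -Prompt 'Service account password' -AsSecureString
New-ADUser -Name 'Clarity Service' `
    -SamAccountName $samAccountName `
    -UserPrincipalName "$samAccountName@claritysecuritydemo.io" `
    -Path $serviceOu `
    -AccountPassword $password `
    -Enabled $true

# Step 4: the distinguishedName is what goes into the connector's "username" field.
$dn = (Get-ADUser -Identity $samAccountName).DistinguishedName
Write-Output "username = $dn"

# Step 3 check: after running Delegate Control, list every ACE on the delegated
# OU that names the service account. Review ActiveDirectoryRights and ObjectType
# against the three permission sets the guide requires.
(Get-Acl -Path "AD:\$delegatedOu").Access |
    Where-Object { $_.IdentityReference -like "*\$samAccountName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType, ObjectType |
    Format-Table -AutoSize
```

Delegating on a specific OU (as in the placeholder above) rather than on the domain root keeps the service account's write rights limited to the objects Clarity actually manages; if the ACE listing shows GenericAll or rights on the domain object itself, the wizard was run at a broader scope than intended.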
Step 5: Log in to Clarity
Log in to your Clarity tenant using an account with Admin permissions.
Step 6: Click on Applications > Marketplace
Step 7: Find MS Active Directory > Connect
Scroll or search to find MS Active Directory and click Connect.
Step 8: Connect App
Complete the App Settings form. Details for fields common to all applications can be found in the following article: Common App Configuration Steps
MS AD Connection Fields:
- ad_host: This can either be the IP address or Fully Qualified Domain Name for your Active Directory server.
- username: This is the distinguished name you retrieved in Step 4 for the service account you created.
- Example: CN=Clarity Service,CN=Users,DC=claritysecuritydemo,DC=io
- password: This is the password for the service account you created earlier in Step 2.
- base_dn: This is the distinguished name for where you want Clarity to search for Users, Groups, etc. inside your Active Directory.
- "DC=claritysecuritydemo,DC=io" allows Clarity to search the entire domain for accounts, whereas "OU=UsersOU,DC=claritysecuritydemo,DC=io" restricts the search to "UsersOU" and anything nested beneath it.
- restrict_to_ous: This setting allows you to further filter out the directory objects you want to manage. This is a pipe-delimited string of DNs associated with the OUs and Containers that you want to pull directory objects from. For example, you could set the following:
OU=Marketing,DC=claritysecuritydemo,DC=io|OU=Developers,DC=claritysecuritydemo,DC=io|OU=Users,DC=claritysecuritydemo,DC=io
which would result in Clarity only pulling in directory objects belonging to any of those OUs (and their descendants).
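A pre-save check for the base_dn and restrict_to_ous values, as an added example that is not part of the Clarity Security documentation. It assumes the ActiveDirectory RSAT module on a domain-joined host and reuses the placeholder DNs from this page. The first function only does string work: it splits the pipe-delimited list and confirms each OU sits at or beneath base_dn, since an OU outside the base can never be reached by the connector. The second part runs the same subtree search the connector will run, optionally as the service account, so you see how many user objects each OU actually yields before saving.

```powershell
# Added example, not Clarity Security's own tooling. DNs are the page's placeholders.
Import-Module ActiveDirectory

$baseDn        = 'DC=claritysecuritydemo,DC=io'
$restrictToOus = 'OU=Marketing,DC=claritysecuritydemo,DC=io|OU=Developers,DC=claritysecuritydemo,DC=io|OU=Users,DC=claritysecuritydemo,DC=io'

# Normalise a DN for comparison: trim whitespace around each RDN and ignore case.
function ConvertTo-NormalizedDn([string]$Dn) {
    return (($Dn -split ',' | ForEach-Object { $_.Trim() }) -join ',').ToLowerInvariant()
}

# Report, per restrict_to_ous entry, whether it lies inside base_dn.
function Test-RestrictToOus([string]$BaseDn, [string]$RestrictToOus) {
    $base = ConvertTo-NormalizedDn $BaseDn
    foreach ($ou in ($RestrictToOus -split '\|')) {
        $n = ConvertTo-NormalizedDn $ou
        $inScope = ($n -eq $base) -or $n.EndsWith(",$base")
        [pscustomobject]@{ OU = $ou.Trim(); UnderBaseDn = $inScope }
    }
}

Test-RestrictToOus -BaseDn $baseDn -RestrictToOus $restrictToOus | Format-Table -AutoSize

# Preview the connector's view: subtree search from each OU, counting user objects.
# Pass -Credential (Get-Credential) to Get-ADUser to run it as the service
# account and so test its read permissions at the same time. A zero usually
# means a typo in the DN; an error means the OU does not exist.
foreach ($ou in ($restrictToOus -split '\|')) {
    try {
        $count = (Get-ADUser -SearchBase $ou.Trim() -SearchScope Subtree -Filter * | Measure-Object).Count
        Write-Output ("{0,-55} {1,6} users" -f $ou.Trim(), $count)
    } catch {
        Write-Output ("{0,-55}  ERROR: {1}" -f $ou.Trim(), $_.Exception.Message)
    }
}
```

With the placeholder values above every entry reports UnderBaseDn = True, because each OU ends with ",DC=claritysecuritydemo,DC=io". Narrowing base_dn to "OU=UsersOU,DC=claritysecuritydemo,DC=io" would flag all three as out of scope, which is the misconfiguration this check is meant to catch before it shows up as an empty sync.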
Step 9: App Settings
Complete the App Settings form. Details for each field can be found in the following article: Common App Configuration Steps
Step 10: User Settings
Complete the User Settings form, and check the table at the top to see if any features are unsupported. Details for each field can be found in the following article: Common App Configuration Steps
Step 11: Validate Your Selections and Save
Need Help?
If you have any problems, contact your customer success team. You can also reach our general support via email or by opening a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.