UID - Manage an Active Directory Integration

This article describes how UID administrators can enable and configure Directory Integration to use their Active Directory credentials for user login and import users currently active in the directory. 

Install and configure an Active Directory integration on UID

To set up the Directory Integration on UID:

  1. Go to your UniFi OS Console dashboard and launch the UID Agent application. Click the Set Up button to set up the Directory Integration.


    If you do not see the option to set up the Directory Integration, it means it is not included in your plan and you must request the feature.

    Need help requesting the Directory Integration feature?

    1. Navigate to the UID Manager Portal > Settings > Plan and click Apply for Plan Quota under the Workspace Plan header. 

    2. Select Active Directory Integration as an additional feature and click Submit Application.

    3. Once your submission is accepted and your plan request granted, you must update your UID Agent token:

        a. Go to Workspace Settings > UniFi OS Consoles > UID Agent Token to create a new token.

        b. Go to UniFi OS Console > UID Agent to update the UID Agent token.

  2. Select the Active Directory option and fill in the fields with your AD server’s information. If you don't have an AD server, please refer to Microsoft's documentation to Create and configure an Azure Active Directory Domain Services managed domain.


  3. Click Done and navigate to the UID Manager Portal > Users > Directory Integration to complete the integration. Select your directory.


  4. In the Set Up Active Directory step fill in the fields with the appropriate information and select the Organizational Units (OU) from which you will be importing users.

    If this page doesn’t launch automatically during setup, or if at any time you wish to configure the user-importing experience, you can do so in your configured directory’s Settings tab. 

    Need help understanding the Directory Integration Settings fields?
    • User OUs connected to UID: Select which users under the Organizational Units will be imported to UID.
    • Allow partial match on first and last name: When the imported user email does not match the existing UID user’s email, but their first name and last name match the existing UID user’s first name and last name, partial matching is allowed.
    • Auto-confirm exact matched users: The user will be imported to UID automatically if the emails are an exact match. 
    • Auto-confirm new users: The new user will be imported to UID automatically, without needing to await confirmation.
    • Auto-activate new users: After the Auto-confirm new user is enabled, this option will be displayed. Enable it to activate new users as soon as they’ve been imported without needing to be manually activated. 


Configuring Azure AD in UID

Please first refer here for instructions to to configure Azure’s Active Directory Domain Services.

  1. Log into https://portal.azure.com and select Azure AD Domain Services under Azure services.
  2. Select the domain to enter the details pages.
  3. Click Properties in the Settings page and you will see Secure LDAP external IP address.


Enter the following information:

  • Username: Azure admin account 
  • Password: Azure admin password 
  • Base DN: dc=example,dc=com (Corresponding to the domain service, such as example.com)

Import your directory users to UID

You can import users more efficiently by creating rules that will customize the task and schedule importing runs to automatically scan for users that need to be imported at periodic intervals. If you wish to import your users right away without configuring rules, skip to the manual importation instructions.

Create user importing rules

  1. Go to UID > Users > Directory Integration and select your configured directory.
  2. Navigate to Rules > Add Rule.


  3. Name your rule, and determine which UID group users will be added to when they meet the rule’s conditions. If there are multiple conditions, the user will have to meet all of them in order to be imported.

Note: Conditions stated in the rule must be exact matches. Verify in your Active Directory server the exact names of values you are using as conditions.


Manually import users

  1. Go to UID Manager Portal > Users > Directory Integration and select your configured directory. If needed, adjust your configuration choices in the Settings and Integration sections.
  2. Go to Import and click Import Now.
  3. Make your import method selection and click Import.


  4. The resulting list of users will display the match level between the directory user and its UID counterpart. An exact match means the emails matched perfectly. A partial match means the email did not match, but both first and last name matched perfectly.


  5. Set the actions for each user, select them by ticking the checkbox and click Confirm Assignments.

Note: The action behavior will vary depending on the selections made in Settings.

  • Create New User: If the Auto-activate users after confirmation option is enabled in Settings, the user’s status will be pending while the system sends them an activation email. If it is not enabled, the user's status will remain in Staged and no email will be sent until an administrator manually triggers it.
  • Merge: If either Partial Match or Exact Match are enabled in Settings, the merge action is supported. After successfully importing, the original directory user data will overwrite the existing UID user data.
  • Specify: Select this option to manually select an existing UID user to be this imported user’s match.
  • Ignore: When there are users in the Import list that do not need to be imported into UID, select the user and Ignore action to skip importing this user.



Schedule an import task

You can set the Import Schedule and Schedule import mode to import users into the UID system regularly according to the configuration. Select Never for Schedule Import to prevent automatically importing users.

To schedule an importation task go to the directory’s Settings > Schedule import mode and select the importing method from the drop-down list. These scheduled tasks will run according to the rules you configured (if any).


Troubleshooting Active Directory issues

Failed to import users into UID.

1. Go to UID > Users > Directory Integration and select your configured directory.

2. Navigate to Settings > User OUs connected to UID and make sure the appropriate selection has been made for the importing task you are trying to complete.

3. Verify that your Directory Integration is set up for the correct type of directory: Active Directory and not LDAP.

4. Check your directory’s server to verify the Organizational Units (OU) you’re targeting have the users you expect as well as the necessary values attributed to them:


Verify that the users in the directory have their emails. If they don’t, add them.


Check that the Organizational Unit (OU) has the correct values assigned to the appropriate attributes. The following attributes should be verified:

  • ObjectClass
  • OU
  • DistinguishedName
  • objectGUID


Check that the users have the correct values assigned to the appropriate attributes. The following attributes should be verified:

  •  objectClass
  •  cn
  •  displayName
  •  distinguishedName
  •  givenName
  •  mail
  •  memberOf
  •  name
  • objectGUID


I have updated the Organization Unit (OU) section on the AD Server page, but UID failed to synchronize the information.

Go to your Directory Integration’s Import section and click Import Now to update the list.


How do I remove a configured directory from UID?

  1. Deactivate it first by going to UID Manager Portal > Users > Directory Integration.
  2. Select your directory and change its status to Deactivated using the dropdown underneath its name.
  3. Now when you go back to the Directory Integration page, you can hover over the configured directory’s three-dot menu and select Delete.

I’m seeing an “Test Fails” error.

To troubleshoot the AD configuration and network connection:

  1. Use this command to test the connection: telnet istemp.net 389
    • If it results in a “Connected to xxxx” message, it means the connection works normally. 
    • If it keeps attempting to connect, it means there is a connectivity problem.
  2. If you are facing connectivity problems, check that the correct ports are open. The standard LDAP protocol is by default on TCP and UDP port 389, or on port 636 for LDAPs (LDAP over TLS/SSL).
  3. If the issue persists, check your network configuration settings. If there is a port forwarding configured, verify that it is working properly.
  4. Use the tool http://www.ldapadmin.org/ to try and connect.
Was this article helpful?
7 out of 8 found this helpful