
Active Directory On-Premise Agent

Users might have their application, database, or identity server deployed within their data center without public access. The Hire2Retire "On-Premise Agent" provides a secure way to reach an identity management server located behind the user's firewall without opening inbound ports in the firewall or establishing a VPN tunnel. The agent is installed behind the firewall, after which it communicates with the deployed workflow.

Active Directory On-Premise Service Connection

Hire2Retire requires the following details to create an On-Premise Service Connection:

  • Connection Name - A user-defined name for your connection. By default the connection name is "Connection-OnPremise Service"; you can change it as you prefer.
  • Host - The hostname or IP address of your Active Directory domain controller.
  • Port - The TCP port on which the domain controller accepts LDAP over SSL/TLS (LDAPS). Hire2Retire only establishes the LDAP connection over the SSL port, so plain LDAP on port 389 will not work; the default is 636, and the domain controller must have a server certificate installed for LDAPS to be available.
  • Base DN - The distinguished name of the directory subtree that Hire2Retire will search and manage. Objects under it can be users, groups, or hardware such as computers and printers. It is normally the domain root, given in the format "DC=example-domain,DC=com".
  • Public key of RSA key pair - The user's RSA public key, used to encrypt the configuration shipped in the installation package (config.enc); only the matching private key, which you later pass to run.sh, can decrypt it. For detailed steps to generate an RSA key pair, click here.


Figure 1. Active Directory On-Premise Service Connection



Figure 2. Active Directory On-Premise Service Connection for Multi Domain Controller

If you are configuring a connection for a multi-domain-controller setup, provide the host value for each domain controller in your AD together with its own base DN and port. You can also give a comma-separated list of IP addresses or hostnames for each domain controller.
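Before linking the account it is worth confirming, from the host that will run the agent, that every domain controller listed on the form actually answers LDAPS on the given port and serves the Base DN you typed. The script below is an added example, not Hire2Retire's code or part of the installation package; it uses openssl and OpenLDAP's ldapsearch, and the hostnames and Base DN in the usage line are constructed placeholders. It also splits the comma-separated host list described above so each domain controller is checked in turn.

```shell
#!/usr/bin/env bash
# Added example (not Hire2Retire's code): pre-flight checks for the values
# entered on the On-Premise Service Connection form, run from the host that
# will later run the agent. Requires openssl and OpenLDAP's ldapsearch.
set -u

# Split the comma-separated host list allowed for one domain controller
# (spaces around commas are tolerated) into one host per line.
split_hosts() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# Accept only a comma-separated list of RDNs such as "DC=example-domain,DC=com"
# (an OU=... or CN=... base is also a valid search base, so it is allowed).
valid_base_dn() {
  printf '%s' "$1" | grep -Eq '^(DC|OU|CN)=[^,=]+(,(DC|OU|CN)=[^,=]+)*$'
}

# Hire2Retire only connects over LDAPS, so the URL always uses ldaps://.
ldaps_url() { printf 'ldaps://%s:%s' "$1" "$2"; }

# Show the certificate the DC presents and whether it chains to a CA this
# host trusts; a self-signed DC certificate shows up as a verify error.
check_ldaps_cert() {
  local host=$1 port=${2:-636}
  echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
    | grep -E 'Verify return code|subject=|issuer='
}

# Read the RootDSE anonymously: AD lists its naming contexts there, and the
# Base DN from the form must be one of them.
check_base_dn_on_dc() {
  local host=$1 port=$2 base=$3
  ldapsearch -H "$(ldaps_url "$host" "$port")" -x -s base -b '' namingContexts \
    | grep -i "^namingContexts: $base\$"
}

# Run every check for one domain-controller entry from the form.
preflight() {
  local hosts=$1 port=$2 base=$3 h
  valid_base_dn "$base" || { echo "bad Base DN format: $base" >&2; return 1; }
  split_hosts "$hosts" | while read -r h; do
    echo "== $h:$port"
    check_ldaps_cert "$h" "$port"
    check_base_dn_on_dc "$h" "$port" "$base" || echo "Base DN not served by $h" >&2
  done
}

# Usage (hostnames and Base DN are constructed placeholders):
# preflight "dc1.example-domain.com, dc2.example-domain.com" 636 "DC=example-domain,DC=com"
```

A "Verify return code: 0 (ok)" line from openssl means the agent host trusts the DC's certificate chain; anything else should be fixed (usually by installing the issuing CA certificate on the host) before attempting to link the account.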


After filling in the details, click the "Link Account" button. Once the account has been linked successfully, follow the instructions below to set up the Active Directory On-Prem Agent.


Figure 3. Instructions to set up On-Prem Agent

Instructions to set up On-Prem Agent

  1. Install Docker and OpenSSL if they are not already available.
  2. Start the Docker service and download the On-Premise installation package.
  3. Unzip the installation package. It contains three files:
    • config.enc
    • run.sh
    • secrets.enc
  4. All three files must be in the same directory. Before running the script, make sure your current directory contains them. To start the on-premise agent, execute the script (run.sh) with the command:

    sudo bash ./run.sh [ path to private key ] [ -p passphrase ] [ -n number of onprem-agent instance ] [ --username username]

    • sudo bash ./run.sh : Runs the script with bash as the root user.

      • path to private key (REQUIRED) -- Path to the user's private key, the one matching the public key entered on the connection form. It must always be the first argument.
      • -p (OPTIONAL) : Passphrase, if the private key is protected by one.
      • -n (OPTIONAL) : Number of onprem-agent replicas required. If not provided, one replica is started.

        If the script (run.sh) is re-run, all running onprem-agent instances are stopped and removed, and the script starts the newly requested number of instances.

      • --username (REQUIRED) : Username used to access the Active Directory server.

    • -h or --help : Help text to run the script.

      Examples:

      1. sudo bash ./run.sh /Users/JohnSnow/.ssh/id_rsa --username admin@example.com

      2. With passphrase :

        sudo bash ./run.sh /Users/JohnSnow/.ssh/id_rsa -p secret@16548 --username admin@example.com

      3. With a number of Docker containers :

        sudo bash ./run.sh /Users/JohnSnow/.ssh/id_rsa -n 1 --username admin@example.com

      4. With all three :

        sudo bash ./run.sh /Users/JohnSnow/.ssh/id_rsa -p secret@16548 -n 2 --username admin@example.com

      A passphrase given with -p appears in the process list of every local user while the script runs and is saved in your shell history, so run the script from a host that other users cannot log into, and clear the history entry afterwards.

    Some useful Docker commands:

    Command                         Usage
    docker ps                       list all running containers
    docker ps --all                 list all containers, including stopped ones
    docker logs [ container name ]  fetch the logs of the specified container
    docker rm [ container name ]    remove a container
  5. After the package is set up and the agent is running, click the "Verify Connection" button.
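The steps above assume the package is complete, the private key is protected, and the Docker daemon is up; run.sh only reports some of that, and the private key decrypts config.enc and secrets.enc (which carry the credentials for the AD service account), so it deserves a check of its own. The wrapper below is an added example, not part of Hire2Retire's installation package; the directory, key path and username in the usage line are constructed placeholders, and any extra arguments (such as -p or -n) are passed through to run.sh unchanged.

```shell
#!/usr/bin/env bash
# Added example (not part of Hire2Retire's installation package): checks a
# practitioner would run before "sudo bash ./run.sh ...", then launches it.
set -u

REQUIRED_FILES="config.enc run.sh secrets.enc"

# The three files from the package must sit together in one directory.
package_complete() {
  local dir=$1 f
  for f in $REQUIRED_FILES; do
    [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
  done
}

# Octal permission bits of a file, portable across GNU and BSD stat.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# The private key decrypts config.enc and secrets.enc, so it must not be
# readable by group or others: the last two octal digits must both be 0.
key_is_private() {
  local mode
  mode=$(file_mode "$1") || return 1
  [ "${mode#${mode%??}}" = "00" ]
}

docker_running() { docker info >/dev/null 2>&1; }

# Start the agent only after every check passes. Extra arguments go to
# run.sh (e.g. -p PASSPHRASE -n 2); remember that -p puts the passphrase
# into `ps` output and shell history.
start_agent() {
  local dir=$1 key=$2 user=$3; shift 3
  package_complete "$dir" || return 1
  key_is_private "$key" || { echo "$key is readable by others; run: chmod 600 $key" >&2; return 1; }
  docker_running || { echo "docker daemon is not running" >&2; return 1; }
  ( cd "$dir" && sudo bash ./run.sh "$key" "$@" --username "$user" )
}

# Usage (directory, key path and username are constructed placeholders):
# start_agent ./hire2retire-onprem ~/.ssh/id_rsa admin@example.com -n 2
```

If `key_is_private` rejects the key, fix it with `chmod 600` rather than relaxing the check; a world-readable private key lets any local account decrypt the AD credentials in secrets.enc.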


Figure 4. Verify Connection button

Once the On-Premise Agent is up and running and the connection has been verified, you can continue configuring the workflow by clicking the "Configure Workflow" button.


Figure 5. Configure Workflow button

How to stop the running On-Premise Agent Docker container

When the flow is paused or deleted, stop the Docker container with the commands given below. First list the running containers to find the container ID:

$ docker ps


Figure 6. Docker Command to list running container
$ docker container stop CONTAINER [CONTAINER...]

Example: docker stop 733e33bfe48b

Set up delegated control on Active Directory

You can delegate control (manage users or groups) under a specific OU to the service account, so that it holds only the rights the workflow needs rather than domain-wide administrative rights.

Manage users

By following the steps below, you grant the service account permission to manage user accounts under a specific OU. If the service account tries to manage an account in another OU for which control has not been delegated, the operation fails with "insufficient access rights".

  • Right-click the OU in which you want the service account to manage users, and click "Delegate Control".

  • In the Delegation of Control Wizard, add the service account and click "Next".

  • Select the option "Create, delete and manage user accounts", and then click "Next".

  • Click "Finish" in the summary window.

Manage security groups

By following the steps below, you grant the service account permission to manage the membership of security groups under a specific OU. If the service account tries to manage the membership of a security group in another OU for which control has not been delegated, the operation fails with "insufficient access rights".

  • Right-click the OU in which you want the service account to manage security groups, and click "Delegate Control".

  • In the Delegation of Control Wizard, add the service account and click "Next".

  • Select the option "Modify the membership of a group", and then click "Next".

  • Click "Finish" in the summary window.

Remove delegated control from a user

This section describes how to remove the delegated control granted to the service account.

  • Right-click the OU and click "Properties".

  • Select the "Security" tab in the pop-up window. Then select the user you want to remove from the delegated control and click "Remove".

  • Click "Apply" at the end.
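Whether the delegation from the "Manage users" and "Manage security groups" steps (or its removal) actually took effect is best verified from the agent host, as the service account, over the same LDAPS path the agent uses: a write inside the delegated OU should succeed, and the same write outside it should fail with LDAP result code 50, which is the "insufficient access rights" error mentioned above. The script below is an added example, not Hire2Retire's code; it uses OpenLDAP's ldapmodify, reads the service-account password from a file (the path /run/secrets/svc_pw is an assumption), and the DNs and hostnames in the usage comment are constructed placeholders. It goes slightly beyond the page by probing both a user attribute and a group membership, and it undoes each change it makes.

```shell
#!/usr/bin/env bash
# Added example (not from the Hire2Retire page): exercise delegated rights
# from the agent host as the service account, over LDAPS, so an
# "insufficient access rights" failure surfaces before a workflow runs.
# Requires OpenLDAP's ldapmodify. All DNs and hosts are placeholders.
set -u

PASSWORD_FILE=${PASSWORD_FILE:-/run/secrets/svc_pw}   # assumed location

# OpenLDAP's tools exit with the LDAP result code of the operation.
explain_ldap_rc() {
  case "$1" in
    0)  echo "success: delegated right is in place" ;;
    32) echo "noSuchObject: DN does not exist (check Base DN/OU spelling)" ;;
    49) echo "invalidCredentials: wrong service-account username or password" ;;
    50) echo "insufficientAccessRights: no delegation on this OU for the service account" ;;
    *)  echo "LDAP result code $1" ;;
  esac
}

# LDIF that adds (or, with op=delete, removes) one member of a group.
member_ldif() {
  local group_dn=$1 member_dn=$2 op=${3:-add}
  printf 'dn: %s\nchangetype: modify\n%s: member\nmember: %s\n' "$group_dn" "$op" "$member_dn"
}

# LDIF that replaces one single-valued attribute on a user (or any object).
attr_ldif() {
  local dn=$1 attr=$2 value=$3
  printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n' "$dn" "$attr" "$attr" "$value"
}

# Apply an LDIF as the service account and translate the result code.
apply_as_service_account() {
  local url=$1 bind_dn=$2 ldif=$3 rc
  printf '%s\n' "$ldif" | ldapmodify -H "$url" -x -D "$bind_dn" -y "$PASSWORD_FILE" >/dev/null 2>&1
  rc=$?
  explain_ldap_rc "$rc"
  return "$rc"
}

# Group probe: add a member, then remove it again. Expect rc 0 inside the
# delegated OU and rc 50 for a group in any other OU.
probe_group_delegation() {
  local url=$1 bind_dn=$2 group_dn=$3 member_dn=$4
  apply_as_service_account "$url" "$bind_dn" "$(member_ldif "$group_dn" "$member_dn" add)" || return $?
  apply_as_service_account "$url" "$bind_dn" "$(member_ldif "$group_dn" "$member_dn" delete)"
}

# User probe: set and then clear a harmless attribute on a user object.
probe_user_delegation() {
  local url=$1 bind_dn=$2 user_dn=$3
  apply_as_service_account "$url" "$bind_dn" "$(attr_ldif "$user_dn" description "delegation probe")" || return $?
  printf 'dn: %s\nchangetype: modify\ndelete: description\n' "$user_dn" \
    | ldapmodify -H "$url" -x -D "$bind_dn" -y "$PASSWORD_FILE" >/dev/null 2>&1
}

# Usage (placeholders):
# URL=ldaps://dc1.example-domain.com:636
# SVC='CN=svc-hire2retire,OU=Service Accounts,DC=example-domain,DC=com'
# probe_user_delegation  "$URL" "$SVC" 'CN=Test User,OU=Managed,DC=example-domain,DC=com'
# probe_group_delegation "$URL" "$SVC" 'CN=HR-Readers,OU=Managed,DC=example-domain,DC=com' \
#                                      'CN=Test User,OU=Managed,DC=example-domain,DC=com'
```

Run the probes once against objects inside the delegated OU and once against objects outside it; the first pair should report success and the second pair result code 50. A success outside the OU means the service account holds broader rights than the delegation described above, which is worth investigating before the workflow goes live.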