
Hybrid Connection

Under the hood, a Hybrid (Active Directory + Azure Active Directory) connection talks to your Active Directory domain controller over the Lightweight Directory Access Protocol (LDAP): it binds with the account you supply and performs directory operations with that account's permissions. By linking your account with Hire2Retire you authorize RoboMQ to perform those operations on your Active Directory domain controller.

Hire2Retire supports the employee lifecycle operations onboarding, update, termination, rehire and leave in Active Directory. The account used to establish the connection must therefore satisfy one of the following criteria:

  • It is a member of the security group "Domain Admins", or
  • It has been delegated control over the target Organizational Units (OUs), as described under "Set up the delegated control on Active Directory" below.

Delegated control over only the OUs Hire2Retire needs to touch is the least-privilege option and is preferable to "Domain Admins" membership: a service account whose credentials are stored by an external service should not be able to modify every object in the domain.

Create Hybrid Connection

Hire2Retire requires the following details to create a connection.

  • Connection Name - A user-defined name for the connection. The default is "Connection-Directory Service"; change it as you prefer.
  • Host - The host name or IP address of your Active Directory domain controller. You can add more than one host for the same account. Prefer a host name that appears in the domain controller's LDAPS server certificate over a bare IP address; certificate name checks fail otherwise.
  • Port - The TCP port on which the domain controller listens. Hire2Retire only establishes the LDAP connection over SSL/TLS (LDAPS), so this must be the LDAPS port; the default is 636. LDAPS is available on that port only once the domain controller has a server certificate.
  • Base DN - The distinguished name of the directory subtree that Hire2Retire searches and modifies; every user and group it manages must sit below this point. It is normally the domain root and is given in the format "DC=example-domain,DC=com".
  • Username - The account Hire2Retire binds with. It must either be a member of the security group "Domain Admins" or have delegated control over the target Organizational Units (OUs).
  • Password - The password of that account.

Figure 1. Hybrid Connection Set Up Page

Figure 2. Hybrid Connection Set Up Page for Multi Domain Controller

If you are configuring a connection for a multi-domain-controller setup, provide the host value for each domain controller in your AD along with its respective Base DN and port. You can also provide a comma-separated list of IP addresses or host names for each domain controller.
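Before entering the values above, it is worth confirming from a Windows host that each domain controller actually offers what the connection form asks for: an LDAPS listener on the configured port with a certificate the client trusts, a successful bind as the service account, and a readable Base DN. The following PowerShell script is an added example, not RoboMQ's code; the host names, ports, Base DNs and account name in it are assumptions, and it iterates over several domain controllers to mirror the multi-domain-controller form.

```powershell
# Added example (not RoboMQ's code): verify LDAPS, bind and Base DN per domain controller.
# Host names, ports, Base DNs and the service account below are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# One entry per domain controller, mirroring the multi-domain-controller connection form.
$Targets = @(
    @{ Host = 'dc1.example-domain.com';     Port = 636; BaseDn = 'DC=example-domain,DC=com' }
    @{ Host = 'dc1.sub.example-domain.com'; Port = 636; BaseDn = 'DC=sub,DC=example-domain,DC=com' }
)
# Enter the UPN (e.g. svc-hire2retire@example-domain.com); AD accepts it for a simple bind.
$Credential = Get-Credential -Message 'Hire2Retire service account (UPN)'

function Test-Hire2RetireLdaps {
    param([string]$Server, [int]$Port, [string]$BaseDn, [pscredential]$Credential)

    $out = [ordered]@{ Server = $Server; Port = $Port; Bind = $false; OuCount = 0; Detail = '' }

    # fullyQualifiedDnsHostName = $true: treat $Server as a host, not a domain name to be located.
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port, $true, $false)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new(
                $id, $Credential.GetNetworkCredential(), [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true   # TLS from the first byte; a simple bind must never go over 389
    # No VerifyServerCertificate override on purpose: the DC certificate has to chain to a CA this
    # host trusts and carry $Server in its subject or SAN. A callback that returns $true would hide
    # a bad certificate (the usual "fix" for "The LDAP server is unavailable") and accept any server.

    try {
        $conn.Bind()
        $out.Bind = $true
        # A subtree search for OUs proves the Base DN exists on this DC and is readable by the account.
        $req  = [System.DirectoryServices.Protocols.SearchRequest]::new(
                    $BaseDn, '(objectClass=organizationalUnit)',
                    [System.DirectoryServices.Protocols.SearchScope]::Subtree, 'distinguishedName')
        $resp = $conn.SendRequest($req)
        $out.OuCount = $resp.Entries.Count
        $out.Detail  = 'ok'
    } catch {
        $ex = $_.Exception
        if ($ex -is [System.DirectoryServices.Protocols.DirectoryOperationException]) {
            # e.g. NoSuchObject when the Base DN is wrong for this domain controller
            $out.Detail = "search failed: $($ex.Response.ResultCode)"
        } else {
            # LdapException: TLS/transport failure or invalid credentials
            $out.Detail = "bind failed: $($ex.Message)"
        }
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]$out
}

$Targets | ForEach-Object {
    Test-Hire2RetireLdaps -Server $_.Host -Port $_.Port -BaseDn $_.BaseDn -Credential $Credential
} | Format-Table -AutoSize
```

A row with Bind = False and a transport error usually means the DC has no LDAPS certificate, the certificate is not trusted by the host running the script, or the Host value does not match the certificate; fix that on the domain controller or in the Host field rather than by disabling certificate verification.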

Set up the delegated control on Active Directory

You can delegate control (manage users, or manage group membership) over a specific OU to the service account.

Manage user

By following the steps below, you grant the service account permission to manage user accounts under a specific OU. If the service account tries to manage an account in another OU over which it has not been delegated control, the operation fails with LDAP result code 50, "insufficient access rights".

  • Right-click the OU whose users the service account should manage, then click "Delegate Control".

  • In the Delegation of Control Wizard window, add the service account and click "Next".

  • Select the option "Create, delete and manage user accounts", and then click "Next".

  • Click "Finish" in the summary window.

Manage security group

By following the steps below, you grant the service account permission to manage the membership of security groups under a specific OU. If the service account tries to change the membership of a security group in another OU over which it has not been delegated control, the operation fails with LDAP result code 50, "insufficient access rights".

  • Right-click the OU containing the security groups whose membership the service account should manage, then click "Delegate Control".

  • In the Delegation of Control Wizard window, add the service account and click "Next".

  • Select the option "Modify the membership of a group" (not "Create, delete and manage user accounts", which is the user-management task from the previous section), and then click "Next".

  • Click "Finish" in the summary window.

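The two wizard procedures above ("Create, delete and manage user accounts" and "Modify the membership of a group") write object-specific ACEs onto the OU. The PowerShell script below is an added example, not RoboMQ's code, that grants the same rights from the command line and reads back what the service account actually holds on the OU, which is the check to run when an operation fails with "insufficient access rights". It assumes the RSAT ActiveDirectory module is installed, the service account is svc-hire2retire and the target OU is OU=Staff,DC=example-domain,DC=com, and it must run as an account allowed to edit that OU's ACL.

```powershell
# Added example (not RoboMQ's code): command-line equivalent of the two Delegation of
# Control Wizard tasks above, scoped to one OU, plus a read-back of the resulting ACEs.
# Assumptions: RSAT ActiveDirectory module installed; service account svc-hire2retire;
# target OU OU=Staff,DC=example-domain,DC=com.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-hire2retire'                    # assumption
$TargetOu       = 'OU=Staff,DC=example-domain,DC=com'  # assumption

$Rule    = [System.DirectoryServices.ActiveDirectoryAccessRule]
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Object-specific ACEs are keyed by schemaIDGUID, so resolve class and attribute names
# from the schema partition instead of hard-coding GUIDs.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "schema object '$LdapDisplayName' not found" }
    return [Guid]$obj.schemaIDGUID
}

function Grant-Hire2RetireDelegation {
    param([string]$Identity, [string]$Ou)

    $sid        = (Get-ADUser -Identity $Identity).SID
    $userClass  = Get-SchemaGuid 'user'
    $groupClass = Get-SchemaGuid 'group'
    $memberAttr = Get-SchemaGuid 'member'
    $acl        = Get-Acl -Path "AD:\$Ou"

    # "Create, delete and manage user accounts":
    #   create/delete child objects of class user on this OU and every container below it ...
    $acl.AddAccessRule($Rule::new($sid, ($Rights::CreateChild -bor $Rights::DeleteChild), $Allow,
                                  $userClass, $Inherit::All))
    #   ... and full control of user objects below the OU (attributes, password reset, enable/disable).
    $acl.AddAccessRule($Rule::new($sid, $Rights::GenericAll, $Allow, $Inherit::Descendents, $userClass))

    # "Modify the membership of a group": read/write the member attribute of group objects below the OU.
    $acl.AddAccessRule($Rule::new($sid, ($Rights::ReadProperty -bor $Rights::WriteProperty), $Allow,
                                  $memberAttr, $Inherit::Descendents, $groupClass))

    Set-Acl -Path "AD:\$Ou" -AclObject $acl
}

# Read back the ACEs the service account holds on the OU. Nothing here covers objects
# outside this subtree, so operations on them still fail with "insufficient access rights".
function Get-Hire2RetireDelegation {
    param([string]$Identity, [string]$Ou)
    $sid = (Get-ADUser -Identity $Identity).SID
    (Get-Acl -Path "AD:\$Ou").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType, IsInherited
}

Grant-Hire2RetireDelegation -Identity $ServiceAccount -Ou $TargetOu
Get-Hire2RetireDelegation   -Identity $ServiceAccount -Ou $TargetOu | Format-Table -AutoSize
```

The read-back should list three entries: CreateChild/DeleteChild with ObjectType equal to the user class GUID, GenericAll with InheritedObjectType equal to the user class GUID, and ReadProperty/WriteProperty with ObjectType equal to the member attribute GUID and InheritedObjectType equal to the group class GUID. Anything broader than that (for example GenericAll with an empty InheritedObjectType) means the account can modify more than user and group objects in that OU.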
Remove the delegated control of a user

This section tells how to remove the delegated control of the service account.

  • Right-click the OU and click "Properties".

  • Select the "Security" tab in the pop-up window. In the "Group or user names" list, select the service account whose delegated control you want to remove, then click "Remove".

  • Click "Apply" at the end. Only entries set directly on this OU are removed this way: entries inherited from a parent container are greyed out here and must be removed on the container where they were set, and an account that is a member of "Domain Admins" keeps full rights regardless of OU-level delegation.

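The same removal from the command line, as an added example that is not RoboMQ's code. Besides removing the explicit entries (the equivalent of the "Remove" button), it reports the two things that step cannot undo: ACEs inherited from a parent container and "Domain Admins" membership. It assumes the RSAT ActiveDirectory module is installed, the service account is svc-hire2retire and the OU is OU=Staff,DC=example-domain,DC=com.

```powershell
# Added example (not RoboMQ's code): remove the service account's delegation on one OU
# and report what is left. Assumptions: RSAT ActiveDirectory module installed; service
# account svc-hire2retire; OU OU=Staff,DC=example-domain,DC=com.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-hire2retire'                    # assumption
$TargetOu       = 'OU=Staff,DC=example-domain,DC=com'  # assumption

function Remove-Hire2RetireDelegation {
    param([string]$Identity, [string]$Ou)

    $sid  = (Get-ADUser -Identity $Identity).SID
    $acl  = Get-Acl -Path "AD:\$Ou"
    $mine = @($acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    })

    # Explicit ACEs on this OU: same effect as selecting the account on the Security tab and clicking "Remove".
    $explicit = @($mine | Where-Object { -not $_.IsInherited })
    if ($explicit.Count -gt 0) {
        $acl.PurgeAccessRules($sid)    # drops every explicit ACE for this identity
        Set-Acl -Path "AD:\$Ou" -AclObject $acl
    }

    # Inherited ACEs cannot be removed here; remove them on the container that defines them.
    $inherited = @($mine | Where-Object { $_.IsInherited })

    # OU-level delegation is irrelevant while the account is still a Domain Admin.
    $isDomainAdmin = [bool](Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                            Where-Object { $_.SID -eq $sid })

    [pscustomobject]@{
        Ou               = $Ou
        RemovedExplicit  = $explicit.Count
        StillInherited   = $inherited.Count
        StillDomainAdmin = $isDomainAdmin
    }
}

Remove-Hire2RetireDelegation -Identity $ServiceAccount -Ou $TargetOu
```

A result with StillInherited greater than 0 or StillDomainAdmin equal to True means the account can still modify objects under this OU after the removal; repeat the removal on the parent container, or remove the account from "Domain Admins", as appropriate.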