Hybrid Connection
Hybrid identity environments that integrate Active Directory (AD) with Entra ID operate using a Lightweight Directory Access Protocol (LDAP)-based authorization model. When you link your account with Hire2Retire, you grant RoboMQ the necessary permissions to interact with your Active Directory Domain Controller, enabling automated user lifecycle management.
The Hire2Retire platform is designed to handle critical employee lifecycle operations within Active Directory, including onboarding, profile updates, termination, rehire, and leave management. To establish a successful and secure connection, the account you use must meet one of the following conditions:
- Be a member of the security group named "Domain Admin".
- Have delegated control configured for the relevant Organizational Units (OUs) within Active Directory.
These prerequisites ensure that the connected account has adequate permissions to perform the required directory operations in compliance with organizational security standards.
Create Hybrid Connection
To establish a connection, Hire2Retire requires the following configuration details:
- Connection Name - This is a user-defined label for identifying your connection. By default, it is set to "Connection-Directory Service", but you are free to rename it to align with your organization’s naming conventions or preferences.
- Host - This refers to the IP address of your Active Directory (AD) server, which will be used to initiate the connection.
- Port - This is the TCP/IP port number on which your AD server is configured to listen. Hire2Retire uses LDAPS (LDAP over SSL) to ensure secure communication, and the connection will only be established through the SSL port, which by default is 636.
- Base DN - This defines the scope of the directory that Hire2Retire will interact with. A Base DN identifies a specific collection of directory objects—these could include users, groups, or hardware resources such as printers or computers. The format should follow standard LDAP naming, for example: "DC=example-domain,DC=com".
- Username - This is the user credential used to authenticate with the AD server. The account must either be part of the "Domain Admin" group or must have delegated control over the Organizational Units (OUs) that Hire2Retire will manage.
- Password - This is the corresponding password for the username provided to authenticate access to the AD server.
These parameters are essential for enabling secure and efficient communication between Hire2Retire and your Active Directory environment, ensuring that user lifecycle actions are executed accurately and with the proper level of authorization.
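As an added preflight example (not code from Hire2Retire or RoboMQ), the Python below checks the connection fields described above before they are entered: the port must be the LDAPS port 636, the Base DN must parse as LDAP naming and end in DC components, and credentials must be present. It also offers an optional TLS-only handshake that confirms the domain controller's LDAPS certificate verifies against the local trust store and matches the host value, without sending any credentials; the `HybridConnection` dataclass, the validation rules and the sample values are assumptions of this example.

```python
from __future__ import annotations
import re
import socket
import ssl
from dataclasses import dataclass

LDAPS_PORT = 636  # the only port Hire2Retire connects on (LDAP over SSL)

@dataclass
class HybridConnection:  # hypothetical holder for the form fields on this page
    name: str
    host: str
    port: int
    base_dn: str
    username: str
    password: str

# One RDN such as "DC=example-domain"; escaped commas in values are not handled.
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*([^,]+?)\s*$")

def parse_base_dn(base_dn: str) -> list[tuple[str, str]]:
    """Split 'OU=Staff,DC=example-domain,DC=com' into (attribute, value) pairs."""
    parts = []
    for rdn in base_dn.split(","):
        m = _RDN.match(rdn)
        if not m:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts.append((m.group(1).upper(), m.group(2)))
    return parts

def validate(conn: HybridConnection) -> list[str]:
    """Return the list of problems found; an empty list means the fields look usable."""
    problems = []
    if conn.port != LDAPS_PORT:
        problems.append(f"port {conn.port}: only LDAPS on {LDAPS_PORT} is accepted")
    try:
        rdns = parse_base_dn(conn.base_dn)
        if rdns[-1][0] != "DC":  # assumption: an AD Base DN ends in its domain's DC parts
            problems.append("base DN must end in DC components, e.g. DC=example-domain,DC=com")
    except ValueError as exc:
        problems.append(str(exc))
    if not conn.username or not conn.password:
        problems.append("username and password are both required for the bind")
    return problems

def tls_preflight(host: str, port: int = LDAPS_PORT, timeout: float = 5.0) -> str:
    """TLS handshake only (no bind): reports whether the DC certificate chain
    verifies and matches `host` (hostname or IP SAN). Needs network access."""
    ctx = ssl.create_default_context()  # chain + hostname/IP verification enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return f"ok: {tls.version()}"
    except ssl.SSLCertVerificationError as exc:
        return f"certificate rejected: {exc.verify_message}"
    except OSError as exc:
        return f"connection failed: {exc}"
```

A "certificate rejected" result from `tls_preflight` usually means the domain controller's certificate is not issued by a CA the connecting host trusts, or its subject alternative names do not include the value entered in the Host field.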