39509: Automatic Active Directory Account Management With MassTransit

Last update: 30-04-2021

Summary:

MassTransit implements the automatic Active Directory account management feature, which sets up MassTransit contacts, forwarding privileges, and so on automatically based on existing Active Directory groups. For information about configuring automatic AD account management on MassTransit Server 7, please refer to: Active Directory Authentication.

Description:

MassTransit allows you to leverage the groups in your Active Directory tree to automatically create accounts and assign forwarding privileges. Any existing Active Directory group can be designated as a part of the MassTransit Master List or the MassTransit Distribution List or both.

MassTransit will automatically create contacts for Master List members. MassTransit will create contacts for Distribution List members when those members attempt to log in to MassTransit or when they are forwarded files. The Distribution List defines forwarding privileges: contacts who are members of an Active Directory group included in the Distribution List are automatically allowed to forward files to all other members of the same Active Directory group and all its subgroups, if any. MassTransit contacts for Distribution List members are created dynamically when they are needed and are set to expire 7 days after the creation date. Any file transfer-related operation that involves a Distribution List contact, such as files being added to that contact's mailbox or forwarded from another contact, will extend its expiration date to at least 7 days from the time the operation occurred.

MassTransit polls Active Directory periodically to synchronize both Master and Distribution List membership. Automatically created MassTransit contacts that no longer have a membership in either of the Lists will be automatically deleted from the contacts database.

The automatic Active Directory account management feature is only available in Enterprise and Service Provider editions of MassTransit; all automatically created MassTransit contacts will be of the Web Client type. The feature is controlled by the following configuration parameters in the MassTransitEngine.cfg configuration file:

LDAP_AUTO_ACCOUNT_MANAGEMENT_ENABLED - master switch that enables or disables the whole feature. Accepted values are TRUE or FALSE; the default is FALSE. This parameter will be ignored and the feature will be disabled if the core Directory Services feature is disabled or fails to initialize.

LDAP_MML_GROUPS - semicolon-separated list of valid Active Directory groups that comprise the Master List. Groups must be specified by their distinguished names, for example CN=Group Name,CN=Users,DC=domain,DC=com. Duplicate, nested, or recursively nested groups are acceptable and will not cause any issues at run time. However, only manually created Active Directory groups with explicitly defined user account membership can be designated as Master List entries; built-in Active Directory security principals that establish implicit group membership, such as Domain Users, are ignored by the automatic Active Directory account management feature.

LDAP_MDL_GROUPS - semicolon-separated list of valid Active Directory groups that comprise the Distribution List. The same requirements and limitations apply to this parameter as to the Master List.

LDAP_MML_POLLING_INTERVAL - Master List polling interval specified in minutes. The default value for this parameter is 30 minutes; using shorter intervals is not recommended.

LDAP_MDL_POLLING_INTERVAL - Distribution List polling interval specified in minutes. The default value for this parameter is 30 minutes; using shorter intervals is not recommended.

LDAP_MAX_WC_ACCOUNTS - maximum number of Web Client contacts to maintain in the database at any given time. This number includes both automatically and manually created Web Client contacts. This parameter is provided to avoid accidentally creating very large numbers of contacts due to various configuration errors. The default value for this parameter is 1000.

LDAP_AUTO_ACCOUNT_PROFILE - an optional profile contact whose settings will be propagated to all automatically created contacts. This parameter should be set to the name of an existing Web Client contact; if the profile contact is not specified, does not exist, or is not a Web Client, MassTransit will use the default Web Client contact settings when automatically creating contacts. The following profile settings are overridden for automatically created contacts:

  • Authentication type (always set to Active Directory)
  • Contact information block - first name, last name, e-mail, etc. (populated from the respective Active Directory account)
  • Account expiration time (not set for Master List contacts; set to either the profile expiration time or 7 days from the current time, whichever is greater, for Distribution List contacts).
  • Accept Calls From User (always on)
  • Receive Files From User (always on)
  • Send Files To User (always on)
  • Allow Connect Via Web To Transfer Files (always on)
  • Manually assigned forwarding privileges (only propagated to Master List contacts)

LDAP_MAX_FWD_CONTACTS - maximum number of forwarding contacts to be displayed in the Web Client user interface. The default value for this parameter is 3000.
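As an added example (not MassTransit's own code), the following Python linter checks a MassTransitEngine.cfg fragment against the rules documented above: the TRUE/FALSE master switch, distinguished-name syntax for the group lists, built-in principals that MassTransit ignores, positive-integer values, and polling intervals below the 30-minute default. It assumes a `KEY = VALUE` line syntax, which the article does not document, and uses a constructed sample fragment; the ignored principals other than Domain Users are assumed.

```python
# Added example, not MassTransit's own code. Assumes `KEY = VALUE` line syntax
# (the article does not document the file format) and applies its documented rules.
import re

# One or more RDNs, e.g. CN=Group Name,CN=Users,DC=domain,DC=com
DN_RE = re.compile(r"^([A-Za-z]+=[^,=]+)(,[A-Za-z]+=[^,=]+)+$")
# Built-in principals with implicit membership are ignored; Domain Users is from the article, the rest assumed.
IMPLICIT_GROUPS = {"domain users", "authenticated users", "everyone"}
DEFAULT_POLL_MIN = 30  # documented default; shorter intervals not recommended

SAMPLE_CFG = """# constructed sample fragment, not from a real deployment
LDAP_AUTO_ACCOUNT_MANAGEMENT_ENABLED = TRUE
LDAP_MML_GROUPS = CN=MT Master,CN=Users,DC=example,DC=test;CN=Domain Users,CN=Users,DC=example,DC=test
LDAP_MDL_GROUPS = Sales Team
LDAP_MML_POLLING_INTERVAL = 5
LDAP_MAX_WC_ACCOUNTS = 1000
"""

def parse_cfg(text):
    """Return {KEY: VALUE}; blank lines and # comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            cfg[key.strip().upper()] = value.strip()
    return cfg

def check_groups(key, value, findings):
    """Each ;-separated entry must be a DN and not an ignored built-in principal."""
    for dn in filter(None, (g.strip() for g in value.split(";"))):
        if not DN_RE.match(dn):
            findings.append(f"{key}: '{dn}' is not a distinguished name")
        elif dn.split(",", 1)[0].split("=", 1)[1].lower() in IMPLICIT_GROUPS:
            findings.append(f"{key}: built-in principal '{dn}' will be ignored")

def lint(text):
    """Return a list of findings; an empty list means the fragment follows the rules."""
    cfg, findings = parse_cfg(text), []
    if cfg.get("LDAP_AUTO_ACCOUNT_MANAGEMENT_ENABLED", "FALSE").upper() not in ("TRUE", "FALSE"):
        findings.append("LDAP_AUTO_ACCOUNT_MANAGEMENT_ENABLED must be TRUE or FALSE")
    for key in ("LDAP_MML_GROUPS", "LDAP_MDL_GROUPS"):
        if key in cfg:
            check_groups(key, cfg[key], findings)
    for key in ("LDAP_MML_POLLING_INTERVAL", "LDAP_MDL_POLLING_INTERVAL", "LDAP_MAX_WC_ACCOUNTS"):
        if key in cfg and not (cfg[key].isdigit() and int(cfg[key]) > 0):
            findings.append(f"{key}: '{cfg[key]}' must be a positive integer")
        elif key.endswith("_INTERVAL") and key in cfg and int(cfg[key]) < DEFAULT_POLL_MIN:
            findings.append(f"{key}: {cfg[key]} minutes is below the {DEFAULT_POLL_MIN}-minute default; not recommended")
    return findings
```

Running `lint(SAMPLE_CFG)` reports the ignored Domain Users entry, the malformed Distribution List entry, and the too-short Master List polling interval.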