Active Directory¶
Category: Identity | Version: 1.0.0 | Requires: Tevyra Proxy
What is this module for?¶
The Active Directory module automatically synchronizes your AD data in Tevyra: users, groups, computers, and organizational units. You can also perform actions directly from Tevyra — create a user, reset a password, manage groups.
Proxy required
This module requires a Tevyra Proxy deployed in your network to access domain controllers via LDAP/LDAPS. See the proxy installation guide.
Before you start¶
To configure this module, you will need:
- An AD service account with read rights on the directory (see guide below)
- The address of your domain controller (e.g. dc01.company.local)
- Port 636 (LDAPS) or 389 (LDAP) open from the proxy to the DC(s)
- The Tevyra Proxy installed in your network
Configuration¶
Required parameters¶
| Parameter | Type | Description |
|---|---|---|
| servers | array | List of LDAP/AD servers |
Optional parameters¶
| Parameter | Type | Default | Description |
|---|---|---|---|
| verify_ssl | boolean | True | Verifies SSL/TLS certificates |
| sync_disabled_users | boolean | False | Also synchronizes disabled accounts |
Example configuration¶
```json
{
  "servers": [
    {
      "url": "ldaps://dc01.company.local:636",
      "base_dn": "DC=company,DC=local",
      "bind_user": "svc-tevyra@company.local",
      "bind_password": "secure-password"
    }
  ],
  "verify_ssl": true,
  "sync_disabled_users": false
}
```
Multi-server
You can configure multiple servers for failover or multi-domain environments.
Collected data¶
Once activated, the module automatically synchronizes the following data:
| Asset type | Description |
|---|---|
| ad_user | Active Directory users |
| ad_group | Security and distribution groups |
| ad_computer | Domain-joined computers and servers |
| ad_ou | Organizational units (OU) |
Default sync interval: 5 minutes
Available actions¶
From the Tevyra interface, you can perform the following actions:
| Action | Description |
|---|---|
| ad.create_user | Creates a user in Active Directory |
| ad.disable_user | Disables a user account |
| ad.enable_user | Re-enables a user account |
| ad.reset_password | Resets a user's password |
| ad.add_to_group | Adds a user to a group |
| ad.remove_from_group | Removes a user from a group |
Indicators¶
The dashboard displays the following indicators:
| Indicator | Description |
|---|---|
| users_total | Total number of users |
| users_enabled | Active users |
| users_disabled | Disabled users |
| computers_total | Total number of computers |
| groups_total | Total number of groups |
Create the service account¶
Step 1: Create the account¶
- Open Active Directory Users and Computers
- Create a user in a dedicated OU (e.g. OU=ServiceAccounts)
- Name the account: svc-tevyra
- Set a strong password
- Check Password never expires
Step 2: Read permissions¶
The account must have read rights on the OUs to be collected. By default, any domain user has these rights.
Step 3: Write permissions (optional)¶
To use actions (user creation, password reset, etc.), delegate the following rights on the target OUs:
- Create/delete users
- Reset passwords
- Modify group membership
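The three steps above as one PowerShell script, added here as an example and not part of the Tevyra documentation. It assumes the domain company.local from the example configuration, an existing OU=ServiceAccounts, a hypothetical target OU=Staff that the module may write to, the RSAT ActiveDirectory module plus dsacls.exe on the admin host, and an account with rights to create users and edit OU ACLs.

```powershell
# Added example: create the svc-tevyra bind account (Step 1) and delegate
# only the write rights the actions need (Step 3) on a single target OU.
# Assumptions: domain company.local, OU=ServiceAccounts exists,
# OU=Staff is the hypothetical OU the module is allowed to manage.
Import-Module ActiveDirectory

$domainDn  = "DC=company,DC=local"
$svcName   = "svc-tevyra"
$svcOu     = "OU=ServiceAccounts,$domainDn"
$targetOu  = "OU=Staff,$domainDn"          # assumed target OU
$netbios   = (Get-ADDomain).NetBIOSName

# Step 1: dedicated OU, strong password, "Password never expires".
$password = Read-Host -AsSecureString -Prompt "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName `
    -UserPrincipalName "$svcName@company.local" -Path $svcOu `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true `
    -Description "Tevyra Active Directory module bind account"

# Step 2: nothing to do for read-only sync; any domain user can
# already read users, groups, computers and OUs.

# Step 3 (optional): delegate on the target OU only, never at the domain root.
$principal = "$netbios\$svcName"
# Create/delete user objects in the OU and its sub-OUs (/I:T = this object and children).
dsacls $targetOu /I:T /G "${principal}:CCDC;user"
# "Reset Password" extended right on user objects below the OU (/I:S = children only).
dsacls $targetOu /I:S /G "${principal}:CA;Reset Password;user"
# Write the member attribute of group objects below the OU (add/remove members).
dsacls $targetOu /I:S /G "${principal}:WP;member;group"

# Verify: show only the ACEs that now mention the service account.
dsacls $targetOu | Select-String -Pattern $svcName
```

Re-run the final dsacls line after any change to confirm the account holds no rights beyond the three delegated ones; skip Step 3 entirely if you only use the sync and indicators.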