Friday, July 6, 2012

Syncthru LDAP to 2008 active directory

I had the opportunity recently to work with one of the newer large multifunction Samsung copiers this month.  The Syncthru web interface is fairly feature rich but the documentation really could use more examples in some places.  My bane for 2 hours was figuring out how to populate the address book inside it by doing an LDAP pull from Active Directory.
The initial setup of the LDAP connector went through pretty quickly.  I just went to Security -> Network Security and then down to LDAP Server on the left menu.  I then clicked Add to enter in my LDAP server.  I added in the IP address of one of my domain controllers and then used Port number 3268 to start with because you want to keep it simple initially and introduction SSL LDAP would just add one more thing to troubleshoot.  Fill in your AD Domain name in DC=yourdomain,DC=com format.  Choose simple and enter in your username in DOMAINNAME\username format.  Note that this is the first oddity in that we're mixing netbios/domain name\username format and LDAP convention on the same form.

On the second half of that window, don't check the LDAPS yet!!!  

Click on the TEST button at the very bottom and make sure you get all OK/Success. 

Once that works, then click the Apply button at the top to save these settings.

So now we're halfway done and ready for the twists.  Go to the Address book and then click on the LDAP button at the top right.

Now for the GOTCHAS!   
a)  I couldn't get it to search recursively
b)  It only worked when the user account I used to authentication against AD was in the same ORG that I was searching.  (My AD is set to not allow anonymous searching so I have to use authentication)
c)  The login ID is in CN=firstname lastname format.  This is different than the domainname\username from the other LDAP screen.
d)  The search root is the full path to the exact ORG that you want to pull from. (note the OU=test, OU=US prepended)

To keep it simple, I used (mail=*) for my search filter.  Click on the Search button when done and IF you are successful, a list of people will show up.  Just click the Apply button to pull them all into the Address book (you can always delete the ones you don't want later from inside the copier).  If you botched it, you'll get Incorrect Filter errors.

Repeat for your other ORG units, remembering to use an account inside each one for the Login ID.  If you make it past the inconsistencies of the interface and the limitations of the AD implementation of LDAP you're home free.  Once you're done you'll have a fully functional Scan to Email function that works great.