How to integrate Bitrix24 and Active Directory, Problems and solutions
This article is a guide for integrating Bitrix24 on-premise with Active Directory and LDAP.
Active Directory and Bitrix24 integration is a common task. The tools needed for it are available in Bitrix24, but some additional setups are required.
In this article, we will show you how to implement this task, and how to solve problems related to it..
Let's consider a specific example:
Our customer is a large production company. They have a configured domain controller and Active Directory with a list of users.They want to import users from active Directory to Bitrix24 and set up synchronization.
For the purpose of importing data from user fields, we deactivate those fields in Bitrix24.
Bitrix24 on-premise has a standard module for this task - “AD/LDAP integration”. This module has to be installed or updated before you begin the integration process.
While setting up Bitrix24, and synchronizing it with AD, we set automatic data synchronization to once every hour.
After the set up process is complete, we set it to once every 24 hours since data in Active Directory rarely changes.
NOTE!
User synchronization will only occur after user authentication in Bitrix24 i.e, when the user logs into Bitrix24.
If the user has not yet logged in to Bitrix24, Then, you need to manually ‘Activate’ this user from Bitrix24 admin panel to "force" synchronization.
Otherwise, this user will not be synchronized until they log into Bitrix24.
The AD/LDAP module in Bitrix24 can also import company structure from Active Directory. You can see this option in the server settings of Bitrix24 admin panel.
If the company structure in Active Directory is not correct or has features which are not needed in Bitrix24, then, our advise is. - do not import it.
In our client's case,The existing company structure in Active Directory was incorrect, so we didn't import it.
We created 2 new structures - one in Bitrix24 and the other in Active Directory.
NOTE!
Bitrix24 considers Active Directory data to be priority data.
So, If there are different values in the same data field in Active Directory and Bitrix24, during data importation, the value in the Bitrix24 field will be replaced by the value in Active Directory.
Bitrix24 and Active Directory Integration problems
- Joint setup of filters ‘Field Setup -> User Filter’ and ‘Groups -> Groups marked below do not take part in user import’.
- Synchronizing the Active Directory server time and Bitrix24 time.
- Conflict between two copies of the same user.
- Only Upper folders in Active Directory are imported to Bitrix24
- Synchronizing a First Name and Surname copy in a different language.
- Transferring large images from Active Directory to Bitrix24.
1. Joint setup of filters ‘Field Setup -> User Filter’ and ‘Groups -> Groups marked below do not take part in user import’.
These two parameters are in conflict:
Field Setup -> User Filter:
Groups -> Groups marked below do not take part in user import:
Configuring both fields results in a conflict, and users will not be imported from Active Directory to Bitrix24.
Solution:
Use the user group filter only.
When the active filter from Active Directory was put into the user filter field, the user importation process started to work. (&(&(objectClass=user)(objectCategory=PERSON))(memberof=CN=BitrixCorpUser,CN=Builtin,DC=department1,DC=loc))
2. Synchronizing the Active Directory server time and Bitrix24 time.
When our client's server was created, no time was assigned in the settings, so imported users remained inactive without manual activation. There is no synchronization date in the list of users. Without manual editing, these users have no rights and can neither log into Bitrix24 nor be synchronized. This is all due to the server settings.
Solution:
-
Change the value of the MySQL parameter ‘explicit_defaults_for_timestamp’ to ‘Off’.
- Perform website check.
3. Conflict between two copies of the same user.
If the login and email of a user from Active Directory are not the same as the login of that user, who registered manually in Bitrix24 earlier, there will be two account copies for the same person in Bitrix24. It is necessary to deactivate the Bitrix24 account registered earlier and transfer all their tasks to the user account imported from Active Directory.
Solution:
make the user imported from Active Directory the main user and transfer all current tasks to that user, then fire the ‘copy’.
Correct synchronization was only possible for the upper folder of Active Directory, whereas the subfolders were ignored.
The subfolders were ignored because we had not imported the company structure into Bitrix24. If company structure is imported, synchronization will work for subfolders too.
If company structure is not imported, only upper folder synchronization is possible.
Solution:
All users were transferred to one folder, and synchronization was performed from that folder. Since we had decided against transferring the structure, that was the only solution.
5. Synchronizing a First Name and Surname copy in a different language.
Since our client was an international company, the main first name and surname were given in English. But inside Bitrix24, it would be convenient to see names in the local languages of the employees – English, Spanish, French, German, etc.
Solution:
Additional First Name (RU) and Surname (RU) were added and synchronized using the "ExtensionAttribute1" and "ExtensionAttribute2" attributes. It is not recommended to use standard Bitrix24 fields to solve this problem, as they are used in quite unexpected places. For example, it is impossible to use a patronymic as standard Full Name in Russian, because when being synchronized with iPhone the iPhone user became Ivanov Ivanov Ivan Ivanovich Ivan.
6. Transferring large images from Active Directory to Bitrix24.
The problem is caused by AD limitations. The image size is limited to 95x95 pixels and 100 kilobytes maximum.
Solution:
An additional ‘jpegPhoto’ field was added to Active Directory. The size is also limited to 100 kilobytes, but the jpg type will ensure maximum compression. It is not recommended to upload photos larger than 300x300 pixels because Bitrix24 has a limitation of 300x300 pixels for output profile photos, so photos with greater resolution will be oversized.
Matching Bitrix24 user fields and Active Directory/LDAP attributes.
Here are some details for developers and administrators:
The method used is $arSyncFields.
The following information is inserted into the Bitrix fields:
"EMAIL" => Array("NAME" => GetMessage("LDAP_FIELD_EMAIIL"), "AD"=>"mail", "LDAP"=>"email"),
At the array entrance, where the first parameter is mandatory, it is the translation of the field name called up by the GetMessage function, the second parameter is not mandatory – it is the field name from AD, the third parameter is not mandatory – it is the field name from LDAP. If the fields match, information is copied from them. If the field is empty, synchronization will not take place.
|
Bitrix24 |
Translation (RU) / Translation ID for function GetMessage |
AD |
LDAP |
Special features |
|
ACTIVE |
User active / LDAP_FIELD_ACTIVE |
UserAccountControl&2 |
UserAccountControl&2 |
|
|
|
E-Mail / LDAP_FIELD_EMAIIL |
|
|
|
|
NAME |
Name / LDAP_FIELD_NAME |
givenName |
cn |
|
|
LAST_NAME |
Surname / LDAP_FIELD_LAST_NAME |
sn |
sn |
|
|
SECOND_NAME |
Patronymic / LDAP_FIELD_SECOND_NAME |
|
|
|
|
PERSONAL_GENDER |
Sex / LDAP_FIELD_GENDER |
|
|
only M or F |
|
PERSONAL_BIRTHDAY |
Date of birth / LDAP_FIELD_BIRTHDAY |
|
|
DOB format - 01.01.1997 (day.month.year) |
|
PERSONAL_PROFESSION |
Profession / LDAP_FIELD_PROF |
|
|
|
|
PERSONAL_PHOTO |
Photo / LDAP_FIELD_PHOTO |
thumbnailPhoto |
jpegPhoto |
Image size - no more than 100 kilobytes |
|
PERSONAL_WWW |
WWW-page / LDAP_FIELD_WWW |
wWWHomePage |
|
|
|
PERSONAL_ICQ |
ICQ (no translation) |
|
|
|
|
PERSONAL_PHONE |
Phone / LDAP_FIELD_PHONE |
homePhone |
|
|
|
PERSONAL_FAX |
Fax / LDAP_FIELD_FAX |
|
|
|
|
PERSONAL_MOBILE |
Mobile / LDAP_FIELD_MOB |
mobile |
|
|
|
PERSONAL_PAGER |
Pager / LDAP_FIELD_PAGER |
|
|
|
|
PERSONAL_STREET |
Street, building / LDAP_FIELD_STREET |
streetAddress |
|
|
|
PERSONAL_MAILBOX |
Mailbox / LDAP_FIELD_MAILBOX |
postOfficeBox |
|
|
|
PERSONAL_CITY |
City / LDAP_FIELD_CITY |
l |
|
|
|
PERSONAL_STATE |
Region / Territory / LDAP_FIELD_STATE |
st |
|
|
|
PERSONAL_ZIP |
Zip code / LDAP_FIELD_ZIP |
postalCode |
|
|
|
PERSONAL_COUNTRY |
Country / LDAP_FIELD_COUNTRY |
c |
|
|
|
WORK_COMPANY |
Company name / LDAP_FIELD_COMPANY |
company |
|
|
|
WORK_DEPARTMENT |
Division / Department / LDAP_FIELD_DEP |
department |
|
|
|
WORK_POSITION |
Position / LDAP_FIELD_POS |
title |
|
|
|
WORK_PHONE |
Phone / LDAP_FIELD_WORK_PHONE |
telephoneNumber |
|
|
|
WORK_FAX |
Fax / LDAP_FIELD_WORK_FAX |
facsimileTelephoneNumber |
|
|
|
WORK_PAGER |
Pager / LDAP_FIELD_WORK_PAGER |
|
|
|
|
ADMIN_NOTES |
Administrator’s notes / LDAP_FIELD_ADMIN_NOTES |
description |
|
|
Our Conclusions on Active Directory and Bitrix24 integration
This integration is an important process for large companies.
It's very much possible to Integrate and synchronize Bitrix24 and Active Directory.
The tools necessary for the task are available in Bitrix24, but it requires additional settings and sometimes maintenance work.
There isn't sufficient information in the documentation, so your integrator will have to study problems as they arise and configure a lot of parameters (User Filter, Matching User Fields and LDAP attributes, Filter for Groups of Users, Tree Root (base DN)).
Correct operation of the basic module synchronization functionality is ensured only in case of installation on new Bitrix24. When it is to be installed on Bitrix24 which already has previously invited users, a lot of problems can arise. They can be solved, but it's better to avoid them.
INTERVOLGA recommends integrating Bitrix24 with Active Directory when setting up Bitrix24 for the first time.
We successfully integrated Active Directory with Bitrix24 to our customer’s satisfaction.
If you need to set up Bitrix24 and Active Directory integration, we will be happy to help you.
Send us a message!
- 12.07.2022
-
Anton Kolodnitskiy