Active Directory
Overview
The On-premises Active Directory connector enables seamless integration with Microsoft Active Directory for user and group management. This connector allows Leena AI Agents to search, retrieve, create, update, and delete user accounts and groups within your on-premises AD environment, making it ideal for identity management and authentication workflows.
Leena AI uses an LDAP connector that is deployed within the same infrastructure as Active Directory.
API Details
Leena AI integrates with Active Directory via the LDAP protocol.
Documentation link:
Setup
On-premises Active Directory connections require secure domain credentials to access directory information.
Prerequisites
Before setting up the Active Directory connector, ensure you have:
Server Requirements for Deploying AD Connector:
- 2 vCPUs
- 4 GB RAM
- Ubuntu
- Outbound internet access from the server (Initial setup & maintenance)
- SSL certificate
Active Directory Requirements:
- List of all the AD forests, domains, and subdomains, with their private IPs and DNs
- Credentials to authenticate/bind with the AD (need separate credentials if there are multiple forests and credentials vary for each forest), along with appropriate permissions to perform the listed actions
- Ability to connect to the server from Leena AI's side (either via IP whitelisting or via site-to-site VPN)
- Test users, groups, etc. to test the privileges
Get credentials
Add connection
Here is how to add a connection on Leena AI:
- Log in to your Leena AI workspace
- Navigate to Settings > Integrations
- Search for "Active Directory" and select it from the list to add its new connector
- Start configuring the connector:
  - Domain Controller: The hostname or IP address of the AD domain controller
  - Port: The port number for the AD server (typically 389 for LDAP or 636 for LDAPS)
  - Domain: The Active Directory domain name (e.g., "company.local")
  - Username: The username with appropriate permissions to access AD
  - Password: The password for the user account
  - Use SSL: Boolean to indicate whether to use LDAPS (LDAP over SSL)
- Save the connector configuration
Actions
The following actions are supported for the Active Directory connector:
Search Users
This action searches for user accounts based on specified criteria. The Agent can leverage this action to find users in the Active Directory environment.
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Search Base | The base Organizational Unit (OU) from which to start the search |
Optional
| Name | Description |
|---|---|
| Search Filter | AD search filter expression (e.g., "(&(objectClass=user)(objectCategory=person))") |
| Search Scope | The scope of the search: Base, One Level, or Subtree |
| Attributes | List of attributes to return (leave empty for default user attributes) |
| Page Size | Number of results per page (for large result sets) |
Here is a sample JSON input:
```json
{
  "Search Base": "OU=Users,DC=example,DC=com",
  "Search Filter": "(&(objectClass=user)(objectCategory=person))",
  "Search Scope": "Subtree",
  "Attributes": ["sAMAccountName", "displayName", "mail"],
  "Page Size": 100
}
```
Response
The action returns an array of matching users with their requested attributes.
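When the Search Filter is assembled from text a user typed to the Agent, the value has to be escaped per RFC 4515 so that characters such as parentheses and asterisks are matched literally instead of being parsed as filter syntax. The following is an added example, not Leena AI's code; the function names and the choice to match on displayName are assumptions.

```python
import json

# RFC 4515: these characters must appear as \XX inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape untrusted text so it is matched literally, never parsed as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_users_input(search_base: str, display_name: str) -> dict:
    """Build a Search Users input that matches one exact displayName."""
    if not display_name.strip():
        raise ValueError("display_name must not be empty")
    search_filter = (
        "(&(objectClass=user)(objectCategory=person)"
        "(displayName=" + escape_filter_value(display_name) + "))"
    )
    return {
        "Search Base": search_base,
        "Search Filter": search_filter,
        "Search Scope": "Subtree",
        "Attributes": ["sAMAccountName", "displayName", "mail"],
        "Page Size": 100,
    }


if __name__ == "__main__":
    # Constructed sample: a display name containing filter metacharacters.
    payload = build_search_users_input("OU=Users,DC=example,DC=com", "John Doe (Contractor)")
    print(json.dumps(payload, indent=2))
```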
Create User
Create a new user in Active Directory. The Agent can leverage the skill (workflow), which has been designed to create a new user account in AD, once the appropriate approvals are obtained.
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Forest | The AD forest name |
| Parent DN | Distinguished name of the parent container |
| RDN | Relative Distinguished Name for the new user |
| Entry | User attributes in JSON format |
Optional
Common User Attributes that can be included in the Entry field:
| Name | Description |
|---|---|
| sAMAccountName | User login name |
| userPrincipalName | User principal name |
| displayName | Display name |
| givenName | First name |
| sn | Last name |
| mail | Email address |
| description | User description |
Here is a sample JSON input:
```json
{
  "Forest": "production.local",
  "Parent DN": "OU=Users,DC=example,DC=com",
  "RDN": "CN=John Doe",
  "Entry": {
    "sAMAccountName": "jdoe",
    "userPrincipalName": "[email protected]",
    "displayName": "John Doe",
    "givenName": "John",
    "sn": "Doe",
    "mail": "[email protected]",
    "description": "Sales Manager"
  }
}
```
Response
Upon successful creation, the action returns confirmation of user creation with the user's distinguished name.
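The RDN becomes part of a distinguished name, so a name taken from HR data needs RFC 4514 escaping before it is placed there; a "Last, First" common name otherwise splits into two RDNs at the comma. The following is an added example, not Leena AI's code: the function names, the naming convention and the `upn_suffix` parameter are hypothetical, and it assumes the connector passes the RDN through as an RFC 4514 string.

```python
def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)  # leading space or '#', trailing space
        else:
            out.append(ch)
    return "".join(out)


def build_create_user_input(forest, parent_dn, given_name, surname, login, upn_suffix):
    """Build a Create User input from HR-style fields (all parameters are hypothetical)."""
    common_name = f"{surname}, {given_name}"  # assumed "Last, First" naming convention
    return {
        "Forest": forest,
        "Parent DN": parent_dn,
        "RDN": "CN=" + escape_rdn_value(common_name),
        "Entry": {
            "sAMAccountName": login,
            "userPrincipalName": f"{login}@{upn_suffix}",
            "displayName": common_name,  # plain attribute value: no DN escaping here
            "givenName": given_name,
            "sn": surname,
        },
    }


def full_dn(payload: dict) -> str:
    """The DN the new entry will have: RDN followed by the parent container."""
    return payload["RDN"] + "," + payload["Parent DN"]
```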
Update/Modify User
Update an existing user's attributes. Orchestrator can leverage this action to allow users to update their details in AD.
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Forest | The AD forest name |
| Distinguished name | DN of the user to modify |
Optional
| Name | Description |
|---|---|
| Replace | List of attributes to replace |
| Add | List of attributes to add |
| Delete | List of attributes to delete |
Here is a sample JSON input:
```json
{
  "Forest": "production.local",
  "Distinguished name": "CN=John Doe,OU=Users,DC=example,DC=com",
  "Replace": [
    {"attribute": "title", "value": "Senior Manager"}
  ],
  "Add": [
    {"attribute": "proxyAddresses", "value": "[email protected]"}
  ],
  "Delete": [
    {"attribute": "description"}
  ]
}
```
Response
Upon successful update, the action returns confirmation of user modification.
Reset User Password
Reset a user's password in Active Directory. The Agent can leverage this action when users request password resets.
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Distinguished name | DN of user whose password to reset |
| Password | New password for the user |
Here is a sample JSON input:
```json
{
  "Distinguished name": "CN=John Doe,OU=Users,DC=example,DC=com",
  "Password": "SecureP@ssw0rd123"
}
```
Response
Upon successful password reset, the action returns confirmation of password reset.
Delete User
Remove a user from Active Directory. This action can be used as part of an offboarding journey.
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Distinguished name | DN of the user to delete |
Here is a sample JSON input:
```json
{
  "Distinguished name": "CN=John Doe,OU=Users,DC=example,DC=com"
}
```
Response
Upon successful deletion, the action returns confirmation of user deletion.
Search Groups
Search for groups in Active Directory. This action is primarily a supporting action that Orchestrator uses to fulfill a request to add users to a specific group or a list of groups.
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Base | Search base DN |
Optional
| Name | Description |
|---|---|
| Query Planner | Use query planner for search |
| Filter String | LDAP filter string |
| Filter Object | Filter configuration |
Here is a sample JSON input:
```json
{
  "Base": "OU=Groups,DC=example,DC=com",
  "Query Planner": true,
  "Filter String": "(&(objectClass=group)(name=Sales))"
}
```
Response
The action returns an array of matching groups.
Create Group
Create a new group in Active Directory. Admins and managers can use this action whenever a new group (security group) needs to be created in AD. This action works in tandem with adding users to an existing group.
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Forest | The AD forest name |
| Parent DN | Distinguished name of the parent container |
| RDN | Relative Distinguished Name for the new group |
| Entry | Group attributes in JSON format |
Optional
Common Group Attributes that can be included in the Entry field:
| Name | Description |
|---|---|
| sAMAccountName | Group login name |
| description | Group description |
| groupType | Type of group |
| mail | Group email |
Here is a sample JSON input:
```json
{
  "Forest": "production.local",
  "Parent DN": "OU=Groups,DC=example,DC=com",
  "RDN": "CN=Sales Team",
  "Entry": {
    "sAMAccountName": "sales-team",
    "description": "Sales department security group",
    "groupType": -2147483646,
    "mail": "[email protected]"
  }
}
```
Response
Upon successful creation, the action returns confirmation of group creation.
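The `groupType` value in the sample is a bit mask that AD stores as a signed 32-bit integer: one scope bit plus an optional security-enabled bit, which is why a security group appears as a negative number. The following is an added example, not Leena AI's code, that encodes and decodes the value and summarises a Create Group input for an approver; the function names and the pre-flight review step are hypothetical.

```python
SECURITY_ENABLED = 0x80000000
SCOPE_BITS = {"global": 0x2, "domain_local": 0x4, "universal": 0x8}


def encode_group_type(scope: str, security_enabled: bool) -> int:
    """Return groupType as the signed 32-bit integer that AD stores."""
    raw = SCOPE_BITS[scope] | (SECURITY_ENABLED if security_enabled else 0)
    return raw - (1 << 32) if raw & SECURITY_ENABLED else raw


def decode_group_type(group_type: int) -> dict:
    """Decode groupType; reject values that do not carry exactly one scope bit."""
    raw = group_type & 0xFFFFFFFF  # view the signed value as unsigned bits
    scopes = [name for name, bit in SCOPE_BITS.items() if raw & bit]
    if len(scopes) != 1:
        raise ValueError(f"groupType {group_type} must set exactly one scope bit")
    return {"scope": scopes[0], "security_enabled": bool(raw & SECURITY_ENABLED)}


def review_create_group(payload: dict) -> str:
    """Summarise a Create Group input for an approver (hypothetical pre-flight step)."""
    info = decode_group_type(payload["Entry"]["groupType"])
    kind = "security" if info["security_enabled"] else "distribution"
    return f'{payload["RDN"]} in {payload["Parent DN"]}: {info["scope"]} {kind} group'
```

Run against the sample input above, `review_create_group` reports a global security group, which is the kind that can grant access and is worth an explicit approval.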
Modify Group
Update an existing group's attributes. The Agent can leverage this action to modify group properties as needed.
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Forest | The AD forest name |
| Distinguished name | DN of the group to modify |
Optional
| Name | Description |
|---|---|
| Replace | List of attributes to replace |
| Add | List of attributes to add |
| Delete | List of attributes to delete |
Here is a sample JSON input:
```json
{
  "Forest": "production.local",
  "Distinguished name": "CN=Sales Team,OU=Groups,DC=example,DC=com",
  "Replace": [
    {"attribute": "description", "value": "Updated description"}
  ],
  "Add": [
    {"attribute": "managedBy", "value": "CN=Manager,OU=Users,DC=example,DC=com"}
  ],
  "Delete": [
    {"attribute": "mail"}
  ]
}
```
Response
Upon successful modification, the action returns confirmation of group modification.
Delete Group
Remove a group from Active Directory. Admins and managers can use this action to delete existing dormant groups as part of a cleanup activity.
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Distinguished name | DN of the group to delete |
Here is a sample JSON input:
```json
{
  "Distinguished name": "CN=Sales Team,OU=Groups,DC=example,DC=com"
}
```
Response
Upon successful deletion, the action returns confirmation of group deletion.
Add Members to Group
Add users to an Active Directory group. The Onboarding Agent can use this action to add newly onboarded candidates to specific groups (which grants them certain access), as governed by rules and logic.
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Distinguished name | DN of the target group |
| Members | List of member DNs to add |
Here is a sample JSON input:
```json
{
  "Distinguished name": "CN=Sales Team,OU=Groups,DC=example,DC=com",
  "Members": [
    "CN=John Doe,OU=Users,DC=example,DC=com"
  ]
}
```
Response
Upon successful addition, the action returns confirmation of members added to the group.
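Because group membership grants access, a workflow can check the target group and member DNs against an allowed base before the action runs; the same check applies to the remove, modify and delete actions. The following is an added example, not Leena AI's code: the allowed bases and function names are assumptions, and DNs are compared RDN by RDN (case-insensitively, respecting escaped commas) rather than by raw string suffix.

```python
ALLOWED_GROUP_BASE = "OU=Groups,DC=example,DC=com"   # assumption: agent-managed groups
ALLOWED_MEMBER_BASE = "OU=Users,DC=example,DC=com"   # assumption: agent-managed users


def split_dn(dn: str) -> list:
    """Split a DN into RDNs on unescaped commas, lower-cased for comparison."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).lstrip().lower())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).lstrip().lower())
    return parts


def is_under(dn: str, base: str) -> bool:
    """True when dn is a strict descendant of base (the base itself does not count)."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) > len(b) and d[-len(b):] == b


def check_add_members(payload: dict) -> list:
    """Return policy violations for an Add Members to Group input; empty means allowed."""
    problems = []
    if not is_under(payload["Distinguished name"], ALLOWED_GROUP_BASE):
        problems.append("group outside allowed base")
    for member in payload["Members"]:
        if not is_under(member, ALLOWED_MEMBER_BASE):
            problems.append("member outside allowed base: " + member)
    return problems
```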
Remove Members from Group
Remove users from an Active Directory group. The Off-boarding Agent can use this action to remove employees/users from specific groups on or before their last working day (which revokes access), as governed by rules and logic.
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Distinguished name | DN of the target group |
| Members | List of member DNs to remove |
Here is a sample JSON input:
```json
{
  "Distinguished name": "CN=Sales Team,OU=Groups,DC=example,DC=com",
  "Members": [
    "CN=John Doe,OU=Users,DC=example,DC=com"
  ]
}
```
Response
Upon successful removal, the action returns confirmation of members removed from the group.
