If you are experiencing problems with Active Directory (AD) integration, this article explains how AD integration is implemented in Triofox and should help you diagnose AD-related issues.
Triofox integrates with Active Directory (AD) by allowing you to import AD users through the web portal. Once you have a successful link between Triofox and an AD, you will be able to select the following AD entities when defining Team Folder Collaborators or Team Folder permissions:
- Organizational Units,
- Proxied Groups (aka. Roles. Example: Administrators, Users, Guests, etc.), and
If you import one or more users by selecting an AD group that contains the users, the users will not show up in Triofox's user management until they have logged in to Triofox for the first time. If you import an AD user directly, the user will show up immediately under Triofox's user management.
Once a user is imported into Triofox, it will remain linked to Active Directory by the following 3 AD properties. All 3 properties must match in both systems:
- userPrincipalName (aka. UPN, example: email@example.com),
- sAMAccountName (aka. SAM, example: myname), and
- email (example: firstname.lastname@example.org)
You can inspect these properties in AD to diagnose AD/Triofox link problems by right-clicking a user and choosing "Properties" from the context menu, then opening the "Attribute Editor" tab to view the property names and values. The Attribute Editor is only shown when AD's Advanced Features are enabled, so if you don't see this tab, enable Advanced Features from the View menu. On the Triofox side, the AD values are stored in the database and are not visible through the web portal.
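As an added example (not part of Triofox or this article), the following PowerShell snippet pulls the three linking attributes for a list of users so they can be compared with the Triofox records, and flags any attribute that is empty, since an empty value can never match. It assumes the ActiveDirectory RSAT module is installed, that Triofox's "email" property corresponds to the AD `mail` attribute, and uses constructed sample account names (`jdoe`, `asmith`); the function name `Get-TriofoxLinkAttributes` is hypothetical. The `Enabled` column is included because, as described further below, a user disabled in AD still appears as enabled in Triofox.

```powershell
# Added example, not Triofox tooling: dump the three AD attributes Triofox uses to link an
# imported user (userPrincipalName, sAMAccountName, mail) so they can be compared with the
# values Triofox stored at import time. Assumes the ActiveDirectory RSAT module is installed
# and that Triofox's "email" maps to the AD "mail" attribute.
Import-Module ActiveDirectory

function Get-TriofoxLinkAttributes {
    [CmdletBinding()]
    param(
        # sAMAccountName, UPN, distinguished name or SID of the users to inspect
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Identity,

        # Domain controller to query; use the one Triofox is configured against
        [string]$Server
    )
    process {
        foreach ($id in $Identity) {
            $params = @{
                Identity   = $id
                Properties = 'userPrincipalName', 'sAMAccountName', 'mail', 'Enabled'
            }
            if ($Server) { $params.Server = $Server }

            try {
                $u = Get-ADUser @params
            }
            catch {
                Write-Warning "$id : not found in AD ($($_.Exception.Message))"
                continue
            }

            # Any empty linking attribute means Triofox cannot match this user
            $missing = @('userPrincipalName', 'sAMAccountName', 'mail') |
                Where-Object { -not $u.$_ }

            [pscustomobject]@{
                Identity          = $id
                userPrincipalName = $u.userPrincipalName
                sAMAccountName    = $u.sAMAccountName
                mail              = $u.mail
                EnabledInAD       = $u.Enabled
                MissingAttributes = ($missing -join ',')
            }
        }
    }
}

# Usage (constructed sample accounts): compare each row with the user's record in Triofox;
# all three values must match exactly, including case differences in the UPN or mail.
Get-TriofoxLinkAttributes -Identity 'jdoe', 'asmith' | Format-Table -AutoSize
```

Run it against the same domain controller Triofox connects to (`-Server`), since replication lag between controllers can otherwise make a freshly changed attribute look inconsistent.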
Any changes made to a user in AD are not reflected back to Triofox, nor vice versa. For example, if a person changes her last name due to marriage, the last name change has to be performed manually in both Triofox and AD. If you only change the last name in AD, the link with Triofox is still maintained as long as the userPrincipalName, sAMAccountName, and email don't also change. The user will still be able to log in to Triofox, but the display name will differ between the two systems. At the time of this writing, this behavior is by design, but additional AD synchronization may be implemented in the future.
If you change a user's password in AD, the user will immediately be able to log in to Triofox with both the new password (from AD) and the old password (still stored in Triofox); an AD password change alone does not invalidate the previous Triofox password. If you wish to keep both systems on the same password, the password change also has to be made manually in Triofox.
If you disable the user only in AD, the Triofox login will also be effectively disabled, but the user will still appear as enabled on the user management screen. To avoid confusion, you will also have to disable/suspend the user in Triofox.
For the reasons mentioned above, it is best not to "recycle" AD users by renaming the AD properties of a person who has left the organization so that the account is reused for a new person. It is always best to create new AD users from scratch and then import them into Triofox.
Unlike changes to users, changes to AD Organizational Units (OUs) and Groups, such as OU/Group renames or adding/removing child entities, are reflected immediately in Triofox. If they aren't, try clicking the refresh button on the Tenant Dashboard->User Details (click on a user)->Groups page. If group memberships still don't update after a group refresh, make sure that you are connecting to AD with an administrative account. Creating service accounts for this purpose is not recommended, since they lack the "read memberOf" LDAP setting. Without it, an AD connection can be established, but Triofox may not work properly.
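To tell a permission problem on the connecting account apart from a Triofox refresh problem, the following added PowerShell example (not part of Triofox) reads a user's `memberOf` attribute twice: once with the credentials Triofox uses to connect to AD, and once from the current administrative session. If the connecting account sees fewer groups than the administrator does, the cause is the connecting account's read permissions, which is exactly the situation described above. It assumes the ActiveDirectory RSAT module; `Test-GroupMembershipReadable` is a hypothetical function name, and `jdoe` and `dc01.example.com` are constructed sample values.

```powershell
# Added example, not Triofox tooling: check whether the account Triofox uses to bind to AD
# can read group membership (memberOf) for a user, compared with what an administrator sees.
# Assumes the ActiveDirectory RSAT module is installed.
Import-Module ActiveDirectory

function Test-GroupMembershipReadable {
    [CmdletBinding()]
    param(
        # User whose group membership Triofox should be able to see
        [Parameter(Mandatory)][string]$UserIdentity,

        # Credentials of the account configured in Triofox for the AD connection
        [Parameter(Mandatory)][pscredential]$Credential,

        # Domain controller Triofox connects to
        [string]$Server
    )

    # Query as the connecting account, the way Triofox would
    $connectorParams = @{ Identity = $UserIdentity; Properties = 'memberOf'; Credential = $Credential }
    if ($Server) { $connectorParams.Server = $Server }
    $seenByConnector = @((Get-ADUser @connectorParams).memberOf)

    # Query from the current (administrative) session for comparison
    $adminParams = @{ Identity = $UserIdentity; Properties = 'memberOf' }
    if ($Server) { $adminParams.Server = $Server }
    $seenByAdmin = @((Get-ADUser @adminParams).memberOf)

    # Groups the administrator sees but the connecting account does not
    $missing = @($seenByAdmin | Where-Object { $_ -notin $seenByConnector })

    [pscustomobject]@{
        User                  = $UserIdentity
        GroupsSeenByConnector = $seenByConnector.Count
        GroupsSeenByAdmin     = $seenByAdmin.Count
        MembershipReadable    = ($missing.Count -eq 0)
        MissingFromConnector  = $missing
    }
}

# Usage (constructed sample values): prompt for the credentials Triofox uses, then compare.
$connectAccount = Get-Credential -Message 'Account Triofox uses to connect to AD'
Test-GroupMembershipReadable -UserIdentity 'jdoe' -Credential $connectAccount -Server 'dc01.example.com' |
    Format-List
```

Pick a test user who is known to belong to at least one group (beyond the primary group, which is not listed in `memberOf`); a `MembershipReadable` value of `False` means Triofox's group-based imports and Team Folder permissions cannot resolve correctly with that connecting account, regardless of how often the Groups page is refreshed.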
If you have any questions, please don't hesitate to contact us at email@example.com.