Managing the AD Sync Tool in zoom App
You can run the AD Sync Tool from a command line on a Windows, Linux, or macOS system if you wish
Active Directory (AD) and Zoom can be synced. Zoom can sync with AD.
Your Zoom account can automatically manage users when your LDAP/AD system for those users changes.
Neither a GUI nor web interface are included with the tool, which runs in the console. Settings are configured through a properties file, and you can check the log files to see the details of any changes or troubleshoot
Problems.
The AD Sync Tool allows you to create, update, and deactivate/delete users in your LDAP/AD server, update the Zoom user’s email (the new email domain must be in the associated domain), and sign out users after their password has been changed, deleted, or disabled.
These attributes are supported by the AD Sync Tool:
- The name of the first person
- is LastName
- YourEmail
- TheDepartment
- YourJob
- Contact Information
- Employer
- Contact Center
- Identifier
Prerequisites for the AD Sync Tool
- The following features are enabled in a Zoom account:
- URL vanity
- URL
- Activate Directory
- is configured with single sign on in Zoom
- (contact Zoom support for more information).
- LDAP services, such as Active Directory Federation Services (ADFS), can be used as well.
- If you have access to the username and password of an LDAP (or Microsoft AD) administrator account
Quick start
- Run the following command to make sure Java is properly installed after installing Oracle JDK version 8:
install java.
- Click here to download zoomadsynctool.zip: http://cdn.zoom.us/prod/tools/zoomadsynctool.zip
- The ad-tool-$[version].zip file should be unzipped.
- As described in Configuration, update the config.properties file. Next, copy the config.properties file to the same folder where the adtool-$[version].jar file is located.
- Make sure the tool configuration files are protected with a secret code. This code must be entered every time the tool is run.
- Run the following command to start the tool:
start /bin/adtool.cmd
If your Zoom account does not have users in Active Directory, running the start command can delete or deactivate existing users. For more information, see Zoom account configuration:
zoom.allow.delete.missing.user
Notes:
- Launch AD Sync Tool as a daemon. It will runIn the beginning, a full synchronization will be run, followed by incremental synchronizations every 40 minutes. So Password changes will also be monitored. synchronization result before applying any changes to your Zoom account, run the following command:
-
preview
- If any command fails to run, check the log file.
Configuration
Configuration.properties contains a number of parameters that determine how synchronization is performed by the tool.
Synchronization can be performed in two ways:
- Synchronizes all AD users with Zoom users that have different attributes.
- Does not sync newly created AD users.
Below are the sections of the file that need to be updated.
This file should not contain credentials.
Zoom setting (updated values optional)
- You can find your vanity URL by going to www.zoom.vanity.url.
Sync options (updated values required)
- When creating a new Zoom user, Zoom.default.user.type is applied. The three types of users are Basic, Licensed, and On-Premise. By default, there are two users.
- When Zoom.allow.create.user is set to true, you can create new Zoom users if these users already exist in your AD. When set to false, you cannot create new users.
- The Zoom.allow.update.user property determines if Zoom users should be updated when they are different from your Active Directory users. When true, Zoom users are updated; when false, Zoom users are not updated.
- Zoom.allow.delete.user: Determine whether you want to delete Zoom users when they are removed from your AD. If true, they will be deleted. If false, they won’t be deleted.
- When performing a “delete” action, determine if you wish to delete or deactivate the user from Zoom. Choose either one. Zoom defaults to 1. Zoom.allow.delete.user or zoom.allow.delete.missing.user determine whether the user can be deleted.
- Zoom.allow.delete.missing.user: Determine whether you want to delete users from Zoom if these users don’t exist in AD when a full synchronization is run (the first time this tool is run). False: does not delete missing users from Zoom. True: does not delete missing users from Zoom. Failed: does not delete missing users from Zoom. To avoid affecting existing Zoom users, choose false.
- Zoom.monitor.job.interval.minutes: Exercising the monitor job at a specified interval. It defaults to 15 minutes.
- Zooom.incremental.sync.job.interval.minutes: The interval in which the incremental sync job is executed. 40 minutes is the default interval.
LDAP/AD settings (updated values required)
With this tool, LDAP/AD connections can be made. The value “n” identifies an LDAP server’s index. The index starts at zero.
- The URL associated with an LDAP or Active Directory server (LDAP.servers[n].url).
- Users can be located using LDAP.servers[n].base.
- Ldap.servers[n].groups[m] is the full DN for a user group. If this value is empty, all groups will be synchronized. Members of a specified group will only be synced if a DN is specified. By setting it to empty, you won’t filter users by group. Each group is identified by the index “m” on a single server. “m” is normally blank.
- ldap.servers[n].deletedBase is the location where deleted items are searched. CN=Deleted Objects (optional). The values can be changed depending on your environment.
- With ldap.default.query.pageSize, an LDAP server returns the maximum number of users per page/query.
Attribute mapping (updated values optional)
- LDAP.user.email is the name of the email field in AD. The default value is userPrincipalName.
- The first name field in Active Directory is LDAP.user.firstname. The default value is LDAP.user.firstname.
- LDAP.user.lastname is the AD field for last names. It defaults to LDAP.user.department in AD. AD’s telephone number field name is ldap.user.phoneNumber (disabled by default)Defaults to Defaults to in AD’s job title field name is ldap.user.jobTitle (disabled by default)Defaults toin AD. By default, title is selected.
- It is the default value to use Ldap.user.company (disabled).deFAAD field name for employee unique identifier.user.employee (disabled by default).ID By default, employeeID is used.alThe name of the cost center field in AD (disabled by default). field name in AD. There is no default value. You must choose the attribute.
Logging setting
- Log.dir: Sets the log files’ base directory. Relative paths can be used. You can also use C: or D:, or an absolute path. By default, the .jar file is located at . (current adtool-$[version].)
Sync commands
An example of an execution script is: bin/adtool.cmd. Examples include:
- The following steps apply to Windows systems:
run bin/adtool.cmd
- For a Linux or macOS system:
bin/adtool.sh setup
setup
Configure the Zoom account and LDAP authentication credentials. Change any of the credentials as needed.
To update the credentials, run the setup command. Once the command has been run, the credentials will be updated.
You will be asked to enter Zoom API keys, API secrets, and AD usernames and passwords.
Flow of setup:
- The secret code must be entered.
- Ensure it is correct.
- Zoom API key must be entered.
- Zoom API secret must be entered.
- Enter the distinguished name of the LDAP server user.
- Input the LDAP user password.
Editors cannot see the secret code, API secret, or password.
Start
The AD Sync Tool should be started as a service. After the first synchronization, an incremental synchronization will be run every 40 minutes until you shut down the tool. The tool will also monitor password changes. This command eliminates the need to install Task Scheduler or CRON.
Preview
Make changes to your Zoom account without affecting the synchronization result. You can use this to ensure that options in the tool are working properly.
Reset
This tool should be reset to its default settings. The tool will clean all local configurations and cached data. The reset command can be used if you are unable to run the tool for any reason.
Sync
Zoom and LDAP should be synchronized once, either in full or incrementally. It is recommended to run a preview before running the full sync to ensure that After a full synchronization is completed, an incremental synchronization will run. The sync command should be appended with “–all” if you want to do a full sync.r the sync command.
Monitor
When the password in LDAP/AD changes, monitor the password change event and log out Zoom users from all devices. If the password of an LDAP or AD user has been changed, this tool monitors the event, but it cannot obtain the password.
Migrate
Upgrade the legacy configuration file (less than version 1.0) to the latest format. You can configure the settings manually if the migration fails.
Test
Make sure the configuration works. LDAP/AD server and Zoom will be connected and authenticated by the credential.
Log files
Log files can be used to find out more about the synchronized records as well as to troubleshoot any sync failures. A maximum of one log file per type is generated each day. Zoom AD Sync will append the information from that run to the file that was previously generated for the same day if you run it more than once in the same day.
- This is zoomadtool-sync.yyyy-MM–dd.[num].log, which the tool uses to check for errors.
Security
Enabling SSL/TLS connection for ADFS
When using LDAPS via port 636 to connect to an Active Directory server via SSL, you must retrieve the SSL certificate and install it, otherwise the following errors may occur:
If SSL/TLS are not already active on the connection, the server requires bind to turn on integrity checking…”
or
“sun.security.provider.certpath.SunCertPathBuilderException: Could not locate valid certification paths to requested targets.”
Retrieving and installing the SSL certificate
Connect the AD Sync tool via TLS by importing the SSL certificate:
- Launch the Windows Management Server Manager.
- Open the Certification Authority under Tools.
- Right-click the desired certificate under Issued Certifications.
- Select Properties.
- In the Details section, click the OK button.
- To export the x.509 (.cer) file, click Copy to File and choose the Base-64 encoded version.
- Once the certificate has been exported, click Finish.
- The exported certification should be copied to your local device storage (ex. D:\ca.cert).
- You can access the Java JDK bin location by running the following command in the Command Console:
Set up Java JDK 1.8.0_201 in C:/Program Files/Java
If the actual path to the folder differs from the above path, you will need to modify the command.
- To copy the certificate, use the following command:
keytool.exe -importcert -keystore ..\jre\lib\security\cacerts -storepass changeit -file D:\ca.cer -alias myca
The command structure consists of the following:
- keystore: The location of the new certification. This does not need to be changed.
- keystorepass: The certification’s password.
- -file: The location where you exported the certification.
- -alias: The alias of the new certification.
- After the certificate has been imported, it will be installed. LDAP/AD URL should be updated to ldaps://[address]:636.