×

Want to Search?

Go here

Switch Language

English Nederlands

Contact Us

Get Help Give feedback

I am a Zivver admin

Configure and manage Zivver

07a. Synctool LDAP sources

Introduction

LDAP sources are commonly used to create Zivver user accounts based on Microsoft Active Directory (AD) user accounts.

Synchronization is one-way: from AD to Zivver, not the other way around. You can determine which accounts are synchronized from AD to Zivver using filters. Filters can, for example, be an AD Organizational Unit (OU) or Security Group (SG).

It is not recommended to create Zivver user accounts for (suspended) AD user accounts that belong to an Exchange shared mailbox. See Configure Exchange sources to synchronize Exchange shared mailboxes with Zivver.

Source details

  1. Enter a Source name.
    For example: “Microsoft Active Directory” or the Active Directory forest name.
  2. Enter a Source description.
    For example: the name of the administrator who configured this LDAP source.
  3. Select a Default phone number region.
    This allows the Synctool to easily recognize mobile phone numbers with a country code prefix.

Connection

These settings allow the Synctool to connect to a server that hosts your Active Directory.

  • Host name
    This is the host name of the Domain Controller, for example ad.example.org, or the IP address of that server. This is a mandatory field.

  • Port
    This port will be used for the LDAP connection. Enter 636 and check Use implicit TLS. This is a mandatory field.

  • Authorized user
    Enter the username of the (service) account with read-only rights in Active Directory, as mentioned in the Synctool prerequisites. Usually, this must be provided along with the domain name — for example company\svc_account. This is a mandatory field.

  • Password
    Enter the password for the service account. This is a mandatory field.

  • Base DN
    From your Active Directory, enter the distinguished name of the Organizational Unit that contains all your users. This is a mandatory field.

    Note
    Choose a Base DN high in your AD forest
    Users that are not in the OU entered at Base DN will not be synchronized to Zivver, despite applied filters. Conversely, Zivver accounts will be suspended or deleted in Zivver if they do not fall under the OU entered at Base DN.

    1. Open Active Directory Users and Computers.
    2. Right-click the Active Directory Organizational Unit that contains all your users (i.e. the parent OU).
    3. Select Properties.
    4. Select the Attribute Editor tab.
      In the Attribute Editor you can find the distinguished name.
    5. Copy the distinguished name.
    6. In the Synctool, paste the distinguished name in Base DN.
Tip
Not finding all users in Data Preview?
Try choosing a Base DN higher in the AD domain hierarchy, such as DC=company,DC=org. Don’t worry about getting too many results — you can filter them later.

  • Paging
    Increase paging to a value greater than 1,000 if the result set might contain more than 1,000 users.

    Tip
    Still not finding all users in Data Preview?
    Queries in AD without paging are limited to the first 1,000 users. When you enable paging in the Synctool, it retrieves multiple sets of the configured amount and displays them as one large set. If not all accounts are shown, gradually increase the paging number in steps of 1,000 until all users appear. You can increase the number up to 100,000.
    Read more about paging in AD.

  • LDAP query (replaces the Base DN)
    You can use LDAP queries to directly query Active Directory. Leave this field empty if you’re not familiar with LDAP queries.
    For more information, visit Microsoft’s Wiki page for LDAP filters.

  • Test connection
    Click to verify that the Synctool can establish an LDAP connection with the configuration provided.
    If the connection is refused, it means that the Synctool cannot connect to the AD server via LDAP using the supplied credentials. Common causes include:

    • The host name is incorrect.
      The IP address can also be used instead of the FQDN.
    • The port entered is blocked by a firewall.
      Try both 636 with Use implicit TLS enabled, and 389 with it disabled.
    • The authorized user does not have read permissions on this Active Directory.
    • The authorized user requires or does not require the domain prefix.
      Try both company\svc_account and svc_account.
    • The password is incorrect.
      Try entering the password again.

Users

User Field Mapping (LDAP) maps Active Directory user attributes to Zivver user attributes, allowing Zivver users to be automatically generated based on the information provided from Active Directory.

For each Zivver attribute (in bold) in the Synctool, you can select an Active Directory attribute from the drop-down menu.

Tip
Use default Microsoft AD attributes
You can use the default AD attributes by clicking to quickly fill in the best-practice AD attributes.

Internal Id

  • Default AD attribute: objectGUID

Zivver uses the Internal ID to identify users. Microsoft AD’s objectGUID is a reliable identifier because it never changes, even if the user is renamed or moved. Using the Internal ID allows you to automatically update the user’s email address in Zivver when it changes in Exchange.

See Account Mapping for more information about the Internal ID.

Email

  • Default AD attribute: proxyAddresses(SMTP)

Zivver accounts must have an email address as the username. proxyAddresses takes the primary email address (SMTP address) from the AD attribute proxyAddresses.

If you do not want to synchronize aliases to Zivver, or your organization does not use aliases, you can also use mail as the AD attribute. To do so, open the drop-down menu and select an alternate AD attribute.

Full name

  • Default AD attribute: name

The name of a user. This name is displayed in Zivver notification messages, so it is recommended to select an attribute that contains both the first and last name. Common alternatives include displayName, userPrincipalName, and givenName. Use one of these if name does not return the correct user name.

ZivverAccountKey

  • Default AD attribute: objectGUID

It is recommended to select an AD attribute with a long, random, and unique identifier as the value for the ZivverAccountKey. If no such identifier is available for every user in AD, use objectGUID instead.

Mobile phone

  • Default AD attribute: mobile

Mobile phone numbers are used to automatically configure 2FA via SMS for users who have a mobile number set in AD. Landline numbers should be avoided, as they often cannot receive SMS codes — meaning the user will be unable to log in when Zivver requests a second factor.

Is active

  • Default AD attribute: userAccountControl

The value in userAccountControl determines whether a Zivver account is created, suspended, or deleted. If an AD user is active and has an email address, name, and ZivverAccountKey, a Zivver account will be created if none exists for that email address. It is not recommended to change userAccountControl to a different AD attribute.

Delegates

  • Default AD attribute: MsExchDelegateListLink

Delegates get full access to the Zivver inbox of a personal account. Full access delegations configured in Exchange are automatically mapped to the MsExchDelegateListLink attribute in AD.

Note
Delegates do not work in hybrid Exchange environments
Auto-mapping does not work as expected in Office 365 hybrid environments. This Microsoft article explains that auto-mapping to MsExchDelegateListLink does not work when your organization uses Active Directory on-premises together with Exchange Online (Office 365 Hybrid). Use Exchange source synchronization instead.

Aliases

  • Default AD attribute: proxyAddresses(smtp)

Fetches SMTP addresses from the AD attribute proxyAddresses. Other address types such as SIP and X500 are ignored.

Make sure that all domains listed under SMTP addresses are either excluded by the Domain Filters or are claimed in Zivver.

Groups

Group Field Mapping (LDAP) maps suspended Active Directory user accounts associated with Exchange shared mailboxes to Zivver functional account attributes, allowing Zivver functional accounts to be automatically generated based on the AD object linked to an Exchange shared mailbox.

Note
Group Field Mapping (LDAP) is not recommended
This is a legacy feature, and Zivver does not recommend using it. Please use Exchange source synchronizations to synchronize shared mailboxes to Zivver.

Enable Get Active Directory groups from LDAP to synchronize Active Directory mail-enabled security groups to Zivver as functional accounts.

Enable both Get Active Directory groups from LDAP and Get users with members as groups (this will disable getting users in this source) to synchronize suspended AD objects to Zivver as functional accounts.

Note
Get users with members as groups (this will disable getting users in this source)
If you enable this feature, you cannot synchronize AD objects associated with user mailboxes from this source. Add another LDAP source to synchronize AD objects associated with user mailboxes.

Internal Id

  • Default AD attribute: objectGUID

Zivver uses the Internal Id to identify objects. Microsoft AD’s objectGUID is a reliable identifier because it never changes, even if the object is renamed or moved. Using Internal Id allows the email address in Zivver to automatically update when it is changed in Exchange.

Visit Account Mapping for more information about the Internal Id.

E-mail

  • Default AD attribute: proxyAddresses(SMTP)

Zivver accounts must have an email address as a username. proxyAddresses takes the primary email address (SMTP address) from the AD attribute proxyAddresses.

If you do not want to synchronize aliases to Zivver or your organization does not use aliases, you can also use mail as the AD attribute. Select an alternate AD attribute from the drop-down menu.

Full name

  • Default AD attribute: displayName

The name of a shared mailbox. This name will be displayed in Zivver notifications. It is recommended to select an attribute that contains the complete name. Other commonly used attributes are displayName, userPrincipalName, or givenName. Use these alternatives if name does not provide the full name of the shared mailbox.

Is active

  • Default AD attribute: <empty>

This field must always remain empty. If it shows userAccountControl, remove it and ensure the field is blank.

Aliases

  • Default AD attribute: proxyAddresses

Fetches SMTP addresses from the AD attribute proxyAddresses. Other addresses, such as SIP addresses and X500 addresses, are ignored.

Ensure that all domains listed under SMTP addresses are either filtered out by the Domain Filters or are claimed in Zivver.

Mapping of the group members User is member of group

  • Default AD attribute: memberOf

Fetches the members of mail-enabled security groups from the memberOf attribute.

Group has members

  • Default AD attribute: MsExchDelegateListLink

Delegates receive full access to the Zivver inbox of a personal account. Full access delegations configured in Exchange are automatically mapped to the MsExchDelegateListLink attribute in AD.

If users are allowed to delegate access to their mailbox via Outlook, you can also use publicDelegates as input.

Note
Delegates will not work for hybrid Exchange environments
Auto-mapping does not work as expected in Office 365 hybrid environments. This Microsoft article explains that auto-mapping to MsExchDelegateListLink does not work when your organization uses Active Directory on-premise together with Exchange Online (Office 365 Hybrid). Please use Exchange source synchronizations instead.

Find group members recursively (add members of child groups also to the parten group)

This feature only works if you synchronize mail-enabled security groups that contain other security groups in the memberOf field.

Organizational Units

Organizational Units Mapping maps users and groups from your LDAP source to organizational units (OUs) in Zivver.

If your organization does not use organizational units in Zivver, leave the default None or Excel selected.

Info
How can I check if my organization uses organizational units in Zivver?
If your organization uses organizational units in Zivver, you should have access to the Organization Units tab in Zivver. If you do not have access, either your organization does not use organizational units in Zivver, or you do not have administrator rights.

If your organization uses organizational units in Zivver, select an option based on your configuration of OUs in the Zivver admin panel.

Tip
How can I determine whether to use Domain or Custom OU Identifier?
You can check the Organizational Unit Identifier by browsing to the Organization Units tab in Zivver, clicking on one of the OUs listed, and editing edit the Organizational Unit. The identifier will be shown in a popup under Organization Unit Identifier.

Source Filter

Object Filter (LDAP) allow you to filter users based on a given Active Directory attribute value.

  1. Check Enable LDAP Source filtering.
  2. Choose an AD attribute from the drop-down table at Filter variable.
  3. Enter the filter value(s) at Filter text.
    If you want to enter more than one filter value, add each value on a separate line.
  4. Choose between a positive filter (include) or negative filter (exclude).
    You cannot include and exclude in the same filter.

View the results at Data Preview.

Example: filter on OU

  1. Check Enable LDAP Source filtering.
  2. Choose distinguishedName from the drop-down table at Filter variable.
  3. Enter the distinguishedName of the organizational units separated by a line break at Filter text.
    For example, if you have two OUs to filter on:
    OU=Example,OU=Users,DC=company,DC=org
    OU=AnotherExample,OU=Users,DC=company,DC=org
  4. Choose whether to include or exclude the results from your filter.
    Your LDAP filter is now configured.

Example: filter on SG

  1. Check Enable LDAP Source filtering.
  2. Choose MemberOf from the drop-down table at Filter variable.
  3. Enter the commonName of the SGs separated by a line break at Filter text.
    For example, if you have two SGs to filter on:
    Zivver-security-group1
    Zivver-security-group2
  4. Choose whether to include or exclude the results from your filter.
    Your LDAP filter is now configured.

Merge Settings

Use Source Merge Settings to choose what Synctool should do if distinct sources (e.g., an LDAP source and an Excel source) contain identical entries.

If this is the first source in the Source Overview, no merge settings are available.

  • Overwrite
    Objects found in the currently selected source overwrite duplicate objects from previous sources.
  • Ignore
    Objects found in the currently selected source are overwritten by duplicate objects from previous sources.
  • Conflict
    Prompt the admin to resolve duplicates before synchronizing.

Data Preview

Source Data Preview (LDAP) allows you to preview all user accounts and functional accounts found in your LDAP source. Take into account that the Synctool can only find accounts that reside within the configured Base DN and Source Filter.

Click to get a preview of all user accounts and functional accounts found in your LDAP source.

Next steps

If the data preview is returned as you would expect, you can either configure another source, or go to Syncing.

Updated on 2025-10-22