11-15-2017 12:49 AM
Hi,
We have configured a sync between AD and Duo. User sync had no issues. Now a requirement is that some users in AD do not have mail IDs. These users are not getting synced to Duo. Is there a way to modify the user directory settings to populate users into Duo?
Regards
Vig
11-17-2017 12:49 PM
Duo’s directory sync doesn’t require that AD users have the mail attribute populated. There shouldn’t be any issue importing users from AD who don’t have email addresses. I suggest you contact Duo Support for in-depth troubleshooting, as there are a number of different reasons a user may not sync (but rest assured that not having an email address isn’t one of them).
11-19-2017 10:06 PM
Thank You, Kristina.
Regards
Vignesh
11-19-2017 10:53 PM
We have the Username attribute as EMAIL. Will that be a concern? I had tried to sync a user without email and it failed. Once I had the mail attribute populated in AD, I was able to sync the user. Any thoughts?
11-20-2017 05:55 AM
Yes, that is your issue. The username attribute can’t have no source value, or else it’s impossible to create the user. If you create a user without the AD mail attribute populated, and your primary username attribute is email, there is no way to create the Duo user (because there is no information in the email attribute to use for the username).
You should choose an attribute that will always exist, like userPrincipalName or sAMAccountName as your primary Duo username source attribute, and then you could add the mail attribute as a username alias. Since you can’t change the primary username attribute after a sync, this would require some manual migration steps on your part. You can learn more about those migration steps in this KB guide, or contact Support.
11-28-2017 09:45 AM
Hi Kristina,
If we unsync and resync the user groups to modify the Username field, will this have an effect on the users who are already added to Duo using the AD sync? We are in production now, so just wanted to have a confirmation.
Regards
Vignesh
11-28-2017 10:44 AM
As I mentioned before, you can’t change the primary username attribute after syncing a directory. If you go to edit your directory to try to change the username attribute you’ll find that option is now greyed out.
Typically, a customer deletes the synced directory to change the username attribute. This action has its own caveats and warnings!
When you delete the synced directory it doesn’t delete the user accounts or associated devices from Duo. They just become unmanaged accounts.
If you create a new directory sync and specify the same user groups from the previous directory sync config, the sync process reconnects to the existing accounts and they become managed by the sync.
HOWEVER!!!
In your case you want to choose a different username attribute, because not all your users have mail attribute values.
The username attribute you select could create duplicate users in your directory!
Example:
AD user has sAMAccountName set to jfoo and mail set to joe.foo@example.com.
joe.foo@example.com using the AD mail attribute value.
joe.foo@example.com user becomes unmanaged but remains intact.
sAMAccountName as the username value and mail as a username alias.
jfoo isn’t the same as joe.foo@example.com, the sync won’t try to connect to the existing user and instead tries to create a new jfoo user.
joe.foo@example.com already exists as a user, it will fail to create the new jfoo user because it can’t assign the username alias joe.foo@example.com. Aliases and usernames must all be unique.
Since you have concerns about making this change in production, and because the implications of your choices may not be immediately clear, I encourage you to contact Duo Support for assistance with this migration.
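A pre-migration check for the situation described in the reply above, as an added example that is not part of the original post and not Duo's code: it models the matching behaviour described in this thread (reconnect on an identical username, no user when the username attribute is empty, failure when the alias is already taken) over constructed records. The function name plan_resync, the record layout and the case-insensitive comparison are assumptions.

```python
# Added example: models the sync behaviour described in this thread, not Duo's code.
# All records below are constructed sample data.

def plan_resync(ad_users, existing_duo_names, username_attr, alias_attr=None):
    """Classify each AD user for a new sync that uses username_attr as the
    primary username and alias_attr (optional) as a username alias.

    existing_duo_names: usernames and aliases already present in Duo, for
    example the unmanaged accounts left behind after deleting the old sync.
    Only collisions with those existing names are checked. Comparison is
    case-insensitive, which is an assumption of this sketch.
    """
    taken = {name.lower() for name in existing_duo_names}
    plan = {}
    for user in ad_users:
        key = user["sAMAccountName"]
        username = (user.get(username_attr) or "").strip().lower()
        alias = (user.get(alias_attr) or "").strip().lower() if alias_attr else ""
        if not username:
            # No source value for the username attribute: nothing to name the user.
            plan[key] = "skip: empty " + username_attr
        elif username in taken:
            # Same username as an existing account: the sync reconnects to it.
            plan[key] = "reconnect"
        elif alias and alias in taken:
            # New username, but the alias is already held by another account.
            plan[key] = "conflict: alias " + alias + " already in use"
        else:
            plan[key] = "create"
    return plan

AD_USERS = [  # constructed
    {"sAMAccountName": "jfoo", "mail": "joe.foo@example.com"},
    {"sAMAccountName": "svc_print", "mail": ""},
    {"sAMAccountName": "abar", "mail": "ann.bar@example.com"},
]
DUO_NAMES = ["joe.foo@example.com"]  # left over from the earlier mail-based sync

if __name__ == "__main__":
    for attr, alias in (("mail", None), ("sAMAccountName", "mail")):
        print(attr, "->", plan_resync(AD_USERS, DUO_NAMES, attr, alias))
```

Running it against a real AD export and a list of current Duo usernames and aliases shows which accounts need to be renamed or cleaned up before the new directory sync is created.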
11-28-2017 07:39 PM
Thank you, Kristina. I guess exporting the users from AD and importing them into Duo should work better for us.