Getting Started

Want to manage access to your Active Directory server with ease? We have you covered. You can setup access management through Opal to Active Directory in minutes.

Supported Services

  • Active Directory groups: Add or remove users to any AD group within your server. Groups are imported by nesting them inside a group called Opal in your server, which Opal automatically discovers.

Notably, Opal does not yet support syncing Organizational Units (OUs) or entire OU or group sub trees automatically.

Setup

Create an Active Directory connection

To get started, head to the Connections page and click on the Active Directory Service tile.

Click on the Active Directory tile to get started.

Click on the Active Directory tile to get started.

You will see a form with multiple steps that must be completed. Opal requires multiple credentials in order to manage your Active Directory server.

Step 1 - Configure an Active Directory service account for Opal

In order for Opal to manage your Active Directory server on your behalf, we'll need you to create an Active Directory service account for your server with proper permission scopes.

  • Connect to a Domain Controller or to a computer with Active Directory Remote Server Administration Tools installed.

  • Click Start, type dsa.msc, then press Enter.

  • Navigate to the Organizational Unit where the Opal Service Account will be located.

  • Right-click the Organizational Unit, select New > User.

  • Optional: Type Opal into the First Name field and Service Account into the Last Name field.

  • Type OpalServiceAccount into the User logon name field. Click Next.

  • Configure a password based on your organization's password policy requirements, uncheck the User must change password at next logon checkbox, and check the Password never expires checkbox. Click Next. Click Finish.

  • Double click on the newly created service account user. On the Member Of tab, add the Domain Admins group (or if you're using AWS Managed AD, then add AWS Delegated Administrators instead). Then save the account and click OK.

Step 2 - Reachability

  • Ensure your Active Directory hostname is reachable from the instance that is hosting the Opal app.

Step 3 - Create Opal group

  • Create an AD group called Opal. This group can be used later to automatically import groups into Opal by adding them as members of this group.

Step 4 - Fill out Opal Connections form

  • Back in the Connections form, fill in details about your Active Directory server and service account:

  • For Server hostname and Server port, you must input the hostname and port of your Domain Controller. As mentioned above, please ensure it's discoverable from the instance hosting the Opal app.

  • For Base distinguished name, you should entered the Distinguished Name (DN) of the OU that Opal should begin directory searches from.

  • For Root username and Root password, you should enter the credentials of the AD service account that you created above.

If this step is successful, you have completed setting up the Active Directory server connection.

Step 5 - Manually import Active Directory groups

  • Click on Groups in the left sidebar.

  • In the top right, click on the + (Plus) button, then Import groups.

  • Select your Active Directory connection

  • Then select which groups you'd like to import

As mentioned above, if you'd like to automatically import groups into Opal, you can simply create them as members of the Opal group you created above.


❗️Enable Opal for access management

If you want to use Opal to manage access to Active Directory groups, you will need to enable the Manage resources and groups from Opal in the Admin page. You can read more about how to do that here.


Did this answer your question?