User management with CrashPlan User Directory Sync

This article applies to CrashPlan Enterprise and MSPs.png

Overview

CrashPlan User Directory Sync leverages your organization's existing directory services environment by enabling LDAP integration in CrashPlan. Every directory structure is different, so CrashPlan User Directory Sync allows you to add JavaScript to map your existing directory structure to CrashPlan organizations and roles for automated user management. 

This article gives examples of how to use JavaScipt with CrashPlan User Directory Sync. For help with CrashPlan User Directory Sync, contact your Customer Success Manager (CSM) to engage the Professional Services team.

Considerations

LDAP script capabilities

When you install CrashPlan User Directory Sync, it automatically creates basic JavaScript files in the installation directory. Configure these scripts with JavaScript functions to provision users to CrashPlan. We use three different scripts: 

Once you configure the scripts, they read user attributes and group membership information from your LDAP environment. When the scripts are run, the CrashPlan User Directory Sync places users into the correct CrashPlan organization and grants them appropriate user roles based on their LDAP attributes and group membership. 

LDAP script triggers

A synchronization executes the active, org, and role scripts each time it runs. When the scripts run, they read users' LDAP attributes and group membership, and change your CrashPlan environment to match. 

User management scope

CrashPlan User Directory Sync creates new users or assumes management of existing users in CrashPlan only if the users exist in the LDAP search results. These users are then processed by the active, org, and role scripts and updated in CrashPlan accordingly. User Directory Sync can only manage users that are returned in the LDAP search results. If users are moved outside of the scope of the filtering criteria, they cease to be managed by CrashPlan User Directory Sync.

Example use of LDAP scripts

Consider the following situation. Company X's Org Name script depends on the location LDAP attribute. If the location attribute for user jsmith changes from San Francisco to New York, then the LDAP sync process moves jsmith from the San Francisco org to the New York org.

 Script assistance

The sections below contain sample scripts. Assistance with scripts is beyond the scope of CrashPlan technical support. For further assistance:

  • See example scripts here: Example scripts for CrashPlan User Directory Sync.

  • Contact your Customer Success Manager (CSM) to engage the CrashPlan Professional Services team. They have access to a large library of existing scripts and can help tailor CrashPlan's LDAP integration as needed. 

Active script

The active script determines what state users should have in CrashPlan. For those users that are returned by your LDAP search filter, the active script either marks them active or deactivated and relays that information to CrashPlan. For example:

  • If the user does not exist in CrashPlan but is marked TRUE, the user is created in CrashPlan. 
  • If the user already exists in CrashPlan and is marked TRUE, the user is managed by User Directory Sync from that point forward. 
  • If the user does not exist in CrashPlan and is marked FALSE, the user is not created in CrashPlan.
  • If the user already exists in CrashPlan and is marked FALSE, the user is deactivated in CrashPlan.

Should your user management workflow require that users be moved outside of the search filter results before they are deactivated, the User Directory Sync does not detect this change and the users remain active in CrashPlan. If this workflow is a requirement, please contact your Customer Success Manager (CSM) to engage the Professional Services team.

Default active script

The default active script code, which handles the default active script behavior, is:


function isActive(entry) {
    return true;
}

If the user is found in LDAP, the default JavaScript function returns the value TRUE. The user is treated as active.

Active script example

But what if your company policy requires that LDAP entries for users remain permanently in LDAP, and the user's employment status is maintained via an LDAP attribute? You can use an active script to deactivate a user account based on an LDAP user attribute. This script deactivates a user if they are disabled in active directory (AD). 


function isActive(entry) {
  if (entry.userAccountControl & 0x2) {
    return false;
  } else {
    return true;
  }
}

 Expected datatype

The active script must return a Boolean (true or false).

User deactivation and reactivation

When a user is deactivated, the user's devices are automatically deactivated. However, when a user is reactivated, the user's devices are not automatically reactivated. Devices can be reactivated in two ways:

  • The administrator may activate the user's device from the CrashPlan console.
  • The reactivated user may sign in to the CrashPlan app on the deactivated device.

In either case, the device's GUID remains the same.

Data that was previously backed up is still available, if the data retention period has not expired. File selections and other settings also remain the same.

Reactivation of manually deactivated users 

If you use the CrashPlan console to directly deactivate users from an organization with directory services enabled, these users will be reactivated when User Directory Sync detects another change and syncs the user.

To make sure a user stays deactivated, do one of the following:

  • For all users and devices in CrashPlan organizations with directory services enabled, deactivate or remove the users from the directory service, rather than directly from the CrashPlan console.
  • Create a new organization that is not linked to any directory service, and move users to that organization before deactivating them. They will not be reactivated by CrashPlan User Directory Sync.
  • Change the user's username, or whatever attribute is mapped to the LDAP search filter. The user will no longer be affected by the CrashPlan User Directory Sync.

Users on legal hold cannot be deactivated

Users placed under legal hold cannot be deactivated. Their data is retained for the legal hold process. If a user is deactivated in LDAP, CrashPlan blocks the user instead. Once the user is released from legal hold, they are automatically deactivated.

Reactivating a user: If you deactivate users while they are on legal hold, and then wish to reactivate those users, you must unblock the user in the CrashPlan console. 

Org script

The org script places a user into a specific CrashPlan organization. JavaScript is used to parse the user's LDAP entry and return a single value. The user is placed into an organization that matches the return value. Target organizations do not need to exist before the script runs. If a named target organization does not exist, the org script creates an organization with that name.

Any valid parsing can be performed on the DN (distinguished name) of the user's record with JavaScript, and in this way, LDAP OUs (organizational units) can map to CrashPlan environment organizations automatically.

Org script example

The org script can place users into a CrashPlan environment organization based on the OU specified in each user's LDAP distinguished name. The script does the following:

  1. Parse the user's distinguished name.
  2. If the user is in the LDAP Staff OU, return the value “Staff” to place the user into the CrashPlan environment's Staff organization.
  3. If the user is in the LDAP Students OU, return the value “Students” to place the user into the CrashPlan environment's Students organization.
  4. If the user is in neither the Staff nor the Students OU, return the value “Default” to place the user in the Default organization.

function getOrgName(entry) {
   var ou = entry.dn;
   if (ou != null){
       if ((ou.indexOf("Staff") >= 0 )){  
           return 'Staff';
       }
       else if ((ou.indexOf("Students") >= 0 )){
           return 'Students';  
       }
       else {
           return 'Default';  
       }  
   }
   else {
       return 'Default';  
   }  
}

 Expected datatype

The org script must return a string.

Role script

The role script applies a set of user roles to a user account based on the user's LDAP attributes or security group membership. Only roles that are added to the Role Mapping list within the CrashPlan console can be managed by CrashPlan User Directory Sync. CrashPlan does not add, update, or remove roles that are not in the Role Mapping list.

Role script example

This example analyzes an LDAP environment and grants CrashPlan user roles based on LDAP memberships.

  1. Determine which LDAP groups the user is a member of.
  2. Map the appropriate CrashPlan environment roles to the account:
    • If the user is a member of the Admins LDAP group, grant the Org Security Viewer role.
    • If the user is a member of the Support LDAP group, grant the Org Admin role.
    • If the user is a member of the Managers group, grant the Org Manager role.
    • If the user is a member of the WorkstationAdmins group, grant the Org Help Desk role.

function getRoles(entry) {
   var memberof = entry.memberOf;
   // Default user roles
   var myRoles=new Array("PROe User","Desktop User");
   // Loop over LDAP groups
   for (var x = 0; x < memberof.length; ++x) {
      if (memberof[x].indexOf("Admins") > -1) {
         myRoles.push("Org Security Viewer");
      }
      if (memberof[x].indexOf("Support") > -1) {
         myRoles.push("Org Admin");
      }
      if (memberof[x].indexOf("Managers") > -1) {
         myRoles.push("Org Manager");
      }
      if (memberof[x].indexOf("WorkstationAdmins") > -1) {
         myRoles.push("Org Help Desk");
      }
   }
   return myRoles;
}

 Expected datatype

The role script must return an array.

Was this article helpful?
0 out of 0 found this helpful

Articles in this section