What are Active Directory profiles?
The connection to Active Directory (AD) is established via so-called AD profiles. These profiles contain all of the information needed to establish a connection to AD and enable the import and synchronization of users, organisational units or roles. Multiple AD profiles can be created in order to connect to several different ADs.
Two import modes in comparison
When importing from Active Directory, Password Safe distinguishes between two modes, which differ significantly and are explained in separate sections.
In principle, the two variants differ by the presence of the encryption mentioned above. In the mode with active end-to-end encryption (E2EE), the process may be less convenient (see table), but there is a huge benefit in terms of security. In Master Key mode, a master key is created on the server that has full permissions for all users, organisational units and roles. This represents an additional attack vector, which does not exist in end-to-end mode. In return, however, users in Master Key mode can be updated via synchronization with Active Directory, and memberships of organisational units and roles are also imported. In the more secure end-to-end mode, this synchronization of changes must be carried out manually.
| Comparison of the modes | End-to-end mode | Master Key mode |
|---|---|---|
| Importing user information | + | + |
| Importing assigned roles | - | + |
| Importing roles to organisational units | - | + |
| Synchronizing user information | - | + |
| Synchronizing assigned roles | - | + |
| Synchronizing roles with organisational units | - | + |
| User can be edited in Password Safe | + | - |
| Organisational unit can be edited in Password Safe | + | - |
| Roles can be edited in Password Safe | + | - |
| Password can be edited in Password Safe | + | - |
| Login with domain password | - | + |
| Password Safe is the leading system | + | - |
| Active Directory is the leading system | - | + |
As can be seen, E2EE offers the highest level of security. In this mode, the aim is merely to import users, organisational units and roles, which must then be administered and configured in Password Safe. In contrast, a connection in Master Key mode offers the highest level of convenience. It imports not only users, organisational units and roles but also their links and assignments. Synchronization with Active Directory is possible, and AD is used as the leading system.
Users, groups and roles
When importing or synchronizing from Active Directory, users are also added as users in Password Safe. Password Safe also uses the organisational units as such.
So that Password Safe can be integrated quickly into the existing infrastructure, roles can also be imported directly from Active Directory. Specifically, Active Directory groups are used as Password Safe roles.