Teem Directory Sync
Teem Directory Sync
The goal of Teem Directory Sync utility is to streamline the process of provisioning users in the Teem platform by copying users and groups out of ActiveDirectory or LDAP, creating them within Teem, then keeping them synchronized as changes in your organization occur over time.
Users logging into the Teem platform can access Employee Tools, like web booking, the Teem Mobile and Plugin applications, and can view Flightboard. In addition, users can be sent to LobbyConnect devices to provide hosts to be selected from when a visitor arrives. With Teem Directory Sync, the user list can be easily maintained in the tools you use today.
The latest version of this utility includes the following:
- Improved performance and scalability for managing large numbers of users.
- A new User Interface with improved service configurability, visibility, and logging.
- More flexible deployment options (Windows / Linux / Mac, in addition to the same server or remote options).
- New support for LDAP.
Deployment Options
Installation / Startup
Download a copy of the application here:
Open a terminal window where you have the binary saved and run it.
## Windows teemDirSync.exe ## Linux and Mac $ ./teemDirSync ## use the -h flag to see additional startup options
Usage
The application will allow you to create any Groups or Users not already in Teem. It will skip any users that are disabled or that are missing minimum information (e.g., email). On subsequent syncs, the tool will update Groups or Users if something has changed, disable users in Teem if they have been disabled in the directory, and delete users that are no longer in the sync list to account for users that have been deleted or removed from the selected groups.
Prerequisites
- This tool does require a Teem Admin account to run. On the Setup page, please ensure you are using a Teem Admin user. The Admin user’s password must be 20 characters or more.
- An AD/LDAP user account with at least READ access to the BaseDN you intend to use.
- This tool will create Teem users and groups for every selected group object (via the Setup page) within your Directory. If a group is selected it will add it to Teem and any users in that group. Groups with no users will still be added. Users that are missing minimum information will be skipped, and a log message will be generated.
First Run
- Browse to the IP or hostname (and port) configured at startup. By default, it’s http://localhost:8981/ --> redirect to /setup/admin/password
- The initial password is blank. Fill in a new password and confirm. It must be at least eight characters
- Click "Save Password"
- Click a destination in the nav bar --> redirected to /login
- Login with username and password (that was just set up)
- Click "Sign in" --> redirected to /status
Sync Setup
- Click "Setup" in the navigation bar
Select "Teem" tab
Fill in fields:
- Teem Username**
- Teem Password (must be at least 20 characters)
- Sub Domain
Select "AD / LDAP" tab
Fill in the fields:
- Directory Hostname
- Port
- Encryption
- Bind DN or username
- Bind Password
Select the "Mappings" tab Select desired options for the field names in your directory. The application supports both AD and LDAP standard fields, along with a few other vendor-specific fields.
Fill in the fields:
- Directory UUID (Unique Identifier for objects in the directory. AD supports objectGUID, LDAP and AD both support entryUUID.)
- Groups
- Group Object Class**
- Group Name**
- Users
- User Object Class
- Username
- First Name
- Last Name
- Full Name
- Phone Number
Select the “Filters” tab
Fill in field
- Base DN
Toggle Scheduled Sync
- Click on "Status" in the navigation bar
- See the "Scheduled Sync" section
- Click the switch under the "Enabled" column
Start Manual Sync
- Click on "Status" in the navigation bar
- Click the "Start Manual Sync" button on the bottom right of the page
Download Sync Logs
- Open File Explorer on the machine that the Teem Directory Sync tool is installed on.
- Find the Teem Directory Sync tool program file.
- The logs will be located here in the exe. file “teem dir sync.log”.
Update admin password
- Click on the vertical ellipsis icon --> "Change Password"
- Enter the current password (must be at least eight characters)
- Enter a new password and confirmation
- Click "Update Password"
Application Configuration
- Click on the vertical ellipsis --> "App Configuration"
- Change settings as needed. Explanations for some settings are provided in the UI
Clear local user cache
- Click on the vertical ellipsis --> "Clear User Cache"
- Follow on-screen instructions
Remove Synchronized Users From Teem
- Click on the vertical ellipsis --> "Remove Teem Users"
- Follow on-screen instructions
Change Theme
- Click on the vertical ellipsis icon
- Under the "Themes," section choose the desired theme
Security Details
Application Data
This small executable app does not install anything on the host. However, it saves some files applicable to the application's runtime.
By default, these files are created in the same directory in which the application is running. You can change the directory where the files will be saved at startup via the command line (use the -h option to see the options), or they can be updated in the app after it is running. Click the vertical ellipses icon at the top of any page in the app, and choose “App Configuration.” The paths are listed and editable on that page.
Details:
tds/teemDirSync.config
- General application configuration. Many values are editable in the app UI. Others are editable via the command line. All are editable in the file.
- Field information to note:
- aesKey: The encryption key for the database. It is generated on the first run of the application and is unique to your instance of the application. If you change or delete this value, you will lose access to the encrypted information in the .data file and need to set up the application again.
- appUseTLS: The application supports HTTPS. If set to true, you must provide a valid TLS/SSL certificate and key. See: “Application Browser Security” section
- tlsCertPath: file path where the tls/SSL certificate is found
- tlsKeyPath: file path where the tls/SSL key is found
tds/teemDirSync.data
- It contains a cache of AD/LDAP data to reduce network traffic to Teem when syncing your directory. It also contains the authentication information for Teem and your AD/LDAP directory.
- All sensitive information, such as passwords and access tokens, are encrypted using the aesKey in the application config. Additionally, the application contains a pepper value. By combining your unique aesKey and this secret pepper value, only the application can encrypt or decrypt your data.
- The data is not editable without the application. Doing so will render the file unusable, and you will need to set up the application again.
tds/logs/teemDirSync.log
(includes any rolling log files)- Log file for keeping runtime activity information, warnings, and errors. The logs are kept for a 30-day rolling window from the current date. Each log file is limited to 10MB. The number of rolling log files is determined by the amount of data generated in the sync. Generally, more users in a directory will result in more log data, as will perpetually unresolved errors.
- Manually deleting the log files will result in the application not being able to output downloadable logs listed in the Logs page.
- Sensitive information such as passwords and access tokens are not logged.
Application Browser Security
Almost all the interaction with the Teem Directory Sync app is done via a web browser. Even though this application will likely run inside your firewall, the application supports HTTPS, if needed. HTTPS/TLS certificates will need to be provided by you. Once in place, you can specify their location at startup via the command line. If certificates are provided, and TLS is enabled, your communication with the app via the browser will be secure**.
** Please note, this does not apply to the communication with Teem or your AD/LDAP directory. Communication with Teem is always done via HTTPS. Communication with your AD/LDAP directory is according to your specifications outlined above in the Sync Setup.
Communication with Teem
The Teem Directory Sync app does not allow Teem servers to communicate with your environment. This tool sends Teem user details by making HTTPS calls to our SCIM API, which are encrypted in transit. There are no firewall modifications needed. All traffic originates within your network to the Teem servers over port 443, and will work fine as long as the computer running the application can reach the internet.
Communication with AD / LDAP
All data access to your Directory (AD or LDAP) is read-only. The application supports TLS communication if you have proper certificates in place. See the “Sync Setup” section to enable TLS.
Troubleshooting
How can I tell that it is running regularly?
Please see the logs page in the Teem Directory Sync app. Click on “Logs” at the top of any page once you are logged in. This log page will summarize the last 30 days of sync activity. If you have “Scheduled Sync” enabled (See “Status” page), then sync logs should appear according to the Sync Interval Time set (See “App Configuration” page). You will know that the application is running at the appropriate cadence if you see sync summaries on the Logs page at the corresponding intervals.
Users are not being created anymore.
This could happen for a couple of reasons. First, check the Status page in Teem Directory Sync and ensure that the “Connection Health” section has all green lights. If some are red, ensure that the hosts are reachable and that the credentials are correct in the Setup page.
Second, check the Logs page. If the most recent log entry indicates that errors occurred, click the Download icon and review the log for any specific errors. Search the log for the word “ERROR” and note that there might be many to review. The corresponding log summary where the log file was downloaded will indicate the minimum number of errors to expect.
The sync runs forever.
This is common on the first run. We will sync all the users and groups, which could take some time. However, the Status page will show you the runtime and completion percentage. On subsequent runs, the application will only sync new users who have changed in some way or are deleted.
If network communication is slow or disrupted, the application will detect and log the errors, and the sync will be completed.
If you find that that sync runs for excessive amounts of time, especially after the first run, please send the log output from a sync run to Teem Support for further troubleshooting.