Automating User Onboarding: Linking Active Directory to CredoID


The gap between IT identity management and physical security is the largest unaddressed vulnerability in the modern enterprise. When an employee is terminated in Microsoft Active Directory (AD), but their physical badge remains active for hours—or days—the “insider threat” window opens wide. In high-security environments, manual data entry is no longer just an operational bottleneck; it is a compliance failure.

To achieve a true Zero Trust Architecture (ZTA), physical access must be treated as a dynamic signal of an identity’s lifecycle. This article provides a technical deep dive into automating user onboarding and offboarding by linking Active Directory to the CredoID access control platform. We will explore the shift from legacy Role-Based Access Control (RBAC) to Attribute-Based Access Control (ABAC), the technical requirements for LDAP/LDAPS integration, and the specific mechanics of the CredoID synchronization pipeline.

The Modern Mandate for Identity Convergence
Physical security is shifting fundamentally toward IT convergence. Industry leaders are ditching disconnected silos for Physical Identity and Access Management (PIAM) strategies. This convergence is driven by the need for automated offboarding, where disabling a user in AD revokes facility access at the next scheduled sync, preventing unauthorized entry or “tailgating.”

Beyond RBAC: The Rise of Attribute-Based Access Control (ABAC)
While legacy systems rely on simple Role-Based Access Control (RBAC), modern automation focuses on Attribute-Based Access Control (ABAC). In an ABAC model, physical access levels are granted dynamically based on specific AD attributes such as department, company, or title.

CredoID facilitates this by allowing operators to map AD security group memberships—and their internal attributes—to specific physical access levels. If an employee’s department attribute changes from Marketing to Research & Development in AD, the integration automatically updates their physical permissions, granting access to the lab while revoking access to the marketing suite.

Zero Trust and Physical Signals
In a Zero Trust environment, a user’s physical presence (detected via badge swipe) serves as a critical signal for conditional access to digital resources. Conversely, the digital identity serves as the “single source of truth” for the physical world. By linking AD to CredoID, organizations ensure a physical credential is only as valid as the digital identity supporting it.

Technical Architecture: The LDAP/LDAPS Pipeline
The Active Directory–CredoID integration runs on the Lightweight Directory Access Protocol (LDAP). To prevent credential sniffing, enterprise environments should prioritize LDAPS (LDAP over SSL/TLS), typically via port 636.

Cross-Platform Connectivity
CredoID operates in diverse IT environments, supporting both Windows-native and Linux (Docker) deployments:

Windows-native: Uses the System.DirectoryServices connector with DirectorySearcher for high-performance LDAP queries.
Linux/Docker: Utilizes a custom LinuxDirectorySearcher built on System.DirectoryServices.Protocols (LdapConnection), providing full cross-platform LDAP support without relying on Windows-only COM interop.

Crucially, the CredoID approach requires no agent or software installation on the AD domain controller. No AD schema extensions are required, ensuring the IT infrastructure remains clean and standard. The integration is a one-way data sync (AD → CredoID), not an authentication integration.

Defining the Field Bindings
Upon initiation, CredoID queries AD using the filter (&(objectClass=user)(objectClass=person)) to discover available attributes. This allows for precise data mapping. The system comes pre-configured with sensible defaults that the operator can customize:

CredoID Field      | Default AD Attribute  | Purpose
-------------------|-----------------------|------------------------------------------
First Name         | givenname             | Basic identity
Last Name          | sn                    | Basic identity
Middle Name        | middleName            | Basic identity
Email              | mail                  | Contact information
Phone              | mobile                | Contact information
Employee Number    | employeeID            | Primary key for sync
Company            | company               | Organizational assignment
Department         | department            | Organizational / ABAC logic
Title              | title                 | Organizational assignment
Expiration Date    | accountexpires        | Automated deprovisioning
Access Levels      | businessCategory      | Maps AD groups to physical doors
Card Number        | uid                   | Links the physical credential to the user
Card Format Bits   | st                    | Card format definition
Card Facility Code | uidnumber             | Essential for multi-site card formats
Additional 1–3     | (unmapped by default) | Custom user-defined fields

For access level mapping, CredoID reads the memberOf attribute and uses a separate LDAP query with the filter (&(objectClass=group)) against the configured group path to discover AD security groups. The operator then maps each AD group (e.g., CN=Security-Level-3) to a specific CredoID access level.
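As an added example (not CredoID's own code), the following Python shows how the default bindings above turn one AD record into CredoID user fields: accountexpires is a Windows FILETIME that has to be converted and carries two "never expires" sentinel values, and memberOf is resolved through operator-defined group bindings. The sample user, the OU names and the GROUP_BINDINGS table are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed AD user object, as returned by the page's user filter (not CredoID code).
AD_USER = {
    "givenname": "Ada", "sn": "Lovelace", "employeeID": "E1001",
    "department": "Research & Development",
    # accountExpires is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
    "accountexpires": "133801632000000000",
    "memberOf": [
        "CN=Security-Level-3,OU=Groups,DC=company,DC=com",
        "CN=All-Staff,OU=Groups,DC=company,DC=com",
        "CN=Printer-Users,OU=Groups,DC=company,DC=com",  # no binding: ignored
    ],
}
# Hypothetical operator-defined group bindings: AD group CN -> CredoID access level
GROUP_BINDINGS = {"Security-Level-3": "Server Room", "All-Staff": "Main Entrance"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {"0", "9223372036854775807"}  # AD's two "no expiry" sentinel values
MAX_ACCESS_LEVELS = 8  # per-user limit stated on the page

def expiration_date(accountexpires):
    """accountExpires -> aware UTC datetime, or None when the account never expires."""
    if accountexpires is None or accountexpires in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=int(accountexpires) // 10)

def group_cn(dn):
    """First RDN value of a DN: 'CN=Security-Level-3,OU=...' -> 'Security-Level-3'."""
    rdn = dn.split(",", 1)[0]
    return rdn[3:] if rdn.upper().startswith("CN=") else rdn

def access_levels(member_of, bindings):
    """Translate memberOf into CredoID access levels; unbound groups are dropped."""
    levels = []
    for dn in member_of:
        level = bindings.get(group_cn(dn))
        if level and level not in levels:
            levels.append(level)
    return levels[:MAX_ACCESS_LEVELS]

def bind_user(ad_user, bindings):
    """Apply the default field bindings from the table above to one AD record."""
    return {
        "employee_number": ad_user["employeeID"],
        "first_name": ad_user["givenname"], "last_name": ad_user["sn"],
        "department": ad_user["department"],
        "expiration_date": expiration_date(ad_user.get("accountexpires")),
        "access_levels": access_levels(ad_user.get("memberOf", []), bindings),
    }
```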

Solving the “Orphaned Account” Problem
An “orphaned account” is one that still exists in the physical access control database but no longer exists in the IT directory. Such accounts are a primary finding in security audits such as SOC 2 and ISO 27001. CredoID addresses this through flexible Import Modes.

Comparison: Manual Management vs. Automated Sync
Feature           | Manual Onboarding                    | CredoID Automated (Synchronize Mode)
------------------|--------------------------------------|--------------------------------------------
Data Integrity    | High risk of human error/typos       | 1:1 match with AD source of truth
Offboarding Speed | Hours to days (manual ticket)        | Near real-time (next scheduled sync)
Access Precision  | General roles, often over-privileged | Granular ABAC based on AD attributes
Compliance Audit  | Manual log reconciliation required   | Automated reports on added/removed users
Orphaned Accounts | Common; requires periodic “cleanup”  | Eliminated via “Synchronize” logic

The Three Import Modes
CredoID provides three import modes to suit different operational requirements:

Append — Add new users from AD. Do not modify or remove any existing CredoID users. Ideal for initial migrations or environments where local edits must be preserved.

Overwrite — Add new users and update existing users with current AD data. Users that no longer exist in AD are not removed. Balances freshness with safety.

Synchronize — Full reconciliation. Adds new users, updates existing ones, and deletes CredoID users that no longer exist in the target AD Organizational Unit (OU). In Synchronize mode, a terminated employee’s user record, credentials, and access rights are revoked the moment the sync job completes.

Security Standards: OSDP and Secure Communication
While the link between AD and the CredoID server is secured via LDAPS, the “last mile” of the access event—from the reader to the controller—is equally vital.

The Decline of Wiegand
The legacy Wiegand protocol is increasingly rejected in government and enterprise RFPs because it lacks encryption. To maintain the integrity of an AD-integrated environment, CredoID supports OSDP (Open Supervised Device Protocol) for secure reader-to-controller communication.

OSDP provides the encrypted, bidirectional communication required to ensure data synced from Active Directory is not compromised at the door. When a card number is mapped from the AD uid attribute and pushed to a controller, OSDP keeps the reader-to-controller link secure. Note that OSDP only encrypts that link when Secure Channel is enabled on both the reader and the controller, so verify it in the hardware configuration rather than assuming it from the protocol name.

Primary Key Selection
Selecting the right primary key determines how CredoID matches incoming AD records against existing users in the database. Two options are available:

First and Last Name — Matches on the combined first + last name fields. Simple but vulnerable to duplicates if two employees share the same name.
Employee Number — Matches on the employeeID attribute. More robust, as employee numbers are typically unique across the organization.

For most enterprises, Employee Number is the recommended primary key because it remains stable even when an employee changes their name, department, or any other attribute.
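The following added example (not CredoID's code) models the three import modes described earlier and the two primary-key options above over constructed AD and CredoID snapshots. It shows what each mode adds, updates and removes, and why name-based matching breaks down as soon as two employees share a name; the employee numbers, names and departments are all constructed.

```python
# Constructed snapshots (not CredoID data): this run's AD records, then the prior CredoID table.
AD_USERS = [
    {"employeeID": "E1001", "givenname": "Ada", "sn": "Lovelace", "department": "R&D"},
    {"employeeID": "E1002", "givenname": "Alan", "sn": "Turing", "department": "Marketing"},
    {"employeeID": "E1004", "givenname": "Alan", "sn": "Turing", "department": "Sales"},  # namesake
]
CREDOID_USERS = [
    {"employee_number": "E1001", "first_name": "Ada", "last_name": "Lovelace", "department": "Marketing"},
    {"employee_number": "E1003", "first_name": "Grace", "last_name": "Hopper", "department": "Ops"},
]
# Primary key options from the page: (key function for an AD record, key function for a CredoID record)
PRIMARY_KEYS = {
    "employee_number": (lambda ad: ad["employeeID"], lambda cid: cid["employee_number"]),
    "first_last_name": (lambda ad: (ad["givenname"].lower(), ad["sn"].lower()),
                        lambda cid: (cid["first_name"].lower(), cid["last_name"].lower())),
}

def to_credoid(ad):
    """Field binding for the subset of attributes used in this example."""
    return {"employee_number": ad["employeeID"], "first_name": ad["givenname"],
            "last_name": ad["sn"], "department": ad["department"]}

def duplicate_keys(ad_users, primary_key):
    """Primary-key values shared by more than one AD record (must be empty to sync safely)."""
    keys = [PRIMARY_KEYS[primary_key][0](ad) for ad in ad_users]
    return sorted({k for k in keys if keys.count(k) > 1})

def reconcile(ad_users, credoid_users, mode, primary_key="employee_number"):
    """One import run in 'append', 'overwrite' or 'synchronize' mode.
    Returns (new user table, report of keys added/updated/removed)."""
    dups = duplicate_keys(ad_users, primary_key)
    if dups:
        raise ValueError(f"primary key not unique in AD: {dups}")
    ad_key, cid_key = PRIMARY_KEYS[primary_key]
    incoming = {ad_key(ad): to_credoid(ad) for ad in ad_users}
    existing = {cid_key(u): u for u in credoid_users}
    table, report = dict(existing), {"added": [], "updated": [], "removed": []}
    for k, rec in incoming.items():
        if k not in existing:  # every mode adds users new to CredoID
            table[k] = rec
            report["added"].append(k)
        elif mode != "append" and existing[k] != rec:  # overwrite/synchronize refresh
            table[k] = rec
            report["updated"].append(k)
    if mode == "synchronize":  # only synchronize removes users gone from the OU
        for k in sorted(existing.keys() - incoming.keys()):
            del table[k]
            report["removed"].append(k)
    return list(table.values()), report
```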

Licensing and System Requirements
Active Directory integration is a licensed feature. The system uses a middleware check (CheckAdImportsEnabledMiddleware) to verify the ActiveDirImportLicensed flag before every import operation. If the license does not include this feature, the import is rejected.

Implementation Requirements
Requirement          | Details
---------------------|------------------------------------------------------------------------------------------
CredoID Server       | Windows or Linux (Docker). Both platforms are supported with platform-specific AD connectors.
Service Account      | A dedicated AD account with read-only access to user objects and group memberships in the target OUs.
Operator Permissions | Only operators with the User Admin role (UserAdminOnly policy) can configure or trigger AD imports, preventing unauthorized changes to sync logic.
Network Access       | Connectivity to the Domain Controller over port 389 (LDAP) or 636 (LDAPS).

What’s NOT Required
No agent or software installation on the AD domain controller
No AD schema extensions
No federation or SSO configuration

What Gets Automated
Once the AD integration is configured and scheduled, the following onboarding tasks are fully automated:

User profiles: First name, middle name, last name, email, phone, company, department, title, employee number
Account lifecycle: Activation and expiration dates (from accountexpires), enabling automated deprovisioning
Credentials: Up to 8 identification credentials per user (card numbers, facility codes, card format bits) mapped from AD attributes
Access levels: Up to 8 access levels per user, automatically assigned based on AD group membership via the configured group bindings
Location assignments: Up to 16 locations per user
Hardware sync: After each import, CredoID triggers change notifications to connected access control hardware, pushing updated credentials and access rights directly to door controllers

Implementation Playbook: Linking AD to CredoID
Follow this structured path to automate your onboarding process.

Step 1: Audit and Cleanse AD Data
Before connecting systems, ensure AD attributes (e.g., employeeID, department, accountexpires) are populated and accurate. Identify the specific OUs containing users who require physical access.

Step 2: Configure the LDAP/LDAPS Connection
In the CredoID web interface, navigate to the AD Import settings. Provide:

LDAP Path — The path to the user OU (e.g., LDAP://dc=company,dc=com)
LDAP Group Path — The path to the group OU for access level mapping
Credentials — Username and password for a dedicated read-only service account

Use LDAPS (port 636) for encrypted communication.

Step 3: Map Attributes and Group Bindings
Establish field mappings between AD attributes and CredoID user fields. The system pre-populates sensible defaults. Map the AD memberOf attribute to CredoID Access Levels to define your ABAC logic—for example, mapping the AD group CN=Security-Level-3 to a CredoID access level for the server room.

Step 4: Define the Primary Key and Import Mode
Select Employee Number or First and Last Name as your primary key. For most enterprises, Synchronize mode is recommended to ensure the CredoID database perfectly reflects Active Directory.

Step 5: Schedule and Monitor
Configure a one-time import for initial validation, or set a recurring sync schedule (e.g., every 60 minutes). Review the initial import report for validation errors, such as duplicate card numbers or missing required fields. Once verified, the system will trigger automatic change notifications to all connected hardware controllers.


Summary
Automating physical access via IT directory integration is no longer a luxury; it is a baseline requirement for secure facility management. By linking Active Directory to CredoID, you eliminate manual entry errors, close the window on insider threats through automated offboarding, and align physical security with Zero Trust principles.

If your organization manages physical access via spreadsheets, moving to a synchronized LDAP/LDAPS model will provide immediate ROI in administrative hours saved and risk reduced.

About UAB Midpoint Systems — UAB Midpoint Systems provides the CredoID access control platform, an open-architecture solution designed for seamless integration with enterprise IT environments. Supporting both Windows and Linux, CredoID enables organizations to unify digital and physical security through advanced automation and support for modern protocols like OSDP.
