Prepare the directory
- Create a dedicated, read-only bind identity. Do not use a domain administrator account.
- Use LDAPS on port 636 or LDAP with STARTTLS on port 389.
- Use a certificate whose hostname matches the LDAP server and whose chain is trusted.
- Choose the narrowest base DN that contains all intended staff accounts.
Configure the source
- Open Directory sources and select LDAP / LDAPS.
- Enter the hostname, port, encryption mode, base DN, bind username, and password.
- Choose a group, organizational unit, domain, or advanced scope.
- Enter a user filter that requires person user objects and excludes disabled accounts where appropriate.
- Add exclusions for student OUs, service accounts, shared mailboxes, and other non-staff identities.
Example Active Directory filter
The exact filter depends on your schema. A common starting point for enabled person user objects is shown below; add an organization-specific staff group or OU restriction before production use.
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))