Clever district admins can set up an automated sync with the district’s Active Directory server to sync non-instructional staff and school admins to Clever as "staff” users.
This sync between Active Directory and Clever will supplement any existing syncs between the district’s SIS and Clever and will only be used to sync non-instructional staff users (i.e. non-teaching staff).
What are the requirements?
- Your district utilizes an Active Directory server to manage non-instructional staff and school admins.
- The Active Directory Sync toggle has been enabled from your district dashboard > Sync > Staff tab.
How do I prepare for the Active Directory staff sync?
Staff sharing rules in Clever
If you already have non-instructional staff in Clever, make sure your staff and school admin sharing permissions are in a good place for all of your district’s connected applications, so we’re not unintentionally sharing new users en masse.
For additional information about staff sharing permissions, please visit: How do I share staff with applications?
Existing staff in Clever
If your district has already synced staff to Clever via a staff.csv or admins.csv file, please make sure their 'Staff_id' stays the same if you'd like to preserve their historical data in Clever. This field is the key identifier for staff members in Clever so, if an existing user is synced from Active Directory with a different 'Staff_id', a new account will be created for them in Clever.
Create a new bind account
Create a new bind account with read-only permissions that Clever can use to query your LDAP server. Once created, take note of the account's userDN (i.e. users distinguishedName) and password found in the Attribute Editor - you’ll need that for setup!
Review your OU structure in Active Directory
Identify whether classroom teachers are grouped in Organizational Units (OUs) together with non-instructional staff members.
- If not, that’s great! Take note of the OU names that includes only non-instructional staff.
- If so, there’s risk of creating duplicate user accounts in Clever for those who are already in Clever as teachers! To counter this:
- We suggest bulk adding an extension attribute to staff member’s profiles that would distinguish these two staff types from one another in your server (e.g. extensionAttribute = 'staff' if non-instructional and 'teacher' if instructional)
- Once the extension attribute is added, the attribute can be used in an LDAP filter during step 5 of the setup below - The staff query.
Create a one-time school mapping CSV file
We need a one-time upload to map existing schools in Clever to school names in Active Directory. The file should have two columns:
- School_sis_id (as it appears in Clever)
How do I set up the sync in Clever?
- Navigate to your district dashboard > Sync >Staff tab
- Toggle on 'Active Directory Sync' to reveal a new setup tab
- Select 'set up active directory sync' to configure the Active Directory sync in 4 steps
- Step 1: Configure the connection between Clever and your district’s Active Directory server by entering your district’s LDAP URL and port, certificate fingerprints, and the users DN and password for the read-only bind account set up in preparation. All of these steps are required to establish the connection.
- Step 2: Add staff queries to designate the OUs from which Clever should sync staff user accounts. Districts can set up multiple queries if needed, as well as set up filters to scope down the information pulled. For help writing your LDAP filter, see this article. An example is shown below:
During this step, you’ll also indicate which Active Directory user attributes should map to the available Clever staff fields.
- Step 3: Optionally configure a sync for staff extension/custom fields such as security group, building code, etc. The Clever extension field will always begin with ‘ext.’
- Step 4: Upload your prepared school mapping CSV so we will be able to link the existing school sis_ids in your district’s Clever account with the appropriate school names in Active Directory.
After the sync is configured and a first sync runs, you can view the results on the Sync > Active Directory tab. Syncs will run automatically every 24 hours, but can be triggered from the Active Directory tab as needed. Like your normal SIS Sync report, you can track staff account creations, updates, deletions, and errors from this tab.