District administrators with the Clever Admin user role can set up an automated sync with the district’s Active Directory server to sync non-instructional staff and school administrators to Clever as “staff” users.
This sync between Active Directory and Clever will supplement the existing sync between the district’s SIS and Clever and will only be used to sync staff users.
What are the requirements?
- Your district utilizes an Active Directory server to manage non-instructional staff and school administrators
- The Active Directory Sync toggle has been enabled on the Sync Settings page of the Clever dashboard
How do I prepare for the sync in Active Directory?
Staff sharing rules in Clever
Before enabling the sync, make sure your staff and school admin sharing rules are configured the way you intend for all of your district’s connected applications, so that newly synced users are not unintentionally shared en masse.
Please set up staff sharing rules for your applications using the instructions under section 2 here: How can staff and school admins use the Portal and access applications?
Existing staff in Clever
If your district has already synced staff to Clever via a staff.csv or admins.csv file, please make sure their 'Staff_id' stays the same if you'd like to preserve their historical data in Clever. As this field is the key identifier for staff members in Clever, if an existing user is synced from Active Directory with a different 'Staff_id,' they'll get a brand new account in Clever.
Create a new bind account
Create a new bind account with read-only permissions that Clever can use to query the LDAP server. Once created, take note of the account's userDN (i.e. the user's distinguishedName), found in the Attribute Editor, and its password. You’ll need both for setup!
Review your OU structure in Active Directory
Identify whether classroom teachers are grouped in Organizational Units (OUs) together with non-instructional staff members.
- If not, that’s great! Take note of the OU names for just the non-instructional staff members.
- If so, there’s a risk of creating duplicate user accounts in Clever for users who are already in our system as teachers. To counter this:
  - We suggest bulk adding an extension attribute to staff members’ profiles that distinguishes these two staff types from each other in your server (e.g. extensionAttribute = 'staff' if non-instructional and 'teacher' if instructional)
  - Once the extension attribute is added, it can be used in an LDAP filter during step 5 of the setup below: the staff query.
Create a one-time school mapping CSV file
We’ll need a one-time upload to map existing schools in Clever to school names in Active Directory. The file should have two columns: ‘School_sis_id’ (as it appears in Clever) and ‘Active_directory_name’. Example below:
How do I set up the sync in Clever?
1. Navigate to the Sync Settings page in the Clever dashboard
2. Toggle on “Active Directory Sync” at the bottom of the page to reveal a new setup tab
3. Go to the “Active Directory” tab that now appears at the top of the page and click the blue ‘Get started’ button:
4. Configure the connection between Clever and your district’s Active Directory server by entering your district’s LDAP URL and port, certificate fingerprints, and the userDN and password for the read-only bind account set up in preparation. All of these steps are required to establish the connection.
5. Add staff queries to designate the OUs from which Clever should sync staff user accounts. Districts can set up multiple queries if needed, as well as set up filters to scope down the information pulled. For help writing your LDAP filter, see this article. An example is shown below:
   During this step, you’ll also indicate which Active Directory user attributes should map to the available Clever staff fields.
6. Optionally configure a sync for staff extension fields such as security group, building code, etc. The Clever extension field will always begin with ‘ext.’
7. Upload your prepared school mapping CSV so our system knows which existing School_sis_ids in the district’s Clever account are associated with which school names in Active Directory.
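The sketch below is an added example, not Clever's own code. It shows how the staff/teacher extension attribute described in the OU review can become the LDAP filter for the staff query, and previews which accounts from a mixed OU the filter would pick up. The attribute name extensionAttribute1, the helper names and the sample accounts are assumptions made for illustration.

```python
import re

def escape_filter_value(value: str) -> str:
    """Escape the RFC 4515 special characters so a value cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def staff_filter(attr: str, value: str) -> str:
    """Build a filter that matches user accounts tagged attr=value."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attr):
        raise ValueError("not a valid LDAP attribute name: %r" % attr)
    return "(&(objectCategory=person)(objectClass=user)(%s=%s))" % (
        attr, escape_filter_value(value))

def preview(entries, attr, value):
    """Sort entries the way an equality match on attr would treat them.

    Returns (synced, skipped, untagged). Untagged accounts never match the
    filter, so they stay out of the sync until someone tags them.
    """
    synced, skipped, untagged = [], [], []
    for entry in entries:
        tag = entry.get(attr)
        name = entry["sAMAccountName"]
        if not tag or not tag.strip():
            untagged.append(name)
        elif tag.lower() == value.lower():  # AD string matching ignores case
            synced.append(name)
        else:
            skipped.append(name)
    return synced, skipped, untagged

# Assumption: the district tagged accounts using extensionAttribute1.
ATTR = "extensionAttribute1"

# Constructed export of one mixed OU; none of these accounts are real.
SAMPLE = [
    {"sAMAccountName": "jrivera", ATTR: "staff"},
    {"sAMAccountName": "mchen", ATTR: "teacher"},
    {"sAMAccountName": "okafor", ATTR: "Staff"},
    {"sAMAccountName": "tnguyen"},  # attribute was never set
]

if __name__ == "__main__":
    print(staff_filter(ATTR, "staff"))
    for label, names in zip(("sync", "skip", "untagged"),
                            preview(SAMPLE, ATTR, "staff")):
        print(label, names)
```

Review the untagged list before the first sync: those accounts are excluded by the filter, not reported as errors.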
After the sync is configured and a first sync runs, you can view the results on the Sync > Active Directory tab. Syncs run automatically every 24 hours, but can also be triggered from the Active Directory tab. As with your normal SIS sync report, you can track staff account creations, updates, deletions, and errors here.