Setting user directory information

Security Manager Help | Web, Data, and Email Protection Solutions | v8.4.x

Use the Global Settings > General > User Directory page to configure directory communication for administrators using their network accounts. The same directory must be used to authenticate all administrative users.

A user directory stores information about a network's users and resources.

To allow administrators to use their network accounts to log on to the Security Manager, configure the Security Manager to retrieve information from a user directory.


	Note User directory configuration for administrators is performed separately from directory service configuration for end users. Set up end user directory service configuration within each Security Manager module.

The Security Manager can communicate with the following LDAP (Lightweight Directory Access Protocol) directories:

Windows Active Directory (Native Mode)

Novell eDirectory

Oracle Directory Service

Lotus Notes/Domino

It can also communicate with other generic LDAP-based directories.

Note that:

Duplicate user names are not supported in an LDAP-based directory service. Ensure that the same user name does not appear in multiple domains.

With Windows Active Directory or Oracle Directory Service, user names with blank passwords are not supported. Make sure that all users have passwords assigned.

To enable administrators to log on to the Security Manager using a network account:

Select a user directory type from the User directory server list.

Enter the IP address or host name to identify the directory server.

Enter the communication Port for the directory.

Specify a User distinguished name and Password for the administrative account the software should use to retrieve user name and path information from the directory.

The account must be able to query and read from the directory, but does not need to be able to make changes to the directory, or be a domain administrator.

Enter the account details as a single string in the User distinguished name field. You can use the format "CN=user, DC=domain" or, if your organization uses Active Directory, "domain\username".

Click Test Connection to confirm that the directory exists at the specified IP address or name and port number, and that the specified account can connect to it.

Enter the Root naming context that the Security Manager should use to search for user information. This is required for generic LDAP directories, Lotus Notes/Domino, and Oracle Directory Service, and optional for Active Directory and Novell eDirectory. If you supply a value, it must be a valid context in the domain.

If the Root naming context field is left blank, the software begins searching at the top level of the directory service.


	Note Avoid having the same user name in multiple domains. If the software finds duplicate account names for a user, the user cannot be identified transparently.

If the LDAP schema includes nested groups, mark Perform additional nested group search.

To encrypt communication with the directory service, mark Use SSL encryption.

If the directory service uses LDAP referrals, indicate whether the software should follow the referrals.

10.

For Generic Directory, also configure the following settings:

Email attribute: The attribute name used to locate a user's email address in LDAP entries. The default is mail.

User logon ID attribute: The attribute name used to locate a user's logon ID in LDAP entries.

User logon filter: The filter to apply when searching for user details at logon. This string must contain the %uid token, which is then replaced with the user name entered by the user when logging on.

User lookup filter: The filter used to find users for import on the Add Network Account page. You can enter %query in this field as a placeholder, and then click Refine search on the Add Network Account page to enter a new context for finding network users.

Group object class (optional): The LDAP object class that represents a group. The default is group.

Group Properties: Specify whether your directory schema uses the memberOf attribute. If it does, in the Group attribute field enter the attribute used to reference the groups that the user is a member of.

If it does not, in the User group filter field enter the query used to resolve groups containing the specific user. You can enter %dn, which will be replaced by the distinguished name of the user.

11.

Click OK.


	Note If you change your user directory settings at a later date, existing administrators become invalid unless you are pointing to an exact mirror of the user directory server. If the new server is not a mirror, you may not be able to distinguish between your new and existing users.