Setting user directory information

Before you begin

Use the page Global Settings > General > User Directory to configure directory communication for administrators using their network accounts. The same directory must be used to authenticate all administrative users.

Steps

  • A user directory stores information about a network’s users and resources.
  • To allow administrators to use their network accounts to log on to the Security Manager, configure the Security Manager to retrieve information from a user directory.
    Note: User directory configuration for administrators is performed separately from directory service configuration for end users. Set up end user directory service configuration within each Security Manager module.

Next steps

The Security Manager can communicate with the following Lightweight Directory Access Protocol (LDAP) directories:

  • Windows Active Directory (Native Mode)
  • Novell eDirectory
  • Oracle Directory Service
  • Lotus Notes/Domino

It can also communicate with other generic LDAP-based directories.

  • Duplicate user names are not supported in an LDAP-based directory service. Ensure that the same user name does not appear in multiple domains.
  • With Windows Active Directory or Oracle Directory Service, user names with blank passwords are not supported. Make sure that all users have passwords assigned.

To enable administrators to log on to the Security Manager using a network account:

  1. Select a user directory type from the User directory server drop-down list: Active Directory, Generic Directory, Lotus Notes, Novell eDirectory, or Oracle Directory Server.

    The configuration options for your selection are displayed.

  2. Enter the IP address or host name to identify the directory server.
  3. Enter the communication Port for the directory.
  4. Enter a User distinguished name and Password for the administrative account that the software should use to retrieve user name and path information from the directory.
    • The account must be able to query and read from the directory, but does not need to be able to make changes to the directory, or be a domain administrator.
    • In the field User distinguished name, enter the account details as a single string. You can use the format “CN=user, DC=domain” or, if your organization uses Active Directory, “domain\username”.
  5. To confirm that the directory exists at the specified IP address or name and port number, and that the specified account can connect to it, click Test Connection.
  6. Enter the Root naming context that the Security Manager should use to search for user information. This is required for generic LDAP directories, Lotus Notes/Domino, and Oracle Directory Service, and optional for Active Directory and Novell eDirectory. If you supply a value, it must be a valid context in the domain.

    If the Root naming context field is left blank, the software begins searching at the top level of the directory service.

    Note: Avoid having the same user name in multiple domains. If the software finds duplicate account names for a user, the user cannot be identified transparently.
  7. If the LDAP schema includes nested groups, mark the check box Perform additional nested group search.
  8. To encrypt communication with the directory service, mark the check box Use SSL encryption.
  9. If the directory service uses LDAP referrals, mark the check box to indicate whether the software should follow the referrals.
  10. For Generic Directory, configure the following additional settings:
    • Email attribute: The attribute name used to locate a user’s email address in LDAP entries. The default is mail.
    • User logon ID attribute: The attribute name used to locate a user’s logon ID in LDAP entries.
    • User logon filter: The filter to apply when searching for user details at logon. This string must contain the %uid token, which is replaced at logon with the user name the user enters.
    • User lookup filter: The filter used to find users for import on the Add Network Account page. You can enter %query in this field as a placeholder, and then click Refine search on the Add Network Account page to enter a new context for finding network users.
    • Group object class (optional): The LDAP object class that represents a group. The default is group.
    • Group Properties: Specify whether your directory schema uses the memberOf attribute. If it does, in the Group attribute field enter the attribute used to reference the groups that the user is a member of.

      If it does not, in the User group filter field enter the query used to resolve groups containing the specific user. You can enter %dn, which will be replaced by the distinguished name of the user.

  11. Click OK.

    The settings are saved.

    Note: If you change your user directory settings at a later date, existing administrators become invalid unless you are pointing to an exact mirror of the user directory server. If the new server is not a mirror, you may not be able to distinguish between your new and existing users.
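The Generic Directory settings in step 10 are filter templates whose %uid, %query and %dn tokens are filled in with values supplied at logon or lookup time. The following Python is an added illustration, not the Security Manager's own code: it assumes the product expands the tokens and escapes the substituted values per RFC 4515 so that filter metacharacters in a logon name or DN stay literal and cannot change the filter's structure, and it mirrors the memberOf-versus-User-group-filter choice of the Group Properties setting. Filter strings and names are constructed samples.

```python
import re

# RFC 4515 escaping for a value embedded in an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_TOKEN_RE = re.compile(r"%(uid|query|dn)")


def escape_filter_value(value: str) -> str:
    """Escape filter metacharacters so a substituted value stays a literal."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, values: dict) -> str:
    """Replace every %uid, %query or %dn token in a single pass with its escaped value."""
    def replace(match):
        name = match.group(1)
        if name not in values:
            raise ValueError(f"filter uses %{name} but no value was supplied")
        return escape_filter_value(values[name])
    return _TOKEN_RE.sub(replace, template)


def build_logon_filter(template: str, logon_name: str) -> str:
    """Build the User logon filter; the %uid token is mandatory, as step 10 states."""
    if "%uid" not in template:
        raise ValueError("User logon filter must contain the %uid token")
    return expand_filter(template, {"uid": logon_name})


def build_group_lookup(user_dn: str, group_attribute: str = "",
                       user_group_filter: str = "") -> tuple:
    """Resolve group membership as the Group Properties setting describes:
    read the memberOf-style attribute if the schema has one, otherwise run the
    User group filter with %dn replaced by the user's escaped distinguished name."""
    if group_attribute:
        return ("attribute", group_attribute)
    if "%dn" not in user_group_filter:
        raise ValueError("User group filter must contain the %dn token")
    return ("search", expand_filter(user_group_filter, {"dn": user_dn}))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    print(build_logon_filter("(&(objectClass=person)(uid=%uid))", "jdoe"))
    print(build_group_lookup("CN=Doe (Jane),OU=Staff,DC=example,DC=com",
                             user_group_filter="(&(objectClass=group)(member=%dn))"))
```

Note that escaping also turns a `*` typed into the lookup query into a literal; if administrators are expected to use wildcards in the User lookup filter, the %query expansion would need a separate rule.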