Using Active Directory or Domino
If you selected Active Directory or Domino:
Steps
- Under Connection Settings, enter the IP address or hostname and Port to use to connect to the user directory server.
Note: The default port is 3268, which is the Global Catalog (GC). The GC holds only a partial copy of the user attributes, which can result in failure to receive all the attributes requested during the testing or LDAP import processes.
To connect directly to the Domain Controller and receive all of the requested attributes, use port 389. Alternatively, the Global Catalog can be configured to include additional attributes.
Learn more about the Global Catalog on the Microsoft website.
- Enter the User distinguished name and Password for an account with access to the directory server.
- For Active Directory, the format “domain\username” is supported.
- For Domino, use the format “CN=User, OU=Department, DC=DomainComponent, DC=com”.
- Optionally, enter the Root naming context that Forcepoint DLP should use to search for user information.
- When entering a value, ensure that it is a valid context in the domain.
- If the field is left blank, the system begins searching at the top level of the directory service.
- Mark Use SSL encryption to connect to the directory server using Secure Sockets Layer (SSL) encryption.
Important: If your Active Directory is configured to require LDAP channel binding and LDAP signing, you must mark Use SSL encryption; otherwise the user directory import will fail and communication between the DLP manager and the LDAP server will fail.
- Mark Follow referrals to have Forcepoint DLP follow server referrals, should they exist.
Referrals are an LDAP feature that provides the ability to build hierarchies of LDAP servers. Follow referrals with caution: if they are not set up properly, referred queries can take a long time and appear to be time-outs.
- Click Test Connection to verify that Forcepoint DLP can connect to the directory server.
- Under Directory Usage, mark Get user attributes to retrieve user attributes from the directory server, then:
- Enter the user Attributes to retrieve for all users (comma separated).
- If the directory includes photo attributes, enter them as a comma-separated list in the User’s photo attribute field. The default is thumbnailPhoto.
- If you do not want to display a photo of the user, leave this field blank.
- If a photo does not exist for the user, an empty image displays.
- Under Test Attributes, in the Sample email address field, enter a valid email address that can be used to test whether Forcepoint DLP can retrieve the configured attributes from the user directory server.
- Click Test Attributes to retrieve user information.
- Click OK to save your changes.
Note: If you change user directory settings at a later date, existing accounts become invalid unless you are pointing to an exact mirror of the user directory server. If the new server is not a mirror, you may not be able to distinguish between new and existing users.
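The following is an added pre-flight check, not part of Forcepoint's product or documentation, that encodes the rules from the steps above (bind-identity format, root naming context as a DN, SSL when channel binding and signing are enforced, and the Global Catalog's partial attribute set on port 3268) and compares the attributes requested by Test Attributes with what a server returned. Host names, account names and attribute values are constructed samples.

```python
import re
from dataclasses import dataclass

GC_PORT = 3268  # Global Catalog: partial attribute set (the page's default)
DC_PORT = 389   # Domain Controller: full attribute set

# Loose DN syntax: "CN=User, OU=Department, DC=DomainComponent, DC=com"
DN_RE = re.compile(r"^[A-Za-z]+=[^,=]+(,\s*[A-Za-z]+=[^,=]+)*$")
# Active Directory "domain\username" format
DOMAIN_USER_RE = re.compile(r"^[^\\/:*?\"<>|\s]+\\[^\\/:*?\"<>|\s]+$")


@dataclass
class DirectorySettings:
    host: str
    port: int
    user: str                       # "domain\\username" (AD) or a DN (Domino)
    use_ssl: bool
    channel_binding_enforced: bool  # AD policy requires LDAP signing/channel binding
    root_context: str = ""
    attributes: tuple = ()


def preflight(s: DirectorySettings) -> list:
    """Return the problems to fix before clicking Test Connection."""
    issues = []
    if not (DN_RE.match(s.user) or DOMAIN_USER_RE.match(s.user)):
        issues.append("bind identity is neither 'domain\\username' nor a DN")
    if s.root_context and not DN_RE.match(s.root_context):
        issues.append("root naming context is not a valid DN")
    if s.channel_binding_enforced and not s.use_ssl:
        issues.append("channel binding/signing enforced: mark Use SSL encryption "
                      "or the import and manager-to-LDAP communication will fail")
    if s.port == GC_PORT:
        issues.append("port 3268 is the Global Catalog: only the partial attribute "
                      "set is returned; use 389 or extend the GC attribute set")
    return issues


def missing_attributes(requested, returned: dict, port: int) -> dict:
    """Compare requested attributes with a Test Attributes result (constructed dict)."""
    missing = [a for a in requested if not returned.get(a)]
    # An attribute absent on 3268 is a GC partial-set symptom before it is a data problem
    return {"missing": missing,
            "gc_partial_set_suspected": bool(missing) and port == GC_PORT}
```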