Configure LDAP settings for user-group definition, administrator privileges, or end-user quarantine authentication.
Configure multiple and mixed type LDAP servers from the Administration > IMSVA Configuration > Connections | LDAP screen. You cannot configure more than one LDAP server from the Configuration Wizard.
If more than one LDAP server is used, IMSVA synchronizes the account information from the LDAP servers to the IMSVA local cache. The time required for synchronization between the servers depends on the number of accounts on your LDAP servers. When synchronization completes, the time and date appear in the Last Synchronized column. IMSVA automatically synchronizes the accounts daily. You can manually trigger synchronization by clicking Save & Synchronize.
If more than one LDAP server is enabled, End-User Quarantine and EUQ single sign-on cannot be enabled.
If the LDAP settings on the Administration > Connections > LDAP screen are not configured, the following LDAP-related features will not work:
Policy > Internal Addresses > search for LDAP groups
Policy > [any rule] > sender or recipient > search for LDAP user and groups
Administration > End-User Quarantine > User Quarantine Access > select groups from the LDAP search
Administration > Admin Accounts > click Add > specify LDAP authentication
To add an LDAP server:
Administration > IMSVA Configuration > Connections | LDAP
Administration > IMSVA Configuration > Configuration Wizard | Step 6: LDAP Settings
Navigate to the LDAP tab.
Click Add. The LDAP Settings screen appears.
Type a meaningful description for the LDAP server.
Next to LDAP server type, choose the type of LDAP servers on your network:
Domino
Microsoft Active Directory
Microsoft AD Global Catalog
OpenLDAP
Sun iPlanet Directory
Next to Enable LDAP 1, select the check box.
Next to LDAP server, type the server name or IP address.
Next to Listening port number, type the port number that the LDAP server uses to listen to access requests.
Configure the settings under LDAP 2 if necessary.
Under LDAP cache expiration for policy services and EUQ services, type the Time to live in minutes.
Time To Live: Determines how long IMSVA retains the LDAP query results in the cache. Specifying a longer duration improves LDAP query performance during policy execution; however, the policy server will be less responsive to changes on the LDAP server. A shorter duration means that IMSVA has to perform the LDAP query more often, thus reducing performance.
Under LDAP admin, type the administrator account, the corresponding password and the base distinguished name. Refer to the table below for assistance on what to specify under this section according to the LDAP server type:
LDAP Server Types

| LDAP Server | LDAP Admin Account (examples) | Base Distinguished Name (examples) | Authentication Method |
|---|---|---|---|
| Active Directory | Without Kerberos: user1@domain.com (UPN) or domain\user1; with Kerberos: user1@domain.com | dc=domain, dc=com | Simple; Advanced (with Kerberos) |
| Active Directory Global Catalog | Without Kerberos: user1@domain.com (UPN) or domain\user1; with Kerberos: user1@domain.com | dc=domain, dc=com; dc=domain1, dc=com (if multiple unique domains exist) | Simple; Advanced (with Kerberos) |
| OpenLDAP | cn=manager, dc=test1, dc=com | dc=test1, dc=com | Simple |
| Lotus Domino | user1/domain | Not applicable | Simple |
| Sun iPlanet Directory | uid=user1, ou=people, dc=domain, dc=com | dc=domain, dc=com | Simple |
Select an authentication method:
Simple
Advanced: Uses Kerberos authentication for Active Directory. Configure the following:
Kerberos authentication default realm: Default Kerberos realm for the client. For Active Directory use, the Windows domain name must be upper case (Kerberos is case-sensitive).
Default domain: The Internet domain name equivalent to the realm.
KDC and admin server: Hostname or IP address of the Key Distribution Center for this realm. For Active Directory, it is usually the domain controller.
KDC port number: The associated port number.
Click Add.
If you are using the Configuration Wizard, click Next.
Only Active Directory and Active Directory Global Catalog support Kerberos Authentication.
Click Save & Synchronize.
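As an added example (not IMSVA code), the following Python checker applies the rules stated in the procedure and table above to a proposed LDAP server entry before it is typed into the console: account form per server type, DN shape of the base distinguished name, Kerberos (Advanced) only for the two Active Directory types, an upper-case realm, and a valid listening port. The server-type strings, the regular expressions and the single-DN assumption for the Global Catalog base DN are assumptions made for this checker.

```python
import re

# Added example (not IMSVA code): validate one LDAP server entry against the
# account / base DN / authentication rules from the table above.
# The regular expressions and type names below are assumptions for this checker.
DN_RE = re.compile(r"^\s*(cn|uid|ou|o|dc)=[^,=]+(\s*,\s*(cn|uid|ou|o|dc)=[^,=]+)*\s*$", re.I)
UPN_RE = re.compile(r"^[^@\\\s]+@[^@\\\s]+\.[^@\\\s]+$")   # user1@domain.com
DOWNLEVEL_RE = re.compile(r"^[^@\\\s]+\\[^@\\\s]+$")       # domain\user1
DOMINO_RE = re.compile(r"^[^/\s]+/[^/\s]+$")               # user1/domain
KERBEROS_TYPES = {"Active Directory", "Active Directory Global Catalog"}
DN_TYPES = {"OpenLDAP", "Sun iPlanet Directory"}


def check_ldap_entry(server_type, admin_account, base_dn, auth_method,
                     port=389, realm=None):
    """Return a list of problems; an empty list means the entry fits the table."""
    problems = []
    if not 1 <= port <= 65535:
        problems.append("listening port must be between 1 and 65535")
    if auth_method not in ("Simple", "Advanced"):
        problems.append("authentication method must be Simple or Advanced")
    if auth_method == "Advanced":
        # Only the two Active Directory types support Kerberos (Advanced).
        if server_type not in KERBEROS_TYPES:
            problems.append("Kerberos (Advanced) needs an Active Directory server type")
        if not realm:
            problems.append("Advanced needs a Kerberos default realm")
        elif realm != realm.upper():
            problems.append("Kerberos default realm must be upper case")
    if server_type in KERBEROS_TYPES:
        if auth_method == "Advanced":
            # With Kerberos the table lists only the UPN form.
            if not UPN_RE.match(admin_account):
                problems.append("with Kerberos the admin account must be a UPN")
        elif not (UPN_RE.match(admin_account) or DOWNLEVEL_RE.match(admin_account)):
            problems.append("admin account must be a UPN or domain\\user")
        if not DN_RE.match(base_dn):
            problems.append("base DN must look like dc=domain, dc=com")
    elif server_type in DN_TYPES:
        if not DN_RE.match(admin_account):
            problems.append("admin account must be a full DN, e.g. cn=manager, dc=test1, dc=com")
        if not DN_RE.match(base_dn):
            problems.append("base DN must look like dc=test1, dc=com")
    elif server_type == "Lotus Domino":
        if not DOMINO_RE.match(admin_account):
            problems.append("Domino admin account must be user/domain")
        if base_dn:
            problems.append("base DN is not applicable for Domino; leave it empty")
    else:
        problems.append("unknown LDAP server type: %s" % server_type)
    return problems
```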
To configure LDAP settings:
Administration > IMSVA Configuration > Connections > LDAP
Navigate to the LDAP tab.
Click a server name from the LDAP server table.
Type a meaningful description for the LDAP server.
Next to LDAP server type, choose the type of LDAP servers on your network:
Domino
Microsoft Active Directory
Microsoft AD Global Catalog
OpenLDAP
Sun iPlanet Directory
Next to Enable LDAP 1, select the check box.
Next to LDAP server, type the server name or IP address.
Next to Listening port number, type the port number that the LDAP server uses to listen to access requests.
Configure the settings under LDAP 2 if necessary.
Under LDAP cache expiration for policy services and EUQ services, type the Time to live in minutes.
Time To Live: Determines how long IMSVA retains the LDAP query results in the cache. Specifying a longer duration improves LDAP query performance during policy execution; however, the policy server will be less responsive to changes on the LDAP server. A shorter duration means that IMSVA has to perform the LDAP query more often, thus reducing performance.
Under LDAP admin, type the administrator account, the corresponding password and the base distinguished name. Refer to the table below for assistance on what to specify under this section according to the LDAP server type:
LDAP Server Types

| LDAP Server | LDAP Admin Account (examples) | Base Distinguished Name (examples) | Authentication Method |
|---|---|---|---|
| Active Directory | Without Kerberos: user1@domain.com (UPN) or domain\user1; with Kerberos: user1@domain.com | dc=domain, dc=com | Simple; Advanced (with Kerberos) |
| Active Directory Global Catalog | Without Kerberos: user1@domain.com (UPN) or domain\user1; with Kerberos: user1@domain.com | dc=domain, dc=com; dc=domain1, dc=com (if multiple unique domains exist) | Simple; Advanced (with Kerberos) |
| OpenLDAP | cn=manager, dc=test1, dc=com | dc=test1, dc=com | Simple |
| Lotus Domino | user1/domain | Not applicable | Simple |
| Sun iPlanet Directory | uid=user1, ou=people, dc=domain, dc=com | dc=domain, dc=com | Simple |
Select an authentication method:
Simple
Advanced: Uses Kerberos authentication for Active Directory. Configure the following:
Kerberos authentication default realm: Default Kerberos realm for the client. For Active Directory use, the Windows domain name must be upper case (Kerberos is case-sensitive).
Default domain: The Internet domain name equivalent to the realm.
KDC and admin server: Hostname or IP address of the Key Distribution Center for this realm. For Active Directory, it is usually the domain controller.
KDC port number: The associated port number.
Click Add.
Only Active Directory and Active Directory Global Catalog support Kerberos Authentication.
Click Save & Synchronize.