Configuring LDAP Settings

Procedure

  1. Go to one of the following to access the LDAP tab:
    • Administration > IMSS Configuration > Connections | LDAP
    • Administration > IMSS Configuration > Configuration Wizard | Step 6: LDAP Settings
  2. Click Add.
    The LDAP Settings screen appears.
  3. Specify a meaningful description for the LDAP server.
  4. Next to LDAP server type, select the type of LDAP servers on your network:
    • Domino
    • Microsoft Active Directory
    • Microsoft AD Global Catalog
    • OpenLDAP
    • Sun iPlanet Directory
  5. Next to Enable LDAP 1, select the check box.
  6. Next to LDAP server, specify the server name or IP address.
  7. Next to Listening port number, specify the port number on which the LDAP server listens for access requests.
  8. Configure the settings under LDAP 2 if necessary.
  9. Under LDAP cache expiration for policy services and EUQ services, specify the Time to live in minutes.
    Time To Live: Determines how long IMSS retains LDAP query results in the cache. A longer duration speeds up LDAP lookups during policy execution, but the policy server responds more slowly to changes made on the LDAP server. A shorter duration means that IMSS performs LDAP queries more often, which reduces performance.
  10. Under LDAP admin, specify the administrator account, the corresponding password and the base distinguished name.
    Refer to LDAP Server Types for assistance.
  11. Select an authentication method:
    • Simple
    • Advanced: Uses Kerberos authentication for Active Directory. Configure the following:
      • Kerberos authentication default realm: Default Kerberos realm for the client. For Active Directory use, the Windows domain name must be upper case (Kerberos is case-sensitive).
      • Default domain: The Internet domain name equivalent to the realm.
      • KDC and admin server: Hostname or IP address of the Key Distribution Center for this realm. For Active Directory, it is usually the domain controller.
      • KDC port number: The associated port number.
  12. Select the Enable encrypted communication between IMSS and LDAP check box and click Browse to upload a CA certificate file to verify the certificate used by the LDAP server.
  13. Click Add.
    If you are using the Configuration Wizard, click Next.
    Note
    Only Active Directory and Active Directory Global Catalog support Kerberos Authentication.
  14. Under LDAP Email Address Attribute, select the LDAP attribute from which IMSS retrieves user email addresses.
    • mail: This is the default LDAP attribute that stores email addresses.
    • proxyAddresses: This is the recommended attribute to choose if you use Microsoft Exchange Server.
    • Other attribute: Specify an LDAP attribute that stores email addresses.
  15. Click Save & Synchronize.
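Before entering the settings from steps 6, 10 and 12, it is worth confirming that the CA certificate file actually validates the LDAP server's certificate and that the admin account can bind. The following stand-alone check is an added example, not part of the IMSS documentation or product; it assumes the encrypted option is LDAP over TLS (LDAPS, typically port 636), uses only the Python standard library, and hand-encodes an LDAPv3 simple bind per RFC 4511. The host, port, CA file and bind DN are placeholders you supply; use the same server name you will enter in step 6 so the certificate name check matches what IMSS will see.

```python
import socket
import ssl

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def bind_request(bind_dn: str, password: str, msg_id: int = 1) -> bytes:
    """LDAPv3 simple BindRequest (RFC 4511, 4.2) wrapped in an LDAPMessage."""
    body = (ber(0x02, bytes([3]))             # version INTEGER 3
            + ber(0x04, bind_dn.encode())    # name LDAPDN (the LDAP admin account)
            + ber(0x80, password.encode()))  # authentication: simple [0] OCTET STRING
    bind = ber(0x60, body)                    # [APPLICATION 0] BindRequest
    return ber(0x30, ber(0x02, bytes([msg_id])) + bind)

def _tlv(buf: bytes, pos: int):
    """Decode one BER TLV at pos; returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += n
    start = pos + 2
    return tag, buf[start:start + length], start + length

def bind_result_code(response: bytes) -> int:
    """resultCode of a BindResponse: 0 = success, 49 = invalidCredentials."""
    _, msg, _ = _tlv(response, 0)             # outer LDAPMessage SEQUENCE
    _, _msg_id, pos = _tlv(msg, 0)            # messageID INTEGER
    tag, bind_resp, _ = _tlv(msg, pos)
    if tag != 0x61:                           # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, _ = _tlv(bind_resp, 0)           # resultCode ENUMERATED
    return int.from_bytes(code, "big")

def check_ldaps_bind(host: str, port: int, ca_file: str, bind_dn: str,
                     password: str, timeout: float = 5.0) -> int:
    """TLS to host:port trusting only ca_file (chain and hostname verified), then simple bind."""
    ctx = ssl.create_default_context(cafile=ca_file)   # placeholder CA file path supplied by caller
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(bind_request(bind_dn, password))
        return bind_result_code(tls.recv(4096))
```

A certificate that the CA file does not validate raises `ssl.SSLCertVerificationError` before any bind is sent, and a wrong admin password returns 49 (invalidCredentials); only a return value of 0 means both step 10 and step 12 settings are consistent with the server.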