Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

SafeNet Synchronization Agent

LDAP synchronization server

search
printsuggest an editpdf paneldownload

LDAP synchronization server

For an on-premises configuration, you configure the port for the SAS PCE LDAP sync server. SafeNet Synchronization Agent transmits to this port. In a cloud configuration, this setting is already configured by the STA administrator.

For both the SAS PCE on-premises and STA cloud LDAP sync servers, download the encryption key file that SAS PCE or STA generates. SafeNet Synchronization Agent needs that file to encrypt data that is transmitted between itself and the STA LDAP sync server.

alt_text

copy link to clipboardIdentify the host names and port

After you install SafeNet Synchronization Agent, identify the STA or SAS PCE LDAP sync server host and port number to which the agent can transmit user and group records:

  1. On the STA Token Management or SAS PCE console, select the account.

    note

    Note

    For STA, you need only the encryption key and can skip to Configure record removal and generate an encryption key.

  2. For a SAS PCE configuration, select Comms > Communications > LDAP Sync Server Settings.

  3. Select Custom and enter the names of the primary and (if configured) secondary SAS PCE LDAP sync servers, and the SAS PCE port (e.g. 8456) to which SAS PCE can transmit user and group records. These values are transmitted with the encryption key that is used to configure SafeNet Synchronization Agent.

  4. Select Apply.

copy link to clipboardConfigure record removal and generate an encryption key

  1. Select Comms > Authentication Processing > LDAP Sync Agent Settings.

    alt_text

  2. (Optional) Set the following options to determine how STA and SAS PCE handle user records under certain conditions:

    • Persist Operators Against Sync By default, synchronized user records are removed from STA or SAS PCE when they are removed from a synchronized group in your external LDAP/AD. If this option is unchecked, users that have been promoted to operator are also removed.

      Selecting this option ensures that unintended changes to the LDAP/AD do not prevent the operator from logging into the STA or SAS PCE console. If checked, operator records must be manually removed.

    • Use Delayed Sync Removal By default, this option delays the removal of synchronized LDAP user records that are flagged for deletion from STA or SAS PCE for 24 hours. Conversely, if this option is disabled, records deleted in the LDAP directory, along with all user/token associations, are removed immediately and permanently from STA or SAS PCE upon synchronization.

      When this option is enabled, it protects against accidental deletions and saves the time and effort of re-establishing valid user accounts. The deleted user accounts are marked as disabled during the 24-hour period, and these users are not able to authenticate. However, operators have the ability to re-enable the account if they add the user back to the set of synchronized users within the 24-hour period.

      When used in conjunction with this option, enabling sync notifications provides the operators with the opportunity to review synchronization activities and determine the validity of user record changes. (Refer to Alert management.) If a sync event is detected, STA or SAS PCE sends an alert to operators indicating that all detected changes will occur in 24 hours unless they intervene.

    • Resolve Duplicate Usernames During Sync By default, this option is disabled.

      When this option is enabled, duplicate username conflicts are automatically resolved during an LDAP sync. Duplicate username conflicts can occur if Use Delayed Sync Removal is enabled and a username is removed and then re-added to the AD between LDAP sync cycles.

      note

      Note

      All tokens previously assigned to users with duplicate usernames are automatically revoked during this process.

  3. Select Download to save the SASSyncConfigFile.bmc key file.

    You need this file when you configure SafeNet Synchronization Agent.

On this page