SafeNet Synchronization Agent for LDAP
A default LDAP schema has been provided for each of the supported LDAP directory servers. These default schemas cannot be changed but additional schemas can be created if necessary. It is recommended that the default schemas be used if possible.
For SQL environments, see Configure SafeNet Synchronization Agent for SQL.
After you configure the LDAP sync server, configure the agent for LDAP as follows:

1. From an administrator account, launch SafeNet Synchronization Agent by clicking Start > SafeNet > SafeNet Synchronization Agent. If necessary, right-click SafeNet Synchronization Agent and select Run as administrator.
   The SafeNet Synchronization Agent window displays.
2. Click Add in the SafeNet Virtual Server section.
3. Browse to the location of the SASSyncConfigFile.bmc key file saved in Configure record removal and generate an encryption key, and then select Open to load the file.
   The Virtual Server Name field displays the name of your virtual server.
4. Click the Configuration tab.
5. Click Configure in the User Source Configuration section.
   The User Source Type window displays.
6. Select LDAP and then select Next.
   The LDAP Configuration window displays.
7. Enter the following information and then click Next.
   Host Name or IP Address: The name or IP address of the LDAP directory server (e.g., AD).
   Port: Typically, TCP port 389 is used for the LDAP directory server. Alternatively, the Global Catalog port, TCP port 3268, may be used.
   NOTE: If you use the Global Catalog port for SafeNet Synchronization Agent:
   - The agent must reside on a server that is connected to the root domain and configured to the root domain on TCP port 3268.
   - The agent must be configured to the root domain in the forest, and you must configure the groups in the root domain's Active Directory.
   - The groups must be of type Universal Group so that they are visible to the whole forest.
   Use TLS for LDAP connection: Select this option and use port 636, or port 3269 if you use the Global Catalog.
   NOTE: You must select this option to use SafeNet Synchronization Agent with the secure default settings that are enforced by Microsoft. See Security Advisory ADV190023.
   This setting applies only to attributes other than the password. Password synchronization is always encrypted, regardless of this setting.
   Number of Failover Hosts: Select the number of failover LDAP directory servers to which SafeNet Synchronization Agent may connect if the primary server is inaccessible. All servers must have access to the same Base DN.
   Connection Timeout (secs): The period within which an LDAP connection must be established. The default value is 60 seconds. An invalid value displays an error message at the bottom of the window.
   The LDAP Schema window displays.
8. Select the schema that matches your LDAP directory server and then click Next.
   The LDAP Credentials window displays.
9. Enter the following information and then click Next.
   User DN: The User DN created for the SafeNet Synchronization Agent connection to the LDAP directory server. The User DN contains the user name (and the location of the user within LDAP) that SafeNet Synchronization Agent uses to connect to the LDAP directory server. For AD environments, specifying the UPN is sufficient; for example, ldapreadonly@my.domain.
   Base DN: Select the highest level in the directory at which SafeNet Synchronization Agent is to begin its search for users. For example, in the sample shown, the Base DN is DC=number, DC=sys, and the User DN is defined as <username>@number.sys. For non-AD schemas, the User DN may be more complicated; for example: uid=<username>, ou=Administrators, dc=aecl, dc=crypto, dc=prod
   Append Base DN to User DN: Select this option to add the Base DN to the information defined in the User DN. For example, if the User DN is uid=<username> and the Base DN is dc=aecl, dc=crypto, dc=prod, the following is submitted to the LDAP directory server when connecting: uid=<username>, dc=aecl, dc=crypto, dc=prod
   Password: Enter the password created for the SafeNet Synchronization Agent connection to the LDAP directory server.
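The two field lists above (LDAP Configuration and LDAP Credentials) state a handful of rules that are easy to get wrong when filling in the windows: the TLS option belongs with port 636 or 3269, the Global Catalog port carries extra requirements, the Append Base DN option rewrites the bind identity, and the timeout must be a valid number. The following Python script is an added example, not part of the SafeNet documentation or the agent's own code; it encodes those rules as a pre-flight check over a planned configuration. The data class, function names and the sample host and account names are assumptions made for this example.

```python
"""Added example (not from the SafeNet documentation): check a planned
SafeNet Synchronization Agent LDAP configuration against the rules stated
for the LDAP Configuration and LDAP Credentials windows before entering it."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Ports named in the documentation: plain LDAP and LDAP over TLS,
# Global Catalog and Global Catalog over TLS.
LDAP_PORT, LDAPS_PORT = 389, 636
GC_PORT, GC_TLS_PORT = 3268, 3269
PLAINTEXT_PORTS = {LDAP_PORT, GC_PORT}
TLS_PORTS = {LDAPS_PORT, GC_TLS_PORT}


@dataclass
class LdapAgentConfig:
    """Field names mirror the agent windows; the class itself is an assumption."""
    host: str
    port: int
    use_tls: bool              # "Use TLS for LDAP connection"
    user_dn: str
    base_dn: str
    append_base_dn: bool = False  # "Append Base DN to User DN"
    failover_hosts: List[str] = field(default_factory=list)
    timeout_secs: int = 60     # default shown in the documentation


def effective_bind_dn(cfg: LdapAgentConfig) -> str:
    """What is submitted to the directory when connecting, reproducing the
    documented example: uid=<username> + dc=aecl, dc=crypto, dc=prod
    becomes uid=<username>, dc=aecl, dc=crypto, dc=prod."""
    if cfg.append_base_dn and cfg.base_dn.strip():
        return f"{cfg.user_dn.strip().rstrip(',')}, {cfg.base_dn.strip()}"
    return cfg.user_dn.strip()


def uses_global_catalog(cfg: LdapAgentConfig) -> bool:
    return cfg.port in (GC_PORT, GC_TLS_PORT)


def check_config(cfg: LdapAgentConfig) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the settings
    are consistent with the documented guidance."""
    findings = []
    # Transport: the TLS option must be selected, and the port must match it.
    if not cfg.use_tls:
        findings.append(("error", "Use TLS for LDAP connection is not selected; "
                         "Microsoft's enforced secure defaults (ADV190023) require it"))
    if cfg.use_tls and cfg.port in PLAINTEXT_PORTS:
        findings.append(("error", f"TLS selected but port {cfg.port} is a plaintext port; "
                         f"use {LDAPS_PORT} (or {GC_TLS_PORT} for the Global Catalog)"))
    if not cfg.use_tls and cfg.port in TLS_PORTS:
        findings.append(("error", f"port {cfg.port} expects TLS but the TLS option is not selected"))
    if cfg.port not in PLAINTEXT_PORTS | TLS_PORTS:
        findings.append(("warning", f"port {cfg.port} is not a standard LDAP or Global Catalog port"))
    # Global Catalog: the documentation's three extra requirements.
    if uses_global_catalog(cfg):
        findings.append(("info", "Global Catalog port: the agent host must be connected and "
                         "configured to the root domain, and the groups must be Universal "
                         "Groups in the root domain's Active Directory"))
    # Credentials: Base DN is required; a UPN cannot have a Base DN appended.
    if not cfg.base_dn.strip():
        findings.append(("error", "Base DN is empty"))
    if cfg.append_base_dn and "@" in cfg.user_dn:
        findings.append(("error", "Append Base DN to User DN is set but the User DN is a UPN; "
                         "appending a DN to a UPN does not give a valid bind identity"))
    # Timeout: the agent rejects invalid values, so catch them here first.
    if (not isinstance(cfg.timeout_secs, int) or isinstance(cfg.timeout_secs, bool)
            or cfg.timeout_secs <= 0):
        findings.append(("error", f"Connection Timeout {cfg.timeout_secs!r} is invalid; "
                         "use a positive number of seconds (default 60)"))
    return findings


# Constructed sample configurations (host and account names are made up).
AD_EXAMPLE = LdapAgentConfig(host="dc01.number.sys", port=LDAPS_PORT, use_tls=True,
                             user_dn="ldapreadonly@number.sys", base_dn="DC=number, DC=sys",
                             failover_hosts=["dc02.number.sys"])
OTHER_EXAMPLE = LdapAgentConfig(host="ldap.aecl.example", port=LDAP_PORT, use_tls=False,
                                user_dn="uid=ldapreadonly",
                                base_dn="dc=aecl, dc=crypto, dc=prod", append_base_dn=True)

if __name__ == "__main__":
    for cfg in (AD_EXAMPLE, OTHER_EXAMPLE):
        print(f"{cfg.host}:{cfg.port} bind as {effective_bind_dn(cfg)}")
        for severity, message in check_config(cfg):
            print(f"  [{severity}] {message}")
```

Run the script as-is to see the AD sample pass cleanly and the non-AD sample flagged for the missing TLS option; adjust the sample values to match the settings you intend to enter in the agent.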
10. Depending on the LDAP schema:
    - For Active Directory LDAP schemas, the following window displays.
      a. Select Enable password synchronization to allow users to use their AD (domain) password to also access resources protected by STA or SAS PCE.
      b. Click Next and then skip to step 11.
      For more details, see Configure Active Directory password synchronization.
    - For other LDAP schemas, the agent searches for all containers that have users, starting from the Base DN.
      a. Select Override the list of containers found to exclude or add containers.
      b. Click Next.
         The Override Container List window displays.
      c. Add or remove the containers that are to be included in searches for users.
      d. Click Next.
         The Configuration Complete window displays.
11. Click Finish to save your changes.
12. Click the Status tab in the SafeNet Virtual Server section.
13. Click Details in the Synchronization Details section to display the LDAP connection details.
    The User Source Connection Details window displays. Password information is not displayed.
14. Click OK.
    SafeNet Synchronization Agent is now configured for LDAP.
15. Repeat these steps for each virtual server that you want to add.