Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

SafeNet Synchronization Agent

SafeNet Synchronization Agent for LDAP

search
printsuggest an editpdf paneldownload

SafeNet Synchronization Agent for LDAP

A default LDAP schema has been provided for each of the supported LDAP directory servers. These default schemas cannot be changed but additional schemas can be created if necessary. It is recommended that the default schemas be used if possible.

note

Note

For SQL environments, see Configure SafeNet Synchronization Agent for SQL

alt_text

After you configure the LDAP sync server, configure the agent for LDAP as follows:

  1. From an administrator account, launch SafeNet Synchronization Agent by clicking Start > SafeNet > SafeNet Synchronization Agent. If necessary, right-click SafeNet Synchronization Agent and select Run as administrator.

    The SafeNet Synchronization Agent window displays.

    alt_text

  2. Click Add in the SafeNet Virtual Server section.

  3. Browse to the location of the SASSyncConfigFile.bmc key file saved in Configure record removal and generate an encryption key and then select Open to load the file.

    The Virtual Server Name field displays the name of your virtual server.

  4. Click the Configuration tab.

  5. Click Configure in the User Source Configuration section.

    alt_text

    The User Source Type window displays.

    alt_text

  6. Select LDAP and then select Next.

    The LDAP Configuration window displays.

    alt_text

  7. Enter the following information and then click Next.

    Field Description
    Host Name or IP Address The name or IP address of the LDAP directory server (e.g., AD).
    Port

    Typically, TCP port 389 is used for the LDAP directory server.

    Alternatively, the Global Catalog port, TCP port 3268, may be used.

    NOTE: If you use the Global Catalog port for SafeNet Synchronization Agent:

    • The agent must reside on a server that is connected to the root domain and configured to the root domain on TCP port 3268.
    • The agent must be configured to the root domain in the forest and you must configure the groups on the root domain’s Active Directory.
    • The groups must be set to type Universal Group so that they are visible to the whole forest.
    Use TLS for LDAP connection

    Select this option and use port 636, or port 3269 if you use the Global Catalog.

    NOTE: You must select this option to use SafeNet Synchronization Agent with the secure default settings that are enforced by Microsoft. See Security Advisory - ADV190023.

    This setting applies only to attributes other than the password. Password synchronization is always encrypted, regardless of this setting.
    Number of Failover Hosts

    Select the number of failover LDAP Directory Servers to which SafeNet Synchronization Agent may connect if the primary server is inaccessible.
    Connection Timeout (secs)

    The period within which an LDAP connection must be established. The default value is 60 seconds. An invalid value will display an error message at the bottom of the window.

    note

    Note

    All servers must have access to the same Base DN.

    The LDAP Schema window displays.

    alt_text

  8. Select the schema that matches your LDAP Directory Server and then click Next.

    The LDAP Credentials window displays.

    alt_text

  9. Enter the following information and then click Next.

    Field Description
    User DN

    The User DN created for the SafeNet Synchronization Agent connection to the LDAP directory server. The User DN contains the user name (and location of the user within LDAP) that is used by SafeNet Synchronization Agent to connect to the LDAP directory server. For AD environments, specifying the UPN is sufficient; for example, ldapreadonly@my.domain.
    Base DN

    Select the highest level in the directory in which SafeNet Synchronization Agent is to begin its search for users.

    For example: In the sample shown, the Base DN is DC=number, DC=sys.

    Define the User DN as <username>@number.sys

    For non-AD schemas, this value may be more complicated.

    For example: uid=<username>, ou=Administrators, dc=aecl, dc=crypto, dc=prod
    Append Base DN to User DN

    Select this option to add the Base DN to the information defined in the User DN.

    For example: If the User DN is uid=<username> and the Base DN is dc=aecl, dc=crypto, dc=prod, the following would be submitted to the LDAP directory server when connecting:

    uid=<username>, dc=aecl, dc=crypto, dc=prod
    Password

    Enter the password created for the SafeNet Synchronization Agent connection to the LDAP directory server.

  10. Depending on the LDAP schema:

    • For Active Directory LDAP schemas, the following window displays.

      alt_text

      1. Select Enable password synchronization to allow users to use their AD (domain) password to also access resources protected by STA or SAS PCE.

      2. Click Next and then skip to step 11.

        For more details, see Configure Active Directory password synchronization.

    • For other LDAP schemas, the agent searches for all containers that have users, starting from the Base DN.

      alt_text

      1. Select Override the list of containers found, to exclude or add containers.

      2. Click Next.

        The Override Container List window displays.

      3. Add or remove the containers that are to be included in searches for users.

      4. Click Next.

        The Configuration Complete window displays.

  11. Click Finish to save your changes.

  12. Click the Status tab in the SafeNet Virtual Server section.

  13. Click Details in the Synchronization Details section to display the LDAP connection details.

    The User Source Connection Details window displays.

    alt_text

    note

    Note

    Password information is not displayed.

  14. Click OK.

    SafeNet Synchronization Agent is now configured for LDAP.

  15. Repeat these steps for each virtual server that you want to add.

Next, configure groups for synchronization.

On this page