
LDAP Syn and Attributes.doc

Date post: 04-Jun-2018

8/14/2019 LDAP Syn and Attributes.doc


HOW TO: Obtain correct syntax for Base DN, Bind DN or Attributes with LDAP for Directory Synchronization

Question

Enrollment issues or issues related to Directory Synchronization can be impossible to solve if the LDAP syntax is incorrect. This document describes some basic steps in obtaining the Base DN, Bind DN and Attributes or Values for correct usage for enrollment or PGP policies.

This answer pertains to PGP Universal Server 2.x.x.

Details: If Active Directory 2000 or 2003 is used, the User Principal Name can be entered in the Bind DN field in place of typing the entire Distinguished Name for the query user. User Principal Names (UPN) often follow the syntax of the user's email address, as for the particular user listed in the screenshot below.

Section 1: Defining Base DN and Bind DN for Directory Synchronization

This document is geared toward Microsoft Active Directory and the Softerra ldapbrowser to obtain correct syntax for Directory Synchronization used in PGP Universal Server. However, the same concepts can be applied to other ldap directories as well.

Starting from the basics of Active Directory.

Below is a screenshot of a basic tree in Active Directory. This is a basic configuration, but the Bind DN is derived by using ldap syntax and going up the tree starting at the user. For example, the user user1 is contained in Users, under example.com. The corresponding Bind DN is going to be CN=user1,CN=Users,DC=example,DC=com, but this will be discussed in more detail in the following steps.

An easy way to find the Bind DN that is needed for the PGP Universal Server is to query the Active Directory of a Windows 2003 Server. The query is performed at the command prompt of the Windows 2003 Server.

In the following example, the domain is example.com, and we are finding the Distinguished Name (the Bind DN field for the PGP Universal Server) for user1. After obtaining the correct Distinguished Name, Softerra can be utilized to find users, attributes or values. The query is detailed below and can be used with Active Directory 2003 only.

Type the following command and press Enter:

dsquery user dc=example,dc=com -name user1*

If your user has a long name, the * will do a wildcard match for that user.

Or

dsquery user dc=example,dc=com -name "user1"

These commands will return the correct Bind DN for Directory Synchronization on the PGP Universal Server:

"CN=user1,CN=Users,DC=example,DC=com"

Unless Active Directory 2003 is being used, it will be necessary to find the Bind DN manually. Using an ldap browser such as Softerra (below) can help out. When using Softerra, the credentials will need to be entered for the user binding to the ldap directory when you create a new profile.


Although Softerra will not tell you the exact Bind DN needed for PGP Universal Server, it will let you know immediately if the ldap syntax is incorrect, as stated below, and help in your trial and error process. The fields necessary to find correct syntax are the hostname of the ldap directory, the User DN (Distinguished Name), and the password (don't use anonymous bind, as this will not show you accurate query results).


Once the ldap syntax is correct, a successful bind will show you the directory similar to how it appears in Active Directory.

Below is an example of the properties for the user user1 and how the Distinguished Name corresponds to the Bind DN in Directory Synchronization.

Below is a break-down of how user credentials are translated within ldap (very basic example). The Bind DN is comprised of the user and the location of the user in the ldap directory tree.


Each element of the Distinguished Name is pointed out. The first part is the user CN=user1. The second part is the container CN=Users, the third part is the domain DC=example and DC=com. Therefore, the Bind DN is CN=user1,CN=Users,DC=example,DC=com.

If the domain was example.net, the syntax would be DC=example,DC=net. DC is used for the domain credentials. CN is used for the User credentials.

Compare what is in Softerra, as in the screenshots in previous examples, and what is in PGP Universal Server; the credentials should match exactly. A copy and paste will ensure no typos are made.

When browsing to the user as in the previous screenshot, the Distinguished Name is what defines the Bind DN inside of Directory Synchronization.


Once you have defined the Bind DN inside of PGP Universal Server, you can also enter the Base DN, which is the latter part of the Bind DN. This will start the query from the top level down, but this can be configured to search lower in the tree:
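To make the Bind DN derivation (walking up the tree from the user) and the Base DN relationship just described concrete, here is an added Python example that is not part of the original document or of PGP Universal Server. It builds a DN from the user's position in the tree, escapes the RFC 4514 special characters (a CN such as "Smith, John" would otherwise break the comma-separated syntax), parses a DN back into its parts, and checks that a Base DN really is the tail of the Bind DN, which is what lets a search that starts at the Base DN reach the bind user. The function names and the sample DNs are constructed for this example.

```python
"""Build, parse and check LDAP Distinguished Names as derived above.
Added example with constructed names; not code from the original document."""
import re

# RFC 4514 characters that must be backslash-escaped inside an RDN value.
_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value: str) -> str:
    """Escape one RDN value (e.g. a CN of 'Smith, John') for use inside a DN."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out                      # leading '#' or space is special
    if out.endswith(" "):
        out = out[:-1] + "\\ "                # trailing space is special too
    return out


def build_bind_dn(user_cn: str, containers: list, domain: str) -> str:
    """Walk up the tree from the user: CN=user, then each container (nearest
    first), then one DC= component per label of the domain name."""
    rdns = ["CN=" + escape_rdn_value(user_cn)]
    rdns += ["CN=" + escape_rdn_value(c) for c in containers]
    rdns += ["DC=" + escape_rdn_value(label) for label in domain.split(".")]
    return ",".join(rdns)


def parse_dn(dn: str) -> list:
    """Split a DN into (type, value) pairs on unescaped commas.
    Raises ValueError for an RDN without '=' (the typical syntax typo)."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def is_within_base(bind_dn: str, base_dn: str) -> bool:
    """True when base_dn is the tail of bind_dn, i.e. the bind user sits under
    the Base DN.  Types and values are compared case-insensitively."""
    bind, base = parse_dn(bind_dn), parse_dn(base_dn)
    if len(base) > len(bind):
        return False
    tail = bind[len(bind) - len(base):]
    return [(a, v.lower()) for a, v in tail] == [(a, v.lower()) for a, v in base]
```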


Section 2: Defining Attributes and Values for Desktop policies on the PGP Universal Server.

Defining Attributes would only be used in the following scenarios:

A. PGP Universal Server in Gateway deployment where all users' emails will be processed by the PGP Universal Server, but only a certain amount of users should be encrypting. Defining attributes can allow only certain users to be enabled or disabled so encryption will occur for some and not for others.

B. Multiple PGP Desktop policies are going to be used. Configuring attributes and values can help assign users into groups dynamically instead of creating many custom preset policies.

Once you have the Base and Bind DN entered into Directory Synchronization correctly, the next step is to define Attributes for the Users. Specifying Attributes and Values in the individual PGP Desktop policies will allow PGP Universal Server to assign individual users into separate policies that have been created.


For the example below, a 'memberOf' Attribute is specified for the user in the 'israel_team' group. These Attributes and Values are also specified on the PGP Universal Server. PGP Universal Server will then query AD to assign users into specific PGP Desktop Policies. The Name in the example below is the Attribute within PGP Universal Server and the Value is in fact the Value inside of PGP Universal Server:

Again, compare what is in Softerra and what is in PGP Universal Server. The Attributes and Values should match exactly. A copy and paste will ensure no typos are made.
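The following added Python example (not from the original document and not PGP Universal Server's code) shows the Attribute/Value assignment Section 2 describes: each policy carries a Name (the attribute, here memberOf) and a Value (the group DN), and a user lands in the first policy whose value appears among that user's attribute values. It goes one step beyond the exact-match advice above by normalising case and spacing in DN-valued attributes, so a pasted value that differs only in those respects still matches, and it shows which users fall through to the default policy. The users, group and policy definitions are constructed sample data.

```python
"""Assign directory users to PGP Desktop policies by Attribute/Value match.
Added example with constructed data; not the product's own code."""


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN-valued attribute so copy/paste differences in case or
    spacing around commas do not break the match (AD compares DNs case-insensitively)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


# Constructed sample of what an LDAP query for the users might return.
SAMPLE_USERS = [
    {"dn": "CN=user1,CN=Users,DC=example,DC=com",
     "memberOf": ["CN=israel_team,CN=Users,DC=example,DC=com"]},
    {"dn": "CN=user2,CN=Users,DC=example,DC=com",
     "memberOf": ["CN=finance,CN=Users,DC=example,DC=com"]},
    {"dn": "CN=user3,CN=Users,DC=example,DC=com",
     "memberOf": []},                      # in no group: gets the default policy
]

# Constructed policy definitions: (policy name, attribute Name, attribute Value),
# i.e. the Name/Value pair entered on the server for each PGP Desktop policy.
# The first value deliberately differs from the directory in case and spacing.
SAMPLE_POLICIES = [
    ("Israel Team Policy", "memberOf", "cn=israel_team, cn=users, dc=example, dc=com"),
    ("Finance Policy", "memberOf", "CN=finance,CN=Users,DC=example,DC=com"),
]


def assign_policies(users, policies, default="Default"):
    """Return {user DN: policy name}.  The first policy whose attribute Value
    is found among the user's values wins; unmatched users get the default."""
    assignment = {}
    for user in users:
        chosen = default
        for name, attr, wanted in policies:
            values = user.get(attr, [])
            if isinstance(values, str):          # single-valued attribute
                values = [values]
            if normalize_dn(wanted) in {normalize_dn(v) for v in values}:
                chosen = name
                break
        assignment[user["dn"]] = chosen
    return assignment


def unmatched_users(users, policies, default="Default"):
    """DNs of users that matched no policy; worth reviewing before going live,
    since in a Gateway deployment these are the users who will not encrypt."""
    return [dn for dn, pol in assign_policies(users, policies, default).items()
            if pol == default]
```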


Once you have followed these basic guidelines, you should be able to get Users assigned to your specific PGP policies once enrollment completes, or in Gateway placement when users send email through the Universal Server.

Note: ldifde -f c:\filename.txt (exports the directory entries to an LDIF file, which is another way to read the exact DNs and attribute values)

