Configuring LDAP servers

When configured, MobileIron can interact with LDAP servers. You can configure multiple LDAP servers, but each server must have a unique configuration.

NOTE: The MobileIron Connector does not support certificate-based authentication. This means that once you enable the Connector service, the "Upload X509 Certificate" option in LDAP preferences is not available.

Procedure 

  1. From the Admin Portal, go to Services > LDAP.
  2. Click Add New to open the New LDAP Setting page.
  3. Edit the fields as necessary.

    Refer to the LDAP Server window table for details.

  4. Scroll to the LDAP Groups setting to specify the set of LDAP groups that Core gets from the LDAP server. Only these groups are available throughout the Admin Portal for viewing or selection.
  5. Under Search By LDAP Groups, enter the first characters of the LDAP group that you want to select.
  6. Click the search icon.

    The LDAP Groups in the LDAP server that match the search request appear in the Available section.

  7. Click the right arrow to move one or more LDAP groups to the Selected section.
  8. Repeat steps 5 through 7 for other LDAP groups.
  9. Click Advanced Options to configure LDAP v3 properties.

    NOTE: Configurations in the Advanced Options pane apply only to LDAP v3 servers.
  10. Select the authentication method between the client and server used in the SASL exchange.

    • Bind (default): This method uses the directory DN for authentication.
    • Kerberos v5 (SASL): This method uses mutual authentication.
  11. Select the user ID format from the Authentication User ID Format drop-down list.

    • User Principal
    • User UPN
    • User DN
    • User DN with RFC2829 prefix
    • User Principal with RFC2829 prefix
  12. Select the group member format from the Group Member Format drop-down list.

    • DN
    • UID
  13. Select the parameter for negotiating the authentication from the Quality of Protection drop-down list.

    NOTE: Quality of Protection is an LDAP v3 feature; LDAP v2 does not support it.
    • Authentication only is used for authenticating a user to a server.
    • Authentication with integrity protection is used to ensure that subsequent LDAP requests and responses are protected against tampering.
    • Authentication with integrity and privacy protection is used to ensure that subsequent LDAP requests and responses are encrypted and therefore protected against unintended monitoring. Privacy protection automatically entails integrity protection.
  14. Select the LDAP authentication method.

    • Use Client TLS Certificate: Select this to use the X509 certificate for authentication. Go to Services > LDAP > Preferences to upload the client X509 certificate that MobileIron Core presents to the LDAP server.
    • Request Mutual Authentication: Select this to verify both the identity of the user that is requesting authentication and the identity of the server providing the requested authentication.
  15. Select Enable Detailed Debug to enable JNDI debugging for LDAP communication.
  16. Enter additional (and optional) properties in the Additional JNDI Context Properties field.
  17. Most environment properties are predefined, but some, such as language, security.credentials, and security.principal, are implementation-specific. Properties defined here replace any previously defined values and take effect the next time the property is invoked. If a context does not have a particular environment property, it behaves as if it had that property set to its default value. For example:

    • To set the language to Japanese, enter Context.LANGUAGE, "ja-JP"
    • To set the credentials to the string "secret", enter Context.SECURITY_CREDENTIALS, "secret"
    • To set the principal name to the distinguished name "cn=admin, o=MI, c=us", enter Context.SECURITY_PRINCIPAL, "cn=admin, o=MI, c=us"
  18. Click View LDAP Browser to view the LDAP server directory tree structure.
  19. Click Test to open the LDAP Test window.
  20. Enter a user or group identifier in the appropriate field.
  21. Click Submit. A results page shows whether the user is configured on the LDAP server.
  22. Return to the LDAP page and click Save. A dialog warns of traffic disruption and asks whether to proceed.
  23. Click Yes. A dialog reports the status.
  24. Click OK. The server you created appears on the LDAP page.

LDAP Server window

The following table summarizes fields and descriptions in the LDAP Server window:

Table 1. LDAP server Fields

Fields

Description

Directory URL

Enter the URL to the LDAP server. Make sure to start with "ldap://" or "ldaps://".

When using "ldaps://" (LDAP over SSL):

  • You need an X509 certificate for LDAP authentication.
  • The following fields of the certificate presented by the LDAPS server to Core must match the URL:
    • the Common Name (CN)
    • the Subject Alternative Name (SAN)
    • the DNS name
  • If no match exists, the connection request fails.

NOTE: If the certificate has a SAN field, Core ignores the CN value and looks for a match in the SAN list. Use of the CN field is deprecated, so Core checks the CN only if no SAN is present.

You do not need to specify the ports when you use these default ports: 389 (LDAP) or 636 (LDAPS).

Directory Failover URL

Enter a secondary URL, if available.

Directory UserID

Enter the primary user ID. Make sure to include the domain (for example, @local.domain) with the user ID.

Directory Password

Enter the password for the user ID set above.

Search Results Timeout

Do not change the default of 30 seconds unless you get connection errors.

Chase Referrals

Select Enable if you are using a multi-forested domain. This indicates you want to use alternate domain controllers when the targeted domain controller does not have a copy of the requested object.

Select Disable if you do not use alternate domain controllers.

NOTE: Enabling the Chase Referrals option delays LDAP authentication.

Admin State

Select Enable to put the server into service. Make sure to enable the Admin State, or the LDAP server will not be visible.

Directory Type

Select Domino for the IBM Lotus Domino server platform. The default DN and other LDAP search filters are automatically adjusted for the Domino server.

Select Active Directory for the Microsoft Windows server platform.

Domain

Enter the domain name for the Active Directory. Core uses it to traverse all levels of the tree automatically and to populate the Base DN (the parent entry).
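The Directory URL rule above (SAN entries win; the CN is consulted only when no SAN is present; 389/636 are the implied ports) can be checked before trusting an LDAPS connection. The following is an added example, not MobileIron's own code; the certificate dicts are constructed samples in the shape that Python's ssl.getpeercert() returns, and the function and host names are assumptions for illustration.

```python
# Added example (not MobileIron's code): applies the Directory URL certificate
# rule to a parsed LDAPS server certificate. The cert dict has the same shape
# as ssl.SSLSocket.getpeercert() returns; the sample certs are constructed.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_directory_url(url):
    """Split a Directory URL into (scheme, host, port), filling default ports."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("Directory URL must start with ldap:// or ldaps://")
    return parts.scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[parts.scheme]


def _label_match(pattern, host):
    """Exact match, or a single leftmost '*' label (RFC 6125 style wildcard)."""
    pattern = pattern.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        suffix = pattern[1:]
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def ldaps_cert_matches_url(url, cert):
    """Return True when the certificate is acceptable for this ldaps:// URL.

    If the certificate carries a SAN extension, only its DNS entries are
    consulted and the CN is ignored; the CN is used only when no SAN exists.
    """
    scheme, host, _port = parse_directory_url(url)
    if scheme != "ldaps":
        return False  # plain ldap:// presents no certificate to check
    san_dns = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_label_match(n, host) for n in san_dns)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_label_match(n, host) for n in cns)


# Constructed sample certificates (hypothetical hosts, not real servers).
CERT_WITH_SAN = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "dc01.example.com"), ("DNS", "*.corp.example.com")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "ldap.example.com"),),)}
```

Note that CERT_WITH_SAN is rejected for ldaps://ldap.example.com even though its CN matches, because the SAN is present and takes precedence.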

Changing the LDAP Server Sync Interval

The default interval for synchronization between MobileIron Core and the LDAP server is 24 hours. You can change this interval for all configured LDAP servers. You might want to change the interval to ensure updated information when the LDAP server data is changing frequently.

NOTE: For LDAP groups, each synchronization syncs only the LDAP groups that you specified in the LDAP Setting page for each LDAP server at Services > LDAP.

To change the LDAP sync interval:

Procedure 

  1. From the Admin Portal, go to Services > LDAP > Preferences.
  2. Select the preferred interval from the drop-down.

    Intervals range from 15 minutes to 24 hours.

  3. Click Save.