Configuring LDAP servers

Ivanti EPMM is designed to interact with LDAP servers. Beginning with the Ivanti EPMM 11.7.0.0 release, Lightweight Directory Access Protocol over Secure Sockets Layer (LDAPS) (port 636) is recommended. Networks running Ivanti EPMM 11.6.0.0 and earlier are allowed to use regular LDAP, but Ivanti recommends that you adopt LDAPS as soon as practical. See LDAP Server window fields for Directory URL information.

Before you begin 

  • You can configure multiple LDAP servers, but each server must contain a unique configuration.
  • If you are using distributed LDAP Directory Connections (DC) in a round-robin configuration, you must use Services > LDAP to configure a primary DC and a failover (secondary) DC, or risk loss of group associations resulting in removal of apps and configurations. See the descriptions of the Directory URL and Directory Failover URL fields in this topic.

    Alternatively, you could configure all DCs behind an F5 load balancer with persistent sessions, also known as sticky sessions, enabled. Ivanti has not fully tested this approach.

  • The Ivanti EPMM Enterprise Connector does not support certificate-based authentication. This means that once you enable the Connector service, the Upload X509 Certificate option in LDAP preferences is not available.

Procedure 

  1. From the Admin Portal, go to Services > LDAP.
  2. Click Add New to open the New LDAP Setting page.
  3. Edit the fields as necessary. Refer to LDAP Server window fields for details.
  4. Scroll to the LDAP Groups setting to specify the set of LDAP groups that Ivanti EPMM gets from the LDAP server. Only these groups are available throughout the Admin Portal for viewing or selection.

    a. Go to Search By LDAP Groups and enter the first characters of an LDAP group that you want to select.
    b. Click the search icon. The LDAP groups in the LDAP server that match the search request appear in the Available section.
    c. Click the right arrow to move one or more LDAP groups to the Selected section.
  5. Repeat steps a through c for other LDAP groups.
  6. Click Advance Options to configure LDAP v3 properties.

    Configurations in the Advanced Options pane apply only to LDAP v3 servers.

  7. Select the authentication method between the client and server used in the SASL exchange.

    • Bind (default): This method uses the directory DN for authentication.
    • Kerberos v5 (SASL): This method uses mutual authentication.
  8. Select the user ID format from the Authentication User ID Format drop-down list.

    • User Principal
    • User UPN (user principal name)
    • User DN (distinguished name)
    • User DN with RFC2829 prefix
    • User Principal with RFC2829 prefix
  9. Select the group member format from the Group Member Format drop-down list.

    • DN - Distinguished name
    • UID - Unique Identifier
  10. Select the parameter for negotiating the authentication from the Quality of Protection drop-down list.

    LDAP v3 supports the Quality of Protection feature, which is not an LDAP v2-supported feature.

    • Authentication only is used for authenticating a user to a server.
    • Authentication with integrity protection is used to ensure that subsequent LDAP requests and responses are protected against tampering.
    • Authentication with integrity and privacy protection is used to ensure that subsequent LDAP requests and responses are encrypted and therefore protected against unintended monitoring. Privacy protection automatically entails integrity protection.
  11. Select the LDAP authentication method.

    • Use Client TLS Certificate: Select this to use the X509 certificate for authentication. Go to Services > LDAP > Preferences to upload the client X509 certificate that Ivanti EPMM presents to the LDAP server.
    • Request Mutual Authentication: Select this to verify both the identity of the user that is requesting authentication and the identity of the server providing the requested authentication.
  12. Select Enable Detailed Debug to enable JNDI debugging for LDAP communication.
  13. Optionally, enter additional properties in the Additional JNDI Context Properties field.
  14. Most environment properties are predefined, but some, such as language, security.credentials and security.principal, are implementation-specific. Properties defined here replace any values that were previously defined and take effect the next time the property is used. If a context does not have a particular environment property, it behaves as if it had that property set to its default value. For example:

    • To set the language to Japanese, enter Context.LANGUAGE, "ja-JP"
    • To set the credentials to the string "secret", enter Context.SECURITY_CREDENTIALS, "secret"
    • To set the principal name to the distinguished name "cn=admin, o=MI, c=us", enter Context.SECURITY_PRINCIPAL, "cn=admin, o=MI, c=us"
  15. Click View LDAP Browser to view the LDAP server directory tree structure.
  16. Click Test to open the LDAP Test window.
  17. Enter user or group identifier in the appropriate field.
  18. Click Submit. A result page displays if the user was configured on the LDAP server.
  19. Return to the LDAP page and click Save. A dialog appears warning of traffic disruption and asking whether to proceed.
  20. Click Yes. A dialog appears showing the status.
  21. Click OK. The server you created appears on the LDAP page.

LDAP Server window fields

The Directory URL field determines whether you use regular LDAP or LDAP over Secure Sockets Layer (LDAPS). LDAPS is recommended for Ivanti EPMM 11.7.0.0 and later releases.

When using LDAPS

  • You need an X509 certificate for LDAPS authentication.

    If the certificate has a SAN field, Ivanti EPMM ignores the CN value and looks for a match in the SAN list. Use of the CN field is deprecated, so Ivanti EPMM checks the CN only if no SAN is present.

  • These certificate fields presented by the LDAPS server to Ivanti EPMM must match the URL:

    • Common Name (CN)
    • Subject Alternative Name (SAN)
    • Domain Name System (DNS) name

    If no match exists, the connection request fails.

  • You do not need to specify the ports when you use these default ports:

    • 389 for LDAP - Not recommended. Available for Ivanti EPMM releases 11.6.0.0 and earlier.
    • 636 for LDAPS - Recommended for Ivanti EPMM releases 11.7.0.0 and later.
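The URL and certificate-name rules above, as an added Python example (not Ivanti's code): it applies the default ports to a Directory URL and then matches the URL host against the server certificate the way the text describes, consulting the CN only when no SAN is present. Hostnames and certificate names are constructed, and matching is exact (the page does not describe wildcard handling).

```python
from urllib.parse import urlsplit

# Default ports listed above: 389 for ldap://, 636 for ldaps://
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_directory_url(url):
    """Return (scheme, host, port) for a Directory URL, filling in the
    default port when the URL does not specify one."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("Directory URL must start with ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError("Directory URL has no host")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return parts.scheme, parts.hostname.lower(), port


def ldaps_name_matches(url, san_dns_names, common_name):
    """Certificate-name check for an LDAPS Directory URL.

    When the certificate carries a SAN extension, only its DNS entries are
    consulted and the CN is ignored; the CN is checked only when no SAN
    is present. A plain ldap:// URL presents no certificate, so it never
    matches."""
    scheme, host, _port = parse_directory_url(url)
    if scheme != "ldaps":
        return False
    if san_dns_names:  # SAN present: CN is ignored entirely
        return any(host == name.lower() for name in san_dns_names)
    return common_name is not None and host == common_name.lower()


# Constructed sample certificates (assumed values, not from any real server)
CERT_WITH_SAN = {"cn": "ldap.corp.example",
                 "san": ["dc01.corp.example", "dc02.corp.example"]}
CERT_CN_ONLY = {"cn": "ldap.corp.example", "san": []}


def check(url, cert):
    """Convenience wrapper: does the Directory URL match this certificate?"""
    return ldaps_name_matches(url, cert["san"], cert["cn"])


if __name__ == "__main__":
    for url, cert in [("ldaps://dc01.corp.example", CERT_WITH_SAN),
                      ("ldaps://ldap.corp.example", CERT_WITH_SAN),
                      ("ldaps://ldap.corp.example", CERT_CN_ONLY)]:
        print(url, "->", "match" if check(url, cert) else "connection fails")
```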

The following table summarizes fields and descriptions in the LDAP Server window:

Table 6. LDAP server fields

Directory URL

Enter the URL to the LDAP server. Make sure to start with ldap:// or ldaps://.

Directory Failover URL

Enter a secondary URL, if available.

Directory UserID

Enter the primary user ID, for example, [email protected]. Make sure to include the domain, for example, @local.domain, with the user ID.

Directory Password

Enter the password for the user ID set above.

Search Results Timeout

Do not change the default of 30 seconds unless you get connection errors.

Chase Referrals

Select Enable if you are using a multi-forested domain. This indicates you want to use alternate domain controllers when the targeted domain controller does not have a copy of the requested object.

Select Disable if you do not use alternate domain controllers.

Enabling the Chase Referrals option delays LDAP authentication.

Admin State

Select Enable to put the server into service. Make sure to enable the Admin State, or the LDAP server will be invisible.

Directory Type

Select Domino for the IBM Lotus Domino server platform. The default DN and other LDAP search filters are automatically changed to match the Domino server.

Select Active Directory for the Microsoft Windows server platform.

Domain

Enter the domain name for the Active Directory. Ivanti EPMM uses it to traverse all levels of the directory tree and to populate the Base DN (parent entry).

Changing the LDAP Server Sync Interval

The default interval for synchronization between Ivanti EPMM and the LDAP server is 24 hours. You can change this interval for all configured LDAP servers. You might want to change the interval to ensure updated information when the LDAP server data is changing frequently.

For LDAP groups, each synchronization syncs only the LDAP groups that you specified in the LDAP Setting page for each LDAP server at Services > LDAP.

To change the LDAP sync interval:

Procedure 

  1. From the Admin Portal, go to Services > LDAP > Preferences.
  2. Select the preferred interval from the drop-down. Intervals range from 15 minutes to 24 hours.
  3. Click Save.