Admin > Infrastructure > LDAP

License: Silver

Configuring an LDAP server and a Connector enables you to import users and groups from your corporate directory. After you have installed at least one Connector, you can add one or more LDAP servers.

Adding an LDAP server means configuring:

  • the connection to the LDAP server
  • the search terms necessary to view the target directory data
  • the portion of the directory to import
  • whether to automatically invite users in the selected portion of the directory

After you have added an LDAP server, you can return to this page to edit the LDAP server information or change the LDAP users selected.

 

LDAP users must be imported after configuring an LDAP user. See Importing LDAP users.
LDAP usernames, just like local usernames, must be globally unique. Please verify that users do not already have a local account with the same username, or, for organizations with more than one tenant, that the username has not already been associated with another tenant.

Adding an LDAP server

Procedure

  1. Click +Add Server.
  2. Provide the following information:
  3. Setting

    What To Do

    Name

    Enter a name that identifies this server.

    Description

    Enter a description that clarifies the purpose of this server.

    Directory URL

    Enter the URL for the directory. Use one of the following formats:

    ldap://IP address or

    ldaps://IP address or

    Example: ldap://myserver1.mycompany.com:389

    User ID

    Enter the user ID for an account with the following characteristics:

    • managed by the LDAP server

    • can bind to the LDAP server and search the subtrees for user, group, and organizational unit

    This is generally an account with Directory Administrator Credentials (DN or Distinguished Name and password).

    Password

    Enter the password for the account.

    Confirm Password

    Re-enter the password for the account.

    Directory Type

    Select the type of directory from the list of supported directories.

    • Microsoft Active Directory

    • Open LDAP

    • Other (Open LDAP compatible)

  4. Click Test Connection and Continue.
  5. This step validates the information you have provided so far.

    • If the information proves valid, then the service retrieves the LDAP naming context, which it uses to fill in some of the fields on the next page.

    • If the LDAP URL fails to connect, you can proceed with the next steps. However, this may result in limited functionality until the connection is resolved.

  6. Complete the remaining settings:
  7. Setting

    What To Do

    Directory Failover URL

    Enter the URL for the secondary directory. Use the following format:

    ldap://IP address or

    Example: ldap://myserver2.mycompany.com:389

    Sync Interval

    Enter the period of time between each attempted synchronization of LDAP data from the LDAP server. The default value is 15 minutes. Consider increasing the interval after you have successfully synchronized all target LDAP data and confirmed that your LDAP setup meets your needs.

    Enable Sync Discard

    Select to automatically discard the LDAP sync data if the reloaded data set declines significantly. This option ensures that abnormal behavior on the part of the LDAP system will not result in unnecessary, disruptive updates on the service and removal of configurations from registered devices. Make sure this option is not selected if you plan to make major changes in your LDAP setup or on the LDAP server.

    Enable this LDAP Server

    Select to use this LDAP server with your service. Clear this setting if you want to retire this LDAP server or take it out of service. Though a configured failover to a second LDAP server would automatically replace this server, using this option enables you to plan ahead and avoid a brief lack of connectivity during failover.

    Automatically invite users whenever they are imported

    Select to automatically send invites to the users when they are imported from the LDAP server.

    Upload CA Certificate Click Choose File to upload the TLS certificate issued by the CA installed on this LDAP server. You can upload multiple CA certificates.

    Chase Referrals

    Applies only if you are using a multi-forested domain. This option indicates whether you want to use alternate domain controllers when the targeted domain controller does not have a copy of the requested object.

    • Select Follow if you want to use referrals.
    • Select Ignore if you do not want to use alternate domain controllers.
    • Throw currently has the same effect as Ignore.

    Selecting Follow delays LDAP authentication.

    Search Results Timeout

    Increase this timeout if you observe performance issues or incomplete results when browsing the data synchronized from the LDAP server.

    Search Results Count

    Set to the maximum number of records that should be returned from the LDAP server at one time. Scenarios that might require changing this setting to improve performance include:

    • The LDAP server is located far away or behind a high latency link. In this case, large search results will take longer to retrieve than small ones, so defining a smaller set enables you to see subsets of updated data more quickly.

    • The LDAP is massive, and every search returns a huge results set. In this case, if performance is not an issue, defining a larger results set would make it possible to return all of the data with fewer searches.

  8. Click Next.
  9. Use the following guidelines to configure the integration with the LDAP server:
  10. Setting

    What To Do

    Group Member Format

    Select DN or UID to indicate whether to use the distinguished name or the user ID in your search.

    OU Search Attributes

    Specify criteria for searching at the organizational unit level.

    Base DN

    Enter the distinguished name for the starting level at which you want your search to be rooted or begin. Your selection determines defaults for several other fields, which you can change, if necessary.

    Object GUID

    If necessary, change the default value to match your LDAP environment. This is the attribute that uniquely identifies an organizational unit across time and across OU name changes.

    Attribute Name

    If necessary, change the default value to match your LDAP environment.

    Description

    If necessary, change the default value to match your LDAP environment.

    Attribute DN

    If necessary, change the default value to match your LDAP environment.

    Search Filter

    If necessary, change the default value to match your LDAP environment.

    Search Scope

    Select the portion of the LDAP hierarchy to target:

    • Base (only the level of the search base entry)

    • One Level (the level beneath the search base)

    • Subtree (the subtree in the directory information tree beneath the search base DN)

    User Search Attributes

    Specify criteria for searching users in a given directory level.

    Base DN

    Enter the distinguished name for the starting level you want to search.

    Attribute UID

    If necessary, change the default value to match your LDAP environment.

    Object GUID

    If necessary, change the default value to match your LDAP environment. This is the attribute that uniquely identifies an user across time and across user name changes.

    Attribute DN

    If necessary, change the default value to match your LDAP environment.

    First Name

    If necessary, change the default value to match your LDAP environment.

    Last Name

    If necessary, change the default value to match your LDAP environment.

    Display Name

    If necessary, change the default value to match your LDAP environment.

    Email Address

    If necessary, change the default value to match your LDAP environment.

    Principal Name

    If necessary, change the default value to match your LDAP environment.

    Locale

    If necessary, change the default value to match your LDAP environment.

    Member Of

    If necessary, change the default value to match your LDAP environment.

    Search Filter

    If necessary, change the default value to match your LDAP environment.

    Search Scope

    Select the portion of the LDAP hierarchy to target:

    • Base (only the level of the search base entry)

    • One Level (the level beneath the search base)

    • Subtree (the subtree in the directory information tree beneath the search base DN)

    Managed Apple ID

    Choose to sync Managed Apple ID for the LDAP users.

    • None
    • Pattern - User email address. Optionally, select the Include "appleid" subdomain option to avoid conflict with existing Apple IDs.

    +Add Custom Attribute

    (Optional) Specify up to 7 custom user attributes from your directory service that you want to apply to device management. Each attribute can then be referenced by ${attributeName} in configuration fields that support variables.

    Important: Use of this option requires consistent implementation of custom attributes across LDAP servers. If an LDAP server included in your implementation does not use this attribute, then features dependent on this attribute might not work as expected.

    Group Search Attributes

     

    Base DN

    Enter the distinguished name for the starting level you want to search.

    Object GUID

    If necessary, change the default value to match your LDAP environment. This is the attribute that uniquely identifies a group across time and across group name changes.

    Attribute DN

    If necessary, change the default value to match your LDAP environment.

    Attribute Name

    If necessary, change the default value to match your LDAP environment.

    Description

    If necessary, change the default value to match your LDAP environment.

    Member

    If necessary, change the default value to match your LDAP environment.

    Search Filter

    If necessary, change the default value to match your LDAP environment.

    Search Scope

    Select the portion of the LDAP hierarchy to target:

    • Base (only the level of the search base entry)

    • One Level (the level beneath the search base)

    • Subtree (the subtree in the directory information tree beneath the search base DN)

  11. Click Browse or Search.
  12. Confirm that your configuration returns the expected data.
  13. You can do this by browsing or searching for a known item in the directory.

  14. Click Next.

Deleting a custom LDAP attribute

You can delete a custom LDAP attribute and remove its values from the associated users or devices.

Procedure

  1. Go to Admin > Attributes.
  2. In the Custom Attributes section click on the Delete link next to the LDAP attribute that should be deleted. A confirmation window is displayed.
  3. Click Delete to confirm deletion.

    that the Delete button is disabled by default. You should select the check box in the I understand that deleting a Custom Attribute cannot be reversed option to enable the Delete button.

Editing the LDAP server information

Procedure

  1. Go to Admin > LDAP.
  2. In the LDAP server entry, select the Edit icon from the Actions column to view the Connect LDAP Server page.
  3. Make the necessary changes.
  4. Click Test Connection and Continue.
    If the LDAP URL fails to connect, you may proceed with the next steps. However, this may result in limited functionality until the connection is resolved.
  5. Click Browse or Search.
  6. Confirm that your configuration returns the expected data.
    You can do this by browsing or searching for a known item in the directory.
  7. Click Done.

Importing LDAP users

Procedure

  1. Go to Users.
  2. Click +Add > Invite Users from LDAP.
  3. Click Select Users in the LDAP server entry.
  4. In the Add LDAP Users page, enter the name of the user, group, or OU in the search field.
  5. To add new users or groups, click +Add next to the entry you want to add.
  6. Click Next.
  7. Choose whether or not to send the invitation:
    • Invite None
      To send the invites later, go to Users > Users and select Actions > Send Invite to send the invitations.
    • Invite All
  8. Click Done.

Updating the users, groups, or organizational units selected

Procedure

  1. Go to Admin > LDAP.
  2. In the LDAP server entry, select the Manage Users icon  from the Actions column to view the Add LDAP Users page.
  3. To add new users or groups, enter the name of the user or group in the search field.
  4. Click +Add next to the entry you want to add.
  5. To remove a user, group, or OU, click the remove icon next to the entry you want to delete.
  6. Click Done.

Enabling LDAP Sync Discard Notification

Enabling LDAP sync discard notification helps prevent outages caused by unintended large scale changes to the LDAP environment.

Procedure

  1. Go to Admin > LDAP.
  2. In the LDAP server entry, select the Edit icon from the Actions column to view the Connect LDAP Server page.
  3. Check the Enable Sync Discard check box.
  4. Enter a value for the percentage of reloaded LDAP data to trigger sync discard.
  5. Click Test Connection and Continue.
    If the LDAP URL fails to connect, you can proceed with the next steps. However, this might result in limited functionality until the connection is resolved.
  6. Click Done.
  7. Click the Sync Now icon in the LDAP server entry.
    When the change difference to be synced from LDAP to Ivanti Neurons for MDM falls above the set discard percentage, a WARNING notification is generated. When the changes are reverted to a value below the set percentage, the notification is CLEARED.
Trigger Severity Notification Type Component Type Component
LDAP Sync Discard Warn Data Sync LDAP LDAP server name
LDAP Sync Restored Info Data Sync LDAP LDAP server name

The Partial Sync Discard Notification is generated when one or more user records fail to sync from LDAP. In this case, a CSV file is included as an attachment with a list of users that failed to sync. If a user was discarded due to missing attributes, the list of missing attributes is also included in the exported CSV file.

Synchronizing changes from the LDAP server

In the LDAP page, click the Sync Now icon in the LDAP server entry.

Troubleshooting Connectivity to the LDAPS Server

If you encounter issues connecting to the LDAPS (LDAP over SSL) server, you may be experiencing an issue with the certificate.

To resolve the issue:

  • Verify that you are not using a self-signed certificate on the LDAPS server.
  • Verify that the LDAPS certificate has not expired or been revoked. Also check for a hostname mismatch.

After verifying, wait for the automatic LDAP sync, or manually sync using the Admin > LDAP > Sync Now icon in the LDAP server entry.

If you cannot see the LDAP page, it might be that you do not have the required permissions. You need one of the following roles:

  • System Management

  • System Read Only