Integrating a directory server

Transcription

1 Integrating a directory server Knox Manage provides a directory service that integrates a client's directory server through a Lightweight Directory Access Protocol (LDAP)-based Active Directory service in order to access intracompany data. This directory service, integrated with Knox Manage, can be used to authenticate user information, and then register users, groups, or organizations on the Knox Manager server, and/or to simplify the user registration process within the company through VPN, Microsoft Exchange, Certificate, or Account integration. The directory service in Knox Manage can be used as follows: 1. Directory server integration: Register server connection information including the directory server IP address and port number. For more information, see Adding directory server. When connecting Knox Manage installed in the cloud with a client's enterprise system, you can create a secure channel using Cloud Connector. The use of Cloud Connector is optional. You can enable Cloud Connector as described in Adding directory server. 2. Directory connector: Add search conditions for the enabled directory server including the Base DN and Filter fields. For more information, see Setting a directory connector. 3. User Authentication Settings and Search: Enable User Authentication in the profile that will use the directory connector or enable it in Configuration. Note: To learn more about how to integrate mail servers, such as Microsoft Exchange with Knox Manage, see Setting Exchange. 345

2 Adding directory server To get your company's user information through a link with the directory server, set up the directory server as follows. The directory server can be registered, modified and deleted, and can not delete the currently active directory server. To link to a directory server, follow the steps below: 1. Go to Settings > System Integration > Directory Integration. 2. Click on the top of the window. 3. Enter the information in Default Settings tab in the Add Directory window. Depending the Auth Type, enter additional information in the Authentication Detailed Setting tab. Pool Name: Enter a pool name that is up to 20 characters in length, containing letters, numbers, and special characters (only dashes and underscores allowed) to distinguish it from other directory services. Encryption Type: Select an encryption type for the internet communication protocol that will be used for communication with the directory server. - None (no encryption) - Secured Socket Layer (SSL) - Transport Layer Security (TLS) Auth Type: Select an authentication type that will be used for communication with the directory server. - None (no authentication) - Simple (Select this default value when you are not certain about the authentication type.) 346

3 - If you choose DIGEST-MD5 (SASL), CRAM-MD5 (SASL), or GSSAPI (Kerberos), then you need to configure the advanced settings in the Authentication Detailed Setting tab by referring to the information below: Auth Type Description DIGEST- MD5 (SASL) / CRAM- MD5 (SASL) GSSAPI (Kerberos) Configure the settings for Simple Authentication and Security Layer (SASL), a telnet-based protocol, as below: SASL Realm: Enter the realm value of the SASL server in domain format (e.g., sample.com). Quality of Protection: Select the quality of the data protection from the followings. - Authentication Only: Protect the data only upon authentication. - Authentication with integrity protection: Ensures integrity of all the data exchanged as well as authentication. - Authentication with integrity and privacy protection: Ensures integrity for all the data exchanges as well as authentication through data encryption. Protection Strength: Select a data protection level, and determine whether mutual authentication should be performed when exchanging data. - High: Use 128-bit encryption. - Medium: Use 56-bit encryption. - Low: Use 40-bit encryption. - Mutual Authentication: Ensures data validity by inserting the key into the data exchanged between the client and server. Kerberos Credential Configuration: Choose how to obtain a Kerberos ticket. - Use Native TGT: Select when you already have a ticket issued in Knox Manage. - Obtain TGT from KDC: Issue a new ticket using the default user ID and password. Kerberos Configuration: Select how to configure the Kerberos server. - Use Native System Configuration: Use Kerberos server information defined in the Java Property. - Use Following Configuration: Enter the Kerberos server information manually. - Realm: Enter the Realm of the Kerberos server. - KDC Host: Enter kerberos key distribution center (KDC) Host or IP address. - KDC Port: Enter KDC Port. IP/HOST: Enter the IP or HOST address of the directory address. Port: Enter the TCP port number that should be used for communication with the directory server. The default port number used for unencrypted communication with the directory server is 389. User ID and Password: Enter the User ID and Password that have read access to the directory server as the administrator account for accessing the directory server. 347

4 - It can be input in various forms such as domain\administrator ID, administrator or CN=administrator ID,CN=Users,DC=domain,DC=com. Maximum Active: The maximum number of connections that can be activated, select the number of connections to activate from 10 to 50. Maximum Idle: The maximum number of connections that can be idle, select the number of connections to keep idle from 0 to 30. Cloud Connector: Select whether to use the Cloud Connector in the Directory server. When you click Test to verify the conformity of input items, IP and Port information of Cloud Connector is automatically input. 4. Clicking Connection Test validates the Sync service input fields and saves the IP/HOST addresses and port number of the directory server. 5. After entering all information, click Save. Note: You may enable Cloud Connector to create a secure channel between the directory server and Knox Manage server. To learn more about how to enable Cloud Connector, see Cloud connector. Checking connection status with a directory server To check the connection with the directory server, follow the steps below: 1. Go to Settings > System Integration > Directory Integration. 2. Select the directory server to check the connection status, and click Check Directory Status. Click OK when the confirmation pop-up appears. 3. Check the Connection Status column on the directory list. 348

5 Setting a directory connector Enable the directory connector to filter a client's user information on the directory server integrated with Knox Manage and to import it. The directory connector extracts the required user information through the Directory Type, Range, and Filter settings, etc., simplifies the user registration process, and improves work efficiency for IT administrators. In the Connector settings, you can identify users by their Directory Type and Filter values, and also map the user information attributes on the Knox Manage and directory servers. When enabling the connector, see the following for more information on how to configure the Directory Type, Filter, and Output Field settings: Directory Type: See Directory service type. Base DN and Range: See Setting Base DN. Filter: See Setting filters. Output Field: See Setting output field. Adding directory connector To add a directory connector, follow the steps below: 1. Go to Settings > System Integration > Directory Connector. 2. Click on the top of the window. 3. In the Add Service window, enter the information. Service ID: Enter an ID that is up to 25 characters in length, containing letters, numbers, and special characters (only dashes and underscores allowed). Service Name: Enter a name that can distinguish it from other services. 349

6 Status: Select the status of the connector service that you need to operate. The default value is Activated. Pool Name: Among the pool names registered for directory servers in Settings > Integrations > Directory, choose the pool name that you want to register for the connector service. Service Type: Select a directory service type in accordance with the purpose of using user information provided by the directory server such as Authentication or Search. For more information, see Directory service type. Base DN: Click, and then in the Select the Base DN window, select the location from which searches should start on the directory server. For more information on Base DN, see Setting Base DN. Filter: Click, and then in the Select Object Class window, select an Object Class and attributes. Knox Manage provides basic filters for each directory type and allows you to select an LDAP syntax filter for user searches. For more information on filter, see Setting filters. Range: Based on the location specified in the Base DN field, select a search range for the directory server. - Object: Search within the level of Base DN. - One Level: Search within the level and the sub-level of Base DN. - Subtree: Search within all sub-levels including Base DN. Output field: Perform a search using the filter, and then select the set of attributes that should be returned for the entries that satisfy the filter. - Total: Returns all attributes for the searched entries. - Select: Only returns the attributes selected in the Output Field among the attributes for the searched entries. For information base output field, see Setting output field. Admin Role: Click 4. Click Save. and select Admin Role to manage the service. 350

7 Directory service type To perform user authentication or user searches on the directory server integrated with Knox Manage, select a directory type as follows: Classification Directory Service Type Service Description Authentication Authentication The Filter and Output Field fields are automatically set in accordance with the Directory Type value. Authentication requests are made to the client's directory server using this information. Search (Manually) Authentication (Manually) Search (Manually) Profile Configuration (User) VPN Exchange Account Profile Configuration (Certificate) Certificate Generic VPN The administrator has to fill out the Filter and Output Field fields manually. Authentication requests are made to the client's directory server using this information. Searches are performed on the integrated directory server using the Filter value manually entered by the administrator. This information can also be sent to devices. When VPN, Exchange, or Account is selected for integration in Profiles > Device Management Profile, this searches for a user using the Filter value specified for the connector. In order for you to go to Profiles > Device Management Profile > Android or ios > Settings, select Connector in the User information input method field in the Add Android/iOS Settings window, choose VPN, Exchange, or Account for integration, and then search for a user, you need to select Profile Configuration (User) as the Directory Type while registering the connector. When the administrator chooses Certificate or Generic VPN for integration in Profiles > Device Management Profile, this authenticates a user using the Filter value specified for the connector. In order for you to go to Profiles > Device Management Profile > Android or ios > Settings, select Connector in the User certificate input method field in the Add Android/iOS Settings window, and then authenticate a user through Certificate or Generic VPN integration, you need to select Profile Configuration (Certificate) as the Directory Type while registering the connector. Note: In order for you to select globalldapserviceauthenticator in the Authenticator field under Authentication in Settings > Configuration, and then authenticate a user on devices, you need to select Authentication or Authentication (Manually) as the Directory Type while registering the connector. For more information about configuring the Authentication settings in Knox Manage, see Configuring authentication. 351

8 Setting Base DN In the Base DN field, specify the location from which data searches should start on the directory server. You can enter a Base DN manually or select one. Please set it carefully: leaving the Base DN field unspecified may cause the entire directory server to be searched. To set the Base DN, follow the steps below. The Base DN field can be set while adding or modifying a directory connector. 1. Go to Settings > System Integration > Directory Connector. 2. Click next to a service, or click Service ID and click Modify. 3. In the Modify Service window, click next to Base DN. 352

9 4. In the Select the Base DN window, click the entry that you wish to set as the search start point on the directory server. Selected DN: Shows the selected DN (Distinguish Name). 5. Click Save. Setting filters Set up a filter to retrieve user information from the directory server. Knox Manage provides basic filters for each Directory Type. Administrators can search for information using a set filter. The filter is an LDAP syntax filter, which may differ by service. Filter attributes that are most commonly used to configure the filter settings on the directory server are as follows: {userid}: Knox Manage user ID {username}: Knox Manage user name { }: Knox Manage user {contact}: Knox Manage user phone number {empno}: Knox Manage user employee number To select the filter in the Modify Service window, follow the steps below. The filter settings can be configured while adding or modifying a directory connector. 1. Go to Settings > System Integration > Directory Connector. 2. Click next to a service, or click Service ID and click Modify. 3. In the Modify Service window, click next to Filter and in the Select Object Class window, click Object Class Name and Property Title you want to set as a filter and click OK. When searching for a specific object class, enter the object class name in the Select Object Class window and click on. To select the object class name defined by default as a filter, click Default at the bottom. To select the object class name defined by the connected directory server as a filter, click Custom at the bottom. 353

10 Property Information: The property information of the selected object class is displayed. Return Value: The LDAP Syntax of the selected property information and object class is displayed. 4. Click Save. Setting output field Entries searched on the directory server through a filter contain several attributes. The Output Field settings should be configured to only extract the desired attributes out of all available attributes. You can set an output field. If you click Total in the Output Field of the Add Service or Modify Service window, all fields are set as output fields and if you click Select, you can set the output field by selecting it. To set an output field in the Modify Service window, follow the steps below. The Output Field settings can be configured while adding or modifying a directory connector. 1. Go to Settings > System Integration > Directory Connector. 354

11 2. Click next to a service, or click Service ID and click Modify. 3. In the Modify Service window, click the Select radio button in the Output Field, and then click Add in the Output Field Settings area. Alternatively, click Loading Attribute, and select attributes. Loaded Attribute List: Attributes defined in the directory server: - Property Title: Name of attributes. - Description: Detailed description of attributes. Selected Attribute List: Return attributes when calling a service. Default: To select the object class name defined by default as a filter, click Default at the bottom. Custom: To select the object class name defined by the connected directory server as a filter, click Custom at the bottom. 355

12 a. Enter the property title in the search field of the Loading Attribute window, and click. b. Select a property title from Loaded Attribute list, and click to move the items to the Selected Attribute List. If a wrong property title selected, click to restore. 3. Click Save at the bottom of the Loading Attribute window. 4. After confirming the selected attributes in the Output Field Settings area, and click Save. Double click the source name item to change source name of each attributes. The Return Attribute Name may not be returned normally if you modify it arbitrarily with the name of the attribute you are requesting from the directory server. Testing directory service To make sure that the connector service functions correctly on the directory server, perform a test by setting parameters. To check whether the connector service functions properly through a test, follow the steps below: 1. Go to Settings > System Integration > Directory Connector. 2. Click next to a service. 3. Enter information required to perform a test in the Test window as follows: URL: A URL, which is used for a test when the service is called, is automatically entered. Click the dropdown menu on the right side of the URL field, and select XML or JSON as the output format. Parameter: If you have written a parameter key and value before, they are entered automatically. If there are none, then enter the parameter key and value previously specified in the Filter field in the Save Input Parameters window. (For example, userid=administrator) Load: Click Load to enter parameter. In the Input Value List window. In the Storage ID area of the Input Value List window, click the parameter that you wish to use as an input parameter, and then click OK. 356

13 Save: To use a repeatedly used input parameter by clicking Load, enter the relevant parameter key and value in the Input Value List window, and then click Save. - Input ID: To distinguish the parameter from other parameters, enter an Input ID that is up to 50 characters in length, containing letters, numbers, and special characters (only dashes and underscores allowed). - Service ID: Service ID of input parameter is automatically entered. - Service Type: Service type of parameter, such as SAP and DB, is automatically entered. - Description: Enter description of the parameter. - Parameters: In the Save Input Parameters window, enter the parameter key and parameter value previously specified in the Filter field as demonstrated below: (For example: userid=administrator) 4. Click Send to test the service connection in the Test window. You can check the Result Message in the Results Values area. The test results are displayed in tree structure, with the results expanded to the last node. Result Message displays the message type: either XML or JSON. 357

14 5. Click Close. Setting directory service operation hours You can set operation hours for directory service and record logs regarding the service. Also, you can choose to send message to users notifying the non-operating hours as well. To set the operation time of a directory service, follow the steps below: 1. Go to Settings > System Integration > Directory Connector. 2. Select a Service ID, and click Connector Service. 3. In the Connector Service window, select either Default or Individual set the details, and Save. Connector Service Time tab: Select the service time type. 358

15 Item Default Description Default service hour is 00:00-24:00 Monday to Saturday. Individual Message during non-operating hours tab: Enter a message notifying nonoperation hours. The entered message sends to the user devices when the service is not in operation. The service operates based on the time and day set by the administrator. For example) Mon. 00:00-20:30, Tue. 00:00-24:00, and Fri. 13:00-13:30: To add an operation schedule, select appropriate time and day, and click after selecting the date and time. To delete an a schedule, select an item and click after selecting the date and time. View Timetable: Displays all the specified service operation time and day in a time table format. 359

16 Log Service tab: Set whether to record log. Item Default Individual Description Log information is logged for the connector service. Choose whether to log the transaction. 360