Add sync services

Add AD/LDAP directory services in Knox Manage to synchronize user, organizational, and group information. Once added, you can sync through the corresponding menus in User, Group, and Organization.

To add a sync service, complete the following steps:

  1. Navigate to Advanced > AD/LDAP Sync > Sync Service.

  2. On the “Sync Service” page, click Add.

  3. On the “Add Sync Service” page, enter information required for specifying the basic information about a sync service.

    • Sync Service Name: Enter the sync service name (up to 25 characters consisting of letters, numbers, and the special characters - or _ only). It is used to distinguish each sync service and also appears when selecting sync services in User, Group, and Organization.

    • Target: Select sync target(s) for your AD/LDAP integration:

      • User: Select this to allow integration at the user level.

      • Group: Select this to allow integration by groups based on the User Base DN. Selecting Group automatically selects User as well.

      • Organization: Select this only if the Knox Manage users' organization code is identical to the AD/LDAP's organization code.

    • Scheduler: Select Use if you want to schedule automatic syncs. In the Schedule tab below it, fill in the details of the sync schedule:

      • Time Zone: Click the drop-down menu and select the time zone to use for the automatic synchronization. You can change the default in Setting > Configuration > Basic Configuration.

      • Sync Interval: Click the drop-down menu and select a sync service interval: Once, Hourly, Daily, Weekly, Monthly, or Advanced Settings. If you select Advanced Settings, set a regular interval in month, week, day, or hour format using cron expressions, following the examples given on the screen.

      • Time: Set the start time for the sync service.

      • Start Date: Set the start date for the sync service.

      • Target of Scheduler: Click the checkbox next to User, Group, or Organization as the target information to retrieve from the directory through the scheduled sync service.

  4. Click the Server tab and enter information required for specifying the LDAP server information.

    • Directory Type: Select a directory. Select Other when connecting to any directory server other than Microsoft Active Directory.

    • IP/Host: Enter the IP or host address of the directory, and the TCP port number for communicating with the directory server. The default port number used for unencrypted communication with the directory server is 389.

    • Encryption Type: Select None (no encryption), SSL (Secure Sockets Layer), or TLS (Transport Layer Security) as the encryption method for the protocol used to communicate with the directory server.

    • Auth Type: Select None, Simple, DIGEST-MD5(SASL), or CRAM-MD5(SASL) as the authentication method used when establishing a connection with the directory server. After selecting DIGEST-MD5(SASL) or CRAM-MD5(SASL), fill out the Authentication details field for the chosen Auth Type as follows:

      Auth Type: DIGEST-MD5(SASL) / CRAM-MD5(SASL)

      Description: Configure the settings for Simple Authentication and Security Layer (SASL), a telnet-based protocol:

      • SASL Realm: Enter the realm value of the SASL server in domain format (e.g., sample.com).
      • Quality of Protection: Select the quality of the data protection from the following.
        • Authentication Only: Protect data only upon authentication.
        • Authentication with integrity: Ensure integrity of all the data exchanged, as well as authentication.
        • Authentication with integrity and privacy: Ensure integrity and privacy (encryption) of all the data exchanged, as well as authentication.
      • Protection Strength: Select a data protection level, and determine whether or not mutual authentication should be performed when exchanging data.
        • High: Use 128-bit encryption.
        • Medium: Use 56-bit encryption.
        • Low: Use 40-bit encryption.
        • Mutual authentication: Click the checkbox next to Mutual authentication to ensure data validity by inserting the key into the data exchanged between the client and server.
    • User ID: Enter the administrator account of the directory server in any of the following forms:

      • domain/administrator ID
      • administrator ID@domain
      • CN=administrator ID,CN=Users,DC=domain,DC=com
    • Password: Enter the user ID’s password.

  5. Click the User, Group, or Organization tab according to your selection in Target. Fill in the details.

  6. Click Save & Sync.

  7. (Optional) In the “Save & Sync Service” window, click View next to Expected Sync Result if you want to preview the sync result before starting sync.

  8. Click OK.

Customizing user information

Customize user information on the User tab in the “Add Sync Service” window.

To customize the user information when adding the sync service, complete the following steps:

  1. Navigate to Advanced > AD/LDAP Sync > Sync Service.

  2. On the “Sync Service” page, click Add.

  3. On the “Add Sync Service” page, enter information required for specifying the basic information about a sync service. For more information, see Add sync services.

    NOTE—When entering the information on the “Add Sync Service” page, you must select User for the sync service target.

  4. Click the User tab, and then enter the following information:

    • Base DN: Base DN (Distinguished Name) is the point from which a server will search for users. We recommend that you select the closest Base DN to the target users for the best performance.

    • Filter: Filter strings that specify a subset of data items in an LDAP data type.

      Click Select to open the “Select Object Class” window and select an Object Class and attributes for the LDAP Syntax string that will be used to filter search results. For more information about setting filters, see Add a directory connector.

      • Recommended Properties: Displays the recommended properties of the selected object class.

      • Return Value: Displays the LDAP Syntax of the selected property information and object class.

      • Default: Select the object class name defined by default as a filter.

      • Custom: Select the object class name defined by connected directory server as a filter.

    • Sync Target: Select some or all users from the Base DN set above.

      • Directly Select (Recommended): Click Select to open the “Select Sync Target” window where you can select your desired targets.

        Click Preview to view details about a sync target.

      • All Users: All users are selected.

    • Auto Profile Deploy: A profile is automatically applied to a user's device only when their organization details change.

    • Sync Deleted LDAP Users: Select whether to sync deleted users in the LDAP server with Knox Manage users:

      • Yes: Deleted users in the LDAP server are also deleted from the Knox Manage user list. The deleted users can be viewed in Manage Sync Exception on the Sync Service list.

      • No: Deleted users in the LDAP server are not deleted from the Knox Manage user list.
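As an added illustration (not Knox Manage's own code), the following Python builds the kind of filter string the “Select Object Class” window assembles from an object class and attribute values, escaping each value per RFC 4515 so that a chosen value such as `x)(cn=*` is matched literally instead of changing the filter's structure; the attribute names and values used are constructed for the example.

```python
import re

# RFC 4515 escaping: backslash, parentheses, asterisk and NUL become \XX so a
# value such as "x)(cn=*" is matched literally instead of rewriting the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# LDAP attribute descriptors: a letter followed by letters, digits or hyphens.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(object_class: str, attributes: dict = None) -> str:
    """Return an AND filter over objectClass plus attribute=value pairs.

    With no attributes this is the plain objectClass assertion, which is what
    the "Default" choice in the object-class window yields.
    """
    clauses = [f"(objectClass={escape_filter_value(object_class)})"]
    for attr, value in (attributes or {}).items():
        if not _ATTR_RE.match(attr):
            raise ValueError(f"invalid attribute name: {attr!r}")
        clauses.append(f"({attr}={escape_filter_value(value)})")
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    print(build_filter("user"))
    print(build_filter("group", {"cn": "Mobile Admins", "department": "IT*"}))
```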

  5. Click the icon next to Detail in the Mapping Information area and enter information for mapping the user attributes of the directory server to the user attributes entered when registering user accounts in Knox Manage. The most common values of a directory server are entered automatically, but you can change them according to the directory server.

    • User ID: Enter a user ID up to 220 characters.

    • User Name: Enter the user’s login name that will be used for the Windows domain. Enter the UPN in “User’s login name@domain_name” format.

    • Employee No.: Enter the employee’s number.

    • Email: Enter the user’s email address.

    • Mobile No.: Enter the user’s mobile number.

    • DN (Distinguished Name): Enter the unique name of the LDAP object.

    • Object Identifier: Enter the ID used to distinguish the synced user.

    • Organization: Enter the organization name.

    • Status: Enter the status of the user account.

    • Last Updated Date: Enter the last date when the user information was updated.

    • Created Date: Enter the date when the user was created.

    • First Name: Enter the user’s first name.

    • Middle Name: Enter the user’s middle name.

    • Last Name: Enter the user’s last name.

    • Display Name: Enter the user’s display name.

    • Department: Enter the user’s department.

    • Administrator DN: Enter the unique name of the administrator.

    • Email User Name: Enter the user’s email username.

    • Contact: Enter the contact information.

    • UPN: Enter the User Principal Name (UPN).

    • User Identifier: Enter the name used to distinguish the synced user.

    • Default Country Code: Enter the default country code.

    • Organization Code: Enter the organization code.

    • Position Code: Enter the position code.

    • Site: Enter the site information.

    • Security Level: Select a security level for the user.

    • User Certificate: Select a user certificate.

    • User-Defined 1: Enter a user defined value.

    • User-Defined 2: Enter a user defined value.

    • User-Defined 3: Enter a user defined value.

    NOTE

    • Click Select to the right of each item to search for the attributes defined in the directory server.

    • Click Refresh to the right of each item to reset the saved values back to the default values.

    • Click the checkbox next to User Static Input Value to delete the default mapped values and to allow you to enter values manually.

  6. Click Save & Sync.

  7. In the “Save & Sync Service” window, click OK.

    • Click View next to Expected Sync Result to preview the sync result before starting sync.
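Added example (not Knox Manage code) that models the User tab settings above on constructed directory entries: the attribute mapping, using an assumed Active Directory default mapping that Knox Manage's own pre-filled defaults may differ from, a static input value that overrides a mapped attribute, and the Yes/No behaviour of Sync Deleted LDAP Users when a previously synced user no longer appears in the directory search result.

```python
# Assumed default mapping of Knox Manage user fields to Active Directory
# attribute names; Knox Manage pre-fills its own defaults, which may differ.
DEFAULT_MAPPING = {
    "user_id": "sAMAccountName",
    "upn": "userPrincipalName",
    "email": "mail",
    "dn": "distinguishedName",
    "object_identifier": "objectGUID",
    "department": "department",
}

# Constructed directory search result for the example (not real data).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@example.com", "mail": "jdoe@example.com",
     "distinguishedName": "CN=jdoe,CN=Users,DC=example,DC=com", "objectGUID": "guid-0001", "department": "IT"},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@example.com", "mail": "asmith@example.com",
     "distinguishedName": "CN=asmith,CN=Users,DC=example,DC=com", "objectGUID": "guid-0002", "department": "Sales"},
]


def map_user(entry, mapping=DEFAULT_MAPPING, static=None):
    """Build a Knox Manage user record from one directory entry; `static` mirrors
    "User Static Input Value" and replaces the mapped attribute for that field."""
    user = {field: entry.get(attr) for field, attr in mapping.items()}
    user.update(static or {})
    return user


def plan_sync(knox_users, entries, sync_deleted, static=None):
    """Diff current Knox Manage users (keyed by object identifier) against a
    directory search result. Users missing from the directory are deleted only
    when "Sync Deleted LDAP Users" is Yes; with No they are kept and returned
    under "retained" so an administrator can review them."""
    plan = {"create": [], "update": [], "delete": [], "retained": []}
    seen = set()
    for entry in entries:
        user = map_user(entry, static=static)
        oid = user["object_identifier"]
        seen.add(oid)
        if oid not in knox_users:
            plan["create"].append(user)
        elif knox_users[oid] != user:
            plan["update"].append(user)
    # Anything Knox Manage knows that the directory no longer returned.
    for oid in sorted(knox_users.keys() - seen):
        plan["delete" if sync_deleted else "retained"].append(oid)
    return plan
```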

Customizing group information

Customize group information on the Group tab in the “Add Sync Service” window.

To customize the group information when adding the sync service, complete the following steps:

  1. Navigate to Advanced > AD/LDAP Sync > Sync Service.

  2. On the “Sync Service” page, click Add.

  3. On the “Add Sync Service” page, enter information required for specifying the basic information about a sync service. For more information, see Add sync services.

    NOTE—When entering the information on the “Add Sync Service” page, you must select the sync service target as Group.

  4. Click the Group tab, and then enter the following information:

    • Base DN: Base DN (Distinguished Name) is the point from which a server will search for groups. We recommend that you select the closest Base DN to the target groups for the best performance.

    • Filter: Filter strings that specify a subset of data items in an LDAP data type.

      Click Select to open the “Select Object Class” window and select an Object Class and attributes for the LDAP Syntax string that will be used to filter search results. For more information about setting filters, see Add a directory connector.

    • Sync Target: Select some or all groups from the Base DN set above.

      • Directly Select (Recommended): Click Select to open the “Select Sync Target” window where you can select your desired targets.

        Click Preview to view details about a sync target.

      • All Groups: All groups are selected. This option may exhibit poor performance in high-volume cases.

    • Auto Profile/App Apply: Profiles are automatically applied to the user devices when organization information is changed.

    • Sync Deleted LDAP Groups: Select whether to sync deleted groups in the LDAP server with Knox Manage groups:

      • Yes: Deleted groups in the LDAP server are also deleted from the Knox Manage group list. The deleted groups can be viewed in Manage Sync Exception on the Sync Service list.

      • No: Deleted groups in the LDAP server are not deleted from the Knox Manage group list.

  5. Click the icon next to Detail in the Mapping Information area and enter information for mapping the group attributes of the directory server to the group attributes entered when registering groups in Knox Manage. The most common values of a directory server are entered automatically, but you can change them according to the directory server.

    • Group Name: Enter the name for the group.

    • Member: Select a member for the group.

    • Organization: Select the organization to which the group belongs. If left unspecified, the group will not belong to any organization.

    • DN (Distinguished Name): Enter the unique name of the LDAP object.

    • Object Identifier: Enter the ID used to distinguish the synced group.

    • Group Identifier: Enter the name used to distinguish the synced group.

    NOTE

    • Click Select to the right of each item to search for the attributes defined in the directory server.

    • Click Refresh to the right of each item to reset the saved values back to the default values.

    • Click the checkbox next to User Static Input Value to delete the default mapped values and to allow you to enter values manually.

  6. Click Save & Sync.

  7. (Optional) In the “Save & Sync Service” window, click View next to Expected Sync Result if you want to preview the sync result before starting sync.

  8. Click OK.

Customizing organization information

Customize organization information on the Organization tab in the “Add Sync Service” window.

To customize the organization information when adding the sync service, complete the following steps:

  1. Navigate to Advanced > AD/LDAP Sync > Sync Service.

  2. On the “Sync Service” page, click Add.

  3. On the “Add Sync Service” page, enter information required for specifying the basic information about a sync service. For more information, see Add sync services.

    NOTE—When entering the information on the “Add Sync Service” page, you must select the sync service target as Organization.

  4. Click the Organization tab, and then enter the following information:

    • Base DN: Base DN (Distinguished Name) is the point from which a server will search for organizations. We recommend that you select the closest Base DN to the target organizations for the best performance.

    • Filter: Filter strings that specify a subset of data items in an LDAP data type.

      Click Select to open the “Select Object Class” window and select an Object Class and attributes for the LDAP Syntax string that will be used to filter search results. For more information about setting filters, see Add a directory connector.

    • Sync Target: Select some or all organizations from the Base DN set above.

      • Directly Select (Recommended): Click Select to open the “Select Sync Target” window where you can select your desired targets.

        Click Preview to view details about a sync target.

      • All Organizations: All organizations are selected.

    • Sync Deleted LDAP Organizations: Select whether to sync deleted organizations in the LDAP server with Knox Manage organizations:

      • Yes: Deleted organizations in the LDAP server are also deleted from the Knox Manage organization list. The deleted organizations can be viewed in Manage Sync Exception on the Sync Service list.

      • No: Deleted organizations in the LDAP server are not deleted from the Knox Manage organization list.

  5. Click the icon next to Detail in the Mapping Information area and enter information for mapping the organization attributes of the directory server to the organization attributes entered when registering organizations in Knox Manage. The most common values of a directory server are entered automatically, but you can change them according to the directory server.

    • Organization Code: Enter the organization code.

    • Organization Name: Enter the organization name.

    • Member: Enter the member of the organization.

    • Organization: Enter the member’s organization.

    • DN: Enter the unique name of the organization.

    • Object Identifier: Enter the ID used to distinguish the synced organization.

    • Organization Identifier: Enter the name used to distinguish the synced organization.

    • Company Number: Enter the company number.

    • Upper Organization Code: Enter the code for an organization in a higher tier than the organization to which the user belongs. It allows synchronizing the organization by maintaining the hierarchical relationships in the organization chart.

    • Department Head ID: Enter the ID of the department head.

    • Department Head Name: Enter the name of the department head.

    • Department Head Position: Enter the position of the department head.

    • Display Order: Enter the display order.

    NOTE

    • Click Select to the right of each item to search for the attributes defined in the directory server.

    • Click Refresh to the right of each item to reset the saved values back to the default values.

    • Click the checkbox next to User Static Input Value to delete the default mapped values and to allow you to enter values manually.

  6. Click Save & Sync.

  7. (Optional) In the “Save & Sync Service” window, click View next to Expected Sync Result if you want to preview the sync result before starting sync.

  8. Click OK.