Add a custom LDAP connection

To customize the user information when adding the connection, complete the following:

1. Go to Setting > Identity & Directory > Connection in the Knox Manage console.

2. On the Connection page, click Add.

3. On the Add Connection page, enter basic information about a connection.

   • Connection Type — Select Custom LDAP to specify connection type.

   • Connection Name — Enter the connection name, with a maximum length of 25 characters and consisting of letters, numbers, and special characters (- or _ only). This name is used to distinguish each connection and also used when selecting connections in User, Group, and Organization. For more information, see Connect to AD/LDAP.

   • Target — Select User for the connection target.

   • Scheduler — Select Use if you want to schedule automatic sync, and specify sync schedule details in the Schedule tab:

     • Time Zone — Click the drop-down menu and select the time zone to use for the automatic synchronization. You can change the default in Setting > Configuration > Basic Configuration.

     • Sync Interval — Select a sync interval from Once, Hourly, Daily, Weekly, Monthly, or Advanced Settings.

       If you select Advanced Settings, set a regular interval in month, week, day, or hour format using cron expressions, following the examples given on the screen.

     • Time — Set the start time for the connection.

     • Start Date — Set the start date for the connection.

     • Target of Scheduler — Click the check box next to User, Group, or Organization as the target information to retrieve from the directory through the scheduled connection.

4. On the Server tab, do the following:

   • IP/Host — Enter the IP or host address of the directory, and the TCP port number for communicating with the directory server. The default port number used for unencrypted communication with the directory server is 389.

   • Encryption Type — Select None (No encryption) or TLS (Transport Layer Security) as the encryption method for the internet communication protocol used for communicating with the directory server.

   • Auth Type — Select None, Simple, DIGEST-MD5(SASL), or CRAM-MD5(SASL) as the authentication method used when establishing a connection with the directory server.

   For DIGEST-MD5(SASL) or CRAM-MD5(SASL), also specify the following Authentication details:

   SASL Setting	Description
   SASL Realm	Enter the realm value of the SASL server in domain format. For example, sample.com.
   Quality of Protection	Select the quality of the data protection from the following. Authentication Only — Protect data only upon authentication. Authentication with integrity — Ensure integrity of all the data exchanged, as well as authentication. Authentication with integrity and privacy — Ensure integrity of all data exchanges, as well as authentication through data encryption.
   Protection Strength	Select a data protection level, and determine whether or not mutual authentication should be performed when exchanging data. High — Use 128-bit encryption. Medium — Use 56-bit encryption. Low — Use 40-bit encryption. Mutual authentication — Select the check box to ensure data validity by inserting the key into the data exchanged between the client and server.

   • User ID — Enter the administrator information of the directory server in any of the following forms:

     • domain/administrator ID
     • administrator ID @ domain
     • CN = administrator ID, CN = Users, DC = domain, and DC = com

   • Password — Enter the user ID’s password.

5. Click the User tab, and then enter the following information:

   • Base DN — Base DN (Distinguished Name) is the point from which a server searches for users. We recommend that you select the closest Base DN to the target users for the best performance.

   • Filter — Filter strings that specify a subset of data items in an LDAP data type.

     Click Select to open the Select Object Class page and select an Object Class and attributes for the LDAP Syntax string that are used to filter search results.

     • Recommended Properties — Displays the recommended properties of the selected object class.

     • Return Value — Displays the LDAP Syntax of the selected property information and object class.

     • Default — Select the object class name defined by default as a filter.

     • Custom — Select the object class name defined by connected directory server as a filter.

   • Sync Target — Select some or all users from the Base DN set above.

     • Directly Select (Recommended) — Click Select to open the Select Sync Target screen where you can select your desired targets. Or click Preview to view details about a sync target.

     • All Users — All users are selected.

   • Apply Auto Profile — A profile is automatically applied to a user’s device only when their organization details change.

   • Sync Deleted Directory Users — Select whether to sync deleted users in the LDAP server with Knox Manage users:

     • Yes — Deleted users in the LDAP server are also deleted from the Knox Manage user list. The deleted users can be viewed in Manage Sync Exception on the Connection list.

     • No — Deleted users in the LDAP server are not deleted from the Knox Manage user list.

6. Click next to Detail in the Mapping Information area and enter information for mapping the group attributes of the directory server and the group attributes entered when registering groups in Knox Manage. The most common values of a directory server are entered automatically, but you can change them according to the directory server.

   • Click Select to the right of each item to search for the attributes defined in the directory server.
   • Click Refresh to the right of each item to reset the saved values back to the default values.
   • Select the check box next to User Static Input Value to delete the default mapped values and to allow you to enter values manually.

7. Click Save & Sync.

8. On the Save & Sync page, click OK. You can click View next to Expected Sync Result to preview the sync result before starting sync.