Connect to AD/LDAP

Sync user information with AD/LDAP

You can add information about users, groups, and organizations to the Knox Manage server through the Active Directory (AD) service that is built upon the industry-standard Lightweight Directory Access Protocol (LDAP). This service helps you keep the information synchronized across multiple sites in an enterprise and sync information on demand or automatically at specified time intervals.

The AD/LDAP service, provided by Knox Manage, supports filtered search to view user information and historical data about sync services. Samsung’s Cloud Connector secure data transfer channel ensures that the sync between the enterprise and cloud servers is secure. For more information, see Using Cloud Connector.

Connect AD/LDAP directory service to Knox Manage

Add AD/LDAP directory services in Knox Manage to synchronize user, organizational, and group information. Once added, you can sync through the corresponding menus in User, Group, and Organization. Knox Manage supports only one SCC client connection to a single-forest active directory with a single domain.

To add an AD connection:

1. Go to Setting > Identity & Directory > Connection in the Knox Manage console.

2. On the Connection page, click Add.

3. On the Add Connection page, enter information required for specifying the basic information about a connection.

   • Connection Name — Enter the connection name. Can include up to 25 characters, consisting of letters, numbers, and special characters (- or _ only).

   • Target — Select sync targets for your AD/LDAP integration:

     • User — Select this option to allow integration at the user level.

     • Group — Select this option to allow integration by groups based on the User Base DN. Selecting Group automatically selects User as well.

     • Organization — Select this option only if the Knox Manage users’ organization code is identical to the AD/LDAP’s organization code.

   • Scheduler — Select Use if you want to schedule automatic syncs. In the Schedule tab under it, fill in the details of the sync schedule:

     • Time Zone — Click the drop-down menu and select the time zone to use for the automatic synchronization. You can change the default in Setting > Configuration > Basic Configuration.

     • Sync Interval — Click the drop-down menu and select a sync interval from Once, Hourly, Daily, Weekly, Monthly, or Advanced Settings. If you select Advanced Settings, set a regular interval in month, week, day, or hour format using cron expressions, following the examples given on the screen.

     • Time — Set the start time for the connection.

     • Start Date — Set the start date for the connection.

     • Target of Scheduler — Click the check box next to User, Group, or Organization as the target information to retrieve from the directory through the scheduled connection.

4. Click the Server tab and enter information required for specifying the LDAP server information.

   • Directory Type — Select a directory type, such as On-premise AD, Microsoft Entra Domain Service, or Others.

     If Microsoft Entra Domain Service is selected as the directory type, the account does not connect to the server through the cloud connector. If you experience connection errors, you may need to turn off the firewall on the target device.

   • IP/Host — Enter the IP or host address of the directory, and the TCP port number for communicating with the directory server. The default port number used for unencrypted communication with the directory server is 389.

   • Encryption Type — Select None (No encryption) or TLS (Transport Layer Security) as the encryption method for the internet communication protocol used for communicating with the directory server.

   • Auth Type — Select None, Simple, DIGEST-MD5(SASL), or CRAM-MD5(SASL) as the authentication method used when establishing a connection with the directory server. After selecting DIGEST-MD5(SASL) or CRAM-MD5(SASL), fill out the Authentication details field for the chosen Auth Type as follows:

     Auth Type

     Description

     DIGESTMD5(SASL)/CRAMMD5(SASL)

     Configure the settings for Simple Authentication and Security Layer (SASL), a telnet-based protocol: SASL Realm --- Enter the realm value of the SASL server in domain format, for example ,sample.com. Quality of Protection --- Select the quality of the data protection from the following. Authentication Only --- Protect data only upon authentication. Authentication with integrity --- Ensure integrity of all the data exchanged, as well as authentication. Authentication with integrity and privacy --- Ensure integrity of all data exchanges, as well as authentication through data encryption. Protection Strength --- Select a data protection level, and determine whether or not mutual authentication should be performed when exchanging data. High --- Use 128-bit encryption. Medium --- Use 56-bit encryption. Low --- Use 40-bit encryption. Mutual authentication --- Click the check box next to Mutual authentication to ensure data validity by inserting the key into the data exchanged between the client and server.

   • User ID — Enter the administrator information of the directory server in any of the following forms:

     • domain/administrator ID
     • administrator ID @ domain
     • CN = administrator ID, CN = Users, DC = domain, and DC = com.

   • Password — Enter the user ID’s password.

5. Click the User, Group, or Organization tab according to your selection in Target. Fill in the details.

   • For more information on the User tab, see Customizing user information.

   • For more information on the Group tab, see Customizing group information.

   • For more information on the Organization tab, see Customizing organization information.

6. Click Save & Sync.

7. (Optional) On the Save & Sync Service page, click View next to Expected Sync Result if you want to preview the sync result before starting sync.

8. Click OK.

Customize user information

Customize user information on the User tab on the Add Connection page.

To customize the user information when adding the connection, complete the following steps:

1. On the Add Connection page, enter information required for specifying the basic information about a connection.

   When entering the information on the Add Connection page, you must select User for the connection target.

2. Click the User tab, and then enter the following information:

   • Base DN — Base DN (Distinguished Name) is the point from which a server searches for users. We recommend that you select the closest Base DN to the target users for the best performance.

   • Filter — Filter strings that specify a subset of data items in an LDAP data type.

     Click Select to open the Select Object Class page and select an Object Class and attributes for the LDAP Syntax string that are used to filter search results.

     • Recommended Properties — Displays the recommended properties of the selected object class
     • Return Value — Displays the LDAP Syntax of the selected property information and object class
     • Default — Select the object class name defined by default as a filter
     • Custom — Select the object class name defined by connected directory server as a filter.

   • Sync Target — Select some or all users from the Base DN set above.

     • Directly Select (Recommended) — Click Select to open the Select Sync Target screen where you can select your desired targets.

       Or click Preview to view details about a sync target.

     • All Users — All users are selected.

     You can set between 10,000 and 70,000 sync targets. The default remains at 40,000, but you can submit a request to change it. To learn how to submit a request, go to Submit a support ticket.

   • Apply Auto Profile — A profile is automatically applied to a user’s device only when their organization details change.

   • Sync Deleted LDAP Users — Select whether to sync deleted users in the LDAP server with Knox Manage users:

     • Yes — Deleted users in the LDAP server are also deleted from the Knox Manage user list. The deleted users can be viewed in Manage Sync Exception on the Connection list.

     • No — Deleted users in the LDAP server are not deleted from the Knox Manage user list.

3. Click next to Detail in the Mapping Information area and enter information for mapping the user attributes of the directory server and the user attributes entered when registering user accounts in Knox Manage. The most common values of a directory server are entered automatically, but you can change them according to the directory server.

   • User ID — Enter a user ID up to 220 characters.

   • User Name — Enter the user’s login name that is used for the Windows domain. Enter the UPN in User’s login name@domain_name format.

   • Employee No. — Enter the employee’s number.

   • Email — Enter the user’s email address.

   • Mobile No. — Enter the user’s mobile number.

   • DN (Distinguished Name) — Enter the unique name of the LDAP object.

   • Object Identifier — Enter the ID used to distinguish the synced user.

   • Organization — Enter the organization name.

   • Status — Enter the status of the user account.

   • Last Updated Date — Enter the last date when the user information was updated.

   • Created Date — Enter the date when the user was created.

   • First Name — Enter the user’s first name.

   • Middle Name — Enter the user’s middle name.

   • Last Name — Enter the user’s last name.

   • Display Name — Enter the user’s display name.

   • Department — Enter the user’s department.

   • Administrator DN — Enter the unique name of the administrator.

   • Email User Name — Enter the user’s email address that is linked to their username.

   • Contact — Enter the contact information.

   • UPN — Enter the User Principal Name (UPN).

   • User Identifier — Enter the name used to distinguish the synced user.

   • Default Country Code — Enter the default country code.

   • Organization Code — Enter the organization code.

   • Position Code — Enter the position code.

   • Site — Enter the site information.

   • Security Level — Select a security level for the user.

   • User Certificate — Select a user certificate.

   • User-Defined 1 — Enter a user defined value.

   • User-Defined 2 — Enter a user defined value.

   • User-Defined 3 — Enter a user defined value.

   • Click Select to the right of each item to search for the attributes defined in the directory server.

   • Click Refresh to the right of each item to reset the saved values back to the default values.

   • Click the check box next to User Static Input Value to delete the default mapped values and to allow you to enter values manually.

4. Click Save & Sync.

5. On the Save & Sync page, click OK.

   • You can click View next to Expected Sync Result to preview the sync result before starting sync.

Customize group information

Customize group information on the Group tab on the Add Connection page.

To customize the group information when adding the connection:

1. On the Add Connection page, enter information required for specifying the basic information about a connection.

   When entering the information on the Add Connection page, you must select the connection target as Group.

2. Click the Group tab, and then enter the following information:

   • Base DN — Base DN (Distinguished Name) is the point from which a server searches for groups. We recommend that you select the closest Base DN to the target groups for the best performance.

   • Filter — Filter strings that specify a subset of data items in an LDAP data type.

     Click Select to open the Select Object Class screen and select an Object Class and attributes for the LDAP Syntax string that are used to filter search results.

   • Sync Target — Select some or all groups from the Base DN set above.

     • Directly Select (Recommended) — Click Select to open the Select Sync Target screen where you can select your desired targets.

       Click Preview to view details about a sync target.

     • All Groups — All groups are selected. This option may exhibit poor performance in high-volume cases.

   You can set between 10,000 and 70,000 sync targets. The default remains at 40,000, but you can submit a request to change it. To learn how to submit a request, go to Submit a support ticket.

   • Apply or Unassign Auto Profile/App — Profiles are automatically applied to the user devices when organization information is changed.

   • Sync Deleted LDAP Groups — Select whether to sync deleted groups in the LDAP server with Knox Manage groups:

     • Yes —Deleted groups in the LDAP server are also deleted from the Knox Manage group list. The deleted groups can be viewed in Manage Sync Exception on the Connection list.

     • No —Deleted users in the LDAP server are not deleted from the Knox Manage organization list.

3. Click next to Detail in the Mapping Information area and enter information for mapping the group attributes of the directory server and the group attributes entered when registering groups in Knox Manage. The most common values of a directory server are entered automatically, but you can change them according to the directory server.

   • Group Name — Enter the name for the group.

   • Member — Select a member for the group.

   • Organization — Select the organization to which the group belongs. If left unspecified, the group does not belong to any organization.

   • DN (Distinguished Name)— Enter the unique name of the LDAP object.

   • Object Identifier — Enter the ID used to distinguish the synced group.

   • Group Identifier — Enter the name used to distinguish the synced group.

   Consider the following items:

   • Click Select to the right of each item to search for the attributes defined in the directory server.

   • Click Refresh to the right of each item to reset the saved values back to the default values.

   • Click the check box next to User Static Input Value to delete the default mapped values and to allow you to enter values manually.

4. Click Save & Sync.

5. (Optional) On the Save & Sync page, click View next to Expected Sync Result if you want to preview the sync result before starting sync.

6. Click OK.

Customize organization information

Customize organization information on the Organization tab on the Add Connection page.

To customize the organization information when adding the connection:

1. On the Add Connection page, enter information required for specifying the basic information about a connection.

   When entering the information on the Add Connection page, you must select the connection target as Organization.

2. Click the Organization tab, and then enter the following information:

   • Base DN —Base DN (Distinguished Name) is the point from which a server searches for organizations. We recommend that you select the closest Base DN to the target organizations for the best performance.

   • Filter — Filter strings that specify a subset of data items in an LDAP data type.

     Click Select to open the Select Object Class page and select an Object Class and attributes for the LDAP Syntax string that are used to filter search results.

   • Sync Target — Select some or all organizations from the Base DN set above.

     • Directly Select (Recommended) — Click Select to open the Select Sync Target page where you can select your desired targets.

       Click Preview to view details about a sync target.

     • All Organizations — All organizations are selected.

   • Sync Deleted LDAP Organizations — Select whether to sync deleted organizations in the LDAP server with Knox Manage organizations:

     • Yes —Deleted organizations in the LDAP server are also deleted from the Knox Manage organization list. The deleted organizations can be viewed in Manage Sync Exception on the Connection list.

     • No —Deleted organizations in the LDAP server are not deleted from the Knox Manage organization list.

3. Click next to Detail in the Mapping Information area and enter information for mapping the organization attributes of the directory server and the organization attributes entered when registering organizations in Knox Manage. The most common values of a directory server are entered automatically, but you can change them according to the directory server.

   • Organization Code — Enter the organization code.

   • Organization Name — Enter the organization name.

   • Member — Enter the member of the organization.

   • Organization — Enter the member’s organization.

   • DN — Enter the unique name of the organization.

   • Object Identifier — Enter the ID used to distinguish the synced organization.

   • Organization Identifier — Enter the name used to distinguish the synced organization.

   • Company Number — Enter the company number.

   • Upper Organization Code — Enter the code for an organization in a higher tier than the organization to which the user belongs. It allows synchronizing the organization by maintaining the hierarchical relationships in the organization chart.

   • Department Head ID — Enter the ID of the department head.

   • Department Head Name — Enter the name of the department head.

   • Department Head Position — Enter the position of the department head.

   • Display Order — Enter the display order.

   • Click Select to the right of each item to search for the attributes defined in the directory server.

   • Click Refresh to the right of each item to reset the saved values back to the default values.

   • Click the check box next to User Static Input Value to delete the default mapped values and to allow you to enter values manually.

4. Click Save & Sync.

5. (Optional) On the Save & Sync page, click View next to Expected Sync Result if you want to preview the sync result before starting sync.

6. Click OK.