Add a directory server

Add a directory server in the Admin Portal to synchronize corporate user information by integrating the corporate directory server.

To add a directory server, complete the following steps:

1. Navigate to Advanced > Directory Integration > Directory Pool.

2. On the “Directory Pool” page, click Add.

3. On the “Add Directory Pool” page, enter the following information:

Directory Pool Name: Enter a name for the pool that is up to 20 characters and that consists of letters, numbers, or special characters (only dashes and underscores are allowed) to distinguish it from other directory services.
Encryption Type: Select one of the following encryption types for the internet communication protocol used for communication with the directory server.
- None: No encryption
- SSL: Secured Socket Layer
- TLS: Transport Layer Security
Auth Type: Select one of the following authentication types used for communication with the directory server.

NOTE— Knox Manage provides a secure channel between the directory server and the Knox Manage server through Cloud Connector. If you select the authentication type as GSSAPI (Kerberos), Cloud Connector cannot be used. For more information about Cloud Connector, see Using Cloud Connector.

None: no encryption
Simple: Select this if you are not certain about the authentication type.
DIGEST-MD5 (SASL), CRAM-MD5 (SASL) , or GSSAPI (Kerberos): If you select one of these authentication types, configure the additional advanced settings on the Authentication Detailed Setting tab as follows:

Authentication type	Description
DIGESTMD5 (SASL) and CRAMMD5 (SASL)	Enter the following information for configuring the settings for Simple Authentication and security layer (SASL), which is a telnet-based protocol. SASL Realm: Enter the realm value of the SASL server in the relevant domain’s format, such as sample.com. Quality of Protection: Select one of the following qualities of the data protection options. Authentication only: Protects the data only for authentication. Authentication with integrity: Ensures the integrity of all the data exchanged, including authentication data. Authentication with integrity and privacy: Ensures integrity for all the data exchanges, including authentications through data encryption. Protection Strength: Select one of the data protection levels. High: Use 128-bit encryption. Medium: Use 56-bit encryption. Low: Use 40-bit encryption. Mutual authentication: Click the checkbox to ensure data validity by inserting the key into the data exchanged between the client and server.
GSSAPI (Kerberos)	Enter the following information for GSSAPI (Kerberos) authentication. Kerberos Credential Configuration: Select one of the following methods for obtaining a Kerberos ticket. Use native TGT: Select this if you have already issued a ticket in the Admin Portal. Obtain TGT from KDC: Issue a new ticket using the default user ID and password. Kerberos Configuration: Select one of the following methods for configuring the Kerberos server. Use native system configuration: Use the Kerberos server information defined in the Java Property. Use following configuration: Enter the following Kerberos server information manually. Kerberos Realm: Enter the realm of the Kerberos server. KDC Host: Enter the Kerberos Key Distribution Center (KDC) host or the IP address. KDC Port: Enter the KDC port number.

Authentication type

Description

DIGESTMD5 (SASL) and CRAMMD5 (SASL)

Enter the following information for configuring the settings for Simple Authentication and security layer (SASL), which is a telnet-based protocol.

SASL Realm: Enter the realm value of the SASL server in the relevant domain’s format, such as sample.com.
Quality of Protection: Select one of the following qualities of the data protection options.

Authentication only: Protects the data only for authentication.
Authentication with integrity: Ensures the integrity of all the data exchanged, including authentication data.
Authentication with integrity and privacy: Ensures integrity for all the data exchanges, including authentications through data encryption.

Protection Strength: Select one of the data protection levels.

High: Use 128-bit encryption.
Medium: Use 56-bit encryption.
Low: Use 40-bit encryption.
Mutual authentication: Click the checkbox to ensure data validity by inserting the key into the data exchanged between the client and server.

GSSAPI (Kerberos)

Enter the following information for GSSAPI (Kerberos) authentication.

Kerberos Credential Configuration: Select one of the following methods for obtaining a Kerberos ticket.

Use native TGT: Select this if you have already issued a ticket in the Admin Portal.
Obtain TGT from KDC: Issue a new ticket using the default user ID and password.

Kerberos Configuration: Select one of the following methods for configuring the Kerberos server.

Use native system configuration: Use the Kerberos server information defined in the Java Property.
Use following configuration: Enter the following Kerberos server information manually.
Kerberos Realm: Enter the realm of the Kerberos server.
KDC Host: Enter the Kerberos Key Distribution Center (KDC) host or the IP address.
KDC Port: Enter the KDC port number.

IP/Host: Enter the IP or host address of the directory address. Enter the TCP port number that should be used for communication with the directory server. 389 is the default port number used for unencrypted communication with the directory server.
User ID: Enter the user ID (administrator account) that can access the directory server and read it. It can be entered in various forms, such as domain\administrator ID, administrator ID@domain or CN=administrator ID, CN=Users, DC=domain, DC=com.
Password: Enter the user ID’s password.
Max Active Limit: Select the maximum number of active connections available from 10 to 50.
Max Idle Limit: Select the maximum number of idle connections available from 0 to 30.
Description: Enter a description of the directory server.

4. Click Test Connection to test suitability with the entered information of the directory server, and then click Save to add the directory server.