Directory Service Connection Settings
The menu on the User Dossiers node provides a command to configure a connection to an LDAP-compatible directory service, such as Active Directory or OpenLDAP. This connection extends user dossiers with information about users from the directory service (see User account information).
If there is no connection to a directory service, user dossiers are only based on information found in the DeviceLock Enterprise Server log records.
User dossiers connect to Active Directory automatically if the DeviceLock Enterprise Server computer is a member of an Active Directory domain. In this case they access Active Directory by default under the DeviceLock Enterprise Server service's startup account, the one specified by the Log on as parameter. If that account does not have sufficient rights to read Active Directory, the credentials of an alternative account can be supplied in the directory service connection settings dialog box. Because the alternative account's credentials are saved by the server and used unattended on the refresh schedule described below, prefer a dedicated account with read-only access to the directory over a privileged domain account.
User dossiers retrieve updated information from the directory service on a daily basis at 1:00 AM local server time, as well as every time the DeviceLock Enterprise Server service starts.
To manage directory service connection settings
1. In the console tree, select DeviceLock Enterprise Server > Reports > User Dossiers.
2. Right-click User Dossiers, and select the Directory Service Settings command.
3. Set, view, or change the settings in the Directory service connection settings dialog box that appears.
Directory service connection settings dialog box
The Directory Service Settings command brings up a dialog box to set, view, or change the settings to connect to an LDAP-compatible directory service. These settings depend upon the directory service selected:
Active Directory - Credentials to access Active Directory domain services.
LDAP - Credentials and other settings to connect to an LDAP server.
Active Directory
Active Directory settings are used when the computer running DeviceLock Enterprise Server is a member of an Active Directory domain but the DeviceLock Enterprise Server service logon account lacks rights to read Active Directory. In this case, user dossiers can use a domain user account with sufficient rights to retrieve the data. It is also possible to connect to a specific Active Directory domain, which may be required when DeviceLock Enterprise Server runs on a computer that is not joined to a domain (a stand-alone server), or when user data needs to be retrieved from a different domain.
The dialog box provides the following fields to specify the Active Directory domain, and to supply the name and password of a domain user:
Host - Either of the following:
The Fully Qualified Domain Name (FQDN) of the Active Directory domain. Example: production.company.com
The name or IP address of the server running the Active Directory domain controller. Example: dc1.production.company.com
One can select a domain controller from the list by clicking the button next to this field.
 
Note: If no host is specified, user dossiers either connect to any available domain controller of the domain to which the DeviceLock Enterprise Server’s computer is joined, or do not connect to Active Directory domain services (in the case of stand-alone server).
User Name - The name of the domain user in either of the following formats:
user@domain - In this format, user is the user account name and domain is the domain UPN suffix.
domain\user - In this format, domain is the domain’s short (NetBIOS) name and user is the domain user’s logon name.
Password - The password of the user account in the Active Directory domain.
 
Note: If no user name is specified, user dossiers access Active Directory with the DeviceLock Enterprise Server service’s logon account specified by the Log on as parameter.
LDAP
The dialog box provides the following fields to specify credentials and other settings to connect to an LDAP server (such as an OpenLDAP or AD LDS server):
Host - The name or IP address of the LDAP server. One can select a server from the list by clicking the button next to this field.
Port - The LDAP server's TCP port number, 389 by default. Note that a simple bind over plain LDAP on port 389 transmits the user DN and password in clear text unless the session is protected by TLS; check with the LDAP server's administrator which port and transport protection the server expects before supplying credentials.
Base DN - The starting point to search the directory tree. This must be a valid distinguished name (DN), such as cn=users,o=company,c=US. If the base DN is not specified, the search goes from the tree root. Click the Fetch button to select a naming context for the base DN.
User DN, Password - The distinguished name (DN) and password of the directory user to access the LDAP server. User DN must be a valid DN, such as cn=admin,o=company,c=US.
 
Note: If no user DN is specified, user dossiers access the LDAP server with the DeviceLock Enterprise Server service logon account specified by the Log on as parameter.
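As an added example (not DeviceLock code), the following Python script performs offline sanity checks on settings of the kind entered in this dialog box, covering both the Active Directory fields above (host, user name in user@domain or domain\user form, password) and the LDAP fields (host, port, base DN, user DN, password). The field names mirror the dialog; the AdSettings and LdapSettings classes, the checks themselves, the finding codes and the sample values are assumptions made for the example, not DeviceLock's own validation.

```python
# Added example, not DeviceLock code: offline sanity checks for directory
# service connection settings, run before typing them into the console.
# Field names mirror the dialog box; the checks and finding codes are assumptions.
import re
from dataclasses import dataclass

# user@domain (UPN) and domain\user (down-level) forms accepted by the AD dialog.
UPN_RE = re.compile(r"^(?P<user>[^@\\\s]+)@(?P<domain>[A-Za-z0-9][A-Za-z0-9.-]*)$")
DOWNLEVEL_RE = re.compile(r"^(?P<domain>[^@\\\s]+)\\(?P<user>[^@\\\s]+)$")


def parse_ad_user(name: str) -> tuple[str, str]:
    """Return (user, domain) for user@domain or domain\\user; ValueError otherwise."""
    m = UPN_RE.match(name) or DOWNLEVEL_RE.match(name)
    if m is None:
        raise ValueError(f"user name must be user@domain or domain\\user, got {name!r}")
    return m.group("user"), m.group("domain")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, honouring backslash-escaped
    commas (RFC 4514). Multi-valued RDNs joined with '+' are not handled."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape and the escaped char
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"invalid RDN {part!r} in DN {dn!r}")
        rdns.append((attr.lower(), value))
    return rdns


@dataclass
class AdSettings:            # hypothetical mirror of the Active Directory fields
    host: str = ""           # domain FQDN, or name/IP of a domain controller
    user_name: str = ""      # empty: the service's "Log on as" account is used
    password: str = ""


@dataclass
class LdapSettings:          # hypothetical mirror of the LDAP fields
    host: str = ""
    port: int = 389
    base_dn: str = ""        # empty: search from the tree root
    user_dn: str = ""        # empty: the service's "Log on as" account is used
    password: str = ""


def check_ad_settings(s: AdSettings) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing to flag."""
    findings = []
    if not s.host:
        findings.append(("host_empty", "no host: any DC of the server's own domain is used, or none on a stand-alone server"))
    elif not re.fullmatch(r"[A-Za-z0-9.:-]+", s.host):
        findings.append(("host", f"host {s.host!r} is not a domain FQDN, host name or IP address"))
    if s.user_name:
        try:
            parse_ad_user(s.user_name)
        except ValueError as e:
            findings.append(("user_name", str(e)))
        if not s.password:
            findings.append(("password_empty", "alternative account given without a password"))
    elif s.password:
        findings.append(("user_name_empty", "password given without a user name: the service logon account will be used"))
    return findings


def check_ldap_settings(s: LdapSettings) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing to flag."""
    findings = []
    if not s.host:
        findings.append(("host_empty", "LDAP host is required"))
    if not 1 <= s.port <= 65535:
        findings.append(("port", f"port {s.port} is out of range"))
    for label, dn in (("base_dn", s.base_dn), ("user_dn", s.user_dn)):
        if dn:
            try:
                parse_dn(dn)
            except ValueError as e:
                findings.append((label, str(e)))
    if not s.base_dn:
        findings.append(("base_dn_empty", "no base DN: the search starts at the tree root, which can be slow or hit server size limits"))
    if s.user_dn and not s.password:
        findings.append(("password_empty", "user DN given without a password"))
    if s.user_dn and s.password and s.port == 389:
        # A simple bind sends the DN and password in clear text unless TLS protects the session.
        findings.append(("cleartext_bind", "simple bind on port 389 transmits the password in clear text unless the session is protected by TLS"))
    return findings


if __name__ == "__main__":
    # Constructed sample values, not real accounts.
    for f in check_ad_settings(AdSettings("dc1.production.company.com", "jdoe@production.company.com", "s3cret")):
        print("AD:", *f)
    for f in check_ldap_settings(LdapSettings("ldap.company.com", 389, "o=company,c=US", "cn=admin,o=company,c=US", "s3cret")):
        print("LDAP:", *f)
```

The DN parser only checks syntax; whether a base DN actually exists as a naming context is something the Fetch button in the dialog answers, not this script. The cleartext_bind finding is a prompt to confirm the transport with the LDAP server's administrator, since the page does not state what transport protection the connection uses.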