Synchronizing with LDAP

ESET Secure Authentication supports synchronization with LDAP.


Note

An administrator can synchronize either the entire AD domain or select only a specific OU subtree of the AD domain.

In the case of a Windows domain, only one OU subtree can be synchronized per AD domain (directory service), because the GUID of the entire AD becomes the ID of the created realm. If the administrator tries to synchronize another OU subtree of the same AD (Windows domain), the error message "Realm '<ID>' already exists" is displayed.

Sample LDAP Server Path for synchronizing an OU subtree of the "esa.local" AD domain (Windows domain):

LDAP://<serverName>/OU=sub_OU,OU=first_OU,DC=esa,DC=local

When synchronizing a different directory type, the entire LDAP Server Path becomes the ID of the created realm.
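To make the realm-ID rule above concrete, here is an added Python model (illustration only, not ESET code) of how the ID of a created realm is derived and why a second OU subtree of the same Windows domain is rejected. The server-type labels, the GUID table and the registry class are assumptions standing in for what ESA reads from the directory and stores internally; the LDAP path format and the "Realm '<ID>' already exists" message are taken from the page.

```python
"""Model of the realm-ID rule for ESA synchronized realms.

Added illustration, not ESET code: the realm ID is the AD GUID for a
Windows domain (so one realm per domain, whatever OU subtree is chosen)
and the whole LDAP Server Path for any other directory type.
"""

# Hypothetical labels standing in for the Sync Server type drop-down values.
WINDOWS_DOMAIN = "Windows"
OTHER_DIRECTORY = "OtherLDAP"

# Constructed stand-in for the directory's GUID; ESA reads the real one from AD.
CONSTRUCTED_DOMAIN_GUIDS = {
    "esa.local": "11111111-2222-3333-4444-555555555555",
}


def parse_ldap_path(path):
    """Split 'LDAP://<serverName>/<distinguishedName>' into (server, dn)."""
    scheme, sep, rest = path.partition("://")
    if not sep or scheme.upper() != "LDAP":
        raise ValueError(f"not an LDAP path: {path!r}")
    server, sep, dn = rest.partition("/")
    if not server or not sep or not dn:
        raise ValueError(f"path needs both a server and a DN: {path!r}")
    return server, dn


def domain_of(dn):
    """Join the DC= components of a DN into a lowercase DNS domain name."""
    components = [c.strip() for c in dn.split(",")]
    dcs = [c.split("=", 1)[1] for c in components if c.upper().startswith("DC=")]
    if not dcs:
        raise ValueError(f"DN has no DC components: {dn!r}")
    return ".".join(dcs).lower()


def realm_id(path, server_type):
    """Derive the ID the realm created from this path and type would get."""
    _server, dn = parse_ldap_path(path)
    if server_type == WINDOWS_DOMAIN:
        # Windows domain: the GUID of the whole AD is the ID, whatever OU subtree is chosen.
        domain = domain_of(dn)
        guid = CONSTRUCTED_DOMAIN_GUIDS.get(domain)
        if guid is None:
            raise ValueError(f"no GUID known for domain {domain!r} (constructed table)")
        return guid
    # Any other directory type: the entire LDAP Server Path is the ID.
    return path


class RealmRegistry:
    """Holds created realms keyed by ID and rejects duplicates with the page's error text."""

    def __init__(self):
        self.realms = {}

    def create(self, path, server_type):
        rid = realm_id(path, server_type)
        if rid in self.realms:
            raise ValueError(f"Realm '{rid}' already exists")
        self.realms[rid] = path
        return rid


if __name__ == "__main__":
    # Constructed sample paths in the page's "esa.local" domain.
    first = "LDAP://dc01.esa.local/OU=sub_OU,OU=first_OU,DC=esa,DC=local"
    second = "LDAP://dc01.esa.local/OU=other_OU,DC=esa,DC=local"
    reg = RealmRegistry()
    print("windows realm:", reg.create(first, WINDOWS_DOMAIN))
    try:
        reg.create(second, WINDOWS_DOMAIN)
    except ValueError as err:
        print("second OU of the same AD:", err)
    other = RealmRegistry()
    print("other directory realms:", other.create(first, OTHER_DIRECTORY), other.create(second, OTHER_DIRECTORY))
```

The same two paths that collide under the Windows type are accepted side by side under any other directory type, because their IDs are the full paths and differ in the OU part.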

1. Access ESA Web Console and click Users.

2. Next to Realms, click the add icon and select Create Synchronized Realm.

3. Type the address of your LDAP server, select the applicable LDAP server type from the Sync Server type drop-down menu, and type your LDAP username and password.

4. If this is a one-time import, leave the Sync interval intact. Otherwise, select the applicable synchronization interval.

5. Select the check box next to Run immediately and click Save.

When your ESA instance is synchronized with LDAP, to synchronize it again manually:

1. In the Realms section, select the saved and synchronized LDAP server.

2. Click the gear icon and then click Synchronize Now.

Supported configuration parameters

objFilter - Required; used as a filter for selecting the user objects in LDAP.

AttrName - Optional; name of the LDAP user property storing the username. If Windows LDAP is selected as the Sync Server Type, the username is read from the "sAMAccountName" property. Otherwise, it is read from the "cn" property.

AttrPhone - Optional; name of the LDAP user property holding the phone number. If the AttrPhone parameter is not used, the mobile number is taken from the user field set as default in ESA Web Console > Settings > Mobile Number Field.

AuthType - Optional; defines the type of authentication used when connecting to the LDAP server. The default value is 1 (Secure) for the Windows platform and 0 (None) for other platforms. Available values:

• 0 (None)

• 1 (Secure)

• 2 (Encryption/SecureSocketsLayer)

• 4 (ReadonlyServer)

• 16 (Anonymous)

• 32 (FastBind)

• 64 (Signing)

• 128 (Sealing)

• 256 (Delegation)

• 512 (ServerBind)

For more information on each authentication type, see the official Microsoft documentation.