BlackShield ID Synchronization Agent User Guide - SafeNet

LDAP Synchronization Agent Configuration Guide for BlackShield ID

Powerful Authentication Management for Service Providers and Enterprises
Version 3.x
Authentication Service Delivery Made EASY


Copyright

Copyright © 2011. CRYPTOCard Inc. All rights reserved. The information contained herein is subject to change without notice. Proprietary Information of CRYPTOCard Inc.

Disclaimer

The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than CRYPTOCard Inc. While every effort is made to ensure the accuracy of content offered on these pages, CRYPTOCard Inc. shall have no liability for errors, omissions or inadequacies in the content contained herein or for interpretations thereof.

Use of this information constitutes acceptance for use in an “AS IS” condition, without warranties of any kind, and any use of this information is at the user’s own risk.

No part of this documentation may be reproduced without the prior written permission of the copyright owner. CRYPTOCard Inc. disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall CRYPTOCard Inc. be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if CRYPTOCard Inc. has been advised of the possibility of such damages. Some provinces, states or countries do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet prevents CRYPTOCard Inc. from guaranteeing the content or existence of the resource. When possible, the reference contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or inappropriate link, please send an email with the topic name, link, and its behaviour to support@cryptocard.com.

The software described in this document is furnished under a license and may be used or copied only in accordance with the terms of the license.

Trademarks

BlackShield ID, CRYPTOCard and the CRYPTOCard logo are trademarks and/or registered trademarks of CRYPTOCard Corp. in Canada and/or other countries. All other goods and/or services mentioned are trademarks of their respective holders.


Contact Information

CRYPTOCard’s technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.

CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs.

To contact CRYPTOCard directly:

United Kingdom
2430 The Quadrant, Aztec West, Almondsbury, Bristol, BS32 4AQ, U.K.
Phone: +44 870 7077 700
Fax: +44 870 70770711
support@cryptocard.com

North America
600-340 March Road, Kanata, Ontario, Canada K2K 2E4
Phone: +1 613 599 2441
Fax: +1 613 599 2442
support@cryptocard.com

For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com

Publication History

Date         Description            Revision
2011.11.28   Feature changes        2.3
2011.08.31   Feature changes        2.2
2011.07.04   Added Feature Update   2.1
2011.05.09   Minor updates          2.0
2011.03.14   Initial release        1.0


Contents

Applicability ............................................................ 5
Overview ................................................................. 6
Features ................................................................. 7
Preparation and Prerequisites ............................................ 7
Configuring the Agent .................................................... 8
BlackShield ID LDAP Sync Agent Configuration Tool ....................... 13
    Status Tab .......................................................... 13
        LDAP Configuration .............................................. 13
        LDAP Sync Groups ................................................ 13
        Last Sync Status ................................................ 14
        Transaction Details ............................................. 14
    Configuration Tab ................................................... 15
        LDAP Configuration .............................................. 15
        LDAP Credentials ................................................ 16
        LDAP Sync Group(s) .............................................. 17
        LDAP Schema Configuration ....................................... 18
    Other Synchronization Options ....................................... 18
        Mobile Number Country Code ...................................... 18
        LDAP Scan Interval .............................................. 18
        Group Sync Options .............................................. 19
        Key Set ......................................................... 19
        BlackShield ID Synchronization Server ........................... 19
    Notification Tab .................................................... 20
        SMTP Configuration .............................................. 20
        E-Mail Test ..................................................... 21
        E-Mail Message Templates ........................................ 21


Applicability

This integration guide is applicable to:

Authentication Server              BlackShield Cloud
                                   BlackShield SPE Server (3.x)
Supported Windows Versions         Windows XP SP3
                                   Windows 2003 R2 Server
                                   Windows 2008 SP2 and Windows 2008 R2
                                   Windows Vista SP2
                                   Windows 7
Supported Architecture             32-bit
                                   64-bit
Additional Software Components     .Net 2.0
Network Ports                      TCP Port 8456
                                   TCP Port 389
                                   TCP Port 636 (optional)
Supported LDAP Directory Servers   Active Directory
                                   Sun One 6.x
                                   Novell eDirectory 8.x
LDAP Directory Server Access       Read-only
Supported LDAP Groups              Single LDAP Group
                                   Multiple LDAP Groups


Overview

The LDAP Synchronization Agent has been developed to simplify the task of user creation in BlackShield Cloud. Without the agent, the administrator must manually input user information via the web-based management interface. Once installed, the LDAP Synchronization Agent monitors LDAP groups for membership changes and updates user information in BlackShield Cloud to reflect these changes.

1. The organization imports its synchronization agent key file into the LDAP Synchronization Agent, configures a connection to its LDAP Directory Server, then selects one or more LDAP groups.
2. The LDAP Synchronization Agent queries the LDAP Directory server for all users within the selected LDAP Group(s).
3. For each member of the group, the first name, last name, username, email address, address, phone, mobile and selected LDAP group(s) are exported by the LDAP Synchronization Agent and queued for transmission.
4. The LDAP Synchronization Agent pushes all user and group information to the BlackShield Cloud, which in turn creates each user and group in the Virtual Server.
5. The LDAP Synchronization Agent queries the LDAP Directory server every 20 minutes (default synchronization period) and pushes all user and group information to the BlackShield Cloud.
6. Additions, deletions and updates are pushed to BlackShield Cloud during each synchronization.


Features

Most organizations maintain information about their users in an LDAP directory such as Active Directory. The purpose of the Synchronization Agent is to auto-populate BlackShield Cloud with users maintained in one of these user sources.

Key features of the agent are:

- Can be used with almost any LDAP Directory Server.
- Can accommodate custom LDAP schemas.
- Does not write to the LDAP Directory Server.
- Does not require an administrator account to connect to the LDAP Directory Server.
- Can synchronize multiple LDAP Directory Servers.
- Uses AES encryption between the LDAP Synchronization Agent and the BlackShield Cloud.
- Supports SSL between the LDAP Synchronization Agent and the LDAP Directory Server.

Preparation and Prerequisites

You will need the following to install and configure the LDAP Synchronization Agent:

- The BlackShield Cloud account total license capacity must be equal to or greater than the number of users synchronized from LDAP. LDAP groups do not count towards capacity.
- The synchronization agent key file generated by your Virtual Server (MASSyncConfigFile.bmc). This is generated from the LDAP Sync Agent Settings link in the Authentication Processing Module within the COMMS tab of your Virtual Server.
- The agent installer (BlackShield ID LDAP Sync Agent x64.exe or BlackShield ID LDAP Sync Agent.exe for 64-bit and 32-bit systems respectively).
- The IP address/host name and port number of your LDAP Directory Server.
- An account name and password that can be used by the LDAP Synchronization Agent to connect to the LDAP Directory Server.
- TCP Port 389 or 636 open between the LDAP Synchronization Agent and the LDAP Directory Server.
- TCP Port 8456 open between the LDAP Synchronization Agent and BlackShield Cloud.


Configuring the Agent

8. In Event Recipient Lists select Add. Enter one or more valid email addresses into the recipient email list and set the event.
9. To start or stop synchronization, click the Start / Stop buttons in Service Status.
10. To allow Sync Agent Permission, click the Change Permission link in the Sync Permission column under the LDAP Sync Agent Hosts task of the Authentication Processing module on the COMMS tab of your BlackShield Console. Change the Sync Agent Host Permission to Allow and click Apply.


BlackShield ID LDAP Sync Agent Configuration Tool

The BlackShield ID LDAP Sync Agent configuration tool allows for the modification of various features available within the agent.

Status Tab

The Status tab deals primarily with supplying information on LDAP Sync Groups and their transaction details.

LDAP Configuration

LDAP CONNECTION STATUS
Displays the current connection status between the agent and the LDAP Directory server.

LDAP CONFIGURATION INFO
Displays the connection information for the LDAP Server. This dialog does not display any password information.

LDAP Sync Groups

Lists all LDAP Groups configured to synchronize against the BlackShield Cloud.


Last Sync Status

LAST SYNC TIME
Displays the time of the last synchronization attempt by the agent.

SCAN DURATION
Displays the amount of time required to scan all groups to retrieve user information.

# OF UNIQUE OBJECTS
Displays the number of LDAP objects discovered during the last scheduled scan.

# OF DIFFERENCES
Displays the number of LDAP object differences between the local persistent cache and the LDAP Directory server during the last scheduled scan.

SENT TRANSACTIONS
Displays the number of updates sent to the BlackShield Cloud.

TOTAL USERS SYNC’D
Displays the number of users currently synchronized with the BlackShield Cloud.

Transaction Details

ID
Displays the number of the current transaction record.

STATUS
Displays the status of the transaction.

SCAN STARTED
Displays the start date and time of an LDAP Directory server scan.

SCAN ENDED
Displays the end date and time of an LDAP Directory server scan.

SENT TO BLACKSHIELD
Displays the date and time the transaction was delivered to BlackShield Cloud.

REFRESH
Amount of time before transaction details will be updated.

SAVE AS
Saves all transaction details to a file.

CLEAR
Permanently deletes all transaction details.


Configuration Tab

The Configuration tab deals primarily with LDAP configuration and scanning intervals.

LDAP Configuration

This section is used to configure the connection between the agent and the LDAP Directory server.

HOST NAME OR IP
Specifies the location of the LDAP server.

PORT
By default TCP port 389 is used. If required, the Active Directory Global Catalog (TCP port 3268) may be used.

USE SSL
If the LDAP server has been configured to use a certificate, this option may be selected. If the option is selected, change the Port value to 636.

NUMBER OF FAILOVER
Up to 4 other failover LDAP servers may be configured. All LDAP servers must have access to the same Base DN.


LDAP SCHEMA
Includes default LDAP schema support for Active Directory (2003/2008), eDirectory 8.x and Sun One 6.x. Additional schemas may appear if configured under LDAP Schema Configuration.

LDAP Credentials

USER DN
If using Active Directory, the value should be entered in an email format.
Example: The Base DN in the figure is dc=ts, dc=cryptocard, dc=com, so the username “ccldap” could be defined in User DN as ccldap@ts.cryptocard.com.
If using another LDAP Server the User DN may be more complicated, for example:
uid=ccldap, ou=Users, dc=ts, dc=cryptocard, dc=com

BASE DN
Specifies the top level of the LDAP Server.

APPEND BASE DN
This will add the Base DN to the information defined in User DN.
Example: If you specified a User DN of uid=ccldap and selected Append Base DN, the following would be submitted to the LDAP Server when connecting:
uid=ccldap, dc=ts, dc=cryptocard, dc=com

PASSWORD
Used in combination with User DN as credentials to connect to the LDAP Server.
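The following is an added example, not code from the guide or from the agent itself. It models the LDAP Configuration and LDAP Credentials fields described above (Port, Use SSL, Number of Failover, User DN, Base DN, Append Base DN) as a small configuration record, derives the bind identity the agent would submit, and lists the review findings a practitioner would check before starting synchronization. The treatment of an e-mail-format User DN as used-as-is with Append Base DN is an assumption; the host names are constructed.

```python
from dataclasses import dataclass, field
from typing import List

LDAP_PORT = 389             # default, clear text
LDAPS_PORT = 636            # required when "Use SSL" is selected
GLOBAL_CATALOG_PORT = 3268  # optional Active Directory Global Catalog port
MAX_FAILOVER_SERVERS = 4    # "Number of failover" limit stated in the guide


@dataclass
class LdapAgentConfig:
    """Hypothetical mirror of the Configuration tab fields (example only)."""
    host: str
    port: int = LDAP_PORT
    use_ssl: bool = False
    user_dn: str = ""
    base_dn: str = ""
    append_base_dn: bool = False
    failover_hosts: List[str] = field(default_factory=list)


def effective_bind_dn(cfg: LdapAgentConfig) -> str:
    """Identity submitted to the directory when the agent connects.

    Assumption: an Active Directory e-mail (UPN) form is used unchanged.
    For other servers, "Append Base DN" joins User DN and Base DN with a comma.
    """
    user_dn = cfg.user_dn.strip()
    if "@" in user_dn:  # e.g. ccldap@ts.cryptocard.com
        return user_dn
    if cfg.append_base_dn and cfg.base_dn.strip():
        return f"{user_dn}, {cfg.base_dn.strip()}"
    return user_dn


def review_config(cfg: LdapAgentConfig) -> List[str]:
    """Findings a reviewer would raise before enabling synchronization."""
    findings: List[str] = []
    if not cfg.user_dn.strip():
        findings.append("User DN is empty")
    if not cfg.base_dn.strip():
        findings.append("Base DN is empty; the agent needs the top level of the directory")
    if cfg.use_ssl and cfg.port != LDAPS_PORT:
        findings.append(f"Use SSL is selected but Port is {cfg.port}; change it to {LDAPS_PORT}")
    if not cfg.use_ssl:
        findings.append(f"Use SSL is not selected: the bind password and every synchronized "
                        f"user attribute cross the network in clear text on port {cfg.port}")
    if cfg.port not in (LDAP_PORT, LDAPS_PORT, GLOBAL_CATALOG_PORT):
        findings.append(f"Port {cfg.port} is not {LDAP_PORT}, {LDAPS_PORT} or {GLOBAL_CATALOG_PORT}")
    if len(cfg.failover_hosts) > MAX_FAILOVER_SERVERS:
        findings.append(f"{len(cfg.failover_hosts)} failover servers configured; "
                        f"the agent supports at most {MAX_FAILOVER_SERVERS}")
    return findings


if __name__ == "__main__":
    # Constructed settings: the guide's uid=ccldap example with the Base DN appended.
    cfg = LdapAgentConfig(host="ldap.example.test", port=LDAPS_PORT, use_ssl=True,
                          user_dn="uid=ccldap", base_dn="dc=ts, dc=cryptocard, dc=com",
                          append_base_dn=True)
    print("bind as:", effective_bind_dn(cfg))
    for finding in review_config(cfg) or ["no findings"]:
        print("-", finding)
```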


MANUAL DN CONFIGURATION
Allows for manually editing the location where users can be found.

LDAP Sync Group(s)

LDAP groups may be selected from Available Groups and placed into Synchronized Group(s). If the group is not visible, enter the name of the group in the Available Groups field.

Synchronization will not take place if Synchronized Group(s) contains no groups.

If a selected LDAP group is deleted on the LDAP Directory Server, all synchronization will be halted until the group is removed from the agent or recreated on the LDAP Directory Server.

If you would like to remove all LDAP users from BlackShield Cloud, you must place an empty LDAP group in Synchronized Group(s).


LDAP Schema Configuration

The schema management dialog allows for the creation of a custom schema. This can be used to view LDAP objects which are not visible by default within the LDAP Synchronization agent.

Other Synchronization Options

Mobile Number Country Code

COUNTRY CODE TO PREPEND
The agent automatically strips all non-numeric characters from the data in the “Cell Number” mapping (refer to point 7 above). In addition, if a numeric value is entered into this field, the agent will prepend this value to the “Cell Number” mapping under the following conditions:

- If the Cell Number has 00 as the leading digits, the agent will remove the leading 00.
  Example: 0041-77889991111 becomes 4177889991111
- If the Cell Number has 0 as the leading digit, the agent will strip the 0 and prepend the country code.
  Example using 31 as prepend country code: 0778-89991111 becomes 3177889991111
- If the Cell Number leading digit is 1 through 9, the agent will prepend the country code.
  Example using 31 as prepend country code: 778-89991111 becomes 3177889991111

LDAP Scan Interval

This value determines how frequently the agent will scan LDAP for changes and apply them to BlackShield Cloud. The default value is 20 minutes.
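As an added example (not the agent's code), the Cell Number rules above re-implemented so they can be run over directory values before synchronization. The three worked examples from the guide are reproduced, and a fourth constructed value shows what the documented rules do to a number stored in "+31 ..." form: the "+" is stripped and the leading 3 then triggers a second prepend, so such values are worth flagging before the agent sends them to BlackShield Cloud.

```python
import re
from typing import Dict, List, Optional


def normalize_cell_number(raw: str, country_code: Optional[str] = None) -> str:
    """Apply the guide's documented "Cell Number" handling.

    1. Strip every non-numeric character.
    2. Only if a numeric country code is configured:
       - leading "00" is removed and nothing is prepended
       - a single leading "0" is removed and the country code is prepended
       - a leading digit 1-9 keeps the number and the country code is prepended
    """
    digits = re.sub(r"\D", "", raw)
    if not digits or country_code is None or not country_code.isdigit():
        return digits  # no country code configured: only the stripping rule applies
    if digits.startswith("00"):
        return digits[2:]
    if digits.startswith("0"):
        return country_code + digits[1:]
    return country_code + digits


def normalize_directory(entries: Dict[str, str], country_code: str) -> Dict[str, str]:
    """Normalize the mapped attribute for every user in a (constructed) directory dump."""
    return {user: normalize_cell_number(num, country_code) for user, num in entries.items()}


def flag_plus_prefixed(entries: Dict[str, str]) -> List[str]:
    """Users whose raw value starts with '+': the documented rules will strip the '+'
    and still prepend the configured country code, producing a wrong number."""
    return [user for user, raw in entries.items() if raw.strip().startswith("+")]


# Constructed sample: the guide's three examples plus one E.164-style value.
SAMPLE_ENTRIES = {
    "alice": "0041-77889991111",
    "bob": "0778-89991111",
    "carol": "778-89991111",
    "dave": "+31 (0)6 1234 5678",
}

if __name__ == "__main__":
    for user, number in normalize_directory(SAMPLE_ENTRIES, "31").items():
        print(f"{user:6} {SAMPLE_ENTRIES[user]:>20} -> {number}")
    print("check before sync:", flag_plus_prefixed(SAMPLE_ENTRIES))
```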


Group Sync Options

The Group Sync options allow you to control the LDAP groups that get migrated into BlackShield Cloud. The default value is Sync filter groups only.

The following options are available:

- All: All LDAP groups will be imported into BlackShield Cloud.
- With members only: Only the LDAP groups assigned to synchronized users are imported into BlackShield Cloud.
- Sync filter groups only: Only the monitored LDAP sync group is imported into BlackShield Cloud.
- None: No LDAP groups will be imported into BlackShield Cloud.

Key Set

Displays the account-specific synchronization agent key being used in BlackShield Cloud. This information must match the Key Set found under Virtual Servers, Account Name, COMMS, Authentication Processing, LDAP Sync Agent Settings within BlackShield Cloud.

BlackShield ID Synchronization Server

Displays the location of the BlackShield Cloud LDAP synchronization servers and the TCP port.


Notification Tab

The Notification tab deals primarily with SMTP Server configuration and alert messages.

SMTP Configuration

CONFIGURE SMTP SETTINGS
Enter a From email address, the host name/IP address of the SMTP server and the port number. If required, the user name and password credentials to log on to the SMTP server may be entered.


E-Mail Test

ENTER EMAIL ADDRESS
This section is used to test the SMTP configuration.

E-Mail Message Templates

The agent can send a notification if it is unable to connect to LDAP or to BlackShield.

Event Recipient Lists

LIST NAME
Display name for the event.

RECIPIENT E-MAIL
Enter a valid email address then select Add.

RECIPIENT E-MAIL LIST
Displays a list of all email addresses to notify.

EVENTS
Place a checkmark on LDAP or Sync Server Connection issue.
