HOW TO: Enable Directory Synchronization on the PGP Encryption Server (Symantec Encryption Management Server)



Article ID: 180239


Products

Encryption Management Server, Gateway Email Encryption, Desktop Email Encryption, Drive Encryption, Endpoint Encryption, File Share Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

The Directory Synchronization service is a component of the PGP Encryption Server (Symantec Encryption Management Server) that allows it to query your Active Directory or LDAP directory.

It lets the PGP server look up users and their associated AD objects (such as group membership) and is the typical configuration for most environments because of its ease of use and convenience.

This article covers what it takes to add a Directory Synchronization service for your own internal directory.

Resolution

Directory Synchronization allows you to assign different user policies to specific internal user groups.  When Directory Synchronization is enabled, Internal Users come only from the directory you specify.  During enrollment, if a user exists in the directory, they are added to the system as an internal user and placed in the policy that corresponds to their user account (that is, their group membership in the directory).


Important Tip: The PGP Encryption Server supports LDAPv2 and LDAPv3.  LDAPS is highly recommended for communications from the PGP server to the LDAP directory, because the bind credentials and every directory query travel over this connection: on plain LDAP (port 389) the Bind DN passphrase and the query results cross the network in clear text.  Because LDAPS relies on TLS, the directory's certificate is checked against the hostname you enter, so that hostname must resolve properly and must match the certificate.  Plain LDAP can be pointed at the IP address of a domain controller, but with LDAPS you must use the FQDN of the DC or the connection will fail.  See the following article for more information:

197991 - PGP Encryption Server Directory Synchronization cannot use IP address for LDAPS

You can use any of a number of directories with the PGP Encryption Server, although directories that more closely conform to the OpenLDAP or X.500 standards work best.


Bind DN User Requirement

Ensure the Bind DN user has the permissions needed to traverse the LDAP directory (Active Directory).  This account is what the PGP server uses to look up users and confirm that they are valid directory users; if it cannot find them, dependent processes such as user enrollment and policy group assignment fail.  Use a dedicated, read-only service account with a strong passphrase rather than a privileged account such as a Domain Admin: its credentials are stored on the PGP server, and read access to user and group objects is all that these lookups require.  You can use Softerra LDAP Browser to bind as that user from another client and confirm that the account can see the users and groups you expect.

Enable LDAP Directory Synchronization

  1. Log into the PGP Server web console.

  2. Click Consumers and then select Directory Synchronization.

  3. Click Enable.

  4. Below LDAP Directories, click Add LDAP Directory.

  5. Type a Name and select a Type of LDAP directory.

     Note: The LDAP directory types include Active Directory and OpenLDAP (RFC 1274).

  6. Enter the FQDN/Hostname for your LDAP server.

  7. Do not enter a password at this stage.

  8. Click the Test Connection button to verify that the PGP server can reach the LDAP server.

     This only confirms that there is a network path to the AD server; no credentials have been sent yet.
     Important Note: Port 389 (plain LDAP) must not be used in production or for any of the following steps.  It is provided only for backward compatibility with legacy systems; future versions of the PGP Encryption Server may not allow it.  Use port 636 (LDAPS).

  9. Once the connection test to the host succeeds, change the port to 636 for LDAPS (Secure).  Use only port 636 over LDAPS for all remaining steps and for production use.

  10. Type an appropriate value in the Bind DN field.  This value is used to initially bind (or authenticate) to the LDAP directory server.
     Binding determines the permissions granted for the duration of a connection.

     For more information on LDAP syntax with the PGP Encryption Server, see the following article:
     218617 - How to obtain the Base DN or Bind DN Attributes for LDAP Directory Synchronization for the PGP Encryption Server

  11. Enter the Passphrase for the Bind DN user.

  12. Click the Test Connection button again to ensure that the directory accepted the credentials over LDAPS.

  13. Base Distinguished Names (Optional) - If you have a large LDAP structure and notice latency during enrollment, entering a Base DN can speed up the LDAP lookups.
     If you notice issues, enter or browse for a Base DN for your domain.  If it is left blank, the directory queries start at the root of the directory.

  14. Consumer Matching Rules - The PGP Server can match a consumer's enrollment username to this LDAP Directory using a regular expression.
     This option is usually not needed and requires expertise in regex.  We recommend leaving this unconfigured unless you have a specific need.

  15. Click Save.
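To see what the two Test Connection clicks above actually put on the wire, here is an added example (not Symantec's code and not part of this article) that performs the same LDAPv3 simple bind the PGP server does with its Bind DN, using only the Python standard library.  It encodes the BindRequest by hand so the cleartext-passphrase problem with port 389 is visible in the bytes, decodes the BindResponse result code (0 = success, 49 = invalidCredentials), refuses an IP address or short name as an LDAPS target as article 197991 describes, and verifies the DC certificate and hostname on 636.  The hostname, Bind DN, passphrase and CA file are assumed placeholders, and the two sample responses are constructed, not captured from a real domain controller.

```python
# Added example (not Symantec's code): the LDAP simple bind the PGP Encryption Server
# performs with its Bind DN, standard library only. Hostnames, DNs, the passphrase and
# the sample responses are assumptions/constructed data, not values from the article.
import ipaddress
import socket
import ssl

LDAP_PORT = 389    # cleartext LDAP: network path test only, never production
LDAPS_PORT = 636   # LDAP over TLS: what the article tells you to use


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def bind_request(message_id: int, bind_dn: str, passphrase: str) -> bytes:
    """Encode an LDAPv3 simple BindRequest (RFC 4511 section 4.2); message_id < 128."""
    version = _tlv(0x02, b"\x03")                 # INTEGER 3 = LDAPv3
    name = _tlv(0x04, bind_dn.encode())           # OCTET STRING: the Bind DN
    simple = _tlv(0x80, passphrase.encode())      # [0] simple: the passphrase, verbatim
    bind = _tlv(0x60, version + name + simple)    # [APPLICATION 0] BindRequest
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind)  # LDAPMessage SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                              # long form: next n bytes hold the length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def bind_result(response: bytes) -> tuple:
    """Decode a BindResponse into (resultCode, diagnosticMessage):
    0 = success, 49 = invalidCredentials (wrong Bind DN or passphrase)."""
    _, msg, _ = _read_tlv(response, 0)            # outer LDAPMessage SEQUENCE
    _, _msg_id, pos = _read_tlv(msg, 0)           # messageID INTEGER
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:                               # [APPLICATION 1] BindResponse
        raise ValueError(f"unexpected protocolOp tag {tag:#x}")
    _, code, pos = _read_tlv(op, 0)               # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(op, pos)      # matchedDN
    _, diag, _ = _read_tlv(op, pos)               # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")


# Constructed sample responses (not captured from a real DC): success, and
# invalidCredentials carrying a short AD-style diagnostic.
SAMPLE_BIND_OK = bytes.fromhex("300c020101" "6107" "0a0100" "0400" "0400")
SAMPLE_BIND_INVALID = bytes.fromhex("3014020101" "610f" "0a0131" "0400" "0408") + b"data 52e"


def is_ldaps_host(host: str) -> bool:
    """TLS checks the name against the DC certificate: the LDAPS target must be
    the DC's FQDN, not an IP address or a short name (article 197991)."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return "." in host


def _recv_message(sock) -> bytes:
    """Read exactly one LDAPMessage TLV, however TCP segments it."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("directory closed the connection")
        buf += chunk
        if len(buf) < 2:
            continue
        first = buf[1]
        hdr = 2 + ((first & 0x7F) if first & 0x80 else 0)
        if len(buf) >= hdr:
            total = hdr + (int.from_bytes(buf[2:hdr], "big") if first & 0x80 else first)
            if len(buf) >= total:
                return buf[:total]


def ldap_bind(host, bind_dn, passphrase, *, secure=True, ca_file=None, timeout=5.0):
    """Connect, bind, return (resultCode, diagnostic). secure=False is the article's
    port-389 path test; a passphrase sent that way crosses the wire in clear text."""
    if secure:
        if not is_ldaps_host(host):
            raise ValueError(f"LDAPS needs the DC FQDN, not {host!r}")
        ctx = ssl.create_default_context(cafile=ca_file)   # verifies chain AND hostname
        sock = ctx.wrap_socket(socket.create_connection((host, LDAPS_PORT), timeout=timeout),
                               server_hostname=host)
    else:
        sock = socket.create_connection((host, LDAP_PORT), timeout=timeout)
    with sock:
        sock.sendall(bind_request(1, bind_dn, passphrase))
        return bind_result(_recv_message(sock))
```

Run the offline parts first: bind_request(1, dn, pw) shows the passphrase sitting verbatim in the request bytes, which is exactly what port 389 would carry across the network.  ldap_bind(host, "", "", secure=False) reproduces the first Test Connection (an anonymous bind on 389 that sends nothing sensitive); ldap_bind("dc01.corp.example.com", dn, pw, ca_file="/path/to/corp-root-ca.pem") reproduces the second.  A result of (49, ...) means the network path and TLS are fine but the directory rejected the Bind DN or passphrase, while a TLS or hostname error means the name you entered does not match the DC certificate.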

 

Multiple-Domain Environments

If you have multiple domains, you can add more Active Directory entries to cover those domains.

If you have a Global Catalog that provides searchability across all of your domains, use the Global Catalog instead of a single domain's Active Directory; this may help speed up the lookups.  A Global Catalog answers on its own ports (3268 for LDAP, 3269 for LDAPS) rather than 389/636, so use port 3269 when pointing the PGP server at a Global Catalog over LDAPS.

If a Global Catalog is not an option, simply add another directory for each additional domain; each of the directories will be searched.

In addition to the Directory Synchronization entries above, ensure that each domain you would like to manage is also added to the "Managed Domains" list on the PGP server.

Once the above values have been added, all of the configured domains will be queried, and users from each of the applicable domains will be allowed to enroll to the PGP server.

If you have any difficulty getting this configured, review the steps and if you still run into issues, reach out to Symantec Encryption Support for further guidance and troubleshooting.
