Directory Synchronization allows you to assign different user policy to specific internal user groups.  When using Directory Synchronization, Internal Users come only from the directory you specify when you enable Directory Synchronization. During enrollment, if a user exists in the directory, they are added to the system as internal users and placed in the corresponding policy for their user account.  


Important Tip: The PGP Encryption Server supports LDAPv2, LDAPv3.  LDAPS is highly recommended for secure communications from the PGP server to the LDAP directory.
Because authentication operations are taking place behind the scenes with sensitive information.  Because LDAPS relies on TLS, certificates are used and hostnames must be able to be resolved properly. Although LDAP can use an IP address for of the domain controller, when using LDAPS, ensure you use the FQDN of the DC or the connections will fail.  See the following article for more information:

197991 - PGP Encryption Server Directory Synchronization cannot use IP address for LDAPS

You can use any of a number of directories with the PGP Encryption Server, although directories that more closely conform to the OpenLDAP or X.500 standards work best.

Bind DN User Requirement

Ensure the Bind DN user has the appropriate permissions in order to traverse the LDAP directory (Active Directory).  This user is in charge of finding users for authenticating them that they are proper users, and if it can't find users, then other processes can fail, such as user enrollment and grouping.  You can use Softerra LDAP Browser to get another perspective of binding to the user. 

Enable LDAP Directory Synchronization

1. Log into the PGP Server web console.
   
   
2. Click Consumers and then select Directory Synchronization.
   
   
3. Click Enable.
   
   
4. Below LDAP Directories, click Add LDAP Directory.
   
   
5. Type a Name and select a Type of LDAP directory.

     Note: The LDAP directory types include: Active Directory and OpenLDAP (RFC 1274)

6. Enter the FQDN/Hostname for your LDAP server.
   
   
7. Do not enter any password in at this stage.
   
   
8. Click the Test Connection button to verify you can successfully connect to the LDAP server.
   
   This is just to make sure that there is a network path to the AD server. 
   Important Note: You will not be using 389 in production and for any of the next steps.  Port 389 is provided for backward compatibility of legacy systems but should no longer be used.
   Future versions of the PGP Encryption Server may not allow 389 and is best to use port 636.
   
   
9. Once you have been able to test the connection on the host, change the port to 636 for LDAPS (Secure).
   
   
10. Type an appropriate value in the Bind DN field. This value is used to initially bind (or authenticate) to the LDAP directory server.
    Binding determines the permission granted for the duration of a connection.
    
    For more information on LDAP Syntax with the PGP Encryption Server, see the following article:
    218617 - How to obtain the Base DN or Bind DN Attributes for LDAP Directory Synchronization for the PGP Encryption Server
    
    
11. For any other operations and for production use, only port 636 over LDAPS (Secure) should be used.
12. Now enter a Passphrase for the user value.
13. Click the Test Connection button again to ensure the credentials provided were accepted.
    
    
     
14. Base Distinguished Names (Optional) - If you have a large LDAP structure and notice any latency during enrollment, entering in a Base DN can help speed up the LDAP lookups.
    If you notice issues, enter or browse for a Base DN for your domain.  If you are not noticing any issues, the directory queries start at the top.
    
    
15. Consumer Matching Rules - The PGP Server can match a consumer's enrollment username to this LDAP Directory using a regular expression.
    This option is usually not needed and requires expertise in regex.  We recommend leaving this unconfigured unless you have a specific need.
    
    
16. Click Save.