New Directory Synchronization Features in PGP Universal Server 2.5.2

Article:TECH148984  |  Created: 2006-12-11  |  Updated: 2012-02-02  |  Article URL http://www.symantec.com/docs/TECH148984
Article Type
Technical Solution


Issue

This article discusses the new Directory Synchronization features incorporated into PGP Universal Server 2.5.2 and above.

Solution

New Directory Synchronization Features in PGP Universal Server 2.5.2

There are three new features in the 2.5.2 release of PGP Universal Server that give administrators greater control of the Directory Synchronization process:

  1. The Ability to Enable/Disable LDAP Referrals
  2. The Ability to Set the LDAP Cache Timeout
  3. The Ability to Select your LDAP Directory Type

Directory Synchronization Overview

Directory Synchronization is a feature of PGP Universal Server that allows an administrator to synchronize an LDAP directory with the PGP Universal Server and to assign different user policies to specific internal user groups. Directory Synchronization lets you do the following:

  1. Include users from the specified directory as internal users for the PGP Universal Server.
  2. Exclude specified users from the directory from being internal users.
  3. Include only specified users from the directory, allowing them to be added to the PGP Universal Server as internal users and excluding users that don't match the criteria.
  4. Match certain users from the specified directory with an internal user policy you create.
  5. Use the LDAP directory to assist with creating and enrolling internal users once Directory Synchronization is enabled.

Note: PGP Universal Server supports LDAPv2 and LDAPS. You can use any of a number of directories with PGP Universal Server, although directories that conform more closely to the OpenLDAP or X.500 standards will work best.

Because you specify which type of LDAP directory you use, PGP Universal Server queries user information using only the necessary attributes, which returns results faster.

Required Attributes:

  1. uid or sAMAccountName
     These attributes are interchangeable. Microsoft Active Directory uses sAMAccountName. All other LDAP directories use uid.

  2. DN
     This attribute will exist if the user exists in the directory.

  3. mail or proxyAddresses
     These attributes are interchangeable. Every user must have an email address for the attribute mail.

  4. CN
     This attribute matches what PGP Universal Server refers to as Display Name.

Each user must also have a password defined in the directory. This security feature prevents enrollment unless the user can authenticate with a username and password.

Optional Attributes:

  1. userCertificate
     This attribute allows PGP Universal Server to find user X.509 S/MIME public certificates.

  2. Attributes used to assign users to Internal User Policies
     Refer to Matching Attributes in the Administration Guide for more information.

Note: Microsoft Windows 2000/2003 Active Directory with Exchange Server has all required attributes. Other directory server and email server combinations might not have the necessary attributes.

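The attribute requirements above, worked through in Python as an added example (written for this article; it is not PGP Universal Server code). It builds the attribute list to request for each directory type (sAMAccountName for Active Directory, uid for everything else), extracts the email address from mail or proxyAddresses, and reports which required attributes a constructed sample entry lacks. The handling of proxyAddresses (treating an uppercase "SMTP:" prefix as the primary address, which is the Exchange convention) and the choice to request proxyAddresses only for Active Directory are this example's assumptions, not something the article states.

```python
# Added example, not PGP Universal Server code: per-directory-type attribute
# selection and a required-attribute check over constructed sample entries.

# Account attribute by directory type, as the article describes.
ACCOUNT_ATTRIBUTE = {
    "Active Directory": "sAMAccountName",
    "OpenLDAP": "uid",
}

# Constructed sample entries in the shape an LDAP client library returns them:
# attribute name -> list of values. Attribute names are case-insensitive in LDAP.
AD_ENTRY = {
    "dn": ["CN=Alice Example,OU=Users,DC=example,DC=com"],
    "sAMAccountName": ["alice"],
    "cn": ["Alice Example"],
    # Exchange keeps addresses in proxyAddresses; by convention the uppercase
    # "SMTP:" prefix marks the primary address and lowercase "smtp:" the aliases.
    "proxyAddresses": ["smtp:alias@example.com", "SMTP:alice@example.com"],
    "userCertificate": [b"\x30\x82\x01\x00"],  # placeholder DER bytes, not a real certificate
}

OPENLDAP_ENTRY = {
    "dn": ["uid=bob,ou=people,dc=example,dc=com"],
    "uid": ["bob"],
    "cn": ["Bob Example"],
    # No mail attribute: this entry should fail the required-attribute check.
}


def query_attributes(directory_type):
    """Attributes to request in the LDAP search for this directory type, so the
    query asks only for what is needed. Requesting proxyAddresses only for
    Active Directory is this example's assumption."""
    attrs = [ACCOUNT_ATTRIBUTE[directory_type], "cn", "mail", "userCertificate"]
    if directory_type == "Active Directory":
        attrs.append("proxyAddresses")
    return attrs


def get_values(entry, name):
    """Case-insensitive attribute lookup; returns [] when the attribute is absent."""
    wanted = name.lower()
    for key, values in entry.items():
        if key.lower() == wanted:
            return list(values)
    return []


def primary_email(entry):
    """Email from mail if present, otherwise the primary (SMTP:) proxy address,
    otherwise the first smtp: alias; None when the entry has no address."""
    mail = get_values(entry, "mail")
    if mail:
        return mail[0]
    proxies = get_values(entry, "proxyAddresses")
    primary = [p[5:] for p in proxies if p.startswith("SMTP:")]
    if primary:
        return primary[0]
    aliases = [p[5:] for p in proxies if p.lower().startswith("smtp:")]
    return aliases[0] if aliases else None


def validate_entry(entry, directory_type):
    """Return the required items the entry lacks; an empty list means usable."""
    missing = []
    if not get_values(entry, "dn"):
        missing.append("dn")
    account = ACCOUNT_ATTRIBUTE[directory_type]
    if not get_values(entry, account):
        missing.append(account)
    if primary_email(entry) is None:
        missing.append("mail or proxyAddresses")
    if not get_values(entry, "cn"):
        missing.append("cn")
    return missing


if __name__ == "__main__":
    for label, entry, kind in [("alice", AD_ENTRY, "Active Directory"),
                               ("bob", OPENLDAP_ENTRY, "OpenLDAP")]:
        print(label, kind, "requests:", query_attributes(kind))
        print("  email:", primary_email(entry), "| missing:", validate_entry(entry, kind))
```

Run against the Active Directory sample, the check passes and the email resolves to the primary proxy address; checked as if it were an OpenLDAP directory, the same entry is reported as lacking uid, which is the mismatch the "LDAP directory type" setting exists to avoid.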
New Features

  1. The Ability to Enable/Disable LDAP Referrals

     The Enable LDAP Referrals checkbox gives an administrator the option to allow PGP Universal Server to query referred LDAP directories for user information.

     The LDAP directory you choose for Directory Synchronization can respond to PGP Universal Server queries with a referral (a reference to another LDAP directory). If you allow PGP Universal Server to query referred LDAP directories, the search can take a long time. If you do not allow referred queries, PGP Universal Server will disable users not found in the named directory, even if their information is available in the referred directory.

  2. The Ability to Set the LDAP Cache Timeout

     The text box next to "LDAP Cache Timeout (in minutes)" allows an administrator to control how long PGP Universal Server waits before it again queries the LDAP directory for a user it has already searched for.

     The default is 10 minutes. The LDAP cache contains timestamps that record when PGP Universal Server last queried user information. The user information itself is stored in the PGP Universal Server database, not in the cache. The timestamp in the cache prevents another search for the user within the cache timeout limit, so that LDAP queries do not overload the system.

  3. The Ability to Select your LDAP Directory Type

     The drop-down box next to "LDAP directory type" allows an administrator to select their LDAP directory type.

     An administrator can choose either Active Directory or OpenLDAP (RFC 1274). Active Directory is the default setting. Microsoft Active Directory uses the sAMAccountName attribute for user information, whereas OpenLDAP-based directories use the uid attribute. PGP Universal Server queries user information using only the necessary attributes, which returns results faster.
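The referral and cache-timeout behaviour of features 1 and 2, simulated in Python as an added example (written for this article; it is not PGP Universal Server code). Two in-memory dictionaries stand in for the named LDAP directory and a directory it refers to, the cache holds only per-user timestamps while user records go into a separate "database" dictionary, and the clock is passed in explicitly so the timeout can be exercised. Counting the followed referral as a second LDAP round trip, and the fixed start time, are this example's assumptions.

```python
# Added example, not PGP Universal Server code: referral on/off and the
# LDAP cache timeout, over constructed in-memory directories.
from datetime import datetime, timedelta

DEFAULT_CACHE_TIMEOUT_MINUTES = 10  # the article's default

# Users held by the directory named in the Directory Synchronization settings.
NAMED_DIRECTORY = {"alice": {"mail": "alice@example.com"}}
# Users reachable only through a referral returned by the named directory.
REFERRED_DIRECTORY = {"bob": {"mail": "bob@partner.example"}}


class LdapCache:
    """Keeps only the timestamp of the last query per user, as the article
    describes; user data lives in the server database, not here."""

    def __init__(self, timeout_minutes=DEFAULT_CACHE_TIMEOUT_MINUTES):
        self.timeout = timedelta(minutes=timeout_minutes)
        self.last_query = {}

    def is_fresh(self, uid, now):
        stamp = self.last_query.get(uid)
        return stamp is not None and now - stamp < self.timeout

    def record(self, uid, now):
        self.last_query[uid] = now


class DirectorySync:
    def __init__(self, enable_referrals, cache_timeout_minutes=DEFAULT_CACHE_TIMEOUT_MINUTES):
        self.enable_referrals = enable_referrals
        self.cache = LdapCache(cache_timeout_minutes)
        self.database = {}      # user records keyed by uid (the "database", not the cache)
        self.ldap_queries = 0   # LDAP round trips, to observe the cache's effect

    def sync_user(self, uid, now):
        """Return the user's status after this pass: 'enabled' or 'disabled'."""
        if self.cache.is_fresh(uid, now):
            # Within the timeout: reuse the stored record, no LDAP round trip.
            return self.database[uid]["status"]

        self.cache.record(uid, now)
        self.ldap_queries += 1
        record = NAMED_DIRECTORY.get(uid)
        if record is None and self.enable_referrals:
            # The named directory answered with a referral; following it is
            # another round trip (assumption) and is what can make searches slow.
            self.ldap_queries += 1
            record = REFERRED_DIRECTORY.get(uid)

        if record is None:
            # Not in the named directory (or referrals disabled): the user is
            # disabled even if a referred directory would know them.
            self.database[uid] = {"status": "disabled"}
        else:
            self.database[uid] = {"status": "enabled", **record}
        return self.database[uid]["status"]


def demo(enable_referrals, uid, offsets_minutes, cache_timeout_minutes=DEFAULT_CACHE_TIMEOUT_MINUTES):
    """Sync `uid` at each minute offset from a constructed start time and
    return [(status, ldap_queries_so_far), ...]."""
    sync = DirectorySync(enable_referrals, cache_timeout_minutes)
    start = datetime(2006, 12, 11, 9, 0)  # constructed base time
    return [(sync.sync_user(uid, start + timedelta(minutes=m)), sync.ldap_queries)
            for m in offsets_minutes]


if __name__ == "__main__":
    print("bob, referrals off:", demo(False, "bob", [0]))
    print("bob, referrals on: ", demo(True, "bob", [0]))
    print("alice at t+0/5/10 min, 10 min timeout:", demo(False, "alice", [0, 5, 10]))
```

With referrals disabled, bob is disabled after one query even though the referred directory knows him; with referrals enabled he is enabled at the cost of a second round trip. For alice, the pass at five minutes is served from the database without touching LDAP, and the pass at exactly ten minutes queries again because the timeout has elapsed.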


Legacy ID

683
