O3 Gateway User Store Requirements - Active Directory
Article: TECH196938 | Created: 2012-09-19 | Updated: 2013-02-19 | Article URL: http://www.symantec.com/docs/TECH196938
This document describes the information the Symantec O3 gateway needs in order to connect to a user store. The user store covered here is Active Directory.
The O3 gateway communicates with the Active Directory server through its management interface to provide user store capabilities.
Configure your firewalls so that the gateway can reach Active Directory on the ports listed below.
|Item||Protocol / Ports||Traffic Direction (from perspective of gateway)|
|LDAP||TCP 389 (default)||Outbound|
|LDAPS||TCP 636 (default)||Outbound|
|Field||Description||Example|
|IP Address or DNS Name||IP address or DNS hostname of the Active Directory server. If you give only the domain name, ordinary DNS resolution (the domain's A records) decides which domain controller the gateway connects to; the gateway does not consult the Windows SRV service records to find a domain controller that is actually up. Naming a specific domain controller or a load-balanced address gives more predictable results.||yourdomain.com|
|Port||Port for the LDAP connection. The default for Microsoft LDAP is 389; use 636 for LDAPS. An LDAP simple bind over plain 389 transmits the service user's password in cleartext, so 636 is the safer choice wherever the domain controllers present a certificate the gateway can validate.||389|
|Directory Search Root||Starting point of the user searches performed by the gateway. The gateway can traverse any level below the search root, so choose the container that holds every user who must be able to log in. Give the value in distinguished-name format.||DC=myco,DC=com|
|User Object Class||Object class that defines users. For Active Directory this is typically "user" unless you have modified the schema.||user|
|User Tag||Attribute the gateway searches on when users authenticate to O3 Intelligence Center. With an Active Directory store, sAMAccountName is the attribute commonly used to hold user names.||sAMAccountName|
|Service User Information||Add a user with read permission on your Active Directory so that the O3 gateway can establish and maintain its connection. This user can be a member of the Domain Users group; no further privilege is required.|
|Principal Username||Login name plus the UPN suffix appended to it. It is unique within the forest and takes the form joeuser@domain_name. The account needs only read access to Active Directory (Domain User permissions suffice), must be enabled, and must be able to search from the Directory Search Root specified above.||Tester01@yourdomain.com|
|Password||The service user's password must not expire. If it expires, no user can authenticate to the SSO portal until it is reset. Because this password never rotates, use a long random value and keep it in a password manager rather than in a ticket or e-mail.|
|Test User Information||Add a user with the same permissions as the service user.|
|Username||The sAMAccountName (network login) of a test user that can be used to validate basic functionality of O3 Intelligence Center. It must not be the same account as the service user specified above.||Tester02@yourdomain.com|
|Password||The password must not be set to change at first login.||your@pass02|
Before you return this document to Symantec, verify the accuracy of the information you entered in the previous table. First run the procedure below with the Service User credentials, then repeat it with the Test User credentials. The procedure is identical except for the credentials used.
Before you begin, download and install Apache Directory Studio.
1. Log on to your Windows server with the Service User credentials (see previous table).
2. Open Apache Directory Studio and create a new connection: select File > New from the main menu and choose LDAP Connection. A connection wizard appears.
3. Enter the server hostname and port, then the Principal Username and password, exactly as recorded in the table.
4. Connect to the server. A successful bind verifies the host, port and credentials you provided. If the connection fails, troubleshoot to determine the cause and correct the values in the table before continuing.
5. Repeat steps 1 to 4 with the Test User credentials.
Once you have successfully verified both Service and Test User credentials with this procedure, return this document to your Symantec support representative.
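As an added worked example that is not part of the Symantec article, the Windows PowerShell script below performs the same simple bind that Apache Directory Studio does and then checks what a connection test alone does not: that the test user can be found from the Directory Search Root using the User Tag, that the service account is enabled and has a non-expiring password, and that the test user is not flagged to change password at next logon. The hostname, search root and account names are placeholders taken from the example column of the table; the variable and function names are this example's own, and it assumes the service account's sAMAccountName matches the prefix of its UPN.

```powershell
# Added example, not from the Symantec article. Exercises the user-store values from the
# table the way the O3 gateway would: a simple bind, then a subtree search from the
# Directory Search Root. Every value below is a placeholder; use those from your own table.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server     = 'dc01.yourdomain.com'     # placeholder: a specific DC or VIP, not the bare domain
$Port       = 636                       # 636 = LDAPS (preferred); 389 = cleartext simple bind
$SearchRoot = 'DC=yourdomain,DC=com'    # Directory Search Root
$UserTag    = 'sAMAccountName'          # User Tag
$ObjectCls  = 'user'                    # user object class
$ServiceUpn = 'Tester01@yourdomain.com' # Principal Username (UPN form, used for the bind)
$ServiceSam = 'Tester01'                # assumption: service account's sAMAccountName
$TestUser   = 'Tester02'                # test user's sAMAccountName

# Optional: show which domain controllers DNS advertises. The gateway does not consult
# these SRV records when given a bare domain name, so pick one of them for $Server.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.yourdomain.com" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } | Select-Object NameTarget, Port, Priority

# Escape a value for use inside an LDAP filter (RFC 4515) so a stray '*' or ')' in a
# user name cannot change the meaning of the query. Backslash is replaced first.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# 1. Simple bind as the service user. Failure here means a wrong host, port, UPN or
#    password, an untrusted LDAPS certificate, or a disabled/locked/expired account.
#    Do not switch off certificate validation to get past an LDAPS failure; fix the trust.
$cred = Get-Credential -UserName $ServiceUpn -Message 'Service user password'
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)
$conn.Bind($cred.GetNetworkCredential())
"Bind OK as $ServiceUpn to ${Server}:$Port"

# Look up one account by the User Tag below the search root, as the gateway would at login.
function Find-O3User([string]$Name) {
    $filter = "(&(objectClass=$ObjectCls)($UserTag=$(ConvertTo-LdapFilterValue $Name)))"
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $SearchRoot, $filter,
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        [string[]]@('distinguishedName', 'userAccountControl', 'pwdLastSet'))
    $resp = $conn.SendRequest($req)
    if ($resp.Entries.Count -ne 1) {
        throw "Expected exactly one match for $UserTag=$Name under $SearchRoot, found $($resp.Entries.Count)"
    }
    $e = $resp.Entries[0]
    [pscustomobject]@{
        DN         = $e.DistinguishedName
        UAC        = [int]$e.Attributes['userAccountControl'].GetValues([string])[0]
        PwdLastSet = [long]$e.Attributes['pwdLastSet'].GetValues([string])[0]
    }
}

# 2. Service account: must be enabled (userAccountControl bit 0x2 clear) and have
#    "Password never expires" (bit 0x10000 set), or SSO logins stop when it lapses.
$svc = Find-O3User $ServiceSam
if ($svc.UAC -band 0x2)            { throw "Service account $($svc.DN) is disabled" }
if (-not ($svc.UAC -band 0x10000)) { Write-Warning "Service account $($svc.DN) is not set to 'Password never expires'" }

# 3. Test user: reachable from the search root, enabled, a different account from the
#    service user, and not flagged to change password at next logon (pwdLastSet = 0).
$tst = Find-O3User $TestUser
if ($tst.UAC -band 0x2)    { throw "Test user $($tst.DN) is disabled" }
if ($tst.PwdLastSet -eq 0) { throw "Test user $($tst.DN) must change password at next logon" }
if ($tst.DN -eq $svc.DN)   { throw "Test user and service user must be different accounts" }
"Search root, user tag and both accounts check out: $($tst.DN)"
```

Run it once with the service user's password and, if every line passes, the values in the table are the ones the gateway needs. A bind that succeeds but a search that returns zero entries usually means the Directory Search Root is too deep or the User Tag is wrong, which a plain connection test in Apache Directory Studio would not have revealed.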