O3 Gateway User Store Requirements - Active Directory

Article:TECH196938  |  Created: 2012-09-19  |  Updated: 2013-02-19  |  Article URL http://www.symantec.com/docs/TECH196938
Article Type
Technical Solution

Issue



This document describes information the Symantec O3 gateway needs to connect to a user store.  Listed Here - Active Directory.


Solution



Firewall Settings:

The O3 gateway must communicate with the Active Directory server through the management interface to provide user store capabilities.
Configure firewalls to allow your gateway to communicate with Active Directory on designated ports.

Item Protocol / Ports Traffic Direction (from perspective of gateway)
LDAP TCP 389 (default) Outbound
LDAPS TCP 636 (default) Outbound

 

Category Item                             Definition    Value
 General IP Address or DNS Name IP address or DNS hostname of Active Directory Server.  If domain is specified,  DNS will determine which domain controller is used and not leverage Windows service records to use an active domain controller.    yourdomain.com
 
  Port Default port number for Microsoft LDAP is 389, although 636 may be used for LDAPS connections.    389
  Directory Search Root Specifies starting point of user searches performed by the gateway. To find users,
the gateway can traverse any level(s) lower than the value specified for the search
root. Value should be presented in a distinguished name format such as DC=myco,DC=com. Object class that defines users.  For Active Directory, typically “user” unless you have modified schema. 
 yourdomain.com
 
  User Tag Tag used to search for users when they authenticate to O3 Intelligence Center. With 
Active Directory store, the sAMAccountname user tag is commonly used to store user names
sAMAccountname
Service User Information   Add a user with read permissions to your Active Directory to allow the O3 gateway to establish and maintain a connection.  This user can be part of the Domain Users group.   
    Principle Username Includes both login name and UPN suffix to be appended to the name. It is unique in a forest of trees, and presented in the format joeuser@domain_name.  The user only requires read access to Active Directory and can assume Domain User permissions. Account must be enabled to search from Directory Search Root specified above. Tester01@yourdomain.com
    Password The password for the principal username must not expire.  If the 
 password expires, no user will be able to authenticate to the SSO 
 portal until the password is reset. 
your@pass01
Test User Information   Add a user with the same permission as your service user.  
    Username The sAMAccountName or network login of a test user that can be used to validate basic functionality of O3 Intelligence Center. It should not be the same as the service user specified above. Tester02@yourdomain.com
    Password The password should not be set to change on initial login. your@pass02

ACCOUNT VERIFICATION:
Before you return this document to Symantec, you must verify the accuracy of the information provided in the previous table. First complete the procedure to verify Service User credentials and then repeat the procedure to verify Test User credentials. The procedure is identical except for the different login credentials used for each user.


  1. Before you begin, download and install Apache Directory Studio:

     
  2. Log on to your Windows server with the Service User credentials (see previous table).
     
  3. Open Apache Studio and connect to the user account:
    1. Navigate to File/New in the main menu. A dialogue box will appear.
    2. Provide server information, username, and password requested in the dialogue box.
    3. Connect to the server.

    A successful connection verifies the accuracy of the information provided in this document. If the connection fails, you must troubleshoot to determine the cause and establish correct values.
     
  4. Repeat steps 2 and 3 with a Test User credential set.
     

Once you have successfully verified both Service and Test User credentials with this procedure, return this document to your Symantec support representative.




Article URL http://www.symantec.com/docs/TECH196938


Terms of use for this information are found in Legal Notices