Configure Directory Synchronization in Symantec Encryption Management Server 

Apr 27, 2014 06:13 AM

The Directory Synchronization feature of Symantec Encryption Management Server (previously PGP Universal Server) lets you synchronize the server with an LDAP directory (such as Microsoft Active Directory) so that internal users are created from the users in that directory.

Directory Synchronization also lets you assign different user policies to specific internal user groups. When Directory Synchronization is in use, internal users for Symantec Encryption Management Server (SEMS) can come only from the directories you specify when you enable it. Users found in the LDAP directory are added to the system as internal users; users not found in that directory are not added, and their disks, messaging and files are not managed by the server.

Enabling Directory Synchronization allows you to do several things:

  • Include consumers found in specified directories as internal users or managed devices.
  • Prevent specified consumers found in the directories from becoming members of any group except the Excluded group.
  • Include only consumers that match specified criteria, adding them to the server as internal users or managed devices and excluding consumers that do not match.
  • Match certain consumers, based on their attributes in the specified directories, with a consumer policy group you create.

With Directory Synchronization enabled, SEMS uses the LDAP directory to help create and enroll internal users.

When users are added to Symantec Encryption Management Server from a directory via Directory Synchronization, their names, email addresses and any existing X.509 certificates (used to secure S/MIME email messages) are imported. If no certificate is found, Symantec Encryption Management Server generates PGP keys (and certificates, if it is configured to issue them) for these users.

When Directory Synchronization is enabled, a user is added to Symantec Encryption Management Server correctly only if the "mail" attribute is present in the directory and its value matches the email address Symantec Encryption Management Server holds for that user. The "uid" attribute must also be present and match the user's login name, except in Microsoft Active Directory, where the "sAMAccountName" attribute is required instead. For example, if Symantec Encryption Management Server discovers a user with a login name of "ming" and an email address of "mingp@example.com", that user's directory entry must have "uid=ming" (or "sAMAccountName=ming" in Active Directory) and "mail=mingp@example.com". If these attributes are empty or do not match, the user is not added correctly.
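As an added example (not part of the original article and not Symantec code), the following Python script applies the attribute rules above to a constructed LDIF export before you enable synchronization, so you can see in advance which users would be added and which would be skipped and why. The directory-type labels 'ad' and 'ldap', the sample entries, the list of users SEMS is assumed to know, and the case-insensitive comparison of email addresses are all this example's own assumptions.

```python
"""
Pre-flight check for Directory Synchronization (added example, not Symantec
code): parse an LDIF export of the directory and report, for each user that
SEMS already knows by login name and email address, whether the entry has the
attributes SEMS requires ('mail', plus 'uid' or 'sAMAccountName' for Active
Directory) and whether their values agree.
"""

# Login attribute SEMS expects, by directory type. The keys 'ad' and 'ldap'
# are this example's own labels, not SEMS configuration values.
LOGIN_ATTRIBUTE = {"ad": "sAMAccountName", "ldap": "uid"}

# Constructed sample export (not a real directory): ming is correct, alice has
# no mail attribute, bob's mail differs from what SEMS holds, carol's mail
# differs only in letter case.
SAMPLE_LDIF = """\
dn: CN=Ming P,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: ming
mail: mingp@example.com

dn: CN=Alice A,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice

dn: CN=Bob B,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob
mail: bob@example.com

dn: CN=Carol C,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: carol
mail: Carol@Example.COM
"""

# Constructed (login, email) pairs as SEMS would hold them; dave has no
# directory entry at all.
SEMS_USERS = [
    ("ming", "mingp@example.com"),
    ("alice", "alice@example.com"),
    ("bob", "robert@example.com"),
    ("carol", "carol@example.com"),
    ("dave", "dave@example.com"),
]


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, one
    'attribute: value' per line, attribute names folded to lower case
    (LDAP attribute names are case-insensitive). Base64 ('::') values and
    continuation lines are not handled."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def find_entry(entries, login, directory_type):
    """Locate the entry whose login attribute equals the SEMS login name."""
    attr = LOGIN_ATTRIBUTE[directory_type].lower()
    for entry in entries:
        if login in entry.get(attr, []):
            return entry
    return None


def check_user(entry, login, email, directory_type):
    """Decide whether one directory entry would be accepted for one SEMS user.
    Returns (accepted, reason)."""
    attr = LOGIN_ATTRIBUTE[directory_type]
    if entry is None:
        return False, "not in directory"
    if not entry.get(attr.lower()):
        return False, "missing " + attr
    if login not in entry[attr.lower()]:
        return False, attr + " mismatch"
    mails = entry.get("mail", [])
    if not mails:
        return False, "missing mail"
    # Assumption: email comparison is case-insensitive, as mail domains are.
    if email.lower() not in (m.lower() for m in mails):
        return False, "mail mismatch"
    return True, "ok"


def sync_report(entries, sems_users, directory_type="ad"):
    """Map each SEMS login to the (accepted, reason) outcome of the check."""
    return {
        login: check_user(find_entry(entries, login, directory_type),
                          login, email, directory_type)
        for login, email in sems_users
    }


if __name__ == "__main__":
    report = sync_report(parse_ldif(SAMPLE_LDIF), SEMS_USERS)
    for login, (accepted, reason) in report.items():
        print(f"{login:8} {'added' if accepted else 'skipped':8} {reason}")
```

Run it against a real export (for example the output of ldapsearch or ldifde) after replacing SAMPLE_LDIF and SEMS_USERS; pass "ldap" as the directory type for non-AD directories so the check looks for uid instead of sAMAccountName.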

Here is a brief introduction to configuring Directory Synchronization in Symantec Encryption Management Server:

1. Log in to Symantec Encryption Management Server, open the 'Consumers' tab, select 'Directory Synchronization', then click the 'Enable' button:

AD_Group_PGP_01.png

2. Make sure Directory Synchronization is enabled:

AD_Group_PGP_02.png

3. Click 'Add LDAP Directory':

AD_Group_PGP_01-1.png

4. Fill in the necessary information for the LDAP directory, including the bind credentials, the IP address or host name, the port, and the priority. Use a dedicated, read-only directory account for the bind credentials rather than an administrator account. The standard ports are 389 for plain LDAP and 636 for LDAP over TLS (LDAPS); prefer the encrypted port, because a simple bind over plain LDAP sends the password across the network in clear text:

AD_Group_PGP_03.png

5. Click the 'Test Connection' button and make sure the LDAP test succeeds:

AD_Group_PGP_04.png

6. After saving the LDAP directory configuration, click the 'Settings' button:

AD_Group_PGP_05.png

7. Select 'Enroll clients using directory authentication':

AD_Group_PGP_06.png

This completes the configuration of Directory Synchronization in Symantec Encryption Management Server; internal users will now be created from the users in the LDAP directory.

Comments

Jul 16, 2018 03:48 PM

Thanks for the information

Oct 31, 2017 07:15 PM

Hi yang_zhang

Do you have an example to follow for the Lotus Domino LDAP type?

Thanks.
