App Layering

Directory service

You can configure the appliance to connect to a directory service, for example, Active Directory. When you connect to your directory service, you will create one or more Directory Junctions to access specific domains or OUs. The appliance does not modify the directory service you connect to. The software caches the attributes for each directory service entry, so that if the connection to the directory service is lost temporarily, the software can use the cached information for management tasks.

When creating a Directory Junction, you use the following industry standard acronyms:

  • OU - Organizational Unit
  • DC - Domain Component

About connecting the appliance to a directory service

In the Management Console, the Users > Directory Tree displays a hierarchical view of Users and Groups

Supported protocols

When binding to a directory service, the App Layering appliance is compatible with the following secure socket and transport layer protocols:

  • Secure Socket Layer:
    • SSL 3.0
  • Transport Layer Security:
    • TLS 1.1
    • TLS 1.2

What happens when you add Directory Junctions

Each Directory Junction that you create specifies a starting node in the directory tree. A new directory junction cannot include users who are already members of another junction, and junctions cannot be nested.

If you add a Parent Directory Junction, all of its children are migrated to that junction. All imported Users and Groups will be moved to the Parent, along with all Elastic Assignments. After being moved, the Child Directory Junctions are deleted.

**If you’re creating several Distinguished Names **

The system compares the Domain Component first—the portions of the Distinguished Name that start with “DC=”. Please be aware that in Distinguished Names, order matters. For example, DC=A,DC=B is different than DC=B,DC=A. The system adds separate Directory Junctions if their DC components differ, or if their DC components match and the remaining components do not overlap. Directory Junctions are merged if their DC components match and their other components are related.

User attributes are imported from the directory service

The App Layering software imports and caches user and group attributes from your directory service when:

  • You assign administrator privileges to a user.
  • The values of the attributes change in the directory service.

The attributes that the software caches are read only. All changes to the attributes for directory service users come from the directory server.

Imported attributes are synchronized regularly

The software synchronizes the information it caches for directory service users with the directory service every 12 hours. If the software discovers that a user is no longer an object in the directory service, it classifies the user as abandoned (you can view this information in the Information view for the user).

Create a directory junction

  1. Select Users > Directory Service.

  2. Select Create Directory Junction in the Action bar. This opens the Create Directory Junction wizard.

  3. In the Connection Details tab, specify the details for the directory server.
    • Directory Junction Name - This name becomes the name of the folder that you see in the tree view. You can use any name, including the name of a domain in your directory service tree.
    • Server address - This is the name for the server you will use for the directory service. (IP Address or DNS Name)
    • Port - Specify the port number for communicating with the directory server.
    • SSL check box - Select this if you want to use Secure Sockets Layer (SSL) communication. If certificate errors occur, the wizard displays a list of these errors. If you know it is safe to ignore them, select Ignore Certificate Errors.
    • Test Connection - Click to verify that the appliance can connect to the directory service.
  4. In the Authentication Details tab, enter the authentication details for a user who has permissions to search the directory service.
    • Bind Distinguished Name - To determine the correct syntax for the Bind DN or user name, see the documentation for your directory. The following examples show some of the ways you can specify a user for the directory service:
      • domain\username
    • Bind Password. - Enter the password
    • Test Authentication - Click to verify that the connection to the directory server is valid.
  5. In the Distinguished Name Details tab:
    1. Specify where the software should start searching for users and groups in the remote directory service. Example: To start the search at the Group B Organizational Unit at the root of a domain, you would enter the following Base Distinguished Name: OU=GroupB, DC=mydomain, DC=com
    2. Click the Test Base DN button to make sure that the Base Distinguished Name is valid. If you receive one of these messages, edit and retest the Base Distinguished Name:
      • A directory junction with this Distinguished Name already exists.
      • This Distinguished Name is already accessible through an existing Directory Junction.
      • This Distinguished Name encompasses at least one existing Directory Junction that will be replaced by this new one.
  6. In the Attribute Mapping tab, enter the names of directory service attributes that you want to map to the local attributes or use the default settings. Note: To change the mapping from local attributes back to default mappings, click Use Defaults.

  7. In the Confirm and Complete tab, verify the Directory Junction settings, enter a comment if required, and click Create Directory Junction. If you enter comments, they appear in the Information view Audit History.
Directory service