You can configure the Citrix App Layering appliance, also known as Enterprise Layer Manager (ELM), to connect to a directory service, for example, Active Directory. When you connect to your directory service, you create one or more Directory Junctions to access specific domains or organizational units (OUs). The appliance does not modify the directory service to which you connect. The software caches the attributes for each directory service entry. If the connection to the directory service is lost temporarily, the software can use the cached information for management tasks.
When creating a Directory Junction, use the following industry-standard acronyms:
In the App Layering management console, a hierarchical view of Users and Groups appears in the Users > Directory Tree.
What happens when you add Directory Junctions
Each Directory Junction that you create specifies a starting node in the directory tree. A new directory junction cannot include users who are already members of another junction. You can't nest junctions.
If you add a Parent Directory Junction, all its children migrate to that junction. All imported Users and Groups move to the Parent, along with all Elastic Assignments. After the Users and Groups move, the Child Directory Junctions are removed.
If you’re creating several Distinguished Names
The system compares the Domain Component first, that is, the portions of the Distinguished Name that start with "DC=". In Distinguished Names, order matters: DC=A,DC=B is different from DC=B,DC=A. The system adds separate Directory Junctions in the following instances:
Directory Junctions merge if their domain components match and their other components are related.
User attributes are imported from the directory service
The App Layering software imports and caches user and group attributes from your directory service when:
The attributes that the software caches are read-only. Any change to a directory service user's attributes is made on the directory server itself, not in the App Layering console.
Imported attributes are synchronized regularly
The software synchronizes the information it caches for directory service users with the directory service every 12 hours. If the software discovers that a user is no longer an object in the directory service, it classifies the user as abandoned. You can view this information in the Information view for the user.
1. Click Users > Directory Service.
2. Click Create Directory Junction in the Action bar. The Create Directory Junction wizard opens.
3. On the Connection Details tab, specify the details for the directory server.
4. On the Authentication Details tab, type the authentication details for a user with permissions to search the directory service.
5. On the Distinguished Name (DN) Details tab:
a. Specify where the software starts searching for users and groups in the remote directory service.
Example: To start the search at the Group B Organizational Unit at the root of a domain, type the following Base DN:
OU=GroupB, DC=mydomain, DC=com
b. Click Test Base DN to ensure that the Base DN works. If you receive one of these messages, edit and retest the Base DN:
6. On the Attribute Mapping tab, type the names of directory service attributes that you want to map to the local attributes. You can also use the default settings.
To change the mapping from local attributes back to default mappings, click Use Defaults.
7. On the Confirm and Complete tab, verify the Directory Junction settings. Type a comment if necessary, and then click Create Directory Junction. Any comment you enter appears in the Audit History of the Information view.
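The Base DN comparison rules described above (domain components compared first and in order, junctions merged only when their other components are related), as an added example that is not Citrix's code. It assumes "related" means one Base DN equals the other or is one of its ancestors, that matching is case-insensitive, and that DN values contain no escaped commas.

```python
# Added example (not Citrix's code): models how Directory Junction Base DNs
# are compared. Assumptions: "related" means one Base DN equals the other or
# is an ancestor of it; matching is case-insensitive; no escaped commas.

def parse_dn(dn):
    """Split 'OU=GroupB, DC=mydomain, DC=com' into (attr, value) pairs,
    most specific first, as typed in the wizard's Base DN field."""
    parts = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN in Base DN: %r" % dn)
        parts.append((attr.strip().upper(), value.strip().lower()))
    return parts


def domain_components(dn):
    """The DC= portion, order preserved: DC=A,DC=B differs from DC=B,DC=A."""
    return [v for a, v in parse_dn(dn) if a == "DC"]


def other_components(dn):
    """Everything that is not a DC= component (OUs, CNs), order preserved."""
    return [(a, v) for a, v in parse_dn(dn) if a != "DC"]


def is_ancestor_or_same(dn_a, dn_b):
    """True when dn_a equals dn_b or is one of its parents: both share the
    same domain and dn_b's non-domain components end with dn_a's."""
    if domain_components(dn_a) != domain_components(dn_b):
        return False
    a, b = other_components(dn_a), other_components(dn_b)
    return len(a) <= len(b) and b[len(b) - len(a):] == a


def junction_outcome(existing_dn, new_dn):
    """'merge' when the Base DNs share a domain and one contains the other
    (a parent junction absorbs its children); otherwise 'separate'."""
    if is_ancestor_or_same(existing_dn, new_dn) or is_ancestor_or_same(new_dn, existing_dn):
        return "merge"
    return "separate"


if __name__ == "__main__":
    existing = "OU=GroupB, DC=mydomain, DC=com"  # Base DN from step 5a
    for candidate in ("OU=Sales, OU=GroupB, DC=mydomain, DC=com",  # child OU
                      "OU=GroupC, DC=mydomain, DC=com",            # sibling OU
                      "OU=GroupB, DC=com, DC=mydomain"):           # DC order differs
        print(candidate, "->", junction_outcome(existing, candidate))
```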