Use the Administrative Tools | Directories | Attributes tab to synchronize the attributes in Safeguard for Privileged Passwords to the directory schema attributes.
The Attributes tab displays the default directory attributes that are mapped to the Safeguard for Privileged Passwords properties, such as the user's first name.
To map the Safeguard for Privileged Passwords properties to different directory attributes
Note: You can use or remove the default object class.
The following tables list the default directory attributes.
Users

Safeguard for Privileged Passwords Attribute | Directory Attribute
---|---
Object Class | Browse to select a class definition that defines the valid attributes for the user object class. Default: user for Active Directory, inetOrgPerson for LDAP
User Name | sAMAccountName for Active Directory, cn for LDAP
Password | userPassword for LDAP
First Name | givenName
Last Name | sn
Work Phone | telephoneNumber
Mobile Phone | mobile
Description | description
 | The directory attribute used to match the email address claim or name claim value from the SAML Response of an external federation authentication request. Typically, this is an attribute containing the user's email address or another unique identifier used by the external Secure Token Service (STS). For both Active Directory and OpenLDAP 2.4, this defaults to the "mail" attribute.
Authentication | The directory attribute used to match the username value in an external RADIUS server that has been configured for either primary or secondary authentication. For Active Directory, this defaults to the "sAMAccountName" attribute. For OpenLDAP 2.4, this defaults to the "cn" attribute.
 | The directory attribute used when automatically associating existing managed Directory Accounts to users of a directory user group as linked accounts. For information on managing Directory Accounts, see Adding directory accounts to a directory. Defaults: "seeAlso" for OpenLDAP 2.4. The attribute you choose must exist on the user itself and contain one or more Distinguished Name values of other directory user objects. For example, you would not use the "owner" attribute in OpenLDAP 2.4, because that relationship runs in the wrong direction (it is stored on the owned object, not on the user). You want an "owns"-style attribute that exists on the user, such as the default "seeAlso" attribute.

Computers

Safeguard for Privileged Passwords Attribute | Directory Attribute
---|---
Object Class | Browse to select a class definition that defines the valid attributes for the computer object class. Default: computer for Active Directory, ipHost for LDAP
Name | cn
Network Address | dNSHostName for Active Directory, ipHostNumber for LDAP
Operating System | operatingSystem for Active Directory
Operating System Version | operatingSystemVersion for Active Directory
Description | description

Groups

Safeguard for Privileged Passwords Attribute | Directory Attribute
---|---
Object Class | Browse to select a class definition that defines the valid attributes for the group object class. Default: group for Active Directory, groupOfNames for LDAP
Name | sAMAccountName for Active Directory, cn for LDAP
Member | member
Description | description
After you add a directory, you can verify that Safeguard for Privileged Passwords can log into it using the Check Connection option.

Note: When you run Connect from the directory's General tab (such as when you add the directory initially), you must enter the service account credentials. Once you add the directory to Safeguard for Privileged Passwords, it saves these credentials. The Check Connection option does not require you to enter the service account credentials again, because it uses the saved credentials to verify that it can log into that directory.
To check a directory’s connectivity
Choose the Check Connection option.
Safeguard for Privileged Passwords displays a Toolbox task pane that shows the results.
This topic explains how to add a directory account to a directory. Safeguard for Privileged Passwords also allows you to set up directory account discovery jobs that run automatically each time it synchronizes the directory. For more information, see Directory account discovery job workflow. You must add a directory to Safeguard for Privileged Passwords before you can add directory accounts.
Add only the accounts that you want Safeguard for Privileged Passwords to manage. If you add directory user accounts to a directory, Safeguard for Privileged Passwords will change their passwords according to the directory profile schedule you set, which can prevent those directory users from logging into Safeguard for Privileged Passwords itself. For information about how to set up directory users as Safeguard for Privileged Passwords users, see Adding a user.
IMPORTANT: The standard global catalog port, 3268 (LDAP), must be open on the firewall between the SPP Appliance and every Windows global catalog server in the environment, so that directory management tasks (for example, adding a directory account, a directory user account, or a directory user group) can complete. Ordinary (non-global-catalog) LDAP uses port 389 for unencrypted connections. For more information, see the Microsoft publication How the Global Catalog Works.
To add directory accounts to a directory
To search for a directory account, you must enter text into the search box. Safeguard for Privileged Passwords searches each domain of the forest. You can search on partial strings: for example, entering "ad" in the Contains box finds any user Name or Distinguished Name that contains "ad". The text search is not case sensitive and does not support wildcards.
-OR-
Safeguard for Privileged Passwords allows you to set up directory account discovery jobs that run automatically each time it synchronizes the directory. For more information, see Directory account discovery job workflow.
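The following Python script is an added example and is not One Identity code or part of this documentation. It reads a constructed LDIF sample, applies the default Users mapping from the Attributes tab above, reports which mapped directory attributes are missing on each user object, shows why the linked-account attribute must live on the user and point at other user objects (reading "owner" from the user's entry yields nothing, while "seeAlso" resolves and a value pointing at a group is ignored), and reproduces the Contains search semantics just described (case-insensitive substring over Name or Distinguished Name, no wildcards). All DNs, account names and function names are assumptions made for the illustration.

```python
"""Check an SPP-style directory attribute mapping against sample directory entries.
Added illustration, not One Identity code: the LDIF is constructed, the mapping copies the Attributes tab defaults."""
import re

# Attributes tab defaults, SPP property -> directory attribute.
DEFAULT_USER_MAPPING = {
    "Active Directory": {"Object Class": "user", "User Name": "sAMAccountName",
                         "First Name": "givenName", "Last Name": "sn",
                         "Work Phone": "telephoneNumber", "Mobile Phone": "mobile",
                         "Description": "description"},
    "LDAP": {"Object Class": "inetOrgPerson", "User Name": "cn", "Password": "userPassword",
             "First Name": "givenName", "Last Name": "sn",
             "Work Phone": "telephoneNumber", "Mobile Phone": "mobile",
             "Description": "description"},
}

# Constructed sample directory: two people, one service account, one group.
SAMPLE_LDIF = """\
dn: CN=Alice Adams,OU=Users,DC=corp,DC=example
objectClass: user
sAMAccountName: aadams
givenName: Alice
sn: Adams
telephoneNumber: +1 555 0100
seeAlso: CN=svc_backup,OU=Service Accounts,DC=corp,DC=example

dn: CN=svc_backup,OU=Service Accounts,DC=corp,DC=example
objectClass: user
sAMAccountName: svc_backup
description: Backup service account
owner: CN=Alice Adams,OU=Users,DC=corp,DC=example

dn: CN=Bob Lee,OU=Users,DC=corp,DC=example
objectClass: user
sAMAccountName: blee
givenName: Bob
sn: Lee
seeAlso: CN=Admins,OU=Groups,DC=corp,DC=example

dn: CN=Admins,OU=Groups,DC=corp,DC=example
objectClass: group
"""

def parse_ldif(text):
    """Minimal LDIF reader returning {dn: {attribute_lower: [values]}}. Attribute names
    are lower-cased because LDAP compares them case-insensitively (sAMAccountName and
    samAccountName are one attribute). No folded lines or base64 values in the sample."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            elif name:
                attrs.setdefault(name.lower(), []).append(value.strip())
        if dn:
            entries[dn] = attrs
    return entries

def _has_class(attrs, object_class):
    return object_class.lower() in (v.lower() for v in attrs.get("objectclass", []))

def missing_mapped_attributes(entries, mapping):
    """For every entry of the mapped object class, list the SPP properties whose
    directory attribute is absent on that entry (those properties would sync empty)."""
    return {dn: [prop for prop, attr in mapping.items()
                 if prop != "Object Class" and attr.lower() not in attrs]
            for dn, attrs in entries.items() if _has_class(attrs, mapping["Object Class"])}

def linked_accounts(entries, user_dn, attr, user_object_class):
    """Accounts that would be linked to `user_dn`: the DN values of `attr` read from the
    user's own entry that resolve to other directory user objects. A value pointing at a
    group is dropped, and an attribute stored on the account rather than the user (owner)
    yields nothing: that is the direction problem the Attributes tab warns about."""
    by_lower = {dn.lower(): dn for dn in entries}
    linked = []
    for value in entries[user_dn].get(attr.lower(), []):
        target = by_lower.get(value.lower())
        if target and target != user_dn and _has_class(entries[target], user_object_class):
            linked.append(target)
    return linked

def find_accounts(entries, mapping, contains):
    """The Contains search: case-insensitive substring over the account Name or its
    Distinguished Name, user objects only; no wildcards, so '*' only matches a literal '*'."""
    needle, name_attr = contains.lower(), mapping["User Name"].lower()
    return sorted(dn for dn, attrs in entries.items()
                  if _has_class(attrs, mapping["Object Class"])
                  and (needle in dn.lower()
                       or any(needle in n.lower() for n in attrs.get(name_attr, []))))

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    ad, alice = DEFAULT_USER_MAPPING["Active Directory"], "CN=Alice Adams,OU=Users,DC=corp,DC=example"
    print(missing_mapped_attributes(entries, ad))
    print("seeAlso ->", linked_accounts(entries, alice, "seeAlso", "user"))
    print("owner   ->", linked_accounts(entries, alice, "owner", "user"))
    print(find_accounts(entries, ad, "ad"))
```

Run against a real directory, the same checks would be made with an LDAP client against the objects returned by the Attributes tab's object class filter; the point of the offline version is that the direction rule can be tested before a discovery job links the wrong accounts.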
To set up a directory account discovery job
Note: This dialog also opens when you select Reoccur in the Find Accounts dialog. For more information, see Adding directory accounts to a directory.

Tab | Purpose
---|---
General tab | Where you enter the directory account discovery job name and designate the directory profile to govern the accounts the discovery job adds to Safeguard for Privileged Passwords.
Rules tab | Where you configure the search criteria for the discovery job.
© 2021 One Identity LLC. ALL RIGHTS RESERVED.