In the BlackBerry Protect Connectivity Node console (http://localhost:8088), click General settings > Company directory.
Click .
Select LDAP.
In the Connection name field, type a name for this company directory connection.
In the LDAP server discovery drop-down list, click one of the following:
If you want to use automatic discovery, click Automatic, then in the DNS domain name field, type the DNS domain name.
If you want to specify the LDAP computer, click Select server from list below. Click and type the FQDN of the computer. Repeat this step to add more computers.
In the Enable SSL drop-down list, select whether you want to enable SSL authentication for LDAP traffic. If you click Yes, click Browse and select the SSL certificate for the LDAP computer.
In the LDAP port field, type the port number of the LDAP computer.
In the Authorization required drop-down list, select whether authentication is required with the LDAP computer. If you click Yes, type the username and password of the LDAP account. The username must be in DN format (for example, CN=Megan Ball,OU=Sales,DC=example,DC=com).
In the Search base field, type the search base that you want to access (for example, OU=Users,DC=example,DC=com).
In the LDAP user search filter field, type the filter that you want to use for LDAP users. For example: (&(objectCategory=person)(objectclass=user)). If you want to restrict searching to all members of a single group for the entire Aurora Endpoint Security tenant, you can use the following example: (&(objectCategory=person)(objectclass=user)(memberOf=CN=Local,OU=Users,DC=example,DC=com)).
In the LDAP user search scope drop-down list, click one of the following:
If you want user searches to apply to all levels below the base DN, click All levels.
If you want to limit user searches to one level below the base DN, click One level.
In the Unique identifier field, type the attribute for each user’s unique identifier (for example, uid). The attribute must be immutable and globally unique for every user.
In the First name field, type the attribute for each user’s first name (for example, givenName).
In the Last name field, type the attribute for each user’s last name (for example, sn).
In the Login attribute field, type the attribute for each user’s login attribute (for example, cn).
In the Email address field, type the attribute for each user’s email (for example, mail).
In the Display name field, type the attribute for each user’s display name (for example, displayName).
To synchronize more user details from your company directory, select the Synchronize additional user details check box. The additional details include company name and office phone.
To enable directory-linked groups, select the Enable directory-linked groups check box.
Specify the following information:
In the Group search base field, type the value to use as the base DN for group information searches.
In the LDAP group search filter field, type the LDAP search filter that is required to find group objects in your company directory.
In the Group Unique Identifier field, type the attribute for each group's unique identifier. This attribute must be immutable and globally unique.
In the Group Display name field, type the attribute for each group's display name.
In the Group Membership attribute field, type the name of the attribute for group membership. The attribute values must be in DN format.
In the Test Group Name field, type an existing group name for validating the group attributes specified.
If you have more than one instance of the BlackBerry Protect Connectivity Node, you can copy directory connection configurations from one instance into the others.
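The search base, user search filter and search scope together decide which directory accounts are synchronized, so it helps to preview their combined effect before saving the connection. The following Python code is an added example, not BlackBerry code: it parses a subset of LDAP filter syntax (&, |, ! and equality, compared case-insensitively) and applies the two example filters above to a constructed set of entries. The function names, every sample entry except the DNs quoted on this page, and the treatment of objectCategory as a plain string are assumptions.

```python
import re

def parse_filter(s):  # supported subset: &, |, ! and attr=value equality
    if not s.startswith("(") or s.count("(") != s.count(")"):
        raise ValueError("filter must start with '(' and have balanced parentheses")
    def node(i):
        if s[i + 1] in "&|!":
            op, kids, i = s[i + 1], [], i + 2
            while s[i] == "(":
                kid, i = node(i)
                kids.append(kid)
            if s[i] != ")" or not kids:
                raise ValueError(f"malformed '{op}' group near offset {i}")
            return (op, kids), i + 1
        end = s.index(")", i)
        attr, sep, value = s[i + 1:end].partition("=")
        if not (attr and sep) or "(" in s[i + 1:end]:
            raise ValueError(f"expected attr=value at offset {i}")
        return ("=", attr.lower(), value.lower()), end + 1
    tree, end = node(0)
    if end != len(s):
        raise ValueError("trailing characters after filter")
    return tree

def matches(tree, entry):  # entry: lower-case attribute name -> list of values
    if tree[0] == "=":
        return tree[2] in (v.lower() for v in entry.get(tree[1], []))
    hits = [matches(kid, entry) for kid in tree[1]]
    return not hits[0] if tree[0] == "!" else {"&": all, "|": any}[tree[0]](hits)

def preview(entries, base, filt, one_level=False):  # DNs the settings would select
    split = lambda dn: [r.strip().lower() for r in re.split(r"(?<!\\),", dn)]
    tree, base_rdns = parse_filter(filt), split(base)
    def in_scope(dn):  # must sit below the base; "One level" allows one extra RDN
        extra = len(split(dn)) - len(base_rdns)
        return extra >= 1 and split(dn)[extra:] == base_rdns and (extra == 1 or not one_level)
    return [e["dn"] for e in entries if in_scope(e["dn"]) and matches(tree, e)]

BASE = "OU=Users,DC=example,DC=com"
LOCAL = "CN=Local," + BASE
ALL_USERS = "(&(objectCategory=person)(objectclass=user))"
GROUP_ONLY = "(&(objectCategory=person)(objectclass=user)(memberOf=" + LOCAL + "))"
# Constructed sample directory: (dn, objectCategory, objectClass values, memberOf values)
ENTRIES = [dict(dn=d, objectcategory=[c], objectclass=k, memberof=m) for d, c, k, m in [
    ("CN=Megan Ball,OU=Sales,DC=example,DC=com", "person", ["user"], [LOCAL]),
    ("CN=Sam Lee," + BASE, "person", ["user"], [LOCAL]),
    ("CN=Ana Ruiz,OU=Contractors," + BASE, "person", ["user"], [LOCAL]),
    ("CN=Kim Park," + BASE, "person", ["user"], []),
    ("CN=WS01," + BASE, "computer", ["user", "computer"], [LOCAL]),
]]
```

In this sample, Megan Ball is never selected because OU=Sales lies outside the search base, and WS01 is excluded by objectCategory=person even though it carries objectclass=user. The memberOf comparison sees only groups listed directly on an entry.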