Configure external directory connection

When you use an external LDAP directory to manage user accounts for the Sophos Mobile Control console and the Self Service Portal, you must configure the directory connection so that Sophos Mobile Control can retrieve user data from the LDAP server. For on-premises installations of Sophos Mobile Control, the super administrator does this when the customer is created.
Note: There is no synchronization between the LDAP directory and Sophos Mobile Control. Sophos Mobile Control only queries the LDAP directory to look up user information. Changes to an LDAP user account are not propagated to the Sophos Mobile Control database, and vice versa.
  1. On the menu sidebar, under SETTINGS, click Setup > System setup, and then click the User setup tab.
  2. Select External LDAP directory.
  3. Click Configure external LDAP to specify the server details.
  4. On the Server details page, configure the following settings:
    1. Select the LDAP type. Sophos Mobile Control supports:
      • Active Directory
      • IBM Domino
      • NetIQ eDirectory
      • Red Hat Directory Server
      • Zimbra
    2. In the Primary URL field, enter the URL of the primary directory server. You can enter the server IP address or the server name. Select SSL to encrypt the connection to the server; without it, the lookup account credentials sent at bind time and all query results travel in clear text. For Sophos Mobile Control as a Service, SSL cannot be deselected.
    3. Optional: In the Secondary URL field, enter the URL of a directory server that is used as a fallback if the primary server cannot be reached. You can enter the server IP address or the server name. Select SSL to encrypt the connection to this server as well. For Sophos Mobile Control as a Service, SSL cannot be deselected.
    4. In the User field, enter an account for lookup operations on the directory server. Sophos Mobile Control uses the account credentials when it connects to the directory server.

      For Active Directory, you also need to enter the relevant domain. Supported formats are:

      • <domain>\<user name>
      • <user name>@<domain>.<domain code>
      Note: For security reasons, use a dedicated account that only has read permissions on the directory server and no write permissions. Sophos Mobile Control keeps these credentials to connect to the directory server, so an account with write permissions would let anyone who obtains them modify the directory.
    5. In the Password field, enter the password for the user.
    Click Next.
  5. On the Search base page, enter the Distinguished Name (DN) of the search base object.
    The search base object defines the location in the external directory from which the search for a user or user group begins.
  6. On the Search fields page, define which directory fields are to be used for resolving the %_USERNAME_% and %_EMAILADDRESS_% placeholders in profiles and policies. Type the required field names or select them from the User name and Email lists.
    Note: The lists only contain attributes that are populated on the directory entry of the lookup user specified in step 4.d (the User field) earlier in this description. If, for example, that user's entry has no email attribute, you need to type the required attribute name in the Email field manually.
    In the case of Active Directory, these field mappings apply:
    • User name: sAMAccountName
    • First name: givenName
    • Last name: sn
    • Email: mail
  7. On the SSP configuration page, specify the users that are allowed to log in to the Self Service Portal. Enter the relevant information in the SSP group field, using one of the following options:
    • If you enter an asterisk *, all authenticated directory users are allowed to log in to the Self Service Portal, that is, every account that can authenticate against the directory, which is usually broader than the set of users whose devices you intend to manage.
    • If you enter the name of a group that is defined on the directory server, all members of that group are allowed to log in to the Self Service Portal. After you have entered the group name, click Resolve group to resolve the group name into a Distinguished Name (DN).
    • If you leave the field empty, no users from the directory server are allowed to log in to the Self Service Portal. Use this option if you want to enable external user management for the Sophos Mobile Control console but not for the Self Service Portal.
    Note: The group you specify here is not related to the directory group you define on the Group settings tab of the Self Service Portal page. With those settings, you define task bundles, Sophos Mobile Control group membership and available device platforms for each directory group.

  8. Click Apply.
  9. On the User setup tab, click Save.
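Before typing the values from steps 4 to 7 into the console, it is worth checking them outside the product: that the lookup account name is in one of the two supported Active Directory formats, that the search base is a DN, that the user and email attributes resolve for a real account, and that the SSP group name resolves to exactly one DN. The script below is an added example for that pre-flight check and is not Sophos code. The host names, account names, DNs and the sample user are constructed placeholders; the default ports 389/636, the Active Directory attribute names (sAMAccountName, mail) and the object class `group` are assumptions, and the live check additionally assumes the third-party ldap3 package and a reachable directory server. The pure functions run offline; only `live_check` talks to a server.

```python
"""Pre-flight checks for the Server details, Search base, Search fields and
SSP configuration values before they are entered in the console.

Added example, not Sophos code. All hosts, accounts, DNs and attribute names
are constructed placeholders; Active Directory attribute and object-class
names are assumed, other directory types use different ones.
"""
import re

# Characters that RFC 4515 requires to be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# Cheap DN syntax check: comma-separated attr=value pairs (no escaped commas).
_DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,=]+(,[A-Za-z][\w-]*=[^,=]+)*$")


def escape_filter_value(value):
    """Escape a value before placing it in an LDAP search filter, so that a
    user name such as '*)(objectClass=*' cannot widen the search."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldap_url(host, use_ssl, port=None):
    """Build the full URL for a Primary/Secondary URL field value.
    Default ports 389 (ldap) and 636 (ldaps) are assumed when none is given."""
    if port is None:
        port = 636 if use_ssl else 389
    return f"{'ldaps' if use_ssl else 'ldap'}://{host}:{port}"


def parse_ad_user(user):
    """Accept the two Active Directory formats the User field supports,
    <domain>\\<user name> and <user name>@<domain>.<domain code>, and return
    (domain, user name). Anything else is rejected."""
    if "\\" in user:
        domain, _, name = user.partition("\\")
        if domain and name and "@" not in name:
            return domain, name
    elif user.count("@") == 1:
        name, _, domain = user.partition("@")
        if name and "." in domain:
            return domain, name
    raise ValueError(f"unsupported User field format: {user!r}")


def is_dn(value):
    """Syntax check for the search base object and resolved group DNs."""
    return bool(_DN_RE.match(value))


def user_filter(username, user_field="sAMAccountName"):
    """Filter that resolves %_USERNAME_% for one account (attribute assumed)."""
    return f"({user_field}={escape_filter_value(username)})"


def group_filter(group_name):
    """Filter that resolves an SSP group name to its DN (AD object class assumed)."""
    return f"(&(objectClass=group)(cn={escape_filter_value(group_name)}))"


def live_check(host, use_ssl, bind_user, password, search_base, ssp_group,
               user_field="sAMAccountName", email_field="mail", sample_user=None):
    """Bind with the lookup account and run the lookups the console will need.
    Requires the third-party ldap3 package and a reachable server (assumption);
    it is not exercised by the offline tests."""
    import ldap3

    parse_ad_user(bind_user)
    if not is_dn(search_base):
        raise ValueError("search base is not a DN")
    # A simple bind sends the password in clear text unless use_ssl is set.
    server = ldap3.Server(host, port=636 if use_ssl else 389, use_ssl=use_ssl,
                          get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=bind_user, password=password, auto_bind=True)
    result = {"bound": conn.bound}
    if ssp_group and ssp_group != "*":
        conn.search(search_base, group_filter(ssp_group), attributes=["cn"])
        # Exactly one DN is expected; zero or several means the name is ambiguous.
        result["ssp_group_dns"] = [e.entry_dn for e in conn.entries]
    if sample_user:
        conn.search(search_base, user_filter(sample_user, user_field),
                    attributes=[user_field, email_field])
        result["sample"] = [(e.entry_dn, e[email_field].value) for e in conn.entries]
    conn.unbind()
    return result


if __name__ == "__main__":
    # Constructed placeholder values; replace them before calling live_check().
    print(ldap_url("dc01.corp.example", use_ssl=True))
    print(parse_ad_user("CORP\\svc-smc-ldap"))
    print(user_filter("j.doe"))
    print(user_filter("*)(objectClass=*"))
    print(group_filter("Mobile Users"))
```

The escaping in `user_filter` and `group_filter` is the part worth keeping even if you skip the live check: the SSP login name is attacker-controlled input, and placing it unescaped in a filter turns a user lookup into a directory-wide query.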