Configure external directory connection

To manage user accounts for Sophos Mobile Admin and the Self Service Portal in an external LDAP user directory, you must configure the connection to your LDAP server.

Sophos Mobile can connect to the following LDAP servers:

  • Active Directory
  • Google Cloud Directory
  • IBM Domino
  • NetIQ eDirectory
  • Red Hat Directory Server
  • Zimbra

For supported versions, see the Sophos Mobile 9.5 release notes.

Note: There is no synchronization between the LDAP directory and Sophos Mobile. Sophos Mobile only queries the LDAP directory to look up user information. Changes to an LDAP user account are not propagated to the Sophos Mobile database, and vice versa.

  1. On the menu sidebar, under SETTINGS, click Setup > Sophos setup, and then click the User setup tab.
  2. Select External LDAP directory.
  3. Click Configure external LDAP.

Configuration depends on the LDAP server type. The following instructions apply to Active Directory.

  1. On the Server details page, configure the following settings:
    1. In the LDAP type field, select the LDAP server type.
    2. In the Primary URL field, enter the IP address or host name of the primary directory server.
      Select SSL/TLS to encrypt the connection (Sophos Mobile uses SSL or TLS, depending on what the server supports). Without it the connection is unencrypted, so directory lookups and, with a simple bind, the credentials you enter in step 4 cross the network in cleartext.
    3. Optional In the Secondary URL field, enter the IP address or name of a directory server Sophos Mobile uses as fallback in case the primary server isn’t available.
    4. In the User and Password fields, enter the credentials Sophos Mobile uses to authenticate with the LDAP server.

      Use one of the following formats:

      • <domain>\<user name>
      • <user name>@<domain>.<top-level domain> (the user principal name)

      Note: For security reasons, we recommend a dedicated service account with no write permissions for the directory. Sophos Mobile only reads user and group objects, so read permission is sufficient.

  2. On the Search base page, enter the distinguished name (DN) of the search base object, for example the OU that contains the users you want to manage.
    The search base object defines the location in the directory from which the LDAP search begins. Objects outside that subtree are not found, even if the bind account can read them.
  3. On the Search fields page, configure the attributes of the directory service that contain the user properties Sophos Mobile uses.
    Select the attribute names from the list or enter them manually.

    Use the following mappings for Active Directory:

    Property in Sophos Mobile   Attribute in Active Directory
    User name                   sAMAccountName
    First name                  givenName
    Last name                   sn
    Email                       mail
  4. On the SSP configuration page, specify the users that are allowed to log in to the Self Service Portal. Enter the relevant information in the LDAP directory group field, using one of the following options:
    • If you enter the name of a group that is defined on the directory server, all members of that group are allowed to log in to the Self Service Portal. After you have entered the group name, click Test group to resolve the group name into a Distinguished Name (DN).
    • If you leave the field empty, no users from the directory server are allowed to log in to the Self Service Portal. Use this option if you want to enable external user management for Sophos Mobile Admin but not for the Self Service Portal.
    Note: The group you specify here is unrelated to the user groups you define on the Group settings tab of the Self Service Portal page. Those settings assign task bundles, Sophos Mobile group membership and available device platforms to each user group.
  5. Select Apply.
  6. On the User setup tab, click Save.
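Before entering these values, it is worth checking from a Windows host that the bind account, the encrypted connection, the search base, the attribute mapping and the SSP group all behave as the procedure above assumes. The following PowerShell script does that with the built-in System.DirectoryServices.Protocols LDAP client (Windows PowerShell 5.1 assumed). It is an added example, not Sophos Mobile code, and it does not reproduce how Sophos Mobile itself queries the directory; every hostname, account name, DN, group name and user name in it is a placeholder to replace with your own values.

```powershell
# Preflight check for the Sophos Mobile LDAP settings described above.
# Example code, not Sophos Mobile's own; all names below are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ns = 'System.DirectoryServices.Protocols'

$Servers    = @('dc01.example.com', 'dc02.example.com')   # Primary URL, then the optional Secondary URL
$Port       = 636                           # LDAPS, matching the SSL/TLS setting (389 would be cleartext)
$BindUser   = 'EXAMPLE\svc-sophos-ldap'     # read-only service account in <domain>\<user name> form
$SearchBase = 'OU=Staff,DC=example,DC=com'  # Search base DN
$SspGroup   = 'Sophos SSP Users'            # LDAP directory group, by name
$TestUser   = 'jdoe'                        # sAMAccountName of a user who should be able to log in
$Mapping    = [ordered]@{ 'User name'  = 'sAMAccountName'; 'First name' = 'givenName'
                          'Last name'  = 'sn';             'Email'      = 'mail' }

$cred = New-Object System.Net.NetworkCredential($BindUser, (Read-Host "Password for $BindUser" -AsSecureString))

# RFC 4515 escaping, so a user or group name containing ( ) * or \ cannot alter the filter.
function Escape-LdapFilter([string]$Value) {
    ($Value.ToCharArray() | ForEach-Object {
        switch ($_) { '\' {'\5c'} '*' {'\2a'} '(' {'\28'} ')' {'\29'} "`0" {'\00'} default {$_} }
    }) -join ''
}

# Runs one search and always returns an array, even for zero or one hits.
function Search-Ldap($Conn, [string]$Base, [string]$Filter, [string[]]$Attrs, [string]$Scope = 'Subtree') {
    $req = New-Object "$ns.SearchRequest" -ArgumentList $Base, $Filter, $Scope, $Attrs
    ,@($Conn.SendRequest($req).Entries)
}

foreach ($server in $Servers) {
    "== $server`:$Port"
    $id   = New-Object "$ns.LdapDirectoryIdentifier" -ArgumentList $server, $Port
    $conn = New-Object "$ns.LdapConnection" -ArgumentList $id, $cred, ([System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)   # server certificate is validated; no override
    $conn.Bind()   # throws on wrong credentials, an untrusted certificate, or an unreachable host

    # 1. The search base must exist and be readable by this account.
    $base = Search-Ldap $conn $SearchBase '(objectClass=*)' @('distinguishedName') 'Base'
    "search base ok: $($base[0].DistinguishedName)"

    # 2. The test user must be found below the search base, and each mapped attribute must have a value.
    $filter = "(&(objectClass=user)(sAMAccountName=$(Escape-LdapFilter $TestUser)))"
    $users  = Search-Ldap $conn $SearchBase $filter ([string[]]$Mapping.Values + 'memberOf')
    if ($users.Count -ne 1) { throw "expected exactly 1 entry for '$TestUser' under $SearchBase, found $($users.Count)" }
    $u = $users[0]
    foreach ($prop in $Mapping.Keys) {
        $attr = $Mapping[$prop]
        $val  = if ($u.Attributes.Contains($attr)) { $u.Attributes[$attr][0] } else { $null }
        if (-not $val) { Write-Warning "$prop -> $attr is empty for $($u.DistinguishedName)" }
        '{0,-10} <- {1,-15} {2}' -f $prop, $attr, $val
    }

    # 3. The SSP group name must resolve to exactly one DN (what "Test group" does), and the user must be a member.
    $domain = (Search-Ldap $conn '' '(objectClass=*)' @('defaultNamingContext') 'Base')[0].Attributes['defaultNamingContext'][0]
    $groups = Search-Ldap $conn $domain "(&(objectClass=group)(cn=$(Escape-LdapFilter $SspGroup)))" @('distinguishedName')
    if ($groups.Count -ne 1) { throw "group '$SspGroup' resolved to $($groups.Count) objects; use a unique name" }
    $groupDn = $groups[0].DistinguishedName
    "group DN: $groupDn"
    $memberOf = if ($u.Attributes.Contains('memberOf')) { $u.Attributes['memberOf'].GetValues([string]) } else { @() }
    if ($memberOf -contains $groupDn) { "$TestUser is a direct member of '$SspGroup'" }
    else { Write-Warning "$TestUser is not a direct member of '$SspGroup' (nested membership is not checked here)" }

    $conn.Dispose()
}
```

Run it from a host that can reach both directory servers. If Bind() fails with a certificate error, fix the trust chain on the client (or the certificate on the server) rather than disabling verification, because Sophos Mobile will face the same certificate. A mapped attribute that comes back empty means the Self Service Portal will show a blank value for that user, and a group name that resolves to more than one object should be replaced with a unique name before it is entered in the LDAP directory group field.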