Configure external directory connection

To manage user accounts for Sophos Mobile Admin and the Self Service Portal in an external LDAP user directory, you must configure the connection to your LDAP server.

Sophos Mobile can connect to the following LDAP servers:

  • Active Directory
  • Google Cloud Directory
  • HCL Domino
  • NetIQ eDirectory
  • Red Hat Directory Server
  • Zimbra

For supported versions, see the Sophos Mobile 9.6 release notes.

For Active Directory, you can find additional information in knowledge base article 128081.

For Google Cloud Directory, you can find additional information in knowledge base article 132870.

Note There is no synchronization between the LDAP directory and Sophos Mobile. Sophos Mobile only accesses the LDAP directory to look up user information. Changes to an LDAP user account are not implemented on the Sophos Mobile database, and vice versa.

To configure an LDAP connection to an external user directory:

  1. On the menu sidebar, under SETTINGS, click Setup > Sophos setup, and then click the User setup tab.
  2. Select External LDAP directory.
  3. Click Configure external LDAP.

Configuration depends on the LDAP server type. The following instructions apply to Active Directory.

  1. On the Server details page, configure the following settings:
    1. In the LDAP type field, select the LDAP server type.
    2. In the Primary URL field, enter the IP address or name of the primary directory server.

      Select SSL/TLS to use LDAP over SSL (LDAPS) for the server connection.

      Note For Active Directory, LDAPS is mandatory. For information on setting up LDAPS for Active Directory, see the Microsoft document Step by Step Guide to Setup LDAPS on Windows Server.
    3. Optional In the Secondary URL field, enter the IP address or name of a directory server Sophos Mobile uses as fallback in case the primary server isn’t available.
    4. In the User and Password fields, enter the credentials Sophos Mobile uses to authenticate with the LDAP server.

      Use one of the following formats:

      • <domain>\<user name>
      • <user name>@<domain>.<domain code>

      Note For security reasons, we recommend you select an account with no write permissions for the directory.
  2. On the Search base page, enter the distinguished name (DN) of the search base object.
    The search base object defines the location in the directory from which the LDAP search begins.
  3. On the Search fields page, configure the attributes of the directory service that contain the user properties Sophos Mobile uses.
    Select the attribute names from the list or enter them manually.

    Use the following mappings for Active Directory:

    Property in Sophos Mobile   Attribute in Active Directory
    User name                   sAMAccountName
    First name                  givenName
    Last name                   sn
    Email                       mail

  4. On the SSP configuration page, specify the users that can sign in to the Self Service Portal. Enter the relevant information in the LDAP directory group field, using one of the following options:
    • If you enter a user group from your LDAP directory, Sophos Mobile looks up users in that group and all subgroups.

      After you’ve entered the group name, click Test group to resolve the group name into a Distinguished Name (DN).

    • If you enter a single asterisk *, Sophos Mobile looks up users in all groups defined in your LDAP directory. It doesn’t look up users that aren’t a member of any group.
    • If you leave the field empty, no users can sign in to the Self Service Portal. Use this option to turn on external user management for Sophos Mobile Admin but not for the Self Service Portal.

    Note The group you specify here is not related to the user group you define on the Group settings tab of the Self Service Portal page. With those settings, you define task bundles, Sophos Mobile group membership and available device platforms for each user group.
  5. Click Apply.
  6. On the User setup tab, click Save.
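As an added pre-flight check that is not part of Sophos Mobile or its documentation, the following Python models the values from the Server details, Search base, Search fields and SSP configuration pages: it enforces LDAPS for Active Directory, parses the two permitted bind-account formats, checks the search base DN shape, and builds the escaped user lookup filter for each of the three LDAP directory group options. The function names, the sample host, account and group values, and the use of AD's LDAP_MATCHING_RULE_IN_CHAIN rule and a memberOf presence test to express the documented group behaviour are assumptions, not Sophos Mobile's own implementation.

```python
import re

# Search fields page mapping for Active Directory (from the table above).
AD_ATTRIBUTES = {"User name": "sAMAccountName", "First name": "givenName", "Last name": "sn", "Email": "mail"}
# AD extensible-match rule LDAP_MATCHING_RULE_IN_CHAIN: matches members of nested groups too (assumption: how "group and all subgroups" is expressed).
IN_CHAIN = "1.2.840.113556.1.4.1941"
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")  # attr=value shape of one RDN

def check_server(ldap_type, host, use_ssl):
    """Server details page: the docs make LDAPS mandatory for Active Directory."""
    if not host:
        raise ValueError("Primary URL is required")
    if ldap_type == "Active Directory" and not use_ssl:
        raise ValueError("Active Directory requires SSL/TLS (LDAPS)")
    return ("ldaps://" if use_ssl else "ldap://") + host

def parse_bind_account(value):
    """The two documented formats: <domain>\\<user name> or <user name>@<domain>.<domain code>."""
    if "\\" in value:
        domain, _, user = value.partition("\\")
    elif "@" in value and "." in value.rpartition("@")[2]:
        user, _, domain = value.partition("@")
    else:
        raise ValueError("use DOMAIN\\user or user@domain.tld")
    if not domain or not user:
        raise ValueError("empty domain or user name")
    return domain, user

def is_valid_search_base(dn):
    """Search base page: each comma-separated RDN must look like attr=value (escaped commas kept)."""
    return bool(dn) and all(_RDN.match(r.strip()) for r in re.split(r"(?<!\\),", dn))

def escape_filter_value(value):
    """RFC 4515 escaping, so a sign-in name cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_lookup_filter(user_name, ssp_group):
    """SSP configuration page. ssp_group is a group DN (members incl. subgroups), "*" (members
    of any group) or "" (nobody may sign in). How the last two are expressed is an assumption."""
    if ssp_group == "":
        return None
    clauses = ["(objectClass=user)",
               "(%s=%s)" % (AD_ATTRIBUTES["User name"], escape_filter_value(user_name))]
    if ssp_group == "*":
        clauses.append("(memberOf=*)")  # presence test: user belongs to at least one group
    else:
        clauses.append("(memberOf:%s:=%s)" % (IN_CHAIN, escape_filter_value(ssp_group)))
    return "(&" + "".join(clauses) + ")"
```

Running the checks against the values you plan to enter, before saving them in the console, catches a missing LDAPS flag, a malformed bind account or a search base typed as a DNS name rather than a DN.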