To manage user accounts for Sophos Mobile Admin and the Self Service Portal in an external
LDAP user directory, you must configure the connection to your LDAP server.
Sophos Mobile can connect to the following LDAP servers:
- Active Directory
- Google Cloud Directory
- HCL Domino
- NetIQ eDirectory
- Red Hat Directory Server
- Zimbra
For supported versions, see the Sophos Mobile 9.6 release notes.
For Active Directory, you can find additional information in knowledge base article
128081.
For Google Cloud Directory, you can find additional information in knowledge base article
132870.
Note There is no synchronization between the LDAP directory and Sophos Mobile.
Sophos Mobile only accesses the LDAP directory to look up user information.
Changes to an LDAP user account are not implemented on the Sophos Mobile
database, and vice versa.
To configure an LDAP connection to an external user directory:
- On the menu sidebar, under MANAGE, click Customers.
- On the Customers page, click the customer for whom you want to configure an LDAP connection.
- On the Edit customer page, under User directory, select External LDAP directory.
- Click Configure external LDAP.
  Configuration depends on the LDAP server type. The following instructions apply to Active Directory.
- On the Server details page, configure the following settings:
  - In the LDAP type field, select the LDAP server type.
  - In the Primary URL field, enter the IP address or name of the primary directory server.
    Select SSL/TLS to use LDAP over SSL (LDAPS) for the server connection.
    Note For Active Directory, LDAPS is mandatory. For information on setting up LDAPS for Active Directory, see the Microsoft document Step by Step Guide to Setup LDAPS on Windows Server.
  - Optional: In the Secondary URL field, enter the IP address or name of a directory server that Sophos Mobile uses as a fallback if the primary server isn't available.
  - In the User and Password fields, enter the credentials Sophos Mobile uses to authenticate with the LDAP server.
    Use one of the following formats:
    - <domain>\<user name>
    - <user name>@<domain>.<domain code>
    Note For security reasons, we recommend a dedicated account with no write permissions for the directory: Sophos Mobile only reads user information, so the bind account never needs more than read access.
- On the Search base page, enter the distinguished name (DN) of the search base object.
  The search base object defines the location in the directory from which the LDAP search begins.
- On the Search fields page, configure the attributes of the directory service that contain the user properties Sophos Mobile uses.
  Select the attribute names from the list or enter them manually.
  Use the following mappings for Active Directory:

  Property in Sophos Mobile | Attribute in Active Directory
  --------------------------|------------------------------
  User name                 | sAMAccountName
  First name                | givenName
  Last name                 | sn
  Email                     | mail

- On the SSP configuration page, specify the users that can sign in to the Self Service Portal. Enter the relevant information in the LDAP directory group field, using one of the following options:
  Note The group you specify here is not related to the user group you define on the Group settings tab of the Self Service Portal page. With those settings, you define task bundles, Sophos Mobile group membership and available device platforms for each user group.
  For further information on the Self Service Portal group settings, see the Sophos Mobile administrator help.
- Click Apply.
- On the Edit customer page, click Save.
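The following is an added, self-contained model of what the settings above control, written for this page and not code from Sophos. It uses a constructed in-memory stand-in for an Active Directory domain (sample entries, no real data) to show three things a practitioner wants to confirm before clicking Apply: that the search base scopes which accounts can be found at all, that the Search fields mapping turns a matched entry into the Sophos Mobile user properties, and that the SSP group restricts Self Service Portal sign-in via group membership. The exact LDAP filter Sophos Mobile issues is not documented on this page; the `(&(objectClass=user)(sAMAccountName=...))` lookup modelled here is an assumption, as are the entry names, the group `CN=Mobile-SSP,...` and the `preflight` checks, which simply encode the page's own rules (LDAPS mandatory for Active Directory, the two accepted bind-user formats, a DN-shaped search base).

```python
import re

# Sophos Mobile property -> Active Directory attribute, the mapping given on this page.
SEARCH_FIELDS = {
    "User name": "sAMAccountName",
    "First name": "givenName",
    "Last name": "sn",
    "Email": "mail",
}


def _user(dn, sam, given, sn, mail, member_of=()):
    """Build one constructed directory entry (sample data, not a real account)."""
    return {"dn": dn, "objectClass": ["top", "person", "user"], "sAMAccountName": sam,
            "givenName": given, "sn": sn, "mail": mail, "memberOf": list(member_of)}


# Hypothetical group DN used as the "LDAP directory group" on the SSP configuration page.
SSP_GROUP = "CN=Mobile-SSP,OU=Groups,DC=example,DC=com"

# Constructed sample entries standing in for an Active Directory domain.
DIRECTORY = [
    _user("CN=Jane Doe,OU=Staff,DC=example,DC=com", "jdoe", "Jane", "Doe",
          "jane.doe@example.com", [SSP_GROUP]),
    _user("CN=Bob Lee,OU=Staff,DC=example,DC=com", "blee", "Bob", "Lee",
          "bob.lee@example.com"),
    # Outside OU=Staff, so a search base of OU=Staff,... never returns it.
    _user("CN=Cal Ito,OU=Contractors,DC=example,DC=com", "cito", "Cal", "Ito",
          "cal.ito@example.com", [SSP_GROUP]),
]


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, lower-cased for comparison.
    A comma escaped with a backslash stays inside the value (RFC 4514)."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def is_under(dn, base):
    """True if dn is the search base object itself or lies below it (subtree scope)."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def find_entry(directory, search_base, logon_name, fields=SEARCH_FIELDS):
    """Assumed model of the lookup for a logon name:
    (&(objectClass=user)(<User name attribute>=<logon_name>)) below search_base.
    Active Directory matches sAMAccountName case-insensitively, so this does too."""
    name_attr = fields["User name"]
    for entry in directory:
        if "user" not in entry["objectClass"] or not is_under(entry["dn"], search_base):
            continue
        if entry.get(name_attr, "").lower() == logon_name.lower():
            return entry
    return None


def lookup_user(directory, search_base, logon_name, fields=SEARCH_FIELDS):
    """Return the matched entry's attributes mapped onto Sophos Mobile properties,
    or None when no user below the search base carries that logon name."""
    entry = find_entry(directory, search_base, logon_name, fields)
    if entry is None:
        return None
    return {prop: entry.get(attr, "") for prop, attr in fields.items()}


def may_use_ssp(directory, search_base, logon_name, group_dn):
    """SSP sign-in is limited to members of the configured LDAP group.
    memberOf values are compared as DNs, so case differences do not matter."""
    entry = find_entry(directory, search_base, logon_name)
    if entry is None:
        return False
    wanted = split_dn(group_dn)
    return any(split_dn(g) == wanted for g in entry.get("memberOf", []))


# The two bind-user formats the page accepts: <domain>\<user name> and
# <user name>@<domain>.<domain code>
BIND_USER_FORMATS = (
    re.compile(r"^[^\\@\s]+\\[^\\@\s]+$"),
    re.compile(r"^[^\\@\s]+@[^\\@\s]+\.[^\\@\s.]+$"),
)


def preflight(ldap_type, use_tls, bind_user, search_base):
    """Problems to fix before clicking Apply, as a list of messages (empty when clean)."""
    problems = []
    if ldap_type == "Active Directory" and not use_tls:
        problems.append("SSL/TLS not selected: LDAPS is mandatory for Active Directory")
    if not any(fmt.match(bind_user) for fmt in BIND_USER_FORMATS):
        problems.append("bind user must be DOMAIN\\user or user@domain.tld")
    if not all(attr and value for attr, value in split_dn(search_base)):
        problems.append("search base is not a well-formed distinguished name")
    return problems


if __name__ == "__main__":
    base = "OU=Staff,DC=example,DC=com"
    print(preflight("Active Directory", False, "EXAMPLE\\svc-sophos", base))
    print(lookup_user(DIRECTORY, base, "JDOE"))
    print(may_use_ssp(DIRECTORY, base, "jdoe", "cn=mobile-ssp,ou=groups,dc=example,dc=com"))
    print(lookup_user(DIRECTORY, base, "cito"))  # None: the entry is outside the search base
```

Two points the model makes visible: a search base set too narrowly (OU=Staff in the sample) silently hides accounts elsewhere in the domain, so a failed lookup may be a scoping problem rather than a wrong logon name; and the SSP group is an independent gate, so an account that resolves correctly through the search fields can still be refused at the Self Service Portal if it is not a member of the configured group.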