Skip to content

Configure external directory connection

To manage user accounts for Sophos Mobile Admin and Sophos Mobile Self Service Portal in an external LDAP user directory, you must configure the connection to your LDAP server.

Sophos Mobile can connect to the following LDAP servers:

  • Active Directory
  • HCL Domino
  • NetIQ eDirectory
  • Red Hat Directory Server
  • Zimbra

For supported versions, see the Sophos Mobile release notes.

For Active Directory, you can find additional information in knowledge base article 128081.


There is no synchronization between the LDAP directory and Sophos Mobile. Sophos Mobile only accesses the LDAP directory to look up user information. Changes to an LDAP user account are not implemented on the Sophos Mobile database, and vice versa.

To configure an LDAP connection to an external user directory:

  1. On the menu sidebar, click Setup > Sophos setup, and then click the User setup tab.

    If you’re a super administrator, open the customer’s Edit customer page instead.

  2. Select External LDAP directory.

  3. Click Configure external LDAP.

Configuration depends on the LDAP server type. The following instructions apply to Active Directory.

  1. On the Server details page, configure the following settings:

    1. In the LDAP type field, select the LDAP server type.
    2. In the Primary URL field, enter the IP address or name of the primary directory server.

      Select SSL/TLS to use LDAP over SSL (LDAPS) for the server connection.


      For Active Directory, LDAPS is mandatory. For information on setting up LDAPS for Active Directory, see the Microsoft document Step by Step Guide to Setup LDAPS on Windows Server.

    3. Optional: In the Secondary URL field, enter the IP address or name of a directory server Sophos Mobile uses as fallback in case the primary server isn’t available.

    4. In the User and Password fields, enter the credentials Sophos Mobile uses to authenticate with the LDAP server.

      Use one of the following formats:

      • <domain>\<user name>
      • <user name>@<domain>.<domain code>


      For security reasons, we recommend you select an account with no write permissions for the directory.

  2. On the Search base page, enter the distinguished name (DN) of the search base object.

    The search base object defines the location in the directory from which the LDAP search begins.

  3. On the Search fields page, configure the attributes of the directory service that contain the user properties Sophos Mobile uses.

    Select the attribute names from the list or enter them manually.

    Use the following mappings for Active Directory:

    Property in Sophos Mobile Attribute in Active Directory
    User name sAMAccountName
    First name givenName
    Last name sn
    Email mail
  4. On the SSP configuration page, specify the users that can sign in to Sophos Mobile Self Service Portal. Enter the relevant information in the LDAP directory group field, using one of the following options:

    • If you enter a user group from your LDAP directory, Sophos Mobile looks up users in that group and all subgroups.

      After you’ve entered the group name, click Test group to resolve the group name into a Distinguished Name (DN).

    • If you enter a single asterisk *, Sophos Mobile looks up users in all groups defined in your LDAP directory. It doesn’t look up users that aren’t a member of any group.

    • If you leave the field empty, no users can sign in to Sophos Mobile Self Service Portal. Use this option to turn on external user management for Sophos Mobile Admin but not for Sophos Mobile Self Service Portal.

    For details on Self Service Portal configuration, see Create Self Service Portal configurations.


    The group you specify here is not related to the user group you define in your Self Service Portal configurations. With those settings, you define task bundles, Sophos Mobile group membership and available device platforms for each user group.

  5. Click Apply.

  6. Click Save.