Directory Server Parameters

vFire Core can be integrated and synchronized with supported directory server technologies. This capability enables you to import analyst and User details held in other directory servers into vFire Core (formerly VMware Service Manager).

vFire Core directory integration uses the Microsoft .NET Directory Services library (System.DirectoryServices). This library supports communication with the following directory servers, all of which implement the Lightweight Directory Access Protocol (LDAP):

  • Microsoft Active Directory
  • Sun Java System Directory Server
  • Novell eDirectory

Besides the fields common to all sources on the Integration Source Details window, some fields are specific to directory server sources.

The names and availability of these fields vary depending on the connector.

LDAP Server Path

This is the connection string that identifies the directory server to which vFire Core will connect.

The connection string contains up to four pieces of information:

Directory Protocol

This part of the connection string is mandatory and will almost always be LDAP. An alternative is GC to indicate that the connection is to an Active Directory global catalog.

Host Name

This is the host name (DNS name or IP address) of the server on which the directory server application is installed.

IP Port Number

This is the TCP port on which the directory server is listening for LDAP. It is required only if a port other than the LDAP default of 389 is used. Note that LDAP over SSL normally listens on 636, and an Active Directory global catalog on 3268 (3269 over SSL), so a connection string that uses SSL or a non-default port must state the port explicitly.

Root Naming Context

This defines the scope of the objects retrieved by Directory Integration. It is expressed as the Distinguished Name (DN) of a container, either an OU or, as in the examples below, the domain naming context itself. Directory Integration imports the sub-OUs, groups, and users within that container.

Example of a connection string to connect to a Sun Java System Directory Server: LDAP://oneserver.mydomain.com:1095/dc=mydomain,dc=com

Example of a connection string to connect to an Active Directory server: LDAP://adserver.mydomain.com/dc=mydomain,dc=com

Example of a connection string to connect to the Global Catalog: GC://mygcserver.mydomain.com/

The Root Naming Context must be included in the connection string. If the Root Naming Context is not included in the connection string, scans will not function correctly.

It is recommended that a server name be specified in the connection string field rather than a serverless path such as LDAP://dc=mydomain,dc=com.
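The following PowerShell function is an added example, not part of the vFire Core product or its documentation. It parses an LDAP Server Path into the four parts described above and reports the mistakes the text warns about: a protocol other than LDAP or GC, a missing Root Naming Context, and a serverless path with no host name. The example strings at the end are the ones used in the text plus two faulty ones constructed for illustration; the server names are placeholders, not real hosts.

```powershell
# Added example: parse and sanity-check a vFire Core LDAP Server Path offline.
function ConvertFrom-LdapServerPath {
    param([Parameter(Mandatory)][string]$Path)

    # <Directory Protocol>://<Host Name>[:<IP Port Number>][/<Root Naming Context>]
    $pattern = '^(?<proto>[A-Za-z]+)://(?<host>[^/:]+)(?::(?<port>\d{1,5}))?(?:/(?<root>.*))?$'
    $m = [regex]::Match($Path, $pattern)
    if (-not $m.Success) { throw "Not a recognisable LDAP Server Path: '$Path'" }

    $proto = $m.Groups['proto'].Value.ToUpperInvariant()
    if ($proto -notin @('LDAP', 'GC')) { throw "Directory Protocol must be LDAP or GC, not '$proto'" }

    # A serverless path (LDAP://dc=mydomain,dc=com) puts the DN where the host name would be.
    $hostName   = $m.Groups['host'].Value
    $serverless = $hostName -match '='
    $root = if ($serverless) { $hostName } else { $m.Groups['root'].Value }
    $port = if ($m.Groups['port'].Success) { [int]$m.Groups['port'].Value }
            elseif ($proto -eq 'GC')       { 3268 }   # global catalog default
            else                           { 389 }    # LDAP default

    $warnings = @()
    if ($serverless) {
        $warnings += 'No server name in the path: Server Bind has no effect and a server name is recommended.'
    }
    if ($proto -eq 'LDAP' -and -not $root) {
        $warnings += 'No Root Naming Context: scans will not function correctly.'
    }
    # Simple DN shape check (attr=value pairs separated by commas); escaped commas are not handled.
    if ($root -and $root -notmatch '^[A-Za-z]+=[^,]+(,[A-Za-z]+=[^,]+)*$') {
        $warnings += "Root Naming Context is not a well-formed DN: '$root'"
    }

    [pscustomobject]@{
        Protocol          = $proto
        Host              = if ($serverless) { $null } else { $hostName }
        Port              = $port
        RootNamingContext = $root
        Warnings          = $warnings
    }
}

# The three example strings from the text, then a path without a naming context and a serverless path.
foreach ($p in 'LDAP://oneserver.mydomain.com:1095/dc=mydomain,dc=com',
               'LDAP://adserver.mydomain.com/dc=mydomain,dc=com',
               'GC://mygcserver.mydomain.com/',
               'LDAP://adserver.mydomain.com',
               'LDAP://dc=mydomain,dc=com') {
    ConvertFrom-LdapServerPath $p | Format-List
}
```

The GC example from the text deliberately produces no warning for its empty naming context, since the text shows it that way; the missing-context warning applies to LDAP paths only.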

User DN/ID and Password

These are the credentials vFire Core uses to authenticate to the directory server. When connecting to Active Directory, both can be left empty, in which case the connection is made with the credentials of the account under which the vFire Core process runs, so that account must have read access to the directory. The password is always stored in the database in an encrypted format.

If the length of the password entered does not match the length of the stored password while the Server and Login ID fields are unchanged, the administrator is prompted to re-enter the password. If the password of the integration account is changed in the directory, the Password field must be updated to match.

Server Bind

This setting improves the performance of connecting to the directory server when the LDAP Server Path field contains a server name. It has no effect if the connection string does not contain a server name.

SSL

This setting is used to create an SSL-encrypted connection between vFire Core and the directory server. Without it, a simple bind sends the User DN/ID and Password to the directory server in clear text, along with every attribute that is imported. The directory server's certificate must be trusted by the vFire Core server, and the connection string should name the port on which the directory server accepts SSL (normally 636, or 3269 for a global catalog). This option is ignored if the User DN/ID field is not specified for the directory server.

Kerberos/NTLM

This setting enables the source to authenticate to the directory server with Kerberos (or NTLM) instead of a simple LDAP bind, so the password is not transmitted to the directory server.
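As an added example (not vFire Core's own code), the following PowerShell function binds to a directory source with the same options the Integration Source Details window exposes, so that a connection string, credentials and the Server Bind, SSL and Kerberos/NTLM settings can be tested before the source is saved. It uses the System.DirectoryServices library named above; the mapping of each check box onto an AuthenticationTypes flag is an assumption about how the product behaves, and the server and account names in the usage lines are placeholders.

```powershell
# Added example: test-bind to a directory server with vFire Core's connection options.
function Test-DirectorySourceBind {
    param(
        [Parameter(Mandatory)][string]$LdapServerPath,  # value of the LDAP Server Path field
        [string]$UserDn,                                 # empty: use the calling process's credentials
        [string]$Password,
        [switch]$ServerBind,                             # Server Bind option
        [switch]$Ssl,                                    # SSL option
        [switch]$Kerberos                                # Kerberos/NTLM option
    )

    # Assumed mapping of the window's options onto System.DirectoryServices.AuthenticationTypes.
    $types = [System.DirectoryServices.AuthenticationTypes]
    $auth  = $types::None                                # simple bind unless a flag below is set
    if ($ServerBind) { $auth = $auth -bor $types::ServerBind }
    if ($Ssl)        { $auth = $auth -bor $types::SecureSocketsLayer }
    if ($Kerberos)   { $auth = $auth -bor $types::Secure }   # Negotiate: Kerberos, or NTLM if unavailable

    # Empty User DN/ID: bind as the account running this process, as the text describes for Active Directory.
    $user = if ([string]::IsNullOrEmpty($UserDn)) { $null } else { $UserDn }
    $pass = if ($null -eq $user) { $null } else { $Password }
    $boundAs = if ($null -eq $user) { "$env:USERDOMAIN\$env:USERNAME (process credentials)" } else { $user }

    $entry = New-Object System.DirectoryServices.DirectoryEntry($LdapServerPath, $user, $pass, $auth)
    try {
        $entry.RefreshCache()   # forces the bind; throws on a bad path, bad credentials or an untrusted certificate
        [pscustomobject]@{
            Path    = $LdapServerPath
            BoundAs = $boundAs
            Auth    = $auth
            RootDn  = [string]$entry.Properties['distinguishedName'].Value
            Ok      = $true
            Error   = $null
        }
    } catch {
        [pscustomobject]@{
            Path    = $LdapServerPath
            BoundAs = $boundAs
            Auth    = $auth
            RootDn  = $null
            Ok      = $false
            Error   = $_.Exception.Message
        }
    } finally {
        $entry.Dispose()
    }
}

# Usage (placeholder hosts and accounts):
# Test-DirectorySourceBind -LdapServerPath 'LDAP://adserver.mydomain.com/dc=mydomain,dc=com' -ServerBind -Kerberos
# Test-DirectorySourceBind -LdapServerPath 'LDAP://oneserver.mydomain.com:636/dc=mydomain,dc=com' -Ssl `
#     -UserDn 'cn=vfire,ou=Service Accounts,dc=mydomain,dc=com' -Password (Read-Host 'Password')
```

With -Kerberos, pass the account in Windows form (DOMAIN\user or a UPN) rather than a DN; a DN is what a simple bind expects. With -Ssl, put the SSL port in the path, since the text's default of 389 applies to plain LDAP only.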

Flat Domain Name

This field only displays for an Active Directory Connector source.

You can use this field to manually configure the domain that will be assigned to all users imported into vFire Core from this directory server.

In Active Directory, each user has a userID that is unique within the domain to which they belong. When multiple domains are configured, however, two users belonging to different domains can have the same userID, and Active Directory uses the domain to distinguish between them. When users are imported into vFire Core from multiple Active Directory domains, vFire Core therefore stores, for each imported analyst, both the userID and an identifier for the domain to which the analyst belongs. This identifier is referred to as the flat domain name, and it is what identifies users from multiple domains when Integrated Security is configured.

When users are imported from Active Directory into vFire Core, the system tries to derive their flat domain name by querying the directory server. This information, however, is not always up to date.

Use this field to specify the domain that will be used by any person records imported from this directory server. The value specified in this field overrides any domain retrieved from the directory server itself. It is strongly recommended (although not mandatory) that you use this field to make clear which domain should be assigned to the person records imported from this directory server.

If you add the flat domain name after you have imported analysts or Users into vFire Core, you must rescan these analysts or Users in order to pick up the new domain name.

You can view the flat domain name of an analyst by clicking the Login ID and Password button on the Person Details window for the analyst's record. The flat domain name is shown in the Domain field.

Delete Disabled Person Records

This option displays only for an Active Directory Connector source.

Select this option to delete a person record from vFire Core when the corresponding account is disabled in Active Directory. If the account is subsequently re-enabled in Active Directory, the person details are restored in vFire Core during the next scheduled directory integration scan.

When a person record is deleted from vFire Core based on a disabled Active Directory record, the Login ID and Password fields for the deleted user within vFire Core will be available for reuse.

Authenticate Imported People against Source

This option only displays if the directory server and the directory server connector support authentication.

Select this option to enable vFire Core to authenticate already imported persons against the directory source from which they were initially imported.

Alemba recommends that if you have multiple sources for the same users, you select this option only for the definitive source you want vFire Core to use to authenticate the user. Otherwise, vFire Core will pick one of the sources enabled for authentication at random to authenticate the imported user.

Authentication for an Active Directory Integration Connector

For Active Directory implementations, you should enable Integrated Security on the Security Settings window in vFire Core. Configuring Integrated Security identifies imported analysts with their originating domains, and then uses this information to authenticate the analyst against the corresponding Active Directory user when a directory integration scan is performed. For Active Directory users, it is not necessary to select the Authenticate Imported People against Source option.

The Active Directory attribute userPrincipalName must be populated on a user for the Active Directory scan to import that user. If it is empty, an error message is written to the Activity Log stating that there is no userID.
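The following PowerShell function is an added example, not part of vFire Core, that runs the checks an administrator would want before an Active Directory scan: it reads the domain's NetBIOS name (the value to enter as the Flat Domain Name), lists users under the Root Naming Context that have no userPrincipalName (the scan logs "no userID" for these), and lists disabled accounts (the ones that Delete Disabled Person Records would remove from vFire Core). It uses System.DirectoryServices directly. That the NetBIOS name lives on the domain's crossRef object under CN=Partitions in the configuration partition, and that bit 0x2 of userAccountControl marks a disabled account, are standard Active Directory schema facts rather than statements from this page; the host name in the usage line is a placeholder.

```powershell
# Added example: pre-scan checks for an Active Directory source, run with the
# credentials of the calling process (as vFire Core does when User DN/ID is empty).
function Get-DirectoryScanPreflight {
    param([Parameter(Mandatory)][string]$LdapServerPath)   # same value as the LDAP Server Path field

    if ($LdapServerPath -notmatch '^(?:LDAP|GC)://([^/:]+)') { throw "Path has no server name: '$LdapServerPath'" }
    $server = $Matches[1]

    $root = New-Object System.DirectoryServices.DirectoryEntry($LdapServerPath)
    try {
        # 1. Flat domain name: the NetBIOS name of the server's own domain, from its crossRef
        #    object under CN=Partitions in the configuration naming context.
        $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$server/RootDSE")
        $configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
        $domainNc = [string]$rootDse.Properties['defaultNamingContext'].Value
        $parts    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$server/CN=Partitions,$configNc")
        $s = New-Object System.DirectoryServices.DirectorySearcher($parts)
        $s.Filter = "(&(objectClass=crossRef)(nCName=$domainNc))"
        [void]$s.PropertiesToLoad.Add('nETBIOSName')
        $cr   = $s.FindOne()
        $flat = if ($cr) { [string]$cr.Properties['netbiosname'][0] } else { $null }

        # 2. Users within the Root Naming Context (subtree search) that have no userPrincipalName.
        $s = New-Object System.DirectoryServices.DirectorySearcher($root)
        $s.PageSize = 500
        [void]$s.PropertiesToLoad.Add('sAMAccountName')
        $s.Filter = '(&(objectCategory=person)(objectClass=user)(!(userPrincipalName=*)))'
        $noUpn = @($s.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] })

        # 3. Disabled accounts: userAccountControl bit 0x2, matched with the LDAP bitwise-AND rule.
        $s.Filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'
        $disabled = @($s.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] })

        [pscustomobject]@{
            Server          = $server
            DomainDn        = $domainNc
            FlatDomainName  = $flat
            UsersWithoutUpn = $noUpn
            DisabledUsers   = $disabled
        }
    } finally {
        $root.Dispose()
    }
}

# Usage (placeholder host):
# Get-DirectoryScanPreflight -LdapServerPath 'LDAP://adserver.mydomain.com/dc=mydomain,dc=com'
```

Compare FlatDomainName with the value in the Flat Domain Name field, add a userPrincipalName to every account in UsersWithoutUpn that should be imported, and review DisabledUsers before enabling Delete Disabled Person Records, since each of those login IDs becomes reusable in vFire Core once the record is deleted.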

Authentication for other Directory Integration Connectors

Person records imported from other directory servers are authenticated only if Authenticate Imported People against Source is selected. Analysts imported from non-Active Directory directory servers have their Distinguished Name (DN) stored in a vFire Core field called USER_QUALIFIED. When an analyst logs on to vFire Core, they are matched by the login ID to a user record. This setting is ignored if Integrated Security is enabled.