Declaring an LDAP directory

Declaring an LDAP directory on the SDMC server allows the end user to share his protected files with all users located in the directory without having to manually import their certificates.

  • SDS for C&M is compatible with LDAP directories such as OpenLDAP and Active Directory for Windows Server 2008, 2012 and 2016.
  • The PKI must have published the certificates beforehand in the directory, for example Stormshield Data Authority Manager (SDAM).
  • Certificates must contain an email address in one of their fields.
  1. In the SDMC server's administration interface, select the Policies menu on the left.
  2. In the LDAP section, enable the search for users via LDAP. The LDAP parameters will then appear.

LDAP area

  1. Fill in the LDAP server settings:
    • LDAP server name: indicate the name of your LDAP server,
    • Activate LDAPS: click to enable the SSL protocol and secure LDAP connections,
    • Port: indicate an LDAP port number if you do not wish to use the default port,
    • Protocol: choose the version of the protocol.
  2. Enter the User and certificate search settings:
    • Base: indicate the branch of the tree ("dn" for Distinguished Name) from which SDS for C&M must perform searches,
    • Search sub-trees: click to enable searches on all levels below the search base,
    • Common name: indicate the desired value for this attribute if the default cn value is not suitable.
    • Certificate: indicate the desired value for this attribute if the default userCertificate value is not suitable.

When protecting or sharing a file, a user can search for other users in the LDAP directory. This search is based only on the attributes distinguishedName for Active Directory and EntryDN for OpenLDAP. These attributes will then allow the user's DN to be retrieved.

  1. Fill in the Alternate authentication parameters. These settings are optional and will only be applied if the default Single Sign-On (SSO) authentication mode fails.

Several authentication modes are available for you to access your LDAP directory:

  • SSO mode: Identification mechanism that uses the identifiers for logging on to the operating system in order to access the LDAP directory. This is the default mode for Windows clients. It cannot be used for Windows clients located outside the Active Directory domain, or for macOS clients.
  • Simple authentication: Universal identification mechanism, in which the login and password are sent in plaintext over the network. To implement it, enter the keywords and password provided by the administrator of the LDAP directory in the Connection DN and Password fields. This is the default mode for macOS clients. It is used in Windows if SSO mode fails. In this mode, you are strongly advised to enable the LDAPS parameter.
  • Anonymous authentication: If the SSO mode does not work, and the Connection DN and/or Password fields are empty, authentication will be anonymous.

  1. Click on Save at the top right side of the window.