Advanced configuration: LDAP mode
The values for Advanced LDAP configuration mode are populated with default configuration settings based on the LDAP server type that you selected. Use this option if you need to edit these values for your environment, for example, when any of the following applies:
- You use OpenLDAP and must configure how the Cloud Extender® looks for users and groups.
- You must read specific attributes of users during the authentication process.
- You must map user properties on MaaS360® to specific fields in your LDAP.
- You must support user custom attributes.
To configure advanced settings for LDAP mode, click Advanced on the last screen of the module configuration.
Object Classes configuration
LDAP Object Classes define a type of object in LDAP. Every user and every user group on LDAP uses a specific Object Class. With the Object Class, you can list all objects that have that Object Class. After you set up an authentication profile in Basic configuration mode, select the Object Class of your users and groups.
Option | Description |
---|---|
Object Class for User | The object class that identifies the type of all your users. The Cloud Extender uses the Basic mode configuration, queries your LDAP for all possible Object Classes for users, and lists them. If the Object Class for your users is not automatically discovered or does not appear in the selection list, type the Object Class for users. The following image provides an example of the Object Class for a user on Active Directory: |
Object Class for Groups | The object class that identifies the type of all your user groups. The following image provides an example of the Object Class for a group of users on Active Directory: |
Load Attributes | Fetches all attributes of users and groups that are used to configure the Mandatory User Attributes, Optional User Attributes, and User Custom Attributes. |
Mandatory User Attributes configuration
During the authentication process, the Cloud Extender reads certain attributes of the user from your directory that it requires for other configuration aspects after a device is enrolled in the IBM® MaaS360 Portal.
Option | Description |
---|---|
Username | In Basic configuration mode, the Cloud Extender uses the User Search Attribute Name to search LDAP for the user who is trying to enroll the device. You can pick the same attribute here. If you need to represent users by a different attribute in MaaS360 (for example, by email address), select a different attribute. Note: This attribute is part of the %username% variable in MaaS360. Use this variable in MaaS360 policies to configure email on mobile devices. This variable converts to the user name for the user's email configuration. |
Domain | The domain of the user. You use the domain to configure email on the mobile device. You can map the domain field to a specific attribute in your directory or derive the domain from the user's Distinguished Name (DN). The following DN shows the format: uid=username,c=us,ou=subdomain,dc=company,dc=com If Domain is set to Derive from DN, the domain derived from this example is company.com (the dc= components, joined left to right). |
Mail Address | The email address of the user. Use this address to configure email on the device. |
GUID | A unique identifier that represents each user object in your directory. Group membership evaluation uses the GUID of the user. |
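The Domain row above describes deriving the domain from the dc= components of the user's DN, and the table as a whole describes four attributes that must all resolve before a device can enroll. The following added example (not IBM's or the Cloud Extender's own code) shows both: an RFC 4514 DN splitter that honours escaped commas, the "Derive from DN" rule built on it, and a resolver that reports missing mandatory attributes instead of silently skipping them. The attribute mapping and the sample entry are constructed for the example; sAMAccountName, mail and objectGUID are real Active Directory attribute names, while the "<derive from DN>" marker is this example's own convention.

```python
from __future__ import annotations


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 distinguished name into (attribute type, value) pairs.

    A backslash escape inside a value (for example "Doe\\, Jane") is honoured,
    so an escaped comma does not start a new RDN. Attribute types are
    lower-cased because LDAP attribute names are case-insensitive.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:            # the character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":        # an unescaped comma separates RDNs
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))

    pairs = []
    for rdn in rdns:
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr_type.strip().lower(), value.strip()))
    return pairs


def domain_from_dn(dn: str) -> str:
    """Derive the user's domain from the dc= components of the DN, left to
    right, which is what the 'Derive from DN' setting for Domain does."""
    labels = [value for attr_type, value in split_dn(dn) if attr_type == "dc"]
    if not labels:
        raise ValueError("DN has no dc= components; map Domain to an attribute instead")
    return ".".join(labels)


# Constructed example of the mapping an administrator chose for an Active
# Directory forest. "<derive from DN>" is this example's own marker.
MANDATORY_ATTRIBUTE_MAPPING = {
    "Username": "sAMAccountName",
    "Domain": "<derive from DN>",
    "Mail Address": "mail",
    "GUID": "objectGUID",
}


def resolve_mandatory_attributes(entry: dict, mapping: dict = MANDATORY_ATTRIBUTE_MAPPING) -> dict:
    """Build the four mandatory user attributes from one directory entry.

    `entry` maps LDAP attribute names to values and carries the entry's "dn".
    A mandatory attribute that is missing or empty is reported as an error
    rather than skipped, because enrolment depends on every one of them.
    """
    lowered = {k.lower(): v for k, v in entry.items()}  # attribute names are case-insensitive
    resolved, missing = {}, []
    for maas_field, source in mapping.items():
        if source == "<derive from DN>":
            value = domain_from_dn(entry["dn"])
        else:
            value = lowered.get(source.lower())
        if not value:
            missing.append(maas_field)
        else:
            resolved[maas_field] = value
    if missing:
        raise ValueError(f"mandatory attributes missing from directory entry: {missing}")
    return resolved


# Constructed sample entry (not real directory data)
SAMPLE_ENTRY = {
    "dn": "CN=Jane Doe,OU=Users,DC=corp,DC=example,DC=com",
    "sAMAccountName": "jdoe",
    "mail": "jane.doe@corp.example.com",
    "objectGUID": "00000000-0000-0000-0000-000000000001",
}

if __name__ == "__main__":
    print(domain_from_dn("uid=username,c=us,ou=subdomain,dc=company,dc=com"))
    print(resolve_mandatory_attributes(SAMPLE_ENTRY))
```

Raising on a missing attribute rather than returning a partial record is deliberate: an enrolment that proceeds with an empty GUID would break group membership evaluation later, which is much harder to diagnose than a refused authentication.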
Optional User Attributes configuration
In addition to Mandatory User Attributes, the Cloud Extender module for User Authentication reads optional user attributes during the authentication process. These values are uploaded to the IBM MaaS360 Portal and are used later for grouping devices or as configuration parameters. The User Principal Name (UPN) is a common field that is read during authentication.
The following window provides a standard list of user attributes on MaaS360 that can be mapped to the user's attribute on your directory:
Custom User Attributes configuration
Use the Custom User Attributes feature to define your own attributes in the IBM MaaS360 Portal and in various configuration workflows:
- You define a Custom User Attribute that is called Employee Serial Number and then use this value in MaaS360 policies for device configuration, application configuration, or as a part of Identity Certificates.
- You define a Custom User Attribute that is called Home Directory that can be used to configure Windows file shares on mobile devices.
You can map Custom User Attributes to LDAP attributes of the user in your directory. For examples of mappings against Microsoft Active Directory, see Table 3.
Other advanced settings
You can configure more LDAP settings for optimized User/Group searches and more domain mapping fields for multi-profile (multi-forest) setups:
Option | Description |
---|---|
User Filters | Use this option to filter the list of users that the Cloud Extender discovers, for example, to include only active users or only users who belong to specific departments. Use standard LDAP filter syntax to further narrow your user searches. |
Group Filters | Use this option to filter the list of groups that the Cloud Extender discovers. |
Domain Name Mapping | If you created multiple authentication profiles in the Cloud Extender configuration (multi-forest environments), use domain name mapping to instruct the Cloud Extender which authentication profile to use for which user. Domain name mapping applies only to Microsoft Active Directory environments that are configured in LDAP mode. Domain: the short domain name that users provide during authentication. Fully Qualified Domain Name: the corresponding FQDN of the domain. This map determines which authentication profile is used for user authentication. |
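The User Filters row says to narrow the user search with a standard LDAP filter, and the Domain Name Mapping row says the short domain a user types selects the authentication profile. The following added example (not IBM's or the Cloud Extender's own code) shows how those two pieces of configuration are safely combined with the value the user supplies: the configured object class, search attribute and administrator filter are trusted, while the username is escaped per RFC 4515 so that characters such as `*`, `(` and `)` can only be matched literally and cannot change the filter's meaning. The domain mapping, profile names and logins are constructed for the example; the user filter in the test, `(!(userAccountControl:1.2.840.113556.1.4.803:=2))`, is the well-known Active Directory filter that excludes disabled accounts.

```python
from __future__ import annotations

import re

# RFC 4515: these characters would change a filter's structure unless escaped
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value that comes from the authenticating user so that it is
    only ever compared as a literal inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(object_class: str, search_attribute: str,
                             username: str, user_filter: str | None = None) -> str:
    """Compose the user search that the 'User Filters' option narrows.

    object_class, search_attribute and user_filter are administrator
    configuration and are trusted; username comes from the enrolling user and
    is escaped. user_filter must be a complete, parenthesised LDAP filter,
    which is AND-ed with the object-class and username clauses.
    """
    # Stricter than RFC 4512 on purpose: plain attribute names only, no options
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", search_attribute):
        raise ValueError(f"not a valid attribute name: {search_attribute!r}")
    clauses = [
        f"(objectClass={ldap_filter_escape(object_class)})",
        f"({search_attribute}={ldap_filter_escape(username)})",
    ]
    if user_filter:
        if not (user_filter.startswith("(") and user_filter.endswith(")")):
            raise ValueError("user_filter must be a complete LDAP filter in parentheses")
        clauses.append(user_filter)
    return "(&" + "".join(clauses) + ")"


# Constructed domain name mapping (short name -> FQDN) and the authentication
# profile that each forest's FQDN belongs to. All names are this example's own.
DOMAIN_NAME_MAPPING = {"CORP": "corp.example.com", "EMEA": "emea.example.net"}
PROFILE_BY_FQDN = {"corp.example.com": "Profile-Corp", "emea.example.net": "Profile-EMEA"}


def resolve_authentication_profile(login: str, mapping: dict = DOMAIN_NAME_MAPPING,
                                   profiles: dict = PROFILE_BY_FQDN) -> tuple[str, str]:
    """Pick the authentication profile for a login written as DOMAIN\\user
    (short name, matched case-insensitively) or user@fqdn (UPN style, an
    assumption of this example). Returns (profile, username). A domain that
    is not mapped raises LookupError, so the request is refused rather than
    sent to an arbitrary profile."""
    if "\\" in login:
        short, _, user = login.partition("\\")
        fqdn = mapping.get(short.upper())
    elif "@" in login:
        user, _, suffix = login.rpartition("@")
        fqdn = suffix.lower()
    else:
        raise LookupError("login carries no domain; cannot select a profile")
    if not user or not fqdn or fqdn not in profiles:
        raise LookupError(f"no authentication profile mapped for {login!r}")
    return profiles[fqdn], user


if __name__ == "__main__":
    print(build_user_search_filter("user", "sAMAccountName", "jdoe",
                                   "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"))
    print(resolve_authentication_profile("CORP\\jdoe"))
```

Keeping the administrator's filter and the user's input on different paths is the point: the configured filter is inserted verbatim because it is meant to contain LDAP syntax, whereas anything typed at enrolment time only reaches the directory as an escaped literal.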
Next steps
The IBM MaaS360 Portal offers the Cloud Extender Scaling Tool at . Enter the number of users and devices that you plan to enroll in MaaS360 to determine how many Cloud Extenders you need to support that scale.
Install the specified number of Cloud Extenders in a High Availability (HA) environment. To install the Cloud Extender for User Authentication in an HA environment, implement the same steps on all Cloud Extenders that have the User Authentication module enabled (including any new Cloud Extenders that are added in the future).
The Cloud Extender also offers an Export Configurations option that exports all configuration details from one Cloud Extender so that you can import them into another Cloud Extender.