About Directory Services

User authentication and authorization can be managed through Active Directory or an LDAP (Lightweight Directory Access Protocol) directory. These directory services make it easier to manage large numbers of Signiant users: users are authenticated by a trusted corporate service rather than by the Signiant Manager itself.

Authentication Service

Upon initial login by an unregistered user, the Manager presents logon credentials to the selected directory service. Directory authentication uniquely identifies the Signiant user through their corporate username and password. Users do not have to manage a separate username and password for Signiant, and a corporate standard for password management can be enforced.

User authorization rights are determined by Access Control Lists or Permissions on Signiant managed objects, such as users, groups, and jobs. Although access can be configured for each user, managing access through user group membership is the recommended best practice. Signiant synchronizes user group membership in the directory with user group membership in Signiant so that access to objects in Signiant can be managed through the directory.

Signiant supports multiple directories. When a user logs into the Manager, the application is searched for a matching username. When a match is found, a login is attempted using the supplied password. When it is not possible to maintain unique usernames across directory services, the Enforce Domain Credentials option can be used to force users to provide domain-qualified usernames when logging into Signiant.

The Native Signiant User Directory is always enabled and provides user management without a corporate directory service. There must be at least one administrative user defined in the Native Directory for managing basic configuration including directory services.

First Time Login

When a user logs in for the first time using a directory account, their group membership and user attributes, such as name and phone number, are copied to a directory account stub created in the Signiant database. This account can be updated or deleted like a native account with the exception that the password cannot be set and group membership is synchronized with the directory each time the user logs in.

Global and directory-specific settings determine whether directory users are allowed to log into the Manager.

When an unregistered user first logs in, and more than one directory service is listed, authentication searches the services in the order in which they appear in the list. You can change the order in which the directory services appear so that authentication scans the most common one first. The default method for user authentication, called Native Product Authentication, is set up during installation.

When an Active Directory or LDAP user belongs to a group that also exists in the Signiant group list (that is, a group with the same name), the user's membership in the Signiant group is synchronized with the directory group. Any existing Signiant group memberships that do not correspond to one of the user's directory groups are removed, except membership in the default user group defined in the Directory Services Settings.

After users log in and are identified in the Manager database, you can edit their user information. Signiant maps and synchronizes the following LDAP and Active Directory attributes to the corresponding Signiant fields (LDAP attribute names are case-insensitive):

LDAP and Active Directory attribute    Signiant field
mail                                   email
givenName                              first_name
sn                                     last_name
telephoneNumber                        phone
facsimileTelephoneNumber               fax
mobile                                 mobile
title                                  title

Managing Directory Services

You can manage multiple directory services on the Administration > Users > Directory Services page.

Adding or Editing a Directory Service

When you add a directory service, you must specify a name for the service, the server name or IP address, and the port number. The Native Product Authentication service has no connection settings, but you can edit its name, test user and test password fields. Blank passwords are not supported for Enterprise LDAP/LDAPS Authentication: a user who has a blank password and tries to authenticate is denied access. (An LDAP bind with an empty password is treated by directory servers as an anonymous or unauthenticated bind that succeeds without checking any credential, so accepting it would let anyone log in as any user.)

To add or edit a directory service:

  1. In the Manager, navigate to Administration > Users > Directory Services.
  2. Click Add or select an existing directory service and click Edit.
  3. Choose options on the appropriate tabs:

Settings Tab

  • Type: Choose the type of directory service. Select Enterprise Active Directory Authentication or Enterprise LDAP/LDAPS Authentication.
  • Name: Enter a directory service name.
  • Active Directory Name: Displayed only if Enterprise Active Directory Authentication is selected. Enter the Windows domain name associated with the directory service.
  • Server Name/IP: The host name or IP address of your authentication server. If you leave this field blank and have entered an Active Directory Name, the Manager locates the Active Directory servers for that domain through DNS. If you have multiple Active Directory servers, completing only the Active Directory Name field and leaving Server Name/IP blank provides some redundancy to your configuration.
  • Port: Select one of the listed ports to enable connection to your authentication server.
  • Timeout: Enter the read timeout, in seconds, for your directory server. The default is 10 seconds.
  • Secure Connection: When enabled, the connection to the directory server uses SSL/TLS (LDAPS). Without it, the user's password is sent to the directory server in clear text during the simple bind.
  • Search Base: Displayed only when Enterprise LDAP/LDAPS Authentication is selected. This is the point in the directory tree at which the user search starts. Example: cn=Users,dc=company,dc=somewhere,dc=com
Authentication Options
  • Synchronize User's information at login: Displayed if Enterprise Active Directory Authentication is selected. When enabled, the user's information is refreshed from Active Directory each time they log in.
  • Enforce Domain Credentials: Forces users to include their domain name in their login credentials. This ensures the uniqueness of user accounts and increases security when multiple directory services are in use.
  • Restrict to Group Membership: Enter the name of the group to which the user must belong in order to be authenticated. Leave this field blank to allow a user to log in regardless of group membership.
  • Enable Support For Nested Groups: Displayed if Enterprise Active Directory Authentication is selected. Enable this option to ensure that all nested Active Directory groups are synchronized and updated in the Manager.
  • Directory User: Specifies the user credentials used for the global directory recipient search. The specified user must be valid in the directory service. If you do not specify a user, the directory will not be available for global recipient searching. The domain name should not be appended to the username. Use a dedicated read-only directory account for this purpose; it only needs permission to search the directory.
  • Password: Enter the password associated with the username.

Advanced LDAP Options Tab

  • Group Object Class: Enter the object class of the group class in the directory schema.
  • Group Member Attribute: Enter the attribute of the group that contains the members.
  • Group Naming Attribute: Enter the naming attribute associated with the group.
  • User Object Class: Enter the user object class used in your schema.
  • User Username Attribute: Enter the attribute associated with the username in your schema.
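The following added example (not Signiant's code) shows how the Enforce Domain Credentials option and the Advanced LDAP Options above fit together when a login is processed: the login name is split into domain and account, the directory to try is chosen from the ordered list, and the user and group-restriction search filters are built from the configured object classes and attributes. The object class and attribute defaults for Active Directory and OpenLDAP, the directory-matching rule, and the function names are assumptions for illustration. The security point is the RFC 4515 escaping: an account name is untrusted input, and without escaping a value such as `*)(uid=*` rewrites the filter.

```python
"""Login-name parsing and LDAP filter construction (added illustration)."""

# Assumed Advanced LDAP Options values for two common directory types.
SCHEMAS = {
    "ad": {
        "user_object_class": "user",
        "user_username_attribute": "sAMAccountName",
        "group_object_class": "group",
        "group_member_attribute": "member",
        "group_naming_attribute": "cn",
    },
    "openldap": {
        "user_object_class": "inetOrgPerson",
        "user_username_attribute": "uid",
        "group_object_class": "groupOfNames",
        "group_member_attribute": "member",
        "group_naming_attribute": "cn",
    },
}

# RFC 4515 requires these characters to be hex-escaped inside an assertion
# value; a username such as "*)(uid=*" would otherwise rewrite the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_login(login: str, enforce_domain: bool):
    """Split 'DOMAIN\\account' or 'account@domain' into (domain, account).

    With Enforce Domain Credentials on, a bare account name is rejected
    instead of being tried against every directory in turn.
    """
    if "\\" in login:
        domain, _, account = login.partition("\\")
    elif "@" in login:
        account, _, domain = login.rpartition("@")
    else:
        domain, account = "", login
    if not account or (enforce_domain and not domain):
        raise ValueError("a domain-qualified username is required")
    return (domain.lower() or None, account)


def candidate_directories(directories, domain):
    """Directories to try, in Directory Services list order.

    Each directory is a dict with 'name', 'domain' and 'enabled' keys.
    Assumption: a domain-qualified login is tried only against the
    directory whose Active Directory Name matches the domain.
    """
    out = []
    for d in directories:
        if not d["enabled"]:
            continue
        if domain and d["domain"].lower() != domain:
            continue
        out.append(d["name"])
    return out


def user_filter(schema: str, account: str) -> str:
    """Search filter for the account, evaluated under the Search Base."""
    s = SCHEMAS[schema]
    return "(&(objectClass=%s)(%s=%s))" % (
        s["user_object_class"], s["user_username_attribute"], escape_filter_value(account))


def group_filter(schema: str, group_name: str, user_dn: str, nested: bool = False) -> str:
    """Filter that matches the 'Restrict to Group Membership' group only if
    user_dn is a member. nested=True adds the Active Directory
    LDAP_MATCHING_RULE_IN_CHAIN OID so membership via nested groups counts."""
    s = SCHEMAS[schema]
    member_attr = s["group_member_attribute"]
    if nested:
        member_attr += ":1.2.840.113556.1.4.1941:"
    return "(&(objectClass=%s)(%s=%s)(%s=%s))" % (
        s["group_object_class"], s["group_naming_attribute"], escape_filter_value(group_name),
        member_attr, escape_filter_value(user_dn))


if __name__ == "__main__":
    # Constructed directory list for the stand-alone demo.
    dirs = [{"name": "Corp AD", "domain": "CORP", "enabled": True},
            {"name": "Legacy LDAP", "domain": "", "enabled": True}]
    domain, account = parse_login("CORP\\alice", enforce_domain=True)
    print(candidate_directories(dirs, domain))
    print(user_filter("ad", account))
    print(group_filter("ad", "Signiant Users", "CN=alice,OU=Staff,DC=corp,DC=example", nested=True))
```

The group filter is the same query the Restrict to Group Membership and Enable Support For Nested Groups options imply; the nested form is only meaningful against Active Directory, since the matching-rule OID is an AD extension.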

Test Settings Tab

  • Name: Enter the same directory service name you entered on the Settings tab. Note: You may need to try various account name formats for the test user, such as <domain_name>\<account_name> or <account_name>@<domain_name>, to authenticate successfully.
  • Server Name/IP: Enter the same server name/IP address entered on the Settings tab.
  • Test User: Enter a username you can use to test the settings specified on this tab.
  • Test Password: Enter the password associated with the username.

Click Test. The Log displays the test results.

Enabling and Disabling Directory Services

Disabling a directory service makes it unavailable for user authentication. The directory is not removed from the authentication configuration. Any users currently logged on using the selected authentication service are not affected. If these users log out, they will not be able to log back in with the disabled directory service. You cannot disable Signiant Native Product Authentication.

To disable a directory service, click Disable.
To reactivate the directory service, click Enable.

Deleting Directory Services

When you delete a network directory service, users who authenticate through that directory service are no longer able to log into the Manager. Any users currently logged in through the deleted directory service are not affected; once they log out they are not able to log back in through it. You will also lose all of the configuration associated with the directory service.

To delete a directory service, select the directory service, click Delete and confirm the deletion.

Reordering the Directory Services List

When the Manager Authentication Service authenticates a user, it runs through the list of directory services as they appear. You can reorder the list of directory services so that the Manager scans the most common directory service in your network first.

To reorder directory services, select the directory service to move and click Move Up or Move Down.

Configuring System-wide Settings

System-wide user settings are applied to a user the first time they log into the Manager. Each time a user who is not already in the Manager database logs in, the default actions specified in the system-wide user settings occur.

To configure system-wide settings, click Settings in the toolbar and choose Directory Services Settings:

  • Default User Group: Select the group that users are assigned to by default when they first log in. When Auto Register New Users is enabled, users are automatically assigned to any groups in the Signiant Manager that match the groups with which the user is associated in their directory service. If no matching groups exist, users are assigned to the default group selected here. To specify that no default user group be assigned, select Do not use a default User Group.

  • Auto Register New Users: Enable this option to automatically register new users. This requires the selected directory service to accept the user's authentication credentials. To ensure that not everyone in your organization has access to the Signiant Manager, disable this option after all users have logged in once.

  • Allow Administrative Login: Enable this option to allow directory users to log into the Signiant Manager.

  • Organization for Auto Registered Users: Select the organization to which users are assigned when they are automatically registered on first login. When No Organization is selected, user accounts are created in the Manager's _System_ organization and are not displayed unless this organization has been granted to the administrator.

  • Organization for Auto Registered Manager UI Users Based On Group Membership: Enable this option to allow all auto-registered Signiant Manager users to be assigned to the organization associated with the Signiant group that matches the group with which the user is associated in their directory service. This option does not apply to auto-registered Media Exchange users. If a user belongs to a group in their directory service that matches a group name in the Signiant Manager, the organization associated with that group is assigned to the user. For example, if you have a Signiant group called "Accountants" whose associated organization is "Accounting", all auto-registered users who belong to the "Accountants" group in their directory service are automatically assigned to the "Accounting" organization upon first login to the Signiant Manager.

    Note: When enabled, this option overrides the Default User Group and Organization for Auto Registered Users. Users who match are not assigned to the default user group or organization specified.

  • Cache Passwords For Logged In Users: Enable this option to ensure that when a user's password changes, any jobs associated with the user still run. The Signiant Manager will update the cached password.

  • Enable Active Directory Users Synchronization: Applies only to Active Directory users. Once enabled, you must configure the Synchronization period in days.
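The added example below (not Signiant's code) writes out the group and organization rules from First Time Login and the system-wide settings above so the precedence is unambiguous: directory groups matching Signiant groups by name are assigned, the default user group applies only when nothing matches, the organization-from-group option overrides both defaults for matching users, and on later logins memberships without a corresponding directory group are dropped except the default group. The page does not say which organization wins when a user matches several groups with different organizations; picking the first matching group in list order is an assumption made here, as are the function names and the constructed sample data.

```python
"""Group and organization assignment for directory users (added illustration)."""

SYSTEM_ORG = "_System_"


def first_login_assignment(directory_groups, signiant_groups, default_group,
                           default_org, org_from_group_membership):
    """Return (groups, organization) for an auto-registered user.

    signiant_groups maps Signiant group name -> associated organization
    (None when the group has no organization). Matching is by exact name.
    default_group / default_org of None mean "Do not use a default User
    Group" / "No Organization".
    """
    wanted = set(directory_groups)
    matched = [g for g in signiant_groups if g in wanted]
    if matched:
        groups = matched
    elif default_group is not None:
        groups = [default_group]
    else:
        groups = []

    org = default_org if default_org is not None else SYSTEM_ORG
    if org_from_group_membership:
        # Overrides the default group/organization for users who match.
        # Assumption: first matching group (in list order) that has an
        # organization wins; the documentation does not define the tie-break.
        for g in matched:
            if signiant_groups[g] is not None:
                org = signiant_groups[g]
                break
    return groups, org


def sync_on_login(current_groups, directory_groups, signiant_groups, default_group):
    """Resynchronise membership on a later login.

    Memberships whose group is still among the user's directory groups are
    kept, matching groups the user is not yet in are added, and every other
    membership is removed, except the default user group.
    """
    wanted = set(directory_groups)
    kept = [g for g in current_groups if g in wanted or g == default_group]
    added = [g for g in signiant_groups if g in wanted and g not in kept]
    return kept + added


if __name__ == "__main__":
    # Constructed Signiant group list, reusing the page's Accountants example.
    signiant_groups = {"Accountants": "Accounting", "Editors": "Post", "Signiant Users": None}
    print(first_login_assignment(["Domain Users", "Accountants"], signiant_groups,
                                 "Signiant Users", "Media", True))
    print(sync_on_login(["Accountants", "Editors", "Signiant Users"], ["Editors"],
                        signiant_groups, "Signiant Users"))
```

Running the stand-alone demo shows the Accountants user landing in the Accounting organization rather than the default Media organization, and a later login removing the Accountants membership once the directory no longer lists it while keeping the default group.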

User Lockout

To prevent user lockout, after any change to a user's Active Directory/LDAP/LDAPS password the user should log into the Manager again so that the new password is cached. Otherwise a job scheduled to run regularly as that user keeps attempting to run with the old password, and the repeated failures eventually lock the account on the Manager and on the Active Directory or LDAP/LDAPS server.
