Advanced configuration: LDAP mode

The values for Advanced LDAP configuration mode are populated with default configuration settings based on the LDAP server type that you selected. Use this option if you need to edit these values for your environment.

Use Advanced LDAP configuration in the following scenarios:
  • You are using OpenLDAP, so you must configure how the Cloud Extender® looks for users, groups, Organizational Units (OU), and domains.
  • You must map user properties on MaaS360® to specific fields in your LDAP.
  • You must support user custom attributes.

To configure advanced settings for LDAP mode, click Advanced on the last screen of the module configuration.

Object Classes configuration

LDAP Object Classes define a type of object in LDAP. Every user and every user group on LDAP uses a specific Object Class. With the Object Class, you can list all objects that have that Object Class. After you set up a user visibility profile in Basic configuration mode, select the Object Class of your users and groups.

LDAP Object Classes configuration settings
Table 1. LDAP Object Classes configuration settings

Object Class for User
  The object class that identifies the type of all your users.

  The Cloud Extender uses the Basic mode configuration, queries your LDAP for all possible Object Classes for users, and lists them. If the Object Class for your users is not automatically discovered or does not appear in the select list, type the Object Class for users.

  The following image provides an example of the Object Class for a user on Active Directory:

  Object Class for a user on Active Directory

Object Class for Groups
  The object class that identifies the type of all your user groups.

  The following image provides an example of the Object Class for a group of users on Active Directory:

  Object Class for a group of users on Active Directory

Load Attributes
  Fetches all attributes of users and groups that are used to configure the Mandatory User Attributes, Optional User Attributes, and User Custom Attributes.

Mandatory User Attributes configuration

During the authentication process, the Cloud Extender reads certain attributes of the user from your directory that it requires for other configuration aspects after a device is enrolled in the IBM® MaaS360 Portal.

Mandatory User Attributes configuration settings
Table 2. Mandatory User Attributes configuration settings

Username
  In Basic configuration mode, the Cloud Extender uses the User Search Attribute Name to search for the user in LDAP.

  This user is the user who is trying to enroll the device. You can pick the same attribute here. If you need to represent users by a different attribute in MaaS360 (for example, by email address), select a different attribute.

  Note: This attribute is part of the %username% variable in MaaS360. Use this variable in MaaS360 policies to configure email on mobile devices. This variable converts to the user name for the user's email configuration.

Domain
  The domain of the user.

  You use the domain to configure email on the mobile device. You can map the domain field to a specific attribute on your directory or derive the domain from the user's Distinguished Name (DN).

  The following is an example of the DN format: uid=username,c=us,ou=subdomain,dc=company,dc=com

  With this DN, if your domain is set to Derive from DN, the domain is company.com (the dc= components joined in order).

Mail Address
  The email address of the user. Use this address to configure email on the device.

Group Membership
  Group membership is evaluated in one of the following ways:
  • By user object, based on an attribute that specifies all groups that a user is a member of (for example, memberOf in AD).
  • By group object, based on an attribute that specifies all of its members (for example, member in AD).

  Use this option to configure integration by either user or group object and to provide the corresponding attribute for group evaluation.
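The following is an added example (not part of the IBM documentation or the Cloud Extender's own code) that works through the two points above on constructed sample entries: deriving the domain from the dc= components of a DN, and evaluating group membership either from the user object (memberOf style) or from the group objects (member style). The entry dictionaries, the group names, and the attribute names are assumptions for illustration.

```python
import re

# Constructed sample entries shaped like the page's examples (not real directory data).
USER_DN = "uid=username,c=us,ou=subdomain,dc=company,dc=com"
USER_ENTRY = {"dn": "cn=jdoe,ou=Users,dc=company,dc=com",
              "memberOf": ["cn=Sales,ou=Groups,dc=company,dc=com"]}
GROUP_ENTRIES = [{"dn": "cn=Sales,ou=Groups,dc=company,dc=com",
                  "member": ["CN=jdoe,OU=Users,DC=company,DC=com"]},
                 {"dn": "cn=Admins,ou=Groups,dc=company,dc=com",
                  "member": ["cn=root,ou=Users,dc=company,dc=com"]}]

def split_rdns(dn):
    """Split a DN into (type, value) pairs, honouring backslash-escaped commas (RFC 4514)."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.replace("\\,", ",")))
    return pairs

def domain_from_dn(dn):
    """'Derive from DN': join the dc= components in order. If the DN has none,
    the domain cannot be derived and must be mapped to an attribute instead."""
    dcs = [value for attr, value in split_rdns(dn) if attr == "dc"]
    if not dcs:
        raise ValueError("no dc= components in DN; map Domain to an attribute instead")
    return ".".join(dcs)

def normalize_dn(dn):
    """Comparison key: DNs are matched case-insensitively and ignoring spaces around commas."""
    return ",".join(f"{attr}={value.lower()}" for attr, value in split_rdns(dn))

def groups_by_user_object(user, attr="memberOf"):
    """Membership read from the user object (for example, memberOf in AD)."""
    return {normalize_dn(group) for group in user.get(attr, [])}

def groups_by_group_object(user_dn, groups, attr="member"):
    """Membership read from each group object (for example, member in AD)."""
    key = normalize_dn(user_dn)
    return {normalize_dn(group["dn"]) for group in groups
            if key in {normalize_dn(member) for member in group.get(attr, [])}}
```

Both evaluation paths should return the same set for a given user; a mismatch usually points at a stale backlink attribute or a DN that differs only in case or spacing, which is why the comparison normalizes DNs.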

Optional User Attributes configuration

In addition to Mandatory User Attributes, the Cloud Extender module for User Visibility reads optional user attributes and updates those attributes periodically. These values are uploaded to the IBM MaaS360 Portal and are used later for grouping devices or as configuration parameters. The User Principal Name (UPN) is a common field that is used in various MaaS360 workflows.

The following image shows the standard list of user attributes on MaaS360 that can be mapped to the user's attributes on your directory:

Optional User Attributes configuration settings

Logon Hours setting that pauses authentication outside of Active Directory logon hours (supported by Cloud Extender 2.92 and later): The Cloud Extender 2.92 release prevents mobile devices from trying to sync with Active Directory outside valid logon periods, attempts that otherwise result in misleading error messages. With this feature, every user record in Active Directory uses a Logon Hours value that specifies when a user can log on and authenticate. The Cloud Extender Configuration Tool includes an option to specify whether to include the Logon Hours for users when you configure LDAP User Visibility using Active Directory. For User Visibility using Active Directory (not LDAP), the Logon Hours are sent unconditionally. Currently, the Logon Hours feature cannot be set for User Authentication.

The Cloud Extender retrieves data from Active Directory at the user level and sends that data back to the IBM MaaS360 Portal for the User Visibility module. The Portal distributes that data to agents. If logon hours are enabled, that information is sent to the IBM MaaS360 Portal at least once every 4 hours. The Logon Hours are displayed in the Corporate Information tab for the User Visibility module:

Logon Hours setting in Portal

Custom User Attributes configuration

Use the Custom User Attributes feature to define your own attributes in the IBM MaaS360 Portal and in various configuration workflows.

For example:
  • You define a Custom User Attribute that is called Employee Serial Number and then use this value in MaaS360 policies for device configuration, application configuration, or as a part of Identity Certificates.
  • You define a Custom User Attribute that is called Home Directory that can be used to configure Windows file shares on mobile devices.

You can use Custom User Attributes to map to your directory user's LDAP attributes. The following image provides an example of mappings against Microsoft Active Directory:

Custom User Attributes configuration settings

Other advanced settings

You can configure more LDAP settings for optimized User/Group searches and more domain mapping fields for multi-profile (multi-forest) setups:

Advanced LDAP settings
Table 3. Advanced LDAP settings

User Filters
  Filters the list of users that the Cloud Extender discovers, such as filtering only active users or users that belong to specific departments. Use standard LDAP filter queries to further optimize your user searches.

Group Filters
  Filters the list of groups that the Cloud Extender discovers.

Domain Filters
  Filters the list of domains that the Cloud Extender discovers.

OU Filters
  Filters the list of Organizational Units (OU) that contain users and groups in the directory.
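As an added example (not from the IBM documentation or the Cloud Extender itself), the following builds the kind of standard LDAP filters the table refers to: the lookup for the enrolling user, an "active users only" clause for Active Directory, and a department restriction. Values that come from outside the configuration (the logon name a user types at enrollment) are escaped per RFC 4515 so they cannot change the meaning of the filter. The attribute names and department values are assumptions for illustration.

```python
# Characters with special meaning inside an LDAP filter assertion value (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a value before embedding it in a filter so it is matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

# Active Directory only: the bitwise-AND matching rule on userAccountControl;
# bit value 2 is ACCOUNTDISABLE, so negating the match keeps only enabled accounts.
ACTIVE_USERS_ONLY = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

def user_search_filter(object_class, search_attr, logon_name, user_filter=None):
    """Filter that finds the enrolling user: its Object Class AND the User Search
    Attribute, optionally narrowed by the administrator's User Filters clause.
    object_class and search_attr come from the configuration; logon_name does not."""
    clauses = [f"(objectClass={escape_filter_value(object_class)})",
               f"({search_attr}={escape_filter_value(logon_name)})"]
    if user_filter:
        clauses.append(user_filter)  # a complete filter written by the administrator
    return "(&" + "".join(clauses) + ")"

def department_filter(departments):
    """User Filters clause that keeps only users in the given departments."""
    return "(|" + "".join(f"(department={escape_filter_value(d)})" for d in departments) + ")"

def group_search_filter(object_class, group_filter=None):
    """Filter for discovering groups, optionally narrowed by the Group Filters clause."""
    base = f"(objectClass={escape_filter_value(object_class)})"
    return f"(&{base}{group_filter})" if group_filter else base
```

Without the escaping, a logon name such as `*` or `jdoe)(objectClass=*` would match more entries than intended, so apply it to every value that is not part of the administrator's own configuration.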

LDAP configuration for cross-forest visibility

Unlike the User Authentication module, the User Visibility module does not support multiple profiles for LDAP configuration. If your environment requires cross-forest visibility while the Cloud Extender is configured in LDAP mode, configure separate instances of the Cloud Extender for each forest (trusting or non-trusting).

Next steps

The IBM MaaS360 Portal offers the Cloud Extender Scaling Tool at Setup > Services > Enterprise Email Integration. Enter the number of users/devices that you plan to enroll for MaaS360 to determine how many Cloud Extenders you might need to support this scale.

Install the specified number of Cloud Extenders and configure each instance with a unique, non-overlapping search base for finding users and groups. The User Visibility module does not support High Availability (HA). You can set up redundant instances of the Cloud Extender to take over if the primary instance of the Cloud Extender fails.