Adding a user store
Complete the following procedure to add a user store to VIP Enterprise Gateway.
Once you add a user store, you can manage it on the User Store page. See Managing user stores.
- Do one of the following steps:
  - If no user stores have been added to VIP Enterprise Gateway, click the User Store tab to access the Add User Store page.
  - If a user store has already been added to VIP Enterprise Gateway, click the User Store tab. On the User Store page, click Add New to display the Add User Store page.
- On the Add User Store page, enter the details described below and click Submit.

User Store

- Type: Type of user store (LDAP).
- Copy Settings From: Select Create New to create a user store, or select a user store from the list of existing user stores to copy all the settings from that user store to the new user store. If you copy the settings from an existing user store, you can edit or retain any of the settings for the new user store.
- Name: Enter a unique name for the user store that you want to create. The user store name can only contain ASCII characters, underscores (_), periods (.), and dashes (-). This name appears in the list that displays the names of user stores that you have added to VIP Enterprise Gateway.

Server Information

- Connection: Enter a unique name for the LDAP server that you want to add as a failover user store. The connection name can only contain ASCII characters, underscores (_), periods (.), and dashes (-).
- Host: The server ID (IP address in IPv4 format or fully qualified domain name) of the LDAP user store.
- Port: The port number for the machine hosting the user store database. Symantec recommends that you use the default port number 389 if you are not using a secure socket layer (SSL) connection, or 636 if you enable SSL.
- Timeout: The maximum number of seconds that VIP Enterprise Gateway waits for a connection to the user store database.
- Enable SSL: Select whether to use SSL to secure the connection between VIP Enterprise Gateway and the user store database. If the LDAP server is configured with SSL and you have selected the Enable SSL option, you must ensure the following:
  - Import the root and intermediate certificates that are associated with the SSL certificate that the LDAP server uses into the VIP Enterprise Gateway Trusted CA Store. Adding the root and intermediate certificates enables LDAP server connections from the Configuration Console, Self Service Portal, My VIP portal, VIP Manager, IdPs, and LDAP Synchronization.
  - Because the Validation Server uses the Windows native LDAP client, you must also add the root and intermediate certificates to the Windows certificate store. To add these certificates, navigate to MMC > Add/Remove Snap-in > Certificates and import the root and intermediate certificates that are associated with the LDAP server there.
  - The Subject Name in the LDAP SSL certificate must contain the complete fully qualified domain name, including the host name of the LDAP server.
  - Restart all Validation Servers after these changes have been completed.

  If you want to allow users to reset their expired password in an Active Directory (AD) user store, you must enable SSL on this page.

Bind Information

- User Distinguished Name: The Distinguished Name (DN) of the user account that VIP Enterprise Gateway uses to bind to the user store. For example, CN=admin,DC=acme,DC=com. This user account should have the following privileges:
  - For AD-based user stores, the user account must have domain user privileges.
  - For LDAP-based user stores, the user must have search privileges on the subtree for the given search base. For example, if the Base DN is configured as ou=vipadministrators,dc=acme,dc=com, the user must have search privileges for the entire search base.
- Password: The password that you use to log in to the user store database.

Search Criteria

- Base DN: A string that indicates where to start searching for user information within the user store database. For example, DC=acme,DC=com. If you use your directory root as the Base DN, searches may take longer to complete (Base DN is optional for AD Catalog-based user stores). If you are configuring AD as a user store, the Domain Lookup button appears near the Base DN field after you enter a string in the Base DN field. Click Domain Lookup to check whether any sub-domains are associated with the AD. If sub-domains are available, you can select each of the sub-domains and click Submit to create an individual user store for each of them.
- User Filter: Specify your user store filters for the directory search. For example:
  - To search for a user, use the format (&(uid=%s)(objectclass=organizationalPerson))
  - To search for a user in AD, use the format (&(&(objectClass=user)(objectCategory=person))(sAMAccountName=%s))
  - To search for a user in AD with group membership enabled, use the format (&(&(objectClass=user)(objectCategory=person))(sAMAccountName=%s)(memberOf=cn=Security_group,cn=Users,DC=sales,DC=acme,DC=com))

  Replace %s with the user name used to log in.
- Edit Default VIP User Name Attribute: Select this check box if you want to edit the LDAP attribute value that is used as the VIP User Name.
- VIP User Name Attribute: If you selected the Edit Default VIP User Name Attribute check box, enter the new LDAP attribute value that you want to use as the VIP User Name in VIP Authentication Service. The VIP Administrator must use these values for one-time registration. To change these values, contact Symantec Support.

Test Settings

- Test User Name: An existing user ID used to verify that the user specified in the User Distinguished Name field has the correct search permissions on the user store. The test is mandatory to verify that the configuration is working.
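The user filter templates above substitute the login name for %s. As an added example, not part of the original page or of VIP Enterprise Gateway, the following Python script shows how a reviewer can sanity-check a user store configuration against the rules stated on this page (name character set, 389/636 port pairing with Enable SSL, positive timeout, exactly one %s in the filter, a test user name present) and how the %s substitution should escape the login name per RFC 4515 so that filter metacharacters in a user name cannot change the structure of the search filter. The sample configuration, the connection and host names, and the test user are constructed values; the interpretation of "ASCII characters" as ASCII letters and digits is an assumption.

```python
import re

# Characters that RFC 4515 requires to be escaped when a value is placed inside
# an LDAP search filter. Escaping the login name before it replaces %s keeps
# metacharacters in a user name from altering the filter's structure.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumed reading of the page's naming rule for user store and connection names:
# ASCII letters and digits, plus underscore, period and dash.
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")

# Default ports named on the page for plain LDAP and LDAP over SSL.
LDAP_PORT = 389
LDAPS_PORT = 636


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for safe inclusion in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, login_name: str) -> str:
    """Replace the single %s placeholder in a user filter template with the escaped login name."""
    if template.count("%s") != 1:
        raise ValueError("user filter template must contain exactly one %s placeholder")
    return template.replace("%s", escape_filter_value(login_name))


def check_user_store(settings: dict) -> list:
    """Return the list of problems found in a user store configuration (empty if none)."""
    problems = []
    for key in ("name", "connection"):
        if not _NAME_RE.match(settings.get(key, "")):
            problems.append(f"{key}: must contain only ASCII letters/digits, '_', '.' or '-'")
    port = settings.get("port")
    enable_ssl = settings.get("enable_ssl", False)
    if enable_ssl and port == LDAP_PORT:
        problems.append("port: Enable SSL is on but 389 is the plain LDAP default; 636 expected")
    if not enable_ssl and port == LDAPS_PORT:
        problems.append("port: 636 is the SSL default but Enable SSL is off")
    timeout = settings.get("timeout")
    if not isinstance(timeout, int) or timeout <= 0:
        problems.append("timeout: must be a positive number of seconds")
    if settings.get("user_filter", "").count("%s") != 1:
        problems.append("user_filter: must contain exactly one %s placeholder")
    if not settings.get("test_user"):
        problems.append("test_user: a Test User Name is required to verify the bind account's search rights")
    return problems


# Constructed sample configuration mirroring the AD example on the page.
SAMPLE_STORE = {
    "name": "corp-ad",
    "connection": "dc01-ldaps",          # hypothetical connection name
    "host": "dc01.acme.example",         # hypothetical host
    "port": LDAPS_PORT,
    "timeout": 30,
    "enable_ssl": True,
    "bind_dn": "CN=admin,DC=acme,DC=com",
    "base_dn": "DC=acme,DC=com",
    "user_filter": "(&(&(objectClass=user)(objectCategory=person))(sAMAccountName=%s))",
    "test_user": "jdoe",                 # hypothetical test user
}

if __name__ == "__main__":
    print("config problems:", check_user_store(SAMPLE_STORE) or "none")
    print(build_user_filter(SAMPLE_STORE["user_filter"], "jdoe"))
    # A login name containing filter metacharacters is escaped, not interpreted.
    print(build_user_filter(SAMPLE_STORE["user_filter"], "j*doe)"))
```

Run the script as-is to see the checks pass on the sample store and the two filters it produces; point `check_user_store` at your own settings dictionary to review a configuration before entering it on the Add User Store page.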