Adding a user store

Complete the following procedure to add a user store to VIP Enterprise Gateway. Once you add a user store, you can manage it on the User Store page.
  1. Do one of the following steps:
    • If no user stores have been added to VIP Enterprise Gateway, click the User Store tab to access the Add User Store page.
    • If a user store has already been added to VIP Enterprise Gateway, click the User Store tab. In the User Store page, click Add New to display the Add User Store page.
  2. In the Add User Store page, enter the following details and click Submit:

    User Store

    Type
      Type of user store (LDAP).

    Copy Settings From
      Select Create New to create a user store, or select a user store from the list of existing user stores to copy all the settings from that user store to the new user store.
      If you copy the settings from an existing user store, edit or retain any of the settings for the new user store.

    Name
      Enter a unique name for the user store that you want to create. The user store name can only contain ASCII characters, underscores (_), periods (.), and dashes (-).
      This name appears in the list that displays the names of the user stores that you have added to VIP Enterprise Gateway.

    Server Information

    Connection
      Enter a unique name for the LDAP server that you want to add as a failover user store. The connection name can only contain ASCII characters, underscores (_), periods (.), and dashes (-).

    Host
      The server ID (IP address in IPv4 format or fully qualified domain name) of the LDAP user store.

    Port
      The port number for the machine hosting the user store database. Symantec recommends that you use the default port number 389 if you are not using a secure socket layer (SSL) connection, or 636 if you enable SSL.

    Timeout
      The maximum number of seconds that VIP Enterprise Gateway waits for a connection to the user store database.

    Enable SSL
      Select whether to use SSL to secure the connection between VIP Enterprise Gateway and the user store database. If the LDAP server is configured with SSL and you have selected the Enable SSL option, you must ensure the following items:
      • Import the root and the intermediate certificates that are associated with the SSL certificate that the LDAP server uses into the VIP Enterprise Gateway Trusted CA Store.
        Adding the root and the intermediate certificates enables LDAP server connections from the Configuration Console, Self Service Portal, My VIP portal, VIP Manager, IdPs, and LDAP Synchronization.
      • Because the Validation Server uses the Windows native LDAP client, you must also add the root and the intermediate certificates to the Windows certificate store. To add these certificates, navigate to MMC > Add/Remove Snap-in > Certificates and import the root and the intermediate certificates that are associated with the LDAP server there.
      • The Subject Name in the LDAP SSL certificate must contain the complete fully qualified domain name, including the host name of the LDAP server.
      • Restart all the Validation Servers after these changes have been completed.
      If you want to allow users to reset their expired password in an Active Directory (AD) user store, you must enable SSL on this page.

    Bind Information

    User Distinguished Name
      The Distinguished Name (DN) of the user account that VIP Enterprise Gateway uses to bind to the user store. For example, CN=admin,DC=acme,DC=com.
      This user account should have the following privileges:
      • For AD-based user stores, the user account must have domain user privileges.
      • For LDAP-based user stores, the user must have search privileges on the subtree for the given search base. For example, if the Base DN is configured as ou=vipadministrators,dc=acme,dc=com, the user must have search privileges for the entire search base.

    Password
      The password that you use to log in to the user store database.

    Search Criteria

    Base DN
      A string that indicates where to start searching for user information within the user store database. For example, DC=acme,DC=com.
      If you use your directory root as the Base DN, searches may take longer to complete (Base DN is optional for AD Catalog-based user stores).
      If you are configuring AD as a user store, the Domain Lookup button appears near the Base DN field after you enter the string in the Base DN field. Click Domain Lookup to check whether any sub-domains are associated with the AD. If sub-domains are available, you can select each of the sub-domains and click Submit to create an individual user store for each of these sub-domains.

    User Filter
      Specify your user store filters for the directory search. For example:
      • To search for a user, use the format (&(uid=%s)(objectclass=organizationalPerson))
      • To search for a user in AD, use the format (&(&(objectClass=user)(objectCategory=person))(sAMAccountName=%s))
      • To search for a user in AD with group membership enabled, use the format (&(&(objectClass=user)(objectCategory=person))(sAMAccountName=%s)(memberOf=cn=Security_group,cn=Users,DC=sales,DC=acme,DC=com))
      Replace %s with the user name of the user who is logging in.

    Edit Default VIP User Name Attribute
      Select this check box if you want to edit the LDAP attribute value that is used as the VIP User Name.

    VIP User Name Attribute
      If you selected the Edit Default VIP User Name Attribute check box, enter the new LDAP attribute value that you want to use as the VIP User Name in VIP Authentication Service.
      The VIP Administrator must use these values for one-time registration. To change these values, contact Symantec Support.

    Test Settings

    Test User Name
      An existing user ID used to verify that the user specified in the User Distinguished Name field has the correct search permissions on the user store. The test is mandatory to verify that the configuration is working.
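The User Filter formats above substitute the login name for %s. The following is an added example (not Symantec's code) that shows the value being escaped per RFC 4515 before substitution, so a name containing filter metacharacters cannot change what the search matches, together with a check of the characters the Name and Connection fields allow and the default ports from the Port field. The helper names, and the reading of "ASCII characters" as ASCII letters and digits, are assumptions.

```python
import re

# Filter templates exactly as given in the User Filter field description;
# "%s" stands for the user name presented at login.
FILTER_LDAP = "(&(uid=%s)(objectclass=organizationalPerson))"
FILTER_AD = "(&(&(objectClass=user)(objectCategory=person))(sAMAccountName=%s))"
FILTER_AD_GROUP = (
    "(&(&(objectClass=user)(objectCategory=person))(sAMAccountName=%s)"
    "(memberOf=cn=Security_group,cn=Users,DC=sales,DC=acme,DC=com))"
)

# RFC 4515 escapes for a value placed inside a search filter. Left unescaped,
# these characters would be parsed as filter syntax rather than as data.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Return value escaped so it is treated as literal text in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, user_name: str) -> str:
    """Substitute the escaped login name for the single %s placeholder."""
    if template.count("%s") != 1:
        raise ValueError("filter template must contain exactly one %s")
    return template.replace("%s", escape_filter_value(user_name))


# Assumption: "ASCII characters" in the Name and Connection field descriptions
# means ASCII letters and digits; underscores, periods and dashes are listed.
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def is_valid_store_name(name: str) -> bool:
    """Check a user store or connection name against the permitted characters."""
    return bool(_NAME_RE.match(name))


def recommended_port(enable_ssl: bool) -> int:
    """Default port from the Port field description: 389, or 636 with SSL."""
    return 636 if enable_ssl else 389
```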