Connect to an LDAP directory

  • Create an LDAP account for BlackBerry UEM that is located in the relevant LDAP directory. The account must meet the following requirements:
    • The account has permission to read all users in the directory.
    • The account's password never expires and the user is not required to change the password at next login.
  • If the LDAP connection is SSL encrypted, make sure that you have the server certificate for the LDAP connection and that the LDAP server supports TLS 1.2. If SSL is enabled, the LDAP connection to BlackBerry UEM must use TLS 1.2.
  • Verify the LDAP attribute values that your organization uses (the steps below give examples for typical attribute values). You must specify the LDAP attribute values at step 11 and on.
  1. On the menu bar, click Settings > External integration > Company directory.
  2. Click Add an LDAP connection.
  3. In the Directory connection name field, type a name for the directory connection.
  4. In the LDAP server discovery drop-down list, perform one of the following actions:
     • To automatically discover the LDAP server, click Automatic. In the DNS domain name field, type the domain name for the server that hosts the company directory.
     • To specify a list of LDAP servers, click Select server from list below. In the LDAP server field, type the name of the LDAP server. To add more LDAP servers, click the Add icon.
  5. In the Enable SSL drop-down list, perform one of the following actions:
     • If the LDAP connection is SSL encrypted, click Yes. Beside the LDAP server SSL certificate field, click Browse and select the LDAP server certificate.
     • If the LDAP connection is not SSL encrypted, click No.
  6. In the LDAP Port field, type the TCP port number for communication. The default values are 636 for SSL enabled or 389 for SSL disabled.
  7. In the Authorization required drop-down list, perform one of the following actions:
     • If authorization is required for the connection, click Yes. In the Login field, type the DN of the user that is authorized to log in to LDAP (for example, an=admin,o=Org1). In the Password field, type the password.
     • If authorization is not required for the connection, click No.
  8. In the User Search base field, type the value to use as the base DN for user information searches.
  9. In the LDAP user search filter field, type the LDAP search filter that is required to find user objects in your organization's directory server. For example, for an IBM Domino Directory, type (objectClass=Person). If you want to exclude disabled user accounts from search results, type (&(objectclass=user)(logindisabled=false)).
  10. In the LDAP user search scope drop-down list, perform one of the following actions:
     • To search all objects following the base object, click All levels. This is the default setting.
     • To search objects that are one level directly following the base DN, click One level.
  11. In the Unique identifier field, type the name of the attribute that uniquely identifies each user in your organization's LDAP directory (must be a string that is immutable and globally unique). For example, dominoUNID in IBM Domino LDAP 7 and later.
  12. In the First name field, type the attribute for each user's first name (for example, givenName).
  13. In the Last name field, type the attribute for each user's last name (for example, sn).
  14. In the Login attribute field, type the login attribute to use for authentication (for example, uid).
  15. In the Email address field, type the attribute for each user's email address (for example, mail). If you do not set the value, a default value is used.
  16. In the Display name field, type the attribute for each user's display name (for example, displayName). If you do not set the value, a default value is used.
  17. In the Email profile account name field, type the attribute for each user's email profile account name (for example, mail).
  18. In the User Principal Name field, type the attribute to use as the user principal name for SCEP (for example, mail).
  19. To enable directory-linked groups for the directory connection, select the Enable directory-linked groups check box. Specify the following information:
     • In the Group search base field, type the value to use as the base DN for group information searches.
     • In the LDAP group search filter field, type the LDAP search filter that is required to find group objects in your company directory. For example, for IBM Domino Directory, type (objectClass=dominoGroup).
     • In the Group Unique Identifier field, type the attribute for each group's unique identifier. This attribute must be immutable and globally unique (for example, type cn).
     • In the Group Display name field, type the attribute for each group's display name (for example, type cn).
     • In the Group Membership attribute field, type the name of the attribute for group membership. The attribute values must be in DN format (for example, CN=jsmith,CN=Users,DC=example,DC=com).
     • In the Test Group Name field, type an existing group name for validating the group attributes specified.
  20. Click Save.
  21. Click Close.
If you want to add a directory synchronization schedule, see Add a synchronization schedule.
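The search settings entered in steps 8 to 10 and 19 (base DN, filter, scope, DN-valued group membership) can be reasoned about offline before they are saved. The following Python script is an example added to this page, not BlackBerry UEM code or any LDAP server's code: it implements the filter forms shown above (equality, &, |, !), the two UEM search scopes, and DN-based group membership resolution, and runs them against a small constructed directory. All DNs, attribute values and the uem-admins group in it are made up; the Domino unique identifier (dominoUNID) is replaced by uid for the sample.

```python
"""Offline check of UEM-style LDAP search settings: filter, scope, group DNs.

Illustration added to this page, not BlackBerry or LDAP-server code.
Simplifications: attribute names and values compare case-insensitively,
and DNs are split on bare commas (escaped commas are not handled).
"""

# Constructed sample directory: DN -> {attribute: [values]}.
SAMPLE_DIRECTORY = {
    "CN=jsmith,CN=Users,DC=example,DC=com": {
        "objectClass": ["top", "Person", "user"], "uid": ["jsmith"], "sn": ["Smith"],
        "givenName": ["Jane"], "mail": ["jsmith@example.com"], "logindisabled": ["false"]},
    "CN=bjones,CN=Users,DC=example,DC=com": {                        # disabled account
        "objectClass": ["top", "Person", "user"], "uid": ["bjones"], "sn": ["Jones"],
        "givenName": ["Bob"], "mail": ["bjones@example.com"], "logindisabled": ["true"]},
    "CN=cdoe,OU=Contractors,CN=Users,DC=example,DC=com": {           # one level deeper
        "objectClass": ["top", "Person", "user"], "uid": ["cdoe"], "sn": ["Doe"],
        "givenName": ["Chris"], "mail": ["cdoe@example.com"], "logindisabled": ["false"]},
    "CN=uem-admins,CN=Groups,DC=example,DC=com": {
        "objectClass": ["top", "dominoGroup"], "cn": ["uem-admins"],
        "member": ["CN=jsmith,CN=Users,DC=example,DC=com"]},
}

def parse_filter(text):
    """Parse an LDAP filter string (equality, &, |, !) into a tuple tree."""
    node, end = _parse(text.strip(), 0)
    if end != len(text.strip()):
        raise ValueError("unexpected text after filter")
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":            # compound: (&...), (|...), (!...)
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError("malformed compound filter")
        return (op, children), i + 1
    end = s.index(")", i)                       # simple equality: (attr=value)
    attr, sep, value = s[i:end].partition("=")
    if not attr or not sep:
        raise ValueError("expected attr=value")
    return ("=", attr, value), end + 1

def get_values(attrs, name):
    for key, values in attrs.items():           # LDAP attribute names are case-insensitive
        if key.lower() == name.lower():
            return values
    return []

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    if node[0] == "=":
        values = get_values(attrs, node[1])
        if node[2] == "*":                      # presence filter, e.g. (mail=*)
            return bool(values)
        return any(v.lower() == node[2].lower() for v in values)
    op, children = node
    if op == "&":
        return all(matches(c, attrs) for c in children)
    if op == "|":
        return any(matches(c, attrs) for c in children)
    return not matches(children[0], attrs)      # "!"

def _rdns(dn):
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(dn, base_dn, scope):
    """'all' = UEM "All levels" (LDAP subtree); 'one' = UEM "One level"."""
    if scope not in ("all", "one"):
        raise ValueError(f"unknown scope {scope!r}")
    d, b = _rdns(dn), _rdns(base_dn)
    if len(d) < len(b) or d[-len(b):] != b:
        return False                            # not under the base DN at all
    depth = len(d) - len(b)                     # 0 is the base object itself
    return scope == "all" or depth == 1

def search(directory, base_dn, scope, filter_text):
    """Return {dn: attrs} for entries in scope that satisfy the filter."""
    node = parse_filter(filter_text)
    return {dn: attrs for dn, attrs in directory.items()
            if in_scope(dn, base_dn, scope) and matches(node, attrs)}

def resolve_group_members(directory, group_dn, membership_attr, login_attr):
    """Follow DN-valued membership values to user entries and return their logins."""
    by_dn = {",".join(_rdns(dn)): attrs for dn, attrs in directory.items()}
    logins = []
    for member_dn in get_values(directory[group_dn], membership_attr):
        entry = by_dn.get(",".join(_rdns(member_dn)))
        if entry is None:                       # e.g. a bare uid instead of a DN
            raise LookupError(f"membership value is not a resolvable DN: {member_dn}")
        logins.extend(get_values(entry, login_attr))
    return logins

if __name__ == "__main__":
    base = "CN=Users,DC=example,DC=com"
    print(sorted(search(SAMPLE_DIRECTORY, base, "one", "(objectClass=Person)")))
    print(sorted(search(SAMPLE_DIRECTORY, base, "all",
                        "(&(objectclass=user)(logindisabled=false))")))
    print(resolve_group_members(SAMPLE_DIRECTORY,
                                "CN=uem-admins,CN=Groups,DC=example,DC=com", "member", "uid"))
```

Run as a script, it shows the three effects worth checking before synchronizing: the (&(objectclass=user)(logindisabled=false)) filter from step 9 drops the disabled bjones account, the One level scope from step 10 drops cdoe because that entry sits in an OU below the user search base, and a membership value that is not a resolvable DN makes resolve_group_members fail loudly instead of silently yielding an empty group, which is the kind of attribute mismatch the Test Group Name check in step 19 is there to catch.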