Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry UEM 12.18
  3. Installation and configuration
  4. Configuration
  5. Connecting to your company directories
  6. Connect to an LDAP directory

Connect to an LDAP directory

  • Create an LDAP account for
    BlackBerry UEM
     that is located in the relevant LDAP directory. The account must meet the following requirements:
    • The account has permission to read all users in the directory.
    • The account's password never expires and the user is not required to change the password at next login.
  • If the LDAP connection is SSL encrypted, make sure that you have the server certificate for the LDAP connection and that the LDAP server supports TLS 1.2. If SSL is enabled, the LDAP connection to
    BlackBerry UEM
     must use TLS 1.2.
  • Verify the LDAP attribute values that your organization uses (the steps below give examples for typical attribute values). You must specify the LDAP attribute values at step 11 and on.
  1. On the menu bar, click
    Settings > External integration > Company directory
    .
  2. Click
    Add an LDAP connection
    .
  3. In the
    Directory connection name
     field, type a name for the directory connection.
  4. In the
    LDAP server discovery
     drop-down list, perform one of the following actions:
    • To automatically discover the LDAP server, click
      Automatic
      . In the
      DNS domain name
       field, type the domain name for the server that hosts the company directory.
    • To specify a list of LDAP servers, click
      Select server from list below
      . In the
      LDAP server
       field, type the name of the LDAP server. To add more LDAP servers, click The Add icon.
  5. In the
    Enable SSL
     drop-down list, perform one of the following actions:
    • If the LDAP connection is SSL encrypted, click
      Yes
      . Beside the
      LDAP server SSL certificate
       field, click
      Browse
       and select the LDAP server certificate.
    • If the LDAP connection is not SSL encrypted, click
      No
      .
  6. In the
    LDAP Port
     field, type the TCP port number for communication. The default values are 636 for SSL enabled or 389 for SSL disabled.
  7. In the
    Authorization required
     drop-down list, perform one of the following actions:
    • If authorization is required for the connection, click
      Yes
      . In the
      Login
       field, type the DN of the user that is authorized to log in to LDAP (for example, an=admin,o=Org1). In the
      Password
       field, type the password.
    • If authorization is not required for the connection, click
      No
      .
  8. In the
    User Search base
     field, type the value to use as the base DN for user information searches.
  9. In the
    LDAP user search filter
     field, type the LDAP search filter that is required to find user objects in your organization's directory server. For example, for an
    IBM Domino Directory
    , type
    (objectClass=Person)
    .
    If you want to exclude disabled user accounts from search results, type
    (&(objectclass=user)(logindisabled=false))
    .
  10. In the
    LDAP user search scope
     drop-down list, perform one of the following actions:
    • To search all objects following the base object, click
      All levels
      . This is the default setting.
    • To search objects that are one level directly following the base DN, click
      One level
      .
  11. In the
    Unique identifier
     field, type the name of the attribute that uniquely identifies each user in your organization's LDAP directory (must be a string that is immutable and globally unique). For example,
    dominoUNID
     in
    IBM Domino
     LDAP 7 and later.
  12. In the
    First name
     field, type the attribute for each user’s first name (for example,
    givenName
    ).
  13. In the
    Last name
     field, type the attribute for each user’s last name (for example,
    sn
    ).
  14. In the
    Login attribute
     field, type the login attribute to use for authentication (for example,
    uid
    ).
  15. In the
    Email address
     field, type the attribute for each user's email address (for example,
    mail
    ). If you do not set the value, a default value is used.
  16. In the
    Display name
     field, type the attribute for each user's display name (for example,
    displayName
    ). If you do not set the value, a default value is used.
  17. In the
    Email profile account name
     field, type the attribute for each user’s email profile account name (for example,
    mail
    ).
  18. In the
    User Principal Name
    field, type the user principal name for SCEP (for example,
    mail
    ).
  19. To enable directory-linked groups for the directory connection, select the
    Enable directory-linked groups
     check box.
    Specify the following information:
    • In the
      Group search base
       field, type the value to use as the base DN for group information searches.
    • In the
      LDAP group search filter
       field, type the LDAP search filter that is required to find group objects in your company directory. For example, for
      IBM Domino Directory
      , type
      (objectClass=dominoGroup)
      .
    • In the
      Group Unique Identifier
       field, type the attribute for each group's unique identifier. This attribute must be immutable and globally unique (for example, type
      cn
      ).
    • In the
      Group Display name
       field, type the attribute for each group's display name (for example, type
      cn
      ).
    • In the
      Group Membership attribute‎
       field, type the name of the attribute for group membership. The attribute values must be in DN format (for example,
      CN=jsmith,CN=Users,DC=example,DC=com
      ).
    • In the
      Test Group Name‎
       field, type an existing group name for validating the group attributes specified.
  20. Click
    Save
    .
  21. Click
    Close
    .
If you want to add a directory synchronization schedule, see Add a synchronization schedule.