Advanced Settings for AD, LDAP, AD-LDS directories
There are several advanced configuration settings available for your AD, LDAP, and AD-LDS directories.
Sync users and groups in a multi-domain Active Directory
Organizations can have multiple Active Directory domains for different geographical regions. To sync all of the users in all groups, Enterprise Application Access (EAA) provides the Global catalog server option. When you don't select this option, groups and users that belong to other domains in the same AD forest are not synced.
- Log in to Enterprise Center.
- In the Enterprise Center navigation menu, select Application Access > Identity & Users > Directories.
- Select your directory to open it.
- Click the Advanced tab.
- In the Advanced Settings section, enable Global catalog server.
- Click Save.
- Click Sync Directory.
You should see all users synced across multiple domains.
Enterprise Application Access uses ports 3268 and 3269 on the global catalog server to sync groups and users. Make sure Enterprise Application Access can communicate with the Active Directory on these ports, and configure firewall rules to add these ports to the allow list.
Password Management for AD, LDAP directory services
You can configure your AD or LDAP directory to allow EAA to manage password complexity of the Login Portal from Enterprise Center. Every AD has a password complexity requirement. Your business may have other password reset requirements, such as:
- New employees may be required to change their password upon first login.
- Periodic password change, for example every 90 or 180 days, as per your business' security policy. This can be set at the group or individual user level in the AD domain.
- Change password while it is still valid.
- Reset password after it has expired.
- Proactive or at-will password change.
If your AD uses Windows 2008, 2012, or 2016, LDAPS is required for the directory host.
If your AD uses Open LDAP, LDAP or LDAPS may be used for the directory host.
The directory Password Management fields are:
- Allow users to change password. Select this option to allow users to change their passwords in the EAA Login Portal.
  - For the AD, enable this setting to allow users to change their passwords if their current password is valid and you do not require users to reset the password on their next login.
  - For the Open LDAP directory, enable this setting to allow users to change expired passwords and passwords that require a reset, provided the grace authentication limit with expired passwords or must-reset passwords has not been exceeded.
  - By default, this setting is disabled. If disabled, the user cannot change the password through the EAA Login Portal and needs to do so through the native directory outside of EAA.
- Allow users to reset password. Select this option to allow users to change their passwords in the EAA Login Portal.
  - For the AD, enable this setting to allow users to change their passwords if the EAA administrator requires the user to reset the password on their next login.
  - For the Open LDAP directory, enable this setting to allow users to change expired passwords and passwords that require a reset after the grace authentication limit with expired passwords or must-reset passwords has been exceeded.
  - To support this capability, EAA needs write privileges on the service account to modify another user's password. This setting only controls whether EAA attempts to handle these use cases; the permissions the service account needs must be configured on the AD or Open LDAP itself. Typically, accounts with admin privileges also have the permissions to change another user's password. Admins may want to restrict this privilege for the service account using mechanisms supported by the directory.
  - By default, allowing users to reset their own password is disabled. If disabled, the user cannot change the password through the EAA Login Portal and needs to do so through the native directory outside of EAA.
- Default password policy. This is a required field. It is automatically completed by the Microsoft AD. If you are using Open LDAP as your directory host, enter the default password policy for the directory.
- Password expiry warning threshold (in seconds). This setting allows EAA to show a password change reminder message to users when they log in to the EAA portal, to encourage users to change their password before it expires. EAA can determine the age of the user's current password upon login and, if it exceeds the configured warning threshold, display a password change reminder message.
  To support password changes from the EAA Login Portal, EAA needs write privileges on the service account to modify another user's password. If write privileges are not granted to EAA, the warning message may still help to reduce admin support for expired user passwords. Enter the amount of time, in seconds, before the password expires to display the password change reminder message.
  By default this threshold is set to zero (0). When set to zero (0), no warning messages display.
- Password force change threshold (in seconds). This setting allows EAA to force a password change when users log in to the EAA Login Portal, before they can access any application. This threshold should be greater than the warning threshold and less than the maximum age of the password in the AD. Enter the amount of time, in seconds, before the password expires to force a password change from the EAA Login Portal.
  By default this threshold is set to zero (0). When set to zero (0), EAA does not attempt to force a change of current valid passwords.
- Password complexity. To set a message for users to read in the EAA Login Portal, enter information about the password requirements in the Password complexity field.
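As an added example (not code from the EAA documentation or from Akamai), the following Python models how the two thresholds interact with the AD password age: it converts the AD pwdLastSet and maxPwdAge attributes (100-nanosecond FILETIME ticks) to seconds, treats both thresholds as password age (the reading the warning-threshold description gives), and applies the ordering rule stated above. The 90-day domain policy and the 60-day/80-day thresholds in demo() are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # AD timestamps count from here
TICKS_PER_SECOND = 10_000_000                                # FILETIME uses 100-ns ticks

def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND

def max_pwd_age_seconds(max_pwd_age: int) -> int:
    """AD stores the domain's maxPwdAge as a negative count of 100-ns ticks."""
    return abs(max_pwd_age) // TICKS_PER_SECOND

def validate_thresholds(warn_s: int, force_s: int, max_age_s: int) -> None:
    """Ordering the guide gives: 0 disables a threshold; otherwise warn < force < max age."""
    if warn_s < 0 or force_s < 0:
        raise ValueError("thresholds must be zero or positive")
    if force_s and warn_s and force_s <= warn_s:
        raise ValueError("force change threshold must exceed the warning threshold")
    if force_s and force_s >= max_age_s:
        raise ValueError("force change threshold must be below the AD maximum password age")

def login_action(pwd_last_set: int, max_pwd_age: int, warn_s: int, force_s: int,
                 now: datetime) -> str:
    """Portal decision at login: 'none', 'warn', 'force_change' or 'expired'.
    Assumption: thresholds are compared against the password's age in seconds."""
    max_age_s = max_pwd_age_seconds(max_pwd_age)
    validate_thresholds(warn_s, force_s, max_age_s)
    if pwd_last_set == 0:            # AD flag: user must change password at next logon
        return "force_change"
    age_s = int((now - filetime_to_datetime(pwd_last_set)).total_seconds())
    if age_s >= max_age_s:
        return "expired"             # the directory will reject the old password anyway
    if force_s and age_s >= force_s:
        return "force_change"
    if warn_s and age_s >= warn_s:
        return "warn"
    return "none"

def demo() -> dict:
    """Constructed sample: 90-day domain policy, warn at 60 days of age, force at 80."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    max_pwd_age = -90 * 86400 * TICKS_PER_SECOND
    warn_s, force_s = 60 * 86400, 80 * 86400
    def at(days_ago):  # pwdLastSet for a password set days_ago before now
        return datetime_to_filetime(now - timedelta(days=days_ago))
    results = {days: login_action(at(days), max_pwd_age, warn_s, force_s, now)
               for days in (10, 61, 85, 91)}
    results["reset_flag"] = login_action(0, max_pwd_age, warn_s, force_s, now)
    return results
```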
Password Restrictions
Enterprise Application Access is flexible when it comes to passwords, but there are limitations on what you can use as a password.
Create all user and system-level passwords using the following requirements. Passwords must not be predictable or easy to guess. Passwords that do not meet the following requirements are rejected by the authorization system:
- Minimum length of eight characters.
- Cannot be the same as the username, accountID, userID, or loginID.
- Contain at least one character from the following categories:
  - Uppercase characters
  - Lowercase characters
  - Numeric characters
  - Non-alphabetic characters (special characters "~!@#$%^&*_-+=`|(){}[]:;"'<>,.?/".)
- Passwords must be changed every 90 days (once changed, the password may not be reused for two years).
- Passwords must not be shared or given to another user.
- Group passwords are forbidden.
- Passwords must not be stored in clear text.
- Passwords must be changed or the account is disabled upon:
  - Password compromise
  - Suspected security breach
  - Password disclosure
Manage password complexity for the Login Portal from the Active Directory (AD)
In Enterprise Application Access (EAA) you can configure your Active Directory (AD) to allow EAA to manage password complexity of the EAA Login Portal from Enterprise Center.
- Log in to Enterprise Center.
- In the Enterprise Center navigation menu, select Application Access > Identity & Users > Directories.
- On the directory list page, click the directory to open it.
- Click the Advanced tab.
- In Password Management, select Allow users to change password.
- Complete the fields that apply to your password policy.
- Click Save.
Kerberos configuration for AD, LDAP directories
You can configure your Kerberos realm and the IP addresses of each Key Distribution Center (KDC) to set up Kerberos authentication for your AD or LDAP directory services.
- Log in to Enterprise Center.
- In the Enterprise Center navigation menu, select Application Access > Identity & Users > Directories.
- Select your directory to open it.
- Click the Advanced tab.
- Click Kerberos Configuration.
- Click Add New Realm (+ icon).
  a. Specify the Kerberos Realm. It is usually the same as the FQDN of the AD domain. If you have more than one domain in your forest, specify at least one reachable AD domain controller for each child domain in the forest.
  b. Specify the IPv4 or IPv6 address followed by the port number. It should be of the format <IP_ADDRESS:PORT_NUMBER>.
- Click Save.
Configure Organizational Unit Search Filter and Attribute
You can configure the OU search filter and the OU attribute for your organizational unit.
- Log in to Enterprise Center.
- In the Enterprise Center navigation menu, select Application Access > Identity & Users > Directories.
- Select your directory to open it.
- Click the Advanced tab.
- Under Advanced Settings:
  a. Organizational Unit Search Filter. Specify the search filter for your Organizational Unit.
  b. Organizational Unit Attribute. Specify the attribute that is tied to the Organizational Unit.
- Click Save.