Manage a directory

Complete these tasks to manage or modify a directory:

Add a directory

Before you begin

Deploy an identity connector. For more information, see Create and download an identity connector.

Complete this procedure to add any of these directory types:

  • AD
  • LDAP
  • AD LDS
  • SCIM

After you add a directory, you need to associate the directory service to an IdP.

To add a directory:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Directories.

  2. Click the plus sign.

  3. In the name and description fields, enter a name and description for the directory.

  4. In the Service Type menu, select one of these directory types:

    • AD
    • LDAP
    • AD LDS
    • SCIM
  5. If you selected SCIM as the directory type, see Provision users with SCIM.

  6. Click Add New Directory.

  7. To configure the host information:

    1. Click the General settings tab.

    2. In the host menu, select either LDAP or LDAPS (secure LDAP) based on how your native directory is set up (LDAP is most common).

    3. Enter either a valid IP address, the fully qualified domain name (FQDN) of your native directory, or the URL to access the directory within your network.

    4. Only modify the port number if necessary. If needed, enter the port number to access the directory internally.

    📘

    If firewalls are used, administrators should allow the ports so that ETP can communicate with the LDAP or LDAPS FQDN and port for authentication operations.

  8. Depending on directory type, enter the AD domain or the LDAP domain. For AD domain, enter the Windows domain where your AD is located. For an LDAP domain, enter the LDAP domain where your directory is located.

  9. In the Admin Account field, enter an administrator account that ETP can use to connect to this directory. The administrator account should have read-only access or higher. For example, use the format NetBiosDOMAIN\administrator. For a Microsoft Windows AD integration, enter the Distinguished Name from the Microsoft Windows AD.

  10. In the Admin Password field, enter the password that's associated with the admin account.

  11. Select the login preference. This is the identifier for the user's principal in the directory. The user provides this identifier when they are prompted to log in or authenticate to access a website. Depending on the directory, you can choose from one of these identifiers.

    • For AD, you can select Email, SAM Account Name, User Principal Name, or Domain/SAM Account Name.

    • For LDAP, you can select Email or UID.

    • For AD LDS, you can select Email, UID, or User Principal Name.

  12. In the other tabs, configure the directory settings as they apply for your implementation.

  13. To configure password management, see Customize the Login Portal.

  14. In the Connectors tab, associate or disassociate an identity connector with the directory:

    • To associate a connector, click the plus (IMAGE_STUBIMAGE_STUB) sign in the upper right. Then select one or more connectors and click Associate.

    • To disassociate a connector, hover over the directory and click the minus sign. Then click Disassociate on the window that displays.

    IMAGE_STUBIMAGE_STUB

  15. Click the Users tab to view the users assigned to the directory. You can click the number in the Groups column to view the groups a user is associated with.

  16. Click the Groups tab to view the groups that are configured in this directory. You can view the users that are assigned to the group. You can also click the sync icon to synchronize ETP with the latest group information from your directory.

  17. To import a group from an AD, LDAP, or AD LDS:

    1. In the Groups tab, click the plus sign.

    2. In the provided text field, enter the group name. You can use wildcards to perform the search. You add an asterisk (*) on one or both ends to your search terms. Group searches are case sensitive.

    3. Click Search Group.

    4. Select the group or groups that you want to import, and click Add.

  18. Click Save. To save the connector and test that it can communicate with the directory server, click Save and Test.
    If you choose Save and Test, the Connectivity Test and Directory Diagnostics window appears and tests the connection with the identity connector. If the connection is successful, you can search for users and groups in the directory.

Delete a directory

Complete this procedure to delete a directory from ETP.

📘

You cannot delete a directory that is associated with an IdP. First disassociate the directory from the IdP on the IdP's Directories tab.

To delete a directory:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Directories.

  2. Hover over the directory that you want to delete.

  3. Click the trash can icon.

  4. In the confirmation window, click Delete.

Sync users and groups

If you believe that ETP does not currently show the latest users and groups, you can manually synchronize ETP with the directory. An option is also available to synchronize groups.

To sync users and groups:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Directories.

  2. Hover over the directory that you want to synchronize and click the sync icon.

  3. To synchronize the users listed for a specific group:

    1. Click the edit icon of a directory or click the total number of groups listed for the directory on the Directories page.

    2. In the Groups tab, hover over the group that you want to synchronize and click the sync icon.

  4. Click Save.

Reset a user's one-time password

You can reset the one-time password (OTP) for a user. After you reset the user's password, the user receives an email with instructions and a link to reset their password.

You can perform this procedure on any directory type.

To a reset a user's one-time password:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Directories.

  2. Click the directory with the user that requires a new one-time password.

  3. Locate and hover over the user that you want to set with a one-time password.

  4. Click the key icon.

  5. Click Yes to confirm the password reset. The user receives an email to reset their password

Import groups from AD, LDAP, or AD LDS

Complete this procedure to import a group from your Active Directory (AD), Lightweight Directory Access Protocol (LDAP), or Active Directory Lightweight Directory Services (AD LDS). When searching for groups, you can use wildcards. Group searches are case sensitive.

To import a group from your AD, LDAP, or AD LDS:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Directories.

  2. Click the name of the directory that you want to edit.

  3. Click the Groups tab.

  4. Click the plus sign.

  5. In the provided text field, enter the group name. You can use wildcards to perform the search. You add an asterisk (*) to one or both ends of your search terms. Group searches are case sensitive.

  6. Click Search Group.

  7. Select the group or groups that you want to import.

  8. Click Add.

  9. Click Save.

Run directory diagnostics

From the Directories page in ETP, you can:

  • Test connectivity to confirm that the identity connector can communicate with the directory server.

  • Search for users and get their AD attributes. This is a quick way to determine whether a user exists in the directory.

  • Search for groups and get the group's AD attributes. This is a quick way to determine whether a group exists in the directory.

The search supports exact match and wildcard pattern queries.

To run directory diagnostics:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Directories.

  2. Hover over the directory where you want to run directory diagnostics.

  3. Click the stethoscope icon. A window appears where the connectivity test occurs.

  4. If the test is successful, you can search for a user or group:

    1. To search for a user, enter a username in the provided field and click Search User.
    2. To search for a group, enter the group name in the provided field and click Search Group.
    3. To search for users or groups with a wildcard search query, add an asterisk (*) to one or both ends of your search terms.

Run a directory connectivity test

If an identity connector is associated with your directory, you can test directory connectivity when editing or managing a directory. This test confirms that the identity connector can communicate with your directory service.

To run a directory connectivity test:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Directories.

  2. Click the name of the directory that you want to edit.

  3. Click the stethoscope icon.

Overlay groups

You can use overlay groups to add a group to your AD, LDAP, or AD LDS directories. This feature provides a quick and easy way to manage directory users and groups in ETP without making changes to users or groups in your external directory service.

For example, if you want to create a new group that contains users who can access websites for a specific AUP category, you can create an overlay group, add the users you require, and then assign this overlay group to an AUP category. Just as you can select directory groups to define access in policy, you can select an overlay group from the same group menu.

Note these exceptions:

  • The overlay groups you create are only available in ETP. They are not available in the directory service itself.

  • You cannot use an overlay group that you create in one directory in another directory.

Add an overlay group

To add an overlay group:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Directories.

  2. Click the name of the directory where you want to add an overlay group.

  3. Click the Groups tab.

  4. Click the Overlay Groups tab.

  5. Click the plus sign icon to add an overlay group.

  6. Enter a name and description of the group, and click the check mark icon.

  7. Click Save.

Next steps

Add a user to an overlay group.

Add a user to an overlay group

Before you begin

Add an overlay group.

To add a directory user to the overlay group:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Directories.

  2. Click the name of the directory that you want to manage.

  3. Click the Groups tab.

  4. Click the Overlay Groups tab.

  5. In the User column, click the number of users in the overlay group.

  6. In the dialog that appears, search for the user that you want to add.

  7. Select the user or users that you want to associate with the overlay group and click Associate.

  8. Click Save.

Delete an overlay group

To delete an overlay group:

Note that you cannot delete an overlay group when the directory is associated to an IdP that's used in a policy.

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Directories.

  2. Click the name of the directory that contains the overlay group you want to delete.

  3. Click the Groups tab.

  4. Click the Overlay Groups tab.

  5. Hover over the overlay group that you want to delete.

  6. Click the trash bin icon. A confirmation window appears.

  7. Click Delete.

  8. Click Save.

Organizational units

An organizational unit is a subdivision or container in your network that's used to manage users, groups, or resources such as computers, servers, and more. Your enterprise may organize OUs based on department, geographic location, office branch, job function, and more.

In ETP, you can search for OUs in your AD, LDAP, or AD LDS directories and import them into ETP. When you define access in ETP policy, you can select the OU in the group menu just as you can select any imported groups or overlay group that you created.

Import an organizational unit from a directory

To find an OU in your enterprise and add it to your directory configuration:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Directories.

  2. Click the directory where you want to import an OU.

  3. Click the Groups tab.

  4. Click the OUs tab.

  5. Click the plus sign icon.

  6. In the provided field, enter the exact name of the organizational unit and click Add OU.

  7. Select the OU and click OK.

  8. Click Save.

Delete an OU

This operation deletes the OU from ETP. It does not delete the OU from the directory service.

To delete an OU from the directory configuration in ETP:

Note that you cannot remove an OU in ETP when the directory is associated to an IdP that's used in a policy.

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Directories.

  2. Click the name of the directory that contains the OU you want to delete.

  3. Click the Groups tab.

  4. Click the OUs tab.

  5. Hover over the OU that you want to delete.

  6. Click the trash bin icon. A confirmation window appears.

  7. Click Delete.

  8. Click Save.

Sync users to organizational units

To sync OUs from the directory service:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Directories.

  2. Click the name of the directory that contains the organizational unit you want to sync.

  3. Click the Groups tab.

  4. Click the OUs tab.

  5. Hover over the OU that you want to sync.

  6. Click the sync icon.


Did this page help you?