
HOW TO: Obtain correct syntax for Base DN, Bind DN or Attributes with LDAP for Directory Synchronization

Question
Enrollment issues or issues related to Directory Synchronization can be impossible to solve if the LDAP syntax is incorrect. This document describes some basic steps for obtaining the Base DN, Bind DN and Attributes or Values in the correct form for enrollment or PGP policies.
This answer pertains to PGP Universal Server 2.x.x.

Details
If Active Directory 2000 or 2003 is used, the User Principal Name can be entered in the Bind DN field in place of typing the entire Distinguished Name for the query user. User Principal Names (UPN) often follow the syntax of the user's email address, as for the user listed in the screenshot below.

Section 1: Defining Base DN and Bind DN for Directory Synchronization
This document is geared toward Microsoft Active Directory and the Softerra LDAP browser to obtain correct syntax for Directory Synchronization used in PGP Universal Server. However, the same concepts can be applied to other LDAP directories as well. Starting from the basics of Active Directory: below is a screenshot of a basic tree in Active Directory. This is a basic configuration, but the Bind DN is derived by using LDAP syntax and going up the tree starting at the user. For example, the user user1 is contained in Users, under example.com. The corresponding Bind DN is going to be CN=user1,CN=Users,DC=example,DC=com, but this will be discussed in more detail in the following steps.

An easy way to find the Bind DN that is needed for the PGP Universal Server is to query the Active Directory of a Windows 2003 Server. The query is performed at the command prompt of the Windows 2003 Server. In the following example, the domain is example.com, and we are finding the Distinguished Name (the Bind DN field for the PGP Universal Server) for user1. After obtaining the correct Distinguished Name, Softerra can be utilized to find users, attributes or values. The query is detailed below and can be used with Active Directory 2003 only. Type the following command and press Enter:

dsquery user dc=example,dc=com -name user1*

If your user has a long name, the * will do a wildcard match for that user. Or:

dsquery user dc=example,dc=com -name "user1"

These commands will return the correct Bind DN for Directory Synchronization on the PGP Universal Server:

"CN=user1,CN=Users,DC=example,DC=com"

Unless Active Directory 2003 is being used, it will be necessary to find the Bind DN manually. Using an LDAP browser such as Softerra (below) can help. When using Softerra, the credentials will need to be entered for the user binding to the LDAP directory when you create a new profile.

Although Softerra will not tell you the exact Bind DN needed for PGP Universal Server, it will let you know immediately if the LDAP syntax is incorrect, as shown below, and help in your trial-and-error process. The fields necessary to find the correct syntax are the hostname of the LDAP directory, the User DN (Distinguished Name), and the password (don't use anonymous bind, as this will not show you accurate query results).

Once the LDAP syntax is correct, a successful bind will show you the directory similar to how it appears in Active Directory.

Below is an example of the properties for the user user1, and how the Distinguished Name corresponds to the Bind DN in Directory Synchronization.

Below is a break-down of how user credentials are translated within LDAP (very basic example). The Bind DN is comprised of the user and the location of the user in the LDAP directory tree.

Each element of the Distinguished Name is pointed out. The first part is the user, CN=user1. The second part is the container, CN=Users. The third part is the domain, DC=example and DC=com. Therefore, the Bind DN is CN=user1,CN=Users,DC=example,DC=com. If the domain was example.net, the syntax would be DC=example,DC=net. DC is used for the domain credentials; CN is used for the user credentials.

Compare what is in Softerra, as in the screenshots in the previous examples, with what is in PGP Universal Server; the credentials should match exactly. A copy and paste will ensure no typos are made. When browsing to the user as in the previous screenshot, the Distinguished Name is what defines the Bind DN inside of Directory Synchronization.

Once you have defined the Bind DN inside of PGP Universal Server, you can also enter the Base DN, which is the latter part of the Bind DN. This will start the query from the top level down, but this can be configured to search lower in the tree.

Section 2: Defining Attributes and Values for Desktop policies on the PGP Universal Server
Defining Attributes would only be used in the following scenarios:
A. PGP Universal Server in Gateway deployment, where all users' emails will be processed by the PGP Universal Server but only a certain number of users should be encrypting. Defining attributes can allow only certain users to be enabled or disabled, so encryption will occur for some and not for others.
B. Multiple PGP Desktop policies are going to be used. Configuring attributes and values can help assign users into groups dynamically instead of creating many custom preset policies.
Once you have the Base and Bind DN entered into Directory Synchronization correctly, the next step is to define Attributes for the Users. Specifying Attributes and Values in the individual PGP Desktop policies will allow PGP Universal Server to assign individual users into separate policies that have been created.

For the example below, a 'memberOf' Attribute is specified for the user in the 'israel_team' group. These Attributes and Values are also specified on the PGP Universal Server. PGP Universal Server will then query AD to assign users into specific PGP Desktop Policies. The Name in the example below is the Attribute within PGP Universal Server, and the Value is in fact the Value inside of PGP Universal Server:

Again, compare what is in Softerra and what is in PGP Universal Server. The Attributes and Values should match exactly. A copy and paste will ensure no typos are made.

Once you have followed these basic guidelines, you should be able to get Users assigned to your specific PGP policies once enrollment completes, or in Gateway placement when users send email through the Universal Server.
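As an added example (not code from this article or from PGP Universal Server), the following Python script applies the DN rules from Section 1 and the memberOf match from Section 2: it parses a DN, rejects the syntax slips that make a bind fail, derives the Base DN as the latter part of the Bind DN, and checks whether a user's memberOf values match a configured Attribute/Value pair. The sample DNs and the israel_team group are constructed from the article's example.com tree.

```python
"""Check LDAP DN syntax and derive Base DN / policy matches.
Added example; not code from the PGP Universal Server article or product."""
import re

# Constructed sample values modelled on the article's example.com tree.
BIND_DN = "CN=user1,CN=Users,DC=example,DC=com"
USER_MEMBER_OF = ["CN=israel_team,CN=Users,DC=example,DC=com"]  # constructed

_RDN = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(\S.*)$")

def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, most specific RDN first.
    An escaped comma (\\,) inside a value stays part of that value.
    Raises ValueError on the syntax slips an LDAP browser would reject:
    missing '=', empty component, trailing comma."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        m = _RDN.match(rdn.strip())
        if not m:
            raise ValueError(f"bad RDN {rdn!r} in {dn!r}")
        parts.append((m.group(1).upper(), m.group(2).strip()))
    return parts

def _norm(dn):
    return [(attr, val.lower()) for attr, val in parse_dn(dn)]

def same_dn(a, b):
    """Case-insensitive DN equality (attribute types and values)."""
    return _norm(a) == _norm(b)

def base_dn(bind_dn, keep=2):
    """The 'latter part' of the Bind DN: drop the leading RDNs and keep the
    last `keep` components (keep=2 gives the domain, DC=example,DC=com)."""
    parts = parse_dn(bind_dn)
    if keep < 1 or keep > len(parts):
        raise ValueError("keep must be between 1 and the number of RDNs")
    return ",".join(f"{a}={v}" for a, v in parts[-keep:])

def is_under(dn, base):
    """True if dn sits at or below base in the directory tree."""
    d, b = _norm(dn), _norm(base)
    return len(d) >= len(b) and d[-len(b):] == b

def matches_policy(member_of, attr_name, attr_value):
    """Section 2 style check: the configured Attribute is memberOf and one of
    the user's group DNs equals the configured Value."""
    if attr_name.lower() != "memberof":
        return False
    return any(same_dn(group, attr_value) for group in member_of)

if __name__ == "__main__":
    print(base_dn(BIND_DN), is_under(BIND_DN, base_dn(BIND_DN)))
```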

Note: ldifde -f c:\filename.txt (exports the directory contents to an LDIF file)
