About Directory Services

User authentication and authorization can be managed using an LDAP or Active Directory. Directory Services makes it easier to manage large numbers of Signiant users. Upon initial login by an unregistered user, the manager presents logon credentials to the selected directory service; users are authenticated using a trusted corporate service rather than the Signiant Manager itself.

Authentication Service

Directory authentication uniquely identifies a Signiant user using their corporate User Name and Password. Users do not have to manage a separate User Name and Password for Signiant, and corporate standards for password management can be enforced.

Signiant user authorization rights are determined by Access Control Lists or Permissions on Signiant managed objects (e.g. users, groups, jobs, packages). Although access can be configured for each user, managing access through user group membership is the recommended best practice. Signiant synchronizes user group membership in the directory with user group membership in Signiant. As such, access to objects in Signiant can be managed through the directory. This feature can be used, for example, to control who users can send Media Exchange packages to.

Signiant supports multiple directories. When a user logs in to the Manager or to Media Exchange, each directory is searched in order for a matching User Name. When a match is found, a login is attempted using the supplied Password. Maintaining unique User Names across directory services is the recommended best practice, but when this is not possible, the enforce domain credentials option can be used. When this option is enabled, users must specify domain qualified User Names when logging in to Signiant.

Best Practices

The Native Signiant User Directory is always enabled and provides user management without a corporate directory service. It is a best practice to have a minimum of one administrative user defined in the Native Directory for managing basic configuration including directory services.

First Time Logon

When a user logs in for the first time using a directory account their group membership and user attributes (e.g. First Name, Last Name, Phone Number) are copied to a directory account stub created in the Signiant Database. This account can be updated or deleted like a native account with the exception that the password cannot be set and group membership is synchronized with the directory each time the user logs in. A directory account stub is also created when a Media Exchange package is sent to a directory user that has not previously logged in to Signiant.

Whether or not directory users are allowed to log into the Signiant Manager interface or the Media Exchange interface is determined by global and directory specific settings. For example, a directory service can be setup such that users are only allowed to log into the Media Exchange interface by disabling the Manager login setting.

When an unregistered user first logs in, and more than one directory service is listed, authentication searches the services in the order in which they appear in the list. It is possible to change the order in which the directory services appear, so that the authentication scans the most common one first. The default method for user authentication is called Native Product Authentication; this is set up during installation.

When you add a directory service, you need to specify information such as a name for the service, the server name/IP address, and port number. You can also edit this information after you have specified a directory service. The Native Product Authentication service does not have any configuration settings, but users can edit the name, test user and test password fields. Blank passwords are not supported for Enterprise LDAP/LDAPS Authentication. If a user has a blank password and tries to authenticate, the user will be denied access.

When an Active Directory or LDAP user belongs to a group that also exists in the Signiant group list (that is, with the same name), a synchronization occurs between the Signiant group and the Active Directory group. All existing group membership that does not match a directory group is removed. This happens with all groups except the default user group defined using the directory management service.

After users log in and are identified in the Manager database, you may want to edit their user information (such as telephone number, email address, access control list and so on). Signiant maps and synchronizes the following LDAP and Active Directory fields to these corresponding Signiant fields:

LDAP and Active Directory field      Signiant field
mail                                 email
givenName                            first_name
sn                                   last_name
telephoneNumber                      phone
facsimileTelephoneNumber             fax
Mobile                               mobile
Title                                title

Directory Services Dashboard

Within the Directory Services dashboard, you can do the following:

  • Add directory services
  • Edit directory services
  • Delete directory services

Delete directory services
When you delete a network directory service, user names and passwords associated with that type are no longer able to log in to the Manager UI. Any users currently logged on using the selected configuration type are not affected. Once they log out they are not able to log back in to the deleted directory service. You will also lose all of the information associated with the directory service. If you want to stop using that directory service temporarily and do not want to delete it, you can Disable the type. When disabled, the directory service is still available and can be turned back on easily by clicking Enable, but user names associated with the type cannot log in.

To delete a directory service, select the directory service, click Delete and when prompted, click Yes.

Disable or Enable directory services
Disabling a directory service does not remove it from the authentication configuration; it turns the service off so that it is no longer used for user authentication. Any users currently logged on using the selected authentication service are not affected. Once they log out they are not able to log back in with the disabled directory service. You cannot disable Signiant Native Product Authentication.

To disable a directory service, click Disable.
To reactivate the directory service, click Enable.

Move Up or Move Down directory services
When the Manager Authentication Service authenticates a user, it runs through the list of directory services in the order in which they appear in this list. To change the order in which the directory services appear, so that the Manager scans the most common directory service in your network first, select the directory service name you want to move and click either Move Up or Move Down.
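The following added example (not Signiant's code) models the ordered directory search described above and what the Enforce Domain Credentials option changes, together with a check for the duplicate user names that make list order matter. Directory names, domains and user stores are constructed, and the rule that scanning stops at the first user-name match even when the password then fails is an assumption.

```python
# Added example, not Signiant's code: models the ordered directory search the
# Manager Authentication Service performs and the Enforce Domain Credentials
# option. Names, domains and user stores are constructed; stopping at the
# first user-name match (even if the password then fails) is an assumption.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DirectoryService:
    name: str
    domain: str                               # e.g. the Active Directory Name
    enabled: bool = True
    enforce_domain_credentials: bool = False
    users: Dict[str, str] = field(default_factory=dict)  # user name -> password

    def bind(self, user: str, password: str) -> bool:
        """Simulate the login attempt made against this directory."""
        return self.users.get(user) == password


def resolve_login(services: List[DirectoryService], login: str,
                  password: str) -> Optional[Tuple[str, str]]:
    """Walk the enabled services in list order (the Move Up / Move Down order)
    and return (service name, user) for the service that authenticates the
    login, or None. A domain-qualified login such as user@domain is only
    tried against the service whose domain it names."""
    user, _, domain = login.partition("@")
    for svc in services:
        if not svc.enabled:
            continue
        if domain:
            if domain.lower() != svc.domain.lower():
                continue
        elif svc.enforce_domain_credentials:
            continue                      # this service refuses bare user names
        if user in svc.users:
            # Assumption: the first user-name match is the only one tried, so a
            # same-named account in a later directory is shadowed by this one.
            return (svc.name, user) if svc.bind(user, password) else None
    return None


def duplicate_user_names(services: List[DirectoryService]) -> Dict[str, List[str]]:
    """Check for the condition the page warns about: user names that exist in
    more than one enabled directory and therefore depend on list order."""
    seen: Dict[str, List[str]] = {}
    for svc in services:
        if svc.enabled:
            for user in svc.users:
                seen.setdefault(user, []).append(svc.name)
    return {u: names for u, names in seen.items() if len(names) > 1}


def sample_services() -> List[DirectoryService]:
    """Constructed configuration: a corporate AD first, an external partner
    directory second with Enforce Domain Credentials turned on."""
    corp = DirectoryService("Corporate AD", "corp.example",
                            users={"jsmith": "corp-pw"})
    partner = DirectoryService("Partner LDAP", "partner.example",
                               enforce_domain_credentials=True,
                               users={"jsmith": "partner-pw", "alee": "alee-pw"})
    return [corp, partner]
```

With the sample configuration, the partner's "jsmith" can only log in as jsmith@partner.example, because the unqualified name is matched by the corporate directory first.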

Configure system-wide Settings
System-wide user settings are default user information that becomes automatically associated with a user the first time the user logs in to the Manager UI. Each time a user who is not already in the Manager database logs in, the default actions specified in the system-wide user settings will occur. Click Settings and configure the following settings in the Directory Services Settings dialog:

  • Default User Group: from the drop-down list, select the user group to which you want users to be assigned by default when they first log in. When Auto Register New Users is enabled, users are automatically assigned to any groups in the Signiant Manager that match the groups with which the user is associated in their directory service. If no matching groups exist, users are assigned to the default group selected here. To specify that no default user group be assigned, select Do not use a default User Group.

  • Auto Register New Users: enable this option to automatically register new users. This requires the selected directory service to accept the user's authentication credentials. To ensure that not everyone in your organization has access to the Signiant Manager, we suggest you disable this option once all users have logged in once.

  • Allow Administrative Login: enable this option to allow users to access the Signiant Manager. If most of your users are Media Exchange users, you may want to disable this option.

  • Organization for Auto Registered Users: from the drop-down list, select the organization to which users are automatically registered when they first log in. When No Organization is selected, user accounts are created in the Signiant Manager's System organization and are not displayed unless this organization has been granted to the administrator.

  • Organization for Auto Registered Manager UI Users Based On Group Membership: enable this option to allow all auto-registered Signiant Manager users to be assigned to the organization associated with the Signiant group that matches the group with which the user is associated in their directory service. This option does not apply to auto-registered Media Exchange users. If a user belongs to a group in their directory service that matches a group name in the Signiant Manager, the organization associated with that group is assigned to the user. For example, if you have a Signiant group called "Accountants" whose associated organization is "Accounting", all auto-registered users who belong to the "Accountants" group in their directory service are automatically assigned to the "Accounting" organization upon first login to the Signiant Manager.

    Note: Enabling this option overrides Default User Group and Organization for Auto Registered Users. Users who match are NOT assigned to the default user group or organization specified above.

  • Cache Passwords For Logged In Users: enable this option to ensure that when a user's password changes, any jobs associated with the user still run. The Signiant Manager will update the cached password.

  • Enable Active Directory Users Synchronization: this applies only to Active Directory users. Once enabled, you must configure the Synchronization period in days.
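As an added example (not Signiant's code), the following applies the first-login rules described above to a constructed directory entry: the attribute mapping table, group synchronization, the Default User Group fallback and the organization options. The directory entry and group list are constructed sample data, and picking the first matching group's organization when several groups match is an assumption.

```python
# Added example, not Signiant's code: applies the page's first-login rules
# (attribute mapping table, group synchronization, default group and the
# organization options) to a constructed directory entry. Using the first
# matching group's organization when several match is an assumption.
from dataclasses import dataclass
from typing import Dict, List, Optional

# LDAP / Active Directory attribute -> Signiant field, as listed on the page
ATTRIBUTE_MAP = {
    "mail": "email", "givenName": "first_name", "sn": "last_name",
    "telephoneNumber": "phone", "facsimileTelephoneNumber": "fax",
    "Mobile": "mobile", "Title": "title",
}


@dataclass
class Settings:
    """Directory Services Settings; None = 'Do not use ...' / 'No Organization'."""
    auto_register: bool = True
    default_user_group: Optional[str] = "Media Exchange User"
    org_for_auto_registered: Optional[str] = None
    org_by_group_membership: bool = False


def map_attributes(entry: Dict[str, str]) -> Dict[str, str]:
    """Copy only the mapped attributes; anything else in the entry is ignored."""
    return {sig: entry[ldap] for ldap, sig in ATTRIBUTE_MAP.items() if ldap in entry}


def matching_groups(directory_groups: List[str], manager_groups: Dict[str, str]) -> List[str]:
    """Signiant groups whose name also appears among the user's directory groups."""
    return [g for g in manager_groups if g in directory_groups]


def register_first_login(entry, directory_groups, manager_groups, settings):
    """Build the directory account stub created on first login.
    manager_groups maps each Signiant group name to its associated organization."""
    if not settings.auto_register:
        return None                       # unregistered users are not admitted
    stub = {"fields": map_attributes(entry), "password": None}  # cannot be set
    matched = matching_groups(directory_groups, manager_groups)
    if settings.org_by_group_membership and matched:
        # Overrides Default User Group and Organization for Auto Registered Users
        stub["groups"] = matched
        stub["organization"] = manager_groups[matched[0]]
    else:
        stub["groups"] = matched or ([settings.default_user_group]
                                     if settings.default_user_group else [])
        stub["organization"] = settings.org_for_auto_registered or "System"
    return stub


def sync_groups(existing, directory_groups, manager_groups, default_group):
    """Re-run on every login: memberships that do not match a directory group
    are removed, except the default user group."""
    kept = [g for g in existing if g == default_group]
    return list(dict.fromkeys(kept + matching_groups(directory_groups, manager_groups)))


# Constructed sample data
SAMPLE_ENTRY = {"mail": "jsmith@corp.example", "givenName": "Jane", "sn": "Smith",
                "telephoneNumber": "+1 555 0100", "Title": "Editor", "sAMAccountName": "jsmith"}
MANAGER_GROUPS = {"Accountants": "Accounting", "Editors": "Post Production",
                  "Media Exchange User": "System"}
```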

Configuring Directory Services

The following section describes how to add a directory service.

Adding a Directory Service

To add a network directory service:

  1. From the Manager, select Administration>Users>Directory Services and click Add.

  2. On the Settings tab, complete the following fields:

    • Type: this is the type of directory service you're adding. Select Enterprise Active Directory Authentication or Enterprise LDAP/LDAPS Authentication.
    • Name: a logical name for the directory service.
    • Active Directory Name: this is displayed only if you selected Enterprise Active Directory Authentication. Type the Windows domain name (for example abc.company.com) associated with the directory service. If you don't know the Server Name/IP, the Signiant Manager queries the DNS for your Active Directory server. If you have multiple Active Directory servers, you can provide some redundancy to your configuration by completing only the Active Directory Name field and leaving the Server Name/IP field blank.
    • Server Name/IP: this is the server name or IP address of your authentication server. If you don't know this information and have entered the Active Directory Name, the Signiant Manager queries the DNS for your Active Directory server. If you have multiple Active Directory servers, you can provide some redundancy to your configuration by completing only the Active Directory Name field and leaving the Server Name/IP field blank.
    • Port: select one of the listed ports to enable connection to your authentication server. The options are: 389 (Std. Non-Secure), 636 (Std. Secure) and Other.
    • Timeout: use this to configure the read timeout value for your directory server. By default this is set to 10 seconds.
    • Search Base: this is displayed only if you selected Enterprise LDAP/LDAPS Authentication. This is the point within the authentication hierarchy at which to start the search. For example, cn=Users, dc=company, dc=somewhere, dc=com.
    • Secure Connection: when enabled an SSL connection is used.
    • Synchronize User's information at log in: this is displayed only if you selected Enterprise Active Directory Authentication. When enabled, the user's Active Directory information is synchronized at log in. If you're managing your email addresses and users in Active Directory, enable this option to ensure that Signiant Manager is synchronized with any changes to this information.
    • Enforce Domain Credentials: enable this option to force users to include their domain name as part of their credentials during login. For example, joesmith@companyxyz.com instead of simply typing joesmith. If you are configuring directory services for external domains, Signiant strongly recommends that you enable this option. This guarantees the uniqueness of user accounts. While not enabling the enforcement of domain credentials may be more convenient, it may be less secure when there are multiple directory services. This is particularly important if you are using Signiant Media Exchange, which allows users to search directory services for users who are not in the local Signiant directory.
    • Restrict to Group Membership: type the name of the group to which the user must belong in order to be authenticated. If you want to allow any user to login regardless of group membership, leave this field blank.
    • Enable Support For Nested Groups: this is displayed only if you selected Enterprise Active Directory Authentication. Enable this option to ensure that all nested Active Directory groups are synchronized and updated in Signiant Manager.
    • Directory User: specifies the user as which a Media Exchange global directory recipient search occurs. The specified user must be valid in the directory service. If you do not specify a user, the directory will not be available for global recipient searching. The domain name should not be appended to the user name. For example, Administrator is valid, but administrator@my.company.com is not valid.
    • Password: type the password associated with the Directory User.
  3. If you selected Enterprise LDAP/LDAPS Authentication, select the Advanced LDAP Options tab and complete the following fields:

    • Group Object Class: type the object class of the group class in the directory schema.
    • Group Member Attribute: type the attribute of the group that contains the members.
    • Group Naming Attribute: type the naming attribute associated with the group.
    • User Object Class: type the user object class used in your schema.
    • User Username Attribute: type the attribute associated with the username in your schema.
  4. On the Media Exchange tab, configure the following options:

    • Ignore Group Access When Searching: this is displayed only if you selected Enterprise Active Directory Authentication. Enable this option to allow users to find any directory user regardless of group access. New users are added to the default group specified in the Directory Services Settings page. If a default group is not defined and this option is enabled, the default group is automatically set to the system-created Media Exchange User group. When this option is not enabled, the search results are based on the group access set for the user performing the search.
    • Enable Agent Mapping: enable this option to allow new users added to the Signiant Manager to use Media Exchange. This functionality is required to ensure directory services searching functionality for Media Exchange users. After enabling this option, click Add and configure the following:
      • Attribute: if the user has an attribute that matches the one specified in this field and the value associated with their attribute matches the one specified in equals, then the user's Media Exchange agent is set to the specified Agent and Home Directory values. Available attributes depend on the Directory Service you are using. The first attribute-value match for a given user is used to set the user's values. When matching a group in the Active Directory, either the short form group name or the full group DN can be used for matching. Wildcard searching is performed automatically for the member of attribute. For example, "member of equals Sales" matches any groups that contain "Sales" (e.g. Sales Department, North American Sales). For all attributes, wildcard searching can be specified by inserting asterisks within the value (for example, Distinguished Name equals *CN=Users,DC=emea,DC=company,DC=com).
      • equals: this field is used to match the value specified in the Attribute field. This field is used to indicate the value you want to map. For example, if Attribute is CO then equals could be UNITED STATES, so that all users with a location of United States are mapped. This is not a case sensitive field.
      • Agent: from the drop-down list, select an agent.
      • Allow Agent Browsing: enable this option to allow users to browse the file system on their Media Exchange agent and to add files directly to packages without an upload. This option is useful if you would like your users to be able to send corporate content when roaming outside the office.
      • Home Directory: if you want to restrict agent browsing, type the folder values for the portion of the file system that is restricted. The possible folder values are: %USERLOGIN% %FIRSTNAME% %LAST_NAME%.
      • Allowed to create guest users: enable this option to allow Media Exchange users to create new users in this mapping.
      • Allowed to send packages: enable this option to allow new Media Exchange users to send Media Exchange packages.
      • Allowed to forward packages: enable this option to allow new Media Exchange users to forward Media Exchange packages.
  5. On the Test Settings tab, complete the following fields and then click Test:

    • Name: type the same name you typed in the Name field on the Settings tab. (You may need to try various account name options, e.g. {domain}{account}, {domain}@{account}, {account}, in order to successfully authenticate.)
    • Server Name/IP: type the same server name/IP address you typed in the Server Name/IP field on the Settings tab.
    • Test User: type a user name you can use to test the settings specified on this tab.
    • Test Password: type the password associated with the user you typed above.
    • Log: the log displays the test results.
  6. Click OK.
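The Enable Agent Mapping rules from the Media Exchange tab step above, implemented as an added example that is not Signiant's code: the first attribute/equals match wins, matching is not case sensitive, member of is matched as a substring, an asterisk in the equals value is a wildcard for any attribute, and the Home Directory tokens are expanded. The attribute names on the user entry and the login key are assumptions, and the mappings and user entries are constructed sample data.

```python
# Added example, not Signiant's code: implements the Enable Agent Mapping
# matching rules (first match wins, case-insensitive, 'member of' matched as a
# substring, '*' wildcard for any attribute, home directory tokens expanded).
# Entry attribute names and the "login" key are assumptions; data is constructed.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AgentMapping:
    attribute: str
    equals: str
    agent: str
    home_directory: str = ""
    allow_agent_browsing: bool = False


def value_matches(equals: str, value: str, substring: bool) -> bool:
    """Case-insensitive comparison; substring=True is the automatic wildcard
    behaviour for 'member of', '*' in the equals value is an explicit wildcard."""
    equals, value = equals.lower(), value.lower()
    if substring and "*" not in equals:
        return equals in value
    regex = ".*".join(re.escape(part) for part in equals.split("*"))
    return re.fullmatch(regex, value) is not None


def attribute_values(entry: Dict, attribute: str) -> List[str]:
    """Look up an attribute by name, case-insensitively; multi-valued is fine."""
    for key, val in entry.items():
        if key.lower() == attribute.lower():
            return list(val) if isinstance(val, list) else [val]
    return []


def expand_home(template: str, entry: Dict) -> str:
    """Fill the page's folder tokens from the user's login and mapped name fields."""
    return (template.replace("%USERLOGIN%", entry.get("login", ""))
                    .replace("%FIRSTNAME%", entry.get("givenName", ""))
                    .replace("%LAST_NAME%", entry.get("sn", "")))


def select_agent(entry: Dict, mappings: List[AgentMapping]) -> Optional[Dict]:
    """Return agent settings from the first mapping that matches the user, else None."""
    for m in mappings:
        substring = m.attribute.lower() in ("memberof", "member of")
        for value in attribute_values(entry, m.attribute):
            if value_matches(m.equals, value, substring):
                return {"agent": m.agent,
                        "home_directory": expand_home(m.home_directory, entry),
                        "allow_agent_browsing": m.allow_agent_browsing}
    return None


# Constructed mappings, in the order an administrator added them
MAPPINGS = [
    AgentMapping("memberOf", "Sales", "sales-agent", "/media/%USERLOGIN%", True),
    AgentMapping("co", "UNITED STATES", "us-agent", "/media/%LAST_NAME%_%FIRSTNAME%"),
    AgentMapping("distinguishedName", "*CN=Users,DC=emea,DC=company,DC=com", "emea-agent"),
]
SALES_USER = {"login": "jsmith", "givenName": "Jane", "sn": "Smith", "co": "United States",
              "memberOf": ["CN=North American Sales,OU=Groups,DC=emea,DC=company,DC=com"],
              "distinguishedName": "CN=Jane Smith,OU=Staff,DC=emea,DC=company,DC=com"}
```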

Media Exchange and Directory Services

Users of the Media Exchange application can benefit from a manager setup with directory services in two major ways:

  • Automatic user creation and assignment to Media Exchange enabled agents.
  • Directory searching for package recipients by Media Exchange users.

Assuming you have Media Exchange enabled on at least one agent, and have enabled agent mapping as detailed in the Adding a Directory Service procedure above, Media Exchange users will see an additional search option when they select the 'Recipients' icon.

[Image: Media Exchange Search]

The presence of the 'drop-down' list as shown below indicates that a user can search the global directory.

[Image: Media Exchange Directory Services]

The users that are returned are ones which contain email accounts in the directory.

If your directory does not contain email addresses (e.g. your organization uses an externally hosted email service), users are not displayed in the search list. Regular users can only find users within the user groups they belong to (unless the ignore group membership option is selected when configuring the directory service). Guest users are restricted from searching the directory. Additional Media Exchange options, for example the ability to assign new users to specific agents, are described later in this section.

User Lockout

If authentication other than native authentication is used, you can lock yourself out of the Active Directory or LDAP/LDAPS account under the following conditions:

  • the user schedules a job to run regularly as "logged in user"
  • the user subsequently changes their Active Directory/LDAP/LDAPS password and does not re-login to the Manager UI to re-cache their new password
  • the job runs the number of times that meet the criteria set on the Active Directory/LDAP/LDAPS server to lockout the user account

For example, if the lockout parameter is set at three incorrect logins, and you change your password and do not login to the Manager UI to cache the new password, and then the job runs three times using the old password, you are locked out of both the Manager UI and the Active Directory or LDAP/LDAPS account.

In addition, you can also lock yourself out of the network account if you login incorrectly to the Manager UI the number of times specified in the authentication profile. For example, if the lockout parameter is set to three incorrect logins and you log in to the Manager UI incorrectly three times, you will be locked out of the Active Directory or LDAP/LDAPS account.