Access Manager: Directory Settings and Reconciliation

system
This article is marked as obsolete.

This article describes how to manage and configure your user datastores (directories), all of which is done from the Directories page. In most cases the default settings will be sufficient.

Directories

The Directories page contains configuration details on all your user datastores, from here you can manage each one as well as execute a manual reconcile.

 

This page is split into three areas:

  1. A list of directories
  2. Details of selected directory
  3. Configuration options of selected directory

Each section is detailed below, with the final section broken down into its constituent parts.

List of User Directories

 

From here you can see all your configured user directories, the admin account and reconciliation status. You can execute the following actions:

  • Delete: clicking the delete icon will remove this configured directory
  • Reconcile: clicking the refresh icon will start a manual partial reconciliation of the user directory

Directory Status

The second segment details the selected directory.

This provides details such as identity count, reconciliation status and the password policy currently configured. If you change your password policy after a reconcile, a new reconcile must be run for Nervepoint Access Manager to pick up the change; until then the policy shown here, and the one enforced on resets, is the old one.

 

Directory Configuration

The third part is broken down into several configuration tabs, each one allowing you to configure a specific part of your directory. Access Manager supports a number of different types of user database; for the purpose of this article the Windows Active Directory configuration tabs are shown. Depending on the directory you selected, these tabs may differ.

 

Each configuration tab for Windows Active Directory is detailed below.

 

Active Directory General Configuration

All of these settings will have been configured at the time of installation; some were entered manually while others were set automatically based on what Nervepoint Access Manager could determine about your directory.

  • Domain Controller: Hostname of your directory
  • Backup Controllers: Any backup domain controllers in your network
  • Domain: Domain name of the Active Directory
  • Service Account Credentials: The username and password of an account with rights to manage users in the datastore. This can be a member of the Domain Admins or Account Operators group, or, preferably, a dedicated account that has been delegated permission to manage user accounts and reset passwords for the OUs Access Manager reconciles. We recommend using the AD administrator account during installation to get the system up and running and then changing to a least-privilege delegated account afterwards, since these credentials are stored by the appliance and used for every reconcile and password reset it performs.

If any of these settings are changed hit 'Save' to save changes and then 'Synchronize' to reconcile the changes.
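The following is an added example of how to set up the delegated, least-privilege service account recommended above; it is not a script from Nervepoint or from this article. The domain (CORP / corp.example), the service account name (svc-accessmgr) and the target OU (OU=Staff,DC=corp,DC=example) are assumed placeholders; run it as a Domain Admin on a domain controller or on a host with the RSAT ActiveDirectory module installed.

```powershell
# Added example, not Nervepoint's own code. All names below are assumed placeholders.
Import-Module ActiveDirectory

$Domain    = "CORP"                              # NetBIOS domain name (assumed)
$SvcUser   = "svc-accessmgr"                     # dedicated service account (assumed)
$TargetOU  = "OU=Staff,DC=corp,DC=example"       # OU whose users Access Manager manages (assumed)
$Principal = "$Domain\$SvcUser"

# 1. Create the service account. It is a plain domain user: no Domain Admins or
#    Account Operators membership is added.
New-ADUser -Name $SvcUser -SamAccountName $SvcUser `
    -UserPrincipalName "$SvcUser@corp.example" `
    -AccountPassword (Read-Host -AsSecureString "Service account password") `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true

# 2. Delegate only what password management needs, inherited by user objects
#    under the OU (/I:S = inherit to sub-objects only).
#    CA   = control access (extended right), here "Reset Password"
#    RPWP = read and write property, for unlock and "must change at next logon"
dsacls $TargetOU /I:S /G "${Principal}:CA;Reset Password;user"
dsacls $TargetOU /I:S /G "${Principal}:RPWP;pwdLastSet;user"
dsacls $TargetOU /I:S /G "${Principal}:RPWP;lockoutTime;user"

# 3. Verify the ACEs that were granted to the service account.
dsacls $TargetOU | Select-String -Pattern $SvcUser
```

Once the delegation is in place, enter the new account under Service Account Credentials, Save, then Synchronize and confirm on the Directory Status panel that the reconcile completes. If additional OUs are reconciled, repeat the dsacls grants against each of them.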

 

Active Directory Advanced Configuration

More specific items can be configured from this tab, all of which affect the way Nervepoint Access Manager reconciles with your Active Directory datastore. These should only be changed if you know what you are doing or have been advised to by support.

 

  • Protocol: The protocol used to connect to the Domain Controller. The service account credentials are sent over this connection on every bind, so use an encrypted option where one is offered and your domain controllers support it.
  • Timeout: How long Nervepoint Access Manager will wait for a response from your Windows Active Directory before giving up.
  • Page Size: The number of entries fetched per request (LDAP paged results) during reconciliation.
  • BaseDN: The baseDN of your Active Directory and the location from which reconciliation will be done.
  • Use pre-Windows 2000 user logon name: Enable this to have Nervepoint Access Manager use the pre-Windows 2000 logon name (the sAMAccountName attribute, the DOMAIN\user form) instead of the user principal name (user@domain). This is needed when users log on with the older form, for example on Windows NT-era systems.
  • Follow Referrals: Allows the directory to follow referral links to other servers within the domain.
  • Enforce Rules on Reset: Applies the Password Policy to password reset actions that would otherwise bypass it because they are performed with administrative rights.
  • Global Catalog Servers: If you wish to add any Global Catalog servers from your domain to the configuration, add them to this table.

If any of these settings are changed hit 'Save' to save changes and then 'Synchronize' to reconcile the changes.

 

Filters Configuration

If you are using an Active Directory forest, these settings tell Nervepoint Access Manager which parts of it to cover so that reconciliation can work successfully.

 

  • Include / Exclude DN Filters: Here you can specify the OUs you wish to reconcile against, narrowing down what Nervepoint Access Manager manages. Filters are given relative to the BaseDN; for example, to add an OU using the above configuration you would enter OU=Example. OUs can be excluded in the same way. You do not need to add the baseDN values if your baseDN is set at the root level.
  • Group filter mode: Specifies the group naming method used for the Group filters.
  • Include / Exclude Users with Groups: Similar to the DN Filters, these allow you to define user access through groups in the domain.
  • Include built-in groups: Disable this to leave built-in AD groups out of reconciliation.
  • Include standard users and groups: Disable this to leave standard users and groups out of reconciliation.
  • Group pre-loading: Enabling this has Access Manager process group memberships at the start of a synchronization rather than on demand during it. This only needs to be enabled if you are using group filters.

If any of these settings are changed hit 'Save' to save changes and then 'Synchronize' to reconcile the changes.
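Before saving a set of DN and group filters it is worth previewing which accounts they would cover. The following is an added example, not code from Nervepoint or from this article; it queries the domain directly with the RSAT ActiveDirectory module rather than through Access Manager, and it assumes the filter semantics described above (include OUs are relative to the BaseDN, an exclude OU removes its whole subtree, group membership is evaluated transitively). The BaseDN, OU names and group name are assumed placeholders.

```powershell
# Added example, not Nervepoint's own code. Names below are assumed placeholders.
Import-Module ActiveDirectory

$BaseDN       = "DC=corp,DC=example"                   # as on the Advanced tab (assumed)
$IncludeOUs   = @("OU=Staff", "OU=Contractors")        # Include DN filters, relative to BaseDN
$ExcludeOUs   = @("OU=ServiceAccounts,OU=Staff")       # Exclude DN filters, relative to BaseDN
$IncludeGroup = "AccessMgr-Users"                      # Include Users with Groups (assumed name)

# Absolute DNs of the excluded subtrees; an entry is out of scope if its DN ends with one.
$excludeDNs = $ExcludeOUs | ForEach-Object { "$_,$BaseDN" }

# Resolve the group once; the LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941)
# makes memberOf match nested membership, which is what a transitive group filter needs.
$groupDN = (Get-ADGroup -Identity $IncludeGroup).DistinguishedName
$ldap    = "(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=$groupDN))"

$inScope = foreach ($ou in $IncludeOUs) {
    Get-ADUser -SearchBase "$ou,$BaseDN" -SearchScope Subtree -LDAPFilter $ldap `
               -Properties sAMAccountName, userPrincipalName |
        Where-Object {
            $dn = $_.DistinguishedName
            # drop anything under an excluded OU (case-insensitive DN suffix match)
            -not ($excludeDNs | Where-Object { $dn.EndsWith($_, [StringComparison]::OrdinalIgnoreCase) })
        }
}

# Show both logon name forms, since the "pre-Windows 2000 user logon name" setting
# decides which one Access Manager will use.
$inScope | Select-Object sAMAccountName, UserPrincipalName, DistinguishedName | Format-Table -AutoSize
"{0} accounts would be reconciled with these filters" -f @($inScope).Count
```

If the count is far larger or smaller than expected, check the BaseDN and whether the exclude filters are spelt relative to the BaseDN exactly as the OUs are named in the domain; a mistyped OU in an exclude filter silently matches nothing.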

 

Synchronization Configuration

The final tab on the Windows Active Directory datastore configures synchronization details.

 

  • Synchronization Interval: By default this is set to 15 minutes, which is sufficient in most cases. To increase or decrease the automatic reconciliation period, adjust this value; it is given in minutes.