Connect to an LDAP directory

  • Create an LDAP account for BlackBerry UEM that is located in the relevant LDAP directory. The account must meet the following requirements:
    • The account has permission to read all users in the directory.
    • The account's password never expires and the user is not required to change the password at next login.
  • If the LDAP connection is SSL encrypted, make sure that you have the server certificate for the LDAP connection and that the LDAP server supports TLS 1.2. If SSL is enabled, the LDAP connection to BlackBerry UEM must use TLS 1.2.
  • Verify the LDAP attribute values that your organization uses (the steps below give examples for typical attribute values). You must specify the LDAP attribute values at step 11 and on.
  1. On the menu bar, click Settings > External integration > Company directory.
  2. Click Add an LDAP connection.
  3. In the Directory connection name field, type a name for the directory connection.
  4. In the LDAP server discovery drop-down list, perform one of the following actions:
    • To automatically discover the LDAP server, click Automatic. In the DNS domain name field, type the domain name for the server that hosts the company directory.
    • To specify a list of LDAP servers, click Select server from list below. In the LDAP server field, type the name of the LDAP server. To add more LDAP servers, click the Add icon.
  5. In the Enable SSL drop-down list, perform one of the following actions:
    • If the LDAP connection is SSL encrypted, click Yes. Beside the LDAP server SSL certificate field, click Browse and select the LDAP server certificate.
    • If the LDAP connection is not SSL encrypted, click No.
  6. In the LDAP Port field, type the TCP port number for communication. The default values are 636 for SSL enabled or 389 for SSL disabled.
  7. In the Authorization required drop-down list, perform one of the following actions:
    • If authorization is required for the connection, click Yes. In the Login field, type the DN of the user that is authorized to log in to LDAP (for example, an=admin,o=Org1). In the Password field, type the password.
    • If authorization is not required for the connection, click No.
  8. In the User Search base field, type the value to use as the base DN for user information searches.
  9. In the LDAP user search filter field, type the LDAP search filter that is required to find user objects in your organization's directory server. For example, for an IBM Domino Directory, type (objectClass=Person). If you want to exclude disabled user accounts from search results, type (&(objectclass=user)(logindisabled=false)).
  10. In the LDAP user search scope drop-down list, perform one of the following actions:
    • To search all objects following the base object, click All levels. This is the default setting.
    • To search objects that are one level directly following the base DN, click One level.
  11. In the Unique identifier field, type the name of the attribute that uniquely identifies each user in your organization's LDAP directory (must be a string that is immutable and globally unique). For example, dominoUNID in IBM Domino LDAP 7 and later.
  12. In the First name field, type the attribute for each user's first name (for example, givenName).
  13. In the Last name field, type the attribute for each user's last name (for example, sn).
  14. In the Login attribute field, type the login attribute to use for authentication (for example, uid).
  15. In the Email address field, type the attribute for each user's email address (for example, mail). If you do not set the value, a default value is used.
  16. In the Display name field, type the attribute for each user's display name (for example, displayName). If you do not set the value, a default value is used.
  17. In the Email profile account name field, type the attribute for each user's email profile account name (for example, mail).
  18. In the User Principal Name field, type the user principal name for SCEP (for example, mail).
  19. To enable directory-linked groups for the directory connection, select the Enable directory-linked groups check box. Specify the following information:
    • In the Group search base field, type the value to use as the base DN for group information searches.
    • In the LDAP group search filter field, type the LDAP search filter that is required to find group objects in your company directory. For example, for IBM Domino Directory, type (objectClass=dominoGroup).
    • In the Group Unique Identifier field, type the attribute for each group's unique identifier. This attribute must be immutable and globally unique (for example, type cn).
    • In the Group Display name field, type the attribute for each group's display name (for example, type cn).
    • In the Group Membership attribute field, type the attribute for each group's membership identifier. This attribute must be immutable and globally unique (for example, type member).
    • In the Test Group Name field, type an existing group name for validating the group attributes specified.
  20. Click Save.
  21. Click Close.
If you want to add a directory synchronization schedule, see Add a synchronization schedule.
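The prerequisites above (TLS 1.2, the exported server certificate, port 636) and the user search filter and login attribute from steps 9 and 14 can be checked from a workstation before you fill in the form. The script below is an added example, not BlackBerry's code; the host name, certificate path and login values in it are placeholders, and the filter composition only assumes that a login lookup ANDs the configured user filter with a match on the login attribute.

```python
import socket
import ssl
from typing import Optional

# RFC 4515 escapes for a value placed inside an LDAP filter assertion.
# Backslash is listed first so already-escaped text is not double-escaped.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so the directory matches it literally, not as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(user_search_filter: str, login_attribute: str, login: str) -> str:
    """AND the user search filter (step 9) with a match on the login attribute
    (step 14). The login value is escaped, so a name that happens to contain
    '(' ')' '*' or '\\' cannot change the shape of the filter."""
    return f"(&{user_search_filter}({login_attribute}={escape_filter_value(login)}))"


def ldaps_context(server_cert_pem: Optional[str] = None) -> ssl.SSLContext:
    """TLS policy matching the page: exactly TLS 1.2, certificate required and
    verified against the LDAP server certificate you exported (step 5).
    With no certificate path the system trust store is used instead."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + host name checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # proves the server can do 1.2
    if server_cert_pem:
        ctx.load_verify_locations(cafile=server_cert_pem)
    return ctx


def probe_ldaps(host: str, port: int = 636, server_cert_pem: Optional[str] = None) -> str:
    """Open a TLS session to the LDAP server and return the negotiated version.
    Raises ssl.SSLError if the certificate is not trusted or the server
    refuses TLS 1.2, which is what the prerequisite list asks you to rule out."""
    ctx = ldaps_context(server_cert_pem)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    # Placeholder host name and certificate file; replace with your own values.
    print(probe_ldaps("ldap.example.internal", 636, "ldap-server-cert.pem"))
    print(user_lookup_filter("(&(objectclass=user)(logindisabled=false))", "uid", "jdoe"))
```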