This article details using Directory Synchronization with LDAP enrollment for Encryption Desktop clients with Symantec Encryption Management Server (previously PGP Universal Server).
Directory Synchronization allows you to assign consumers to a specific consumer group based on their membership in a specified LDAP directory, or based on matching directory attributes you specify.
Enabling Directory Synchronization allows you to do multiple things:
Include consumers found in specified directories as internal users or managed devices.
Prevent specified consumers found in the directories from becoming members of any group except the Excluded group.
Include only specified consumers from the directories, allowing them to be added to the server as internal users or managed devices, and excluding consumers that do not match the criteria.
Match certain consumers, based on their attributes in the specified directories, with a consumer policy group you create.
When you enable Directory Synchronization, Symantec Encryption Management Server (SEMS) uses the LDAP directory to help create and enroll internal users.
Note: With Directory Synchronization, users can enroll with the server through either LDAP directory enrollment or email enrollment. If you do not select the Enroll clients using directory authentication option for Directory Synchronization, users enroll via email enrollment.
When using LDAP directory enrollment, clients enroll using directory authentication with an LDAP server such as Active Directory. LDAP enrollment requires certain attributes in the directory to bind the client to SEMS.
When using LDAP enrollment, users are prompted to enter just their domain user name and password to enroll the client.
Note: Make sure that port 443 is open between the client computer and the server. Clients use this port to retrieve policy information and encryption keys from SEMS. Enrollment fails if port 443 is unavailable.
The following articles detail how to configure Directory Synchronization using LDAP directory enrollment: