SecureTransport 5.4 Administrator Guide

ICAP settings

The Internet Content Adaptation Protocol (ICAP) settings allow the administrator to configure ICAP engines to be used as part of the SecureTransport file transfer processes, so that data loss prevention (DLP) is enforced and anti-virus (AV) scans are completed. SecureTransport allows the administrator to use the ICAP connector to set up a SecureTransport server to scan files and AdHoc messages with an external DLP engine when delivering them to the recipient folder or mailbox. The ICAP server scan is executed when a file is about to be delivered, that is, before it is delivered.

Prior to configuring ICAP scanning, verify that ICAPScan is enabled. For information on enabling ICAPScan, refer to Enable a rules package.

Note: The SecureTransport administrator can edit the entire DLP/AV ICAP URL in the following format: icap://dlpav-address:port/servicename. Both the Symantec anti-virus services AVSCAN and AVSCANREQ are supported, though AVSCANREQ is preferred.

Note: SecureTransport will scan received AdHoc messages and attachments when recipients open a message or download an attachment.
- An AdHoc message identified as blocked by the DLP policy will be displayed, but its content will be replaced by a notification stating that you are not allowed to view this message because it was blocked by the DLP policy. Subjects of messages remain unchanged.
- Message attachments identified as blocked by the DLP policy will be downloaded successfully, but their content will be replaced by a notification stating that you are not allowed to view the file because it is blocked by the DLP policy. This applies to all file types, whether or not they are text files. File extensions will not be changed.
The ICAP servers provide:
- Multiple ICAP servers
- Incoming and outgoing ICAP scanning for all file and message transfers
- Scanning policy support
- ICAP header reporting: X-Authenticated-User, X-Client-IP, X-Server-IP
  Note: The X-Server-IP header reports the SecureTransport local IP address with each scanning request. If multiple network interfaces are available on the machine, the reported IP may not match the actual one.
- Custom HTTP header reporting
- Certain variables are now exposed to Advanced Routing

Setup of ICAP servers

Multiple ICAP servers can be configured; there is no limit on the number of servers. Scanning will be performed only by ICAP servers that are enabled. There is no prioritization: all enabled servers are used for scanning files and messages. If a server along the chain returns a negative scan result, the remaining servers are not consulted and the transfer is denied.

Navigate to Setup > ICAP Settings. The ICAP Servers List page presents a list of ICAP servers with basic management controls plus the option to create (add) a new server. Click Add new ICAP server to open the ICAP Server Settings page, which contains multiple sets of options.

Basic ICAP settings

- Enter the ICAP server name. It must be unique; there cannot be two ICAP servers with the same name.
- Enter the ICAP server type. It can be INCOMING, OUTGOING or BOTH.
  - INCOMING: scanning will be performed by this ICAP server for all incoming transfers: file upload, AdHoc message creation, server-initiated pull (for example from a Transfer Site).
  - OUTGOING: scanning will be performed by this ICAP server for all outgoing transfers: file download, reading of an AdHoc message, server-initiated push (for example in the Advanced Router step Send to Partner or Publish to Account).
  - BOTH: scanning will be performed by this ICAP server for all types of transfers.
- Enter the ICAP URL.
  Enter the DLP/AV ICAP URL in the following format:
  icap://dlpav-address:port/servicename
  The servicename can be the same as the mode of operation (REQMOD or RESPMOD) or something custom and vendor-specific. For the exact servicename, refer to the Data Loss Prevention (DLP) or Anti-virus (AV) documentation. If the default ICAP port (1344) is used, leave the port blank; it will be auto-populated.
  Examples:
  icap://dlpav-address:1344/AVSCAN
  icap://dlpav-address:1344/REQMOD
  icap://dlpav-address:1344/RESPMOD
- Use Secure ICAP connection for a secure connection to the ICAP server.
- Select Verify certificate to use certificate verification to secure the connection to the ICAP server.
- Select Enable FIPS Transfer Mode so that transfers to the ICAP server comply with the Federal Information Processing Standard (FIPS).
  Note: Verify certificate and Enable FIPS Transfer Mode can be selected together or individually, depending on the level of security needed for the ICAP server connection.
- Enter Max file size (MB). The default maximum file size is 10 MB. If the actual file size is larger than the maximum file size, SecureTransport will send only up to the configured maximum file size to the ICAP server.
- Enter Preview Size (KB). The default preview size is 10 KB. If the ICAP server requires more data, SecureTransport will send it, up to the configured maximum file size.
- Select Deny file transfer on connection error. If this option is selected, file transfers will be denied on a connection error to the ICAP server.
- Select Enable e-mail notifications on ICAP error. If this option is selected, notification emails will be sent when there is a connection failure to the ICAP server.
- Select Enable e-mail notifications on ICAP denied. If this option is selected, notification emails will be sent when a transfer is denied by the ICAP server.
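The URL and size rules above, as an added example that is not SecureTransport code: it parses a configured icap:// URL (auto-populating port 1344 when it is blank and rejecting other schemes) and frames an RFC 3507 RESPMOD request in which the Preview header carries the configured Preview Size and the payload is capped at Max file size. The encapsulated HTTP headers, host names and sample content are constructed placeholders.

```python
# Added example (not SecureTransport code): parse a configured icap:// URL and
# frame an ICAP RESPMOD scan request, RFC 3507 style, honouring the Preview
# Size and Max file size limits described above.  Hostnames, paths and the
# encapsulated HTTP headers are constructed placeholders.
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit

DEFAULT_ICAP_PORT = 1344  # auto-populated when the port is left blank


@dataclass(frozen=True)
class IcapUrl:
    host: str
    port: int
    service: str  # REQMOD, RESPMOD or a vendor-specific name such as AVSCAN

    def __str__(self) -> str:
        return f"icap://{self.host}:{self.port}/{self.service}"


def parse_icap_url(url: str) -> IcapUrl:
    """Accept icap://host[:port]/servicename; reject other schemes."""
    parts = urlsplit(url)
    if parts.scheme != "icap":
        raise ValueError(f"not an icap:// URL: {url!r}")
    if not parts.hostname:
        raise ValueError(f"missing host in {url!r}")
    service = parts.path.strip("/")
    if not service:
        raise ValueError(f"missing servicename in {url!r}")
    return IcapUrl(parts.hostname, parts.port or DEFAULT_ICAP_PORT, service)


def build_respmod_request(url: IcapUrl, body: bytes, *, preview_kb: int = 10,
                          max_file_mb: int = 10,
                          headers: Optional[Dict[str, str]] = None) -> bytes:
    """Encapsulate `body` (the file being delivered) in a RESPMOD request.

    Only the first max_file_mb MB are sent, as the page says happens for
    larger files, and the Preview header tells the ICAP server how many
    bytes it gets before it must decide whether it wants the rest.
    """
    payload = body[: max_file_mb * 1024 * 1024]
    preview = min(preview_kb * 1024, len(payload))
    # Encapsulated HTTP request/response headers (constructed placeholders).
    req_hdr = f"GET /scan-target HTTP/1.1\r\nHost: {url.host}\r\n\r\n".encode()
    res_hdr = f"HTTP/1.1 200 OK\r\nContent-Length: {len(payload)}\r\n\r\n".encode()
    icap_lines = [
        f"RESPMOD {url} ICAP/1.0",
        f"Host: {url.host}",
        f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
        f"res-body={len(req_hdr) + len(res_hdr)}",
        f"Preview: {preview}",
    ]
    icap_lines += [f"{name}: {value}" for name, value in (headers or {}).items()]
    head = ("\r\n".join(icap_lines) + "\r\n\r\n").encode()
    # The preview is sent as one HTTP chunk. "0; ieof" tells the server the
    # whole body fit in the preview, so there is nothing more to fetch.
    chunk = payload[:preview]
    terminator = b"0; ieof\r\n\r\n" if preview == len(payload) else b"0\r\n\r\n"
    body_part = (f"{len(chunk):x}\r\n".encode() + chunk + b"\r\n") if chunk else b""
    return head + req_hdr + res_hdr + body_part + terminator


def remaining_after_preview(body: bytes, *, preview_kb: int = 10,
                            max_file_mb: int = 10) -> bytes:
    """What is sent if the server answers the preview with "100 Continue":
    the rest of the size-capped payload, never more than Max file size."""
    payload = body[: max_file_mb * 1024 * 1024]
    return payload[min(preview_kb * 1024, len(payload)):]


if __name__ == "__main__":
    target = parse_icap_url("icap://dlpav-address/RESPMOD")
    print(target)  # icap://dlpav-address:1344/RESPMOD
    sample = b"constructed sample content " * 100  # constructed, not a real file
    print(build_respmod_request(target, sample, preview_kb=1)[:200].decode())
```

The preview mechanism is why the Preview Size setting matters for throughput: a server that can decide on the first few kilobytes answers 204 without the gateway ever sending the rest, while a server that needs more asks for it, and even then only receives up to Max file size, so content beyond that cap is never inspected.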
ICAP scan filtering settings

- Select Scan Policy Expression if you want to perform scanning only under specific circumstances. When you select the Scan Policy Expression checkbox, the text box field allows you to use the SecureTransport Expression Language. If both filtering settings are disabled, scanning will always be performed.
  Sample usage (do not scan if the transfer is taking place over the SSH protocol): ${session.protocol ne 'ssh'}
  Refer to the ICAP scan policy expression language subtopic for the complete list of available expressions.
- Select Perform scanning only if there is a partner recipient. This field enables or disables ICAP scanning for AdHoc messages when at least one of the recipients is external. The user type (internal or external) is controlled by the account setting Account Type. Possible values are Internal (internal accounts) and Partner (external accounts). If the type of a recipient cannot be identified or is set to Unspecified, the account is considered external. If both filtering settings are enabled, this particular setting is the one applied to AdHoc messages.
- Select Scan Without BU to choose whether or not to enable ICAP scanning for accounts with no Business Unit assigned.
- Ignored File Types: enter a list of file extensions, separated by commas. Files with these extensions will not be scanned.

Custom ICAP header settings

This allows you to specify any additional custom headers that must be passed to the ICAP server when making requests, along with their values. The Header value fields can hold either a static value or an ST expression-based one.
Expressions allow you to set a value dynamically, based on a specific context, by using the SecureTransport session or environment variables. By default, there are no custom headers configured, but you can add any number of headers by selecting Add custom headers mapping. If a header value is not present or cannot be resolved, the header will be added with an empty or null value when the request is sent.

Example:
Header Name: X-Account-Name
Header Value: ${account.name}
If a user named user1 has logged in and the ICAP scan is performed, the Header:Value pair will be evaluated to X-Account-Name = user1 and reported to the ICAP server(s).

Advanced connection settings

By selecting Show advanced connection settings you can see the additional server configuration options for the connection.
- Connection timeout. This is the maximum connection timeout in seconds that the server will wait until it stops trying to reconnect.
- Read timeout. This is the maximum read timeout in seconds.
- Enabled Ciphers. This is the list of cipher suites to be used for an SSL/TLS connection. The ciphers must be comma-separated. The default ciphers are:
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_EMPTY_RENEGOTIATION_INFO_SCSV
- Enabled Protocols. This is the list of SSL/TLS protocols to be enabled. The protocols must be comma-separated. The default value is TLSv1.2.

Advanced ICAP settings

By selecting Show advanced ICAP settings you can see the additional server configuration options.
- Select Enable WindowsNt format.
  With this setting you can choose whether or not to report X-Authenticated-User in WinNT format in the case of LDAP authentication.

  X-Authenticated-User
  X-Authenticated-User is reported with each LDAP request. The header is reported differently depending on the user type. The supported X-Authenticated-User formats are:
  - User with a local account and a locally stored password: Local://<account name>
  - Real OS user: Local://<login name>
  - Non-LDAP user mapped to a template (SiteMinder or SSO): Local://<login name>
  - LDAP user options:
    - If WinNT format is not enabled for the server: LDAP://<LDAP domain name>/<user DN>*
    - If WinNT format is enabled for the server: WinNT://<LDAP domain name>/<login name>
  Note: For more information about the user DN format (*), see User DN format.
- Select Stop transfers modify or not handled to choose whether or not to stop the transfer if the ICAP server returns a MODIFY result or an unhandled status.
- Select Treat modify as Block to choose whether or not to treat the ICAP MODIFIED action as a block.

To enable or disable an ICAP server, mark the preferred ICAP server and select the Enable or Disable button. To delete an ICAP server, mark the preferred ICAP server and select the Delete button. To edit an ICAP server, click on the record in the list of ICAP servers displayed on the page.
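The ICAP scan filtering settings above (server type, Ignored File Types, Scan Without BU, Perform scanning only if there is a partner recipient, and the Scan Policy Expression) as an added example that is not SecureTransport code. The scan_policy callable stands in for a SecureTransport Expression Language expression, which this example does not implement; the page's sample expression is shown as the not_over_ssh predicate. Account and transfer fields, the transfer kind names and case-insensitive extension matching are assumptions of the example.

```python
# Added example (not SecureTransport code): apply the ICAP scan filtering
# settings described above to decide whether a transfer is sent to a given
# ICAP server.  The ScanPolicy callable stands in for a SecureTransport
# Expression Language expression, which is not implemented here; account and
# transfer fields are constructed for the example.
from dataclasses import dataclass, field
from typing import Callable, List, Optional

INCOMING_KINDS = {"upload", "adhoc_create", "server_pull"}
OUTGOING_KINDS = {"download", "adhoc_read", "server_push"}
ADHOC_KINDS = {"adhoc_create", "adhoc_read"}


@dataclass
class Account:
    name: str
    account_type: str = "Unspecified"      # Internal, Partner or Unspecified
    business_unit: Optional[str] = None

    def is_external(self) -> bool:
        # Partner accounts are external; an unidentifiable or Unspecified
        # type is also treated as external, as the page states.
        return self.account_type != "Internal"


@dataclass
class Transfer:
    kind: str                              # see INCOMING_KINDS / OUTGOING_KINDS
    filename: str
    protocol: str                          # e.g. "ssh", "https", "ftp"
    account: Account                       # the account performing the transfer
    recipients: List[Account] = field(default_factory=list)  # AdHoc only


ScanPolicy = Callable[[Transfer], bool]


@dataclass
class IcapServerConfig:
    name: str
    enabled: bool = True
    server_type: str = "BOTH"              # INCOMING, OUTGOING or BOTH
    ignored_file_types: List[str] = field(default_factory=list)
    scan_without_bu: bool = True
    scan_only_if_partner_recipient: bool = False
    scan_policy: Optional[ScanPolicy] = None   # None: no expression configured


def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def should_scan(transfer: Transfer, server: IcapServerConfig) -> bool:
    """True when this server must scan this transfer."""
    if not server.enabled:
        return False
    if server.server_type == "INCOMING" and transfer.kind not in INCOMING_KINDS:
        return False
    if server.server_type == "OUTGOING" and transfer.kind not in OUTGOING_KINDS:
        return False
    # Ignored File Types: comma-separated extensions, compared case-insensitively
    # (case handling is an assumption of this example).
    ignored = {e.strip().lstrip(".").lower() for e in server.ignored_file_types}
    if _extension(transfer.filename) in ignored:
        return False
    if transfer.account.business_unit is None and not server.scan_without_bu:
        return False
    # For AdHoc messages the partner-recipient setting is the one applied when
    # both filters are enabled; the expression is consulted otherwise.
    if transfer.kind in ADHOC_KINDS and server.scan_only_if_partner_recipient:
        return any(r.is_external() for r in transfer.recipients)
    if server.scan_policy is not None:
        return server.scan_policy(transfer)
    return True   # neither filter set: scanning is always performed


# The page's sample expression ${session.protocol ne 'ssh'} as a predicate.
def not_over_ssh(transfer: Transfer) -> bool:
    return transfer.protocol != "ssh"
```

The order of the checks is the part worth reviewing when a transfer unexpectedly bypasses scanning: a disabled server, a direction mismatch, an ignored extension, or a missing Business Unit with Scan Without BU cleared each short-circuit before any policy expression is evaluated, and an Unspecified recipient type counts as external rather than falling through as internal.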
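The header reporting and result handling described in the custom header, Advanced ICAP settings and Setup of ICAP servers sections above, as one added example that is not SecureTransport code: it builds X-Authenticated-User in the formats listed (Local://, LDAP:// and, with WindowsNt format enabled, WinNT://), resolves a custom header such as X-Account-Name = ${account.name} with an unresolvable reference becoming empty, classifies the ICAP status line, and applies Deny file transfer on connection error, Stop transfers modify or not handled and Treat modify as Block across a chain of servers in which the first negative verdict denies the transfer. The ${...} resolver is a simplified stand-in for the SecureTransport Expression Language; the mapping of status 204 to allow and 200 to modify, and the users, addresses and status lines used, are assumptions and constructed values.

```python
# Added example (not SecureTransport code): build the headers reported to an
# ICAP server (X-Authenticated-User in the formats listed above, X-Client-IP,
# X-Server-IP and custom headers such as X-Account-Name = ${account.name}),
# classify the server's status line, and apply the Deny on connection error,
# Stop transfers modify or not handled and Treat modify as Block options
# across a chain of servers.  The ${...} resolver is a simplified stand-in for
# the SecureTransport Expression Language; users, IPs and status lines are
# constructed.
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class User:
    login: str
    source: str              # "local", "os", "template" or "ldap"
    ldap_domain: str = ""    # LDAP users only
    user_dn: str = ""        # LDAP users only; see "User DN format"


def x_authenticated_user(user: User, winnt_format: bool) -> str:
    """X-Authenticated-User value for each user type listed above."""
    if user.source in ("local", "os", "template"):
        return f"Local://{user.login}"
    if user.source == "ldap":
        if winnt_format:                       # Enable WindowsNt format
            return f"WinNT://{user.ldap_domain}/{user.login}"
        return f"LDAP://{user.ldap_domain}/{user.user_dn}"
    raise ValueError(f"unknown user source {user.source!r}")


_REF = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")


def resolve_header_value(template: str, context: Dict[str, str]) -> str:
    """Expand ${name} references from the session context; a reference that
    cannot be resolved becomes empty, as the page says. Static values pass
    through unchanged."""
    return _REF.sub(lambda m: context.get(m.group(1), ""), template)


def request_headers(user: User, winnt_format: bool, client_ip: str, server_ip: str,
                    custom: Dict[str, str], context: Dict[str, str]) -> Dict[str, str]:
    headers = {
        "X-Authenticated-User": x_authenticated_user(user, winnt_format),
        "X-Client-IP": client_ip,
        "X-Server-IP": server_ip,   # the local address the gateway picked
    }
    for name, template in custom.items():
        headers[name] = resolve_header_value(template, context)
    return headers


def classify_response(status_line: bytes) -> str:
    """Map an ICAP status line to ALLOW (204), MODIFY (200) or NOT_HANDLED."""
    m = re.match(rb"ICAP/1\.0 (\d{3})\b", status_line)
    if not m:
        return "NOT_HANDLED"
    return {204: "ALLOW", 200: "MODIFY"}.get(int(m.group(1)), "NOT_HANDLED")


@dataclass
class ResultOptions:
    deny_on_connection_error: bool = True
    stop_modify_or_not_handled: bool = True
    treat_modify_as_block: bool = True


def decide(result: Optional[str], opts: ResultOptions) -> bool:
    """True lets the transfer proceed; result None means connection error."""
    if result is None:
        return not opts.deny_on_connection_error
    if result == "ALLOW":
        return True
    if result == "MODIFY":
        return not (opts.treat_modify_as_block or opts.stop_modify_or_not_handled)
    return not opts.stop_modify_or_not_handled      # NOT_HANDLED


Scanner = Callable[[], Optional[bytes]]   # returns status line, None on connection error


def scan_through_chain(servers: List[Scanner], opts: ResultOptions) -> Tuple[bool, int]:
    """Consult every enabled server in turn (no prioritisation); the first
    negative verdict denies the transfer and later servers are not asked.
    Returns (allowed, number of servers consulted)."""
    for consulted, ask in enumerate(servers, start=1):
        status = ask()
        result = None if status is None else classify_response(status)
        if not decide(result, opts):
            return False, consulted
    return True, len(servers)
```

With all three options at their strict values a transfer survives only when every server answers 204; clearing Deny file transfer on connection error turns an unreachable DLP engine into a silent pass, so the e-mail notification on ICAP error is the control that makes that failure visible.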
ICAP legacy system import and upgrade

Mapping between old ICAP options and the new ICAP server during legacy system import and upgrade from 5.3.6 GA to 5.4:

ICAP Server                            | Old Configuration option
-------------------------------------- | --------------------------------------------------------------------
icapServer.connectionTimeout           | icap.First/SecondServer.ConnectTimeout
icapServer.enabledCiphers              | icap.First/SecondServer.EnabledCipherSuites
icapServer.enabledProtocols            | icap.First/SecondServer.EnabledProtocols
icapServer.fipsEnabled                 | icap.First/SecondServer.enableFipsMode
icapServer.scanWithoutBu               | icap.First/SecondServer.enableScanForAccountsWithoutBusinessUnit
icapServer.useSecure                   | icap.First/SecondServer.enableSecureConnection
icapServer.ignoredFileTypes            | icap.First/SecondServer.IgnoredFileTypes
icapServer.mailAddressesOnIcapError    | icap.First/SecondServer.mailtoAddressesForMailsIfIcapErrors
icapServer.mailAddressesOnIcapDenied   | icap.First/SecondServer.mailtoAddressesForMailsIfTransferDeniedByIcap
icapServer.maxSize                     | icap.First/SecondServer.MsgMaxSize
icapServer.previewSize                 | icap.First/SecondServer.PreviewSize
icapServer.readTimeout                 | icap.First/SecondServer.ReadTimeout
icapServer.enabled                     | icap.First/SecondServer.ScanEnabled
icapServer.sendEmptyPreview            | icap.First/SecondServer.sendEmptyPreview
icapServer.notifyOnIcapErrors          | icap.First/SecondServer.sendMailsIfIcapErrors
icapServer.notifyOnIcapDenied          | icap.First/SecondServer.sendMailsIfTransferDeniedByIcap
icapServer.denyOnConnectionError       | icap.First/SecondServer.stopTransfersIfIcapErrors
icapServer.stopModifyOrNotHandled      | icap.First/SecondServer.stopTransfersIfIcapResultModifyOrNotHandled
icapServer.treatModifyAsBlock          | icap.First/SecondServer.treatModifyAsBlock
icapServer.url                         | icap.First/SecondServer.Url
icapServer.certVerify                  | icap.First/SecondServer.verifyCertificate
icapServer.id                          | runtime generated value
icapServer.enableWinNtFormat           | false (0)
icapServer.headersMapping              | NULL
icapServer.name                        | Name mapping (for example icap.FirstServer.Url -> FirstServer)
icapServer.scanOnlyIfPartnerRecipient  | false (0)
icapServer.scanPolicyExpression        | NULL
icapServer.type                        | INCOMING
icapServer.customAttributesId          | NULL

On legacy system import:
- If the value of configuration option FirstServer.Url is not empty, a new ICAP server entity with name FirstServer will be created; if an ICAP server with the same name already exists, the legacy system import will fail.
- If the value of configuration option SecondServer.Url is not empty, a new ICAP server entity with name SecondServer will be created; if an ICAP server with the same name already exists, the legacy system import will fail.

On upgrade from 5.3.6 GA:
- If the value of configuration option icap.FirstServer.Url is not empty, a new ICAP server entity with name FirstServer will be created.
- If the value of configuration option icap.SecondServer.Url is not empty, a new ICAP server entity with name SecondServer will be created.

User DN format

The user DN is reported when authenticating over LDAP. There are 2 supported formats for the user DN. If no additional configuration is performed, the user DN contains the exact attribute containing the user login name, for example: LDAP://elf/CN=test

The user DN can be configured to contain the full DN of the logged-in user or the value of any existing LDAP attribute. The configuration steps are:
- Navigate to the desired LDAP domain.
- Go to the Attributes List section.
- Add a new attribute with an ST Attribute Name that equals DN. The value of the LDAP Attribute Name can be any LDAP attribute. To display the complete DN of the logged-in user, type in the attribute that contains the complete DN of the logged-in user (for example distinguishedName).
- Click Map to Schema and save.
Example: LDAP://userDirectory/CN=exampleuser,CN=Users,DC=example,DC=com