Setting Up LDAP Authentication on a GroupWise System

Novell Cool Solutions: Feature
By Dave Simons

Posted: 10 Jul 2007
 

Introduction

As I wrote in an earlier AppNote (http://www.novell.com/coolsolutions/appnote/18520.html), I think security in e-mail is one of the most important things to consider. You can create a GroupWise password policy with IDM, or you can use LDAP authentication for your GroupWise system. With the LDAP method, GroupWise uses the eDirectory password to authenticate to your GroupWise Post Office.

In this article I explain how to set up LDAP authentication on a GroupWise system.

Authentication Setup

1. Create an LDAP server in the GroupWise configuration.

2. Select the primary domain in ConsoleOne, then go to the menu bar and click Tools > GroupWise System Operations > LDAP Servers.

Figure 1 - LDAP Server list

3. Click Add to create a new LDAP server.

Figure 2 - Adding an LDAP server

4. Enter a name for the LDAP Server. I called mine "LDAP Test". Make sure that you select a correct LDAP Server IP Address.

5. Leave all the other settings as they are and click OK.

You will see this screen:

Figure 3 - LDAP Test server on the list

6. Select the LDAP Test server and click Edit.

7. In the next screen, click Select Post Offices.

Figure 4 - Selecting the Post Office

8. From the available Post Offices, select a PO that needs to use LDAP authentication. I'm using the DOM01.LDAP Post Office.

9. Click Close.

10. Open the GroupWise view and select the Post Office that should use LDAP Authentication.

Figure 5 - Post Office for LDAP Authentication

11. Right-click on the Post Office and select Properties.

12. From the GroupWise Tab, select Security.

You will see this screen:

Figure 6 - LDAP Security properties

13. Make sure you select the LDAP Authentication checkbox.

14. Click the Select Server button.

Figure 7 - Selected LDAP server

15. Make sure the LDAP Test server is selected and has been moved into the Selected Server window.

16. Click Close.

Testing the LDAP Authentication

Now you are ready to test your LDAP authentication. I test it with my GroupWise WebAccess interface.

1. Open your WebAccess login page. I log in with the username and eDirectory password.

Figure 8 - WebAccess login page

You will notice that you can now log in with your eDirectory password. If you try to log in with your GroupWise password, you will get an error.

Also, take a look at your POA Server screen when you are logged in:

Figure 9 - POA Server screen

You will see a line like this:

C/S Login WebAccess  ::GW Id=ldap :: 10.100.20.254 [10.100.1.5]

This tells you that the WebAccess agent is logging in through an LDAP server.

If you see an error in the POA screen, you can change the logging level from normal to verbose or diagnostic.

Reader Comments

  • Very useful. One question though. Can we exclude some users from this and allow them to use a "GroupWise" password?
  • Just what I needed.
  • You mention that security in e-mail is one of the most important things to consider, yet you are not using LDAPS (Exporting the Trusted Root cert, etc... it's in the docs for those who are interested.) If you want some users to use GW authentication and exclude them from the LDAP authentication, set them up as GW External Entities. This way, they will have a GW account, but will not have a corresponding eDirectory (LDAP) account to use for authentication, so they are "stuck" with only GW authentication.
  • This document does a good job if you do not require SSL for your LDAP connections. If you require SSL, you’ll need to export the “SSL CertificateIP” or “SSL CertificateDNS” for each of your LDAP servers and save them with 8.3 naming and in “.der” format. For NetWare you can put them almost anywhere, I put them in the PO directory. For Linux, they need to be at /opt/novell/groupwise/agents/lib/nldap. When creating your LDAP server in step three, add the appropriate information and you shouldn’t have a problem.
  • Thanks. Nice to see it spelt out in a simple article.
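
The reader comments above give two requirements for the certificate file when the LDAP connection uses SSL: 8.3 naming and ".der" format. The following pre-flight check for an exported file is an added example, not part of the original article or of any Novell tool; the function names, the conservative 8.3 character set and the constructed sample bytes are assumptions.

```python
import re
import ssl
import sys
from pathlib import Path

# 8.3 name with a .der extension; the character set is a conservative assumption.
NAME_83 = re.compile(r"^[A-Za-z0-9_~-]{1,8}\.der$", re.IGNORECASE)
# Constructed stand-in (a tiny DER SEQUENCE), not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])


def is_der(data):
    """True if data is exactly one DER SEQUENCE, the outer shape of an X.509 cert."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:  # short-form length
        header, length = 2, data[1]
    else:  # long form: low 7 bits give the number of length bytes
        n = data[1] & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)


def check_cert(name, data):
    """Return a list of problems; an empty list means both checks pass."""
    problems = []
    if not NAME_83.match(name):
        problems.append("file name is not 8.3 with a .der extension")
    if data.lstrip().startswith(b"-----BEGIN"):
        problems.append("file is PEM (base64 text), not DER")
    elif not is_der(data):
        problems.append("file is not a single DER-encoded object")
    return problems


def pem_to_der(data):
    """Convert a PEM certificate export to DER bytes."""
    return ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())


if __name__ == "__main__":
    name, data = "rootcert.der", SAMPLE_DER
    if len(sys.argv) > 1:
        name, data = Path(sys.argv[1]).name, Path(sys.argv[1]).read_bytes()
    issues = check_cert(name, data)
    print("\n".join(issues) if issues else name + ": OK")
    sys.exit(1 if issues else 0)
```

Run it with the path of the exported file as the only argument; a non-zero exit status means the file should be renamed or re-exported before it is copied to the agent's certificate location.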
