Implementing LDAP Referrals in eDirectory 8.7
Novell Cool Solutions: Feature
By Ted Haeger
Posted: 19 Feb 2003
This short article quickly discusses a new feature in eDirectory 8.7 that could solve all your worldly woes if you are faced with tying eDirectory to another LDAP server. To get the full "how to", please read the Novell documentation for LDAP referrals. (That's where I stole one of the graphics used below.)
The ongoing push for applications to use LDAP as the basic authentication method for user identities has created the possibility of having multiple directories in and around your organization. However, these various LDAP-accessible directories may not be part of your enterprise, or be anywhere within your realm of control.
A simple example: You run a department that uses eDirectory; a related department uses Sun ONE Directory Server. You need an application to provide authentication for users for both of these two separate directories. How can you provide a single authentication experience for two LDAP authorities?
In university, government, or business-to-business scenarios, this kind of situation is pretty common. So let's look at a cool new LDAP trick available in eDirectory 8.7.
You can tie your eDirectory LDAP server to another LDAP source by implementing LDAP referrals. That means you can authenticate through eDirectory to any other LDAP-enabled directory available. (Even other eDirectory trees.)
Implementing this feature requires you to log in to Novell iManager as a user assigned to the LDAP Management role. Under that role's task list, click the LDAP Overview task > click the View LDAP Servers tab > click the LDAP server on which you want to enable referrals > click the Referrals link among the sub-tab options. This brings you to the LDAP Referrals configuration page for your eDirectory LDAP server. (If you want to configure the external referral globally for several LDAP servers in your eDirectory tree, you can instead configure the Referral page on the LDAP Group object those servers share.)
The configuration interface is shown in the original article's screenshot. As that page makes clear, configuring referrals comes down to three settings: the URL of the other LDAP server, the conditions under which eDirectory hands a request off to it, and which method to use, chaining or referral.
For the record: with chaining, the eDirectory LDAP server contacts the other directory itself, performs the operation there, and returns the result to the client application as though the data were part of the local LDAP system; the client never learns that a second server was involved. With a referral, the eDirectory LDAP server instead answers with a referral result (LDAP result code 10) carrying the other server's LDAP URL, and the client application must open its own connection to that server and repeat the operation there for data that is not in eDirectory. Two practical consequences follow. First, the client must actually support following referrals, and not every application does. Second, following a referral means binding again, so the client sends its credentials to whatever server the referral URL names; use an LDAPS URL for the referred-to server, or at least make sure the client negotiates TLS before it binds. Chaining hides all of that from the client, but then the connection from eDirectory to the remote directory is the one that needs protecting.
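To make the chaining/referral distinction concrete from the client's side, here is an added example (not code from the article or from Novell) that parses the LDAP URLs a referral carries and decides what the client does next. The hostnames, the two sample responses, and the policy of only following ldaps:// referrals to allow-listed hosts are all constructed for this example; the URL format is RFC 4516 and the fallback rules for a missing DN, scope or filter are those of RFC 4511 section 4.5.3.

```python
"""Client-side handling of LDAP referrals versus chaining.

Added example, not code from the article or from Novell. Hostnames,
responses and the follow-only-over-TLS-to-known-hosts policy are
constructed for illustration.
"""
from urllib.parse import unquote, urlsplit

# Constructed referral URLs, of the kind an eDirectory server configured for
# "referral" (rather than "chaining") returns in a SearchResultDone whose
# resultCode is 10 (referral). Hostnames are placeholders.
SAMPLE_REFERRALS = [
    "ldaps://sunone.example.edu/ou=People,dc=other,dc=edu??sub?(uid=jdoe)",
    "ldap://sunone.example.edu:389/ou=People,dc=other,dc=edu",  # plain, no TLS
    "ldap://untrusted.example.net/ou=People,dc=other,dc=edu",  # unknown host
]

# The search the client originally sent to eDirectory (constructed).
ORIGINAL_SEARCH = {"base": "ou=People,dc=other,dc=edu", "scope": "one",
                   "filter": "(uid=jdoe)"}

# Hosts this client is willing to re-bind to (the example's own policy).
ALLOWED_HOSTS = {"sunone.example.edu"}

# Constructed responses to the same search, one per eDirectory referral mode.
CHAINED_RESPONSE = {"resultCode": 0,
                    "entries": ["uid=jdoe,ou=People,dc=other,dc=edu"]}
REFERRAL_RESPONSE = {"resultCode": 10, "referral": SAMPLE_REFERRALS}


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL:
    ldap[s]://host[:port]/dn[?attributes[?scope[?filter[?extensions]]]]
    Absent parts come back as None or [] so the caller can apply defaults."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + url)
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))            # pad missing trailing parts
    attrs, scope, filt, _exts = fields[:4]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "dn": unquote(parts.path[1:]),             # drop the leading "/"
        "attributes": [a for a in unquote(attrs).split(",") if a],
        "scope": unquote(scope) or None,
        "filter": unquote(filt) or None,
    }


def plan_referral_followup(referral_urls, original, allowed_hosts):
    """Return the search the client should re-issue against the referred-to
    server, or None if no referral URL is acceptable.

    Following a referral means opening a new connection and binding again,
    so the client's credentials go to whatever host the URL names. This
    example therefore follows only ldaps:// URLs to allow-listed hosts.
    A missing DN, scope or filter falls back to the original operation
    (RFC 4511 section 4.5.3)."""
    for url in referral_urls:
        target = parse_ldap_url(url)
        if target["scheme"] != "ldaps" or target["host"] not in allowed_hosts:
            continue
        return {
            "host": target["host"],
            "port": target["port"],
            "base": target["dn"] or original["base"],
            "scope": target["scope"] or original["scope"],
            "filter": target["filter"] or original["filter"],
        }
    return None


def resolve_search(response, original, allowed_hosts):
    """Interpret a SearchResultDone from eDirectory.
    Chaining: entries arrive as if local (resultCode 0).
    Referral: resultCode 10 plus URLs; the follow-up is the client's job."""
    code = response["resultCode"]
    if code == 0:
        return ("entries", response["entries"])
    if code == 10:
        plan = plan_referral_followup(response["referral"], original, allowed_hosts)
        return ("follow", plan) if plan else ("refused", response["referral"])
    return ("error", code)


if __name__ == "__main__":
    print(resolve_search(CHAINED_RESPONSE, ORIGINAL_SEARCH, ALLOWED_HOSTS))
    print(resolve_search(REFERRAL_RESPONSE, ORIGINAL_SEARCH, ALLOWED_HOSTS))
    print(resolve_search(REFERRAL_RESPONSE, ORIGINAL_SEARCH, set()))
```

Note the order of the sample URLs: the plain ldap:// URL and the unknown host are both skipped even though they point at the same data, so the client re-issues the search over TLS to the host it trusts or refuses outright. Whether to follow at all is a client setting (OpenLDAP's ldapsearch, for instance, only chases referrals with -C), which is why chaining is the easier choice when you do not control the applications.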
Some final notes:
Using LDAP referrals is not always the best solution. Consolidating your LDAP directories into a single eDirectory tree (or a few) may be the right answer. For that, Novell ships the Import Conversion Export (ICE) utility with eDirectory 8.7; with ICE you can import the entries from an external LDAP server before taking that server permanently offline.
If consolidating directories is not the right option, you may want to synchronize your directories instead of performing referrals. (A good example would be if you have applications, such as ZENworks or iFolder, that require information to be inside eDirectory, but you already have a different directory as your authoritative enterprise directory. For such situations, DirXML can provide the synchronization your organization needs, with the flexibility to define rules for how synchronization occurs.)
You can contact Ted with questions about this article at: thaegerTAKETHISOUT@novell.com
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com