Enabling LDAP Authentication with GroupWise 6
Novell Cool Solutions: Tip
Posted: 2 Aug 2002
Configuring the GroupWise Post Office for LDAP using SSL:
1. In ConsoleOne, right-click the Post Office object > click Properties.
2. Click GroupWise > Security to display the Security page.
3. For Security Level, select High.
4. In the High Security Options box, select LDAP Authentication.
5. If the LDAP server requires an SSL connection, select Use SSL > browse to and select the SSL key file generated by the LDAP server (see Generating the SSL Key File below).
6. Provide the LDAP server address information.
   - Specify the IP address or DNS host name of the LDAP server.
   - If you selected Use SSL in Step 5 above, the LDAP Port field defaults to 636 (the standard port for SSL). If you do not select Use SSL, the LDAP Port field defaults to 389 (the standard port for LDAP).
   - If the default port number is already in use for something else on the LDAP server, provide a unique port number.
7. Providing an LDAP Username and Password is not required but is strongly suggested. If used, it will increase performance when the LDAP server is located on a different server than the POA.
8. Click OK to save the LDAP server information.
NOTE 1: When an LDAP username and password are used, an NDS user with an expired password will be able to use LDAP to authenticate. The LDAP user stays bound and only does a compare of the password attribute. If the user isn't cached, then it does a full LDAP bind and will see an expired password. This has been reported to LDAP Development.
NOTE 2: To use the LDAP Username, you need eDirectory 8.5 or higher. If you are using the bind per user (the LDAP user name and password are blank on the PO LDAP configuration) and you are using GroupWise 6.0 SP1, then it should work with any version 3 LDAP server, which includes NDS 8.
Generating the SSL Key File (trusted root certificate):
- In ConsoleOne, right-click the LDAP Server object.
- Click the SSL Configuration tab.
- Enter the SSL port number for the LDAP services on an eDirectory server. Make sure Disable SSL Port is NOT checked and that the port matches the one used in the Post Office Security - LDAP Server Address.
- Make note of the SSL Certificate name (e.g., SSL Certificate DNS). Close the LDAP Server properties.
- Go to the Properties of the NDS SSL Certificate (the name you noted above, e.g., SSL Certificate DNS).
- Click Certificates > Trusted Root Certificate.
- Click Export and save the file in binary DER format. Choose a location and filename the POA will have access to (e.g., x:\system\GWCert.Der).
- Make note of this path and filename as it will need to be input in the Post Office Properties > Security > SSL Key File as mentioned above.
Note: When the Trusted Root Certificate is Exported, it needs to have an 8.3 filename, or it will not work with GroupWise.
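A pre-flight check for the exported key file, added here as an example (it is not Novell's code): it verifies the two requirements stated above, an 8.3 file name and binary DER contents rather than Base64 (PEM) text. The function names and sample bytes are constructed for illustration, and the 8.3 character set is a conservative assumption.

```python
import re

# Conservative 8.3 pattern (assumption): 1-8 character base name, optional
# 1-3 character extension, no spaces.
_CHARS = r"[A-Za-z0-9_~!#$%&'(){}@^-]"
_EIGHT_DOT_THREE = re.compile(_CHARS + r"{1,8}(\." + _CHARS + r"{1,3})?")

def is_8_3_name(path):
    """True if the last path component fits the 8.3 format."""
    name = re.split(r"[\\/]", path)[-1]
    return _EIGHT_DOT_THREE.fullmatch(name) is not None

def der_sequence_length(data):
    """Total size (header + content) of an outer DER SEQUENCE, or None."""
    if len(data) < 2 or data[0] != 0x30:       # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                           # short-form length
        return 2 + first
    n = first & 0x7F                           # long form: n length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def check_key_file(path, data):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    if not is_8_3_name(path):
        problems.append("file name is not 8.3")
    if data.lstrip().startswith(b"-----BEGIN"):
        problems.append("file is PEM (Base64) text, not binary DER")
    elif der_sequence_length(data) != len(data):
        problems.append("file is not a single DER-encoded SEQUENCE")
    return problems

# Constructed samples: a DER-shaped blob (not a real certificate) and a PEM stub.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for path, blob in [(r"x:\system\GWCert.Der", SAMPLE_DER),
                       (r"x:\system\TrustedRootCert.der", SAMPLE_DER),
                       (r"x:\system\GWCert.Der", SAMPLE_PEM)]:
        print(path, check_key_file(path, blob) or "OK")
```

In practice, read the exported file with open(path, "rb").read() and pass the bytes to check_key_file before entering the path in the Post Office security settings.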
- See Enhancing POA Security with SSL
- TUT222 Securing Your GroupWise System - BrainShare Tutorial
- Common LDAP Errors reported on the POA.