LDAP Data Sources

eGuide is an LDAP client application. It can target data in eDirectory and other LDAP-compliant data sources. For more information about eDirectory, see the eDirectory documentation.

This section explains how to access and configure LDAP data sources.


Accessing LDAP Data Sources

Part of configuring eGuide involves identifying the LDAP data source and specifying how eGuide accesses that data source.

This section provides only a brief explanation of the following data source access methods. You should be familiar with these methods before you configure eGuide:


Anonymous Bind

An LDAP client can connect to a data source using an Anonymous bind. A bind is the LDAP operation that authenticates a connection; an Anonymous bind presents no name and no password, so you can think of it as a guest account that reads LDAP data without identifying itself. LDAP servers typically provide only limited access over an Anonymous connection: you can see only some of the objects, and only some of the attributes within those objects.

eGuide primarily uses LDAP for search operations. A search requires Read rights to the attribute being searched. For example, finding all users with the surname Jones requires that the LDAP connection has Read rights to the surname attribute (sn). The Browse rights granted to the default [Public] object are insufficient for LDAP search operations.

By default, Anonymous has the same rights to objects in the directory as [Public]. When you create a tree, [Public] is automatically granted Browse rights to the root of that tree. These default rights allow Anonymous LDAP connections to navigate through the tree, seeing the list of objects and their names. However, Anonymous LDAP connections are not able to view any of the attributes of those objects.

You can use iManager to specify [Public] as trustee to sections of the tree with specific rights for objects and attributes of those objects. For more information, see the iManager documentation.

You can also specify an LDAP Proxy user. If you do this, Anonymous Bind uses the rights of the Proxy object instead of the rights granted to [Public]. Use iManager to create an LDAP Proxy user, and make that object a trustee for a portion of the tree with specific rights for objects and attributes of those objects. Edit the LDAP Group object to specify the DN of the LDAP Proxy object. The LDAP Proxy object must have a null password, because an Anonymous bind carries no password. Keep in mind that whatever rights you grant the LDAP Proxy user become available to anyone who can open an Anonymous connection to the LDAP server, so grant it only the Read rights that eGuide actually needs.

With eDirectory, Anonymous users have the rights assigned to either the pseudo object named [Public] or the rights of an LDAP Proxy user object. If you are using eDirectory as the LDAP data source, selecting Using Anonymous during the configuration permits eGuide to search the tree using the rights assigned to [Public] or the LDAP Proxy user.


eGuide Proxy User

Another method for accessing an LDAP data source is to create an eGuide Proxy user and make it a trustee for a portion of the tree with specific rights for objects and attributes of those objects. The eGuide Proxy user serves the same function as the LDAP Proxy user except that an LDAP Proxy applies to all LDAP anonymous binds, and the eGuide Proxy user is unique to the eGuide application.

When you configure eGuide, you must specify whether it should bind to the LDAP directory as Anonymous or use an eGuide Proxy user. For information about Anonymous, see Anonymous Bind.

If searches through eGuide return nothing, a likely cause is that the account eGuide binds with (Anonymous, the LDAP Proxy user, or the eGuide Proxy user) has insufficient rights to the attributes being searched.


Transport Layer Security

Transport Layer Security (TLS) is a protocol that provides confidentiality and integrity for the traffic between communicating applications and lets the client verify the identity of the server. TLS is the successor of Secure Sockets Layer (SSL), an earlier Internet security protocol. When you configure eGuide to use TLS, you enable the Secure Sockets Layer setting in the Quick Setup Wizard; see Running the eGuide Quick Setup Wizard.

As you configure eGuide, you need to understand how the target LDAP system handles secure connections between the eGuide application and the LDAP Service. If the LDAP service is configured to use a secure connection, eGuide must also use a secure connection. This is done by selecting Enable SSL (Secure Sockets Layer) in the eGuide Quick Setup Wizard.

eDirectory 8.7 uses Transport Layer Security (TLS) to provide a secure LDAP connection.

The LDAP Service for eDirectory has two options that apply to TLS:


Option 1: TLS for Simple Binds with Password

By default, eDirectory 8.7 requires TLS for simple binds with password. You can change this setting by editing the LDAP Group object for your LDAP service. We recommend that this setting be left On so that passwords used to bind to the LDAP service are never sent in clear text.


Option 2: Require TLS for All Operations

You can view or modify this option using iManager by editing the LDAP Server object for your LDAP service. When it is On, all LDAP request and reply operations are encrypted. By default, this option is Off.

If TLS option 1 or option 2 is On, and the client application (eGuide in this case) binds to the LDAP service, it must do so using TLS. If the client application attempts to bind without TLS, it receives an error: "Invalid authentication proxy credentials, could not authenticate to the server."

When you configure eGuide using the Quick Setup Wizard, there is a check box labeled Enable SSL. If your LDAP service has either TLS option set, you must also select the Enable SSL check box in the eGuide Quick Setup Wizard.

If you use Anonymous, no password is sent in the LDAP simple bind, so you are not required to select the Enable SSL check box in the Quick Setup Wizard for that directory. If the directory is the login server, however, users' passwords are sent in the simple bind that authenticates them, so you should still enable SSL there.

TLS imposes a significant performance impact. If eGuide and eDirectory are both running on servers in the same secure domain, you might consider disabling TLS to get better performance. Before you do, confirm that no passwords cross that connection (eGuide binds as Anonymous and the directory is not the login server) and that the network path between the two servers is trusted; otherwise keep TLS enabled.
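The messages this section talks about, shown as an added example that is not part of eGuide or its documentation: a small Python script that hand-encodes the Anonymous bind (empty name, empty password), a simple bind with a DN and password, and the equality search eGuide issues for "surname Jones", and then decodes the result code of a BindResponse. The DN cn=admin,o=acmecorp, the password, the search root and the size limit are constructed sample values, and the BindResponse messages are built locally rather than captured from a server. Seeing the simple bind's password as plain octets in the encoded message is the reason TLS option 1 exists; a server that refuses a bind answers with a non-zero resultCode (RFC 4511 defines 13 as confidentialityRequired and 49 as invalidCredentials), which eGuide reports as the bind error quoted above.

```python
"""Added example (not eGuide code): hand-encode the LDAP messages described above.

Anonymous bind, simple bind with password, and the equality search for "surname Jones"
are built with a minimal BER encoder (RFC 4511 / ITU-T X.690).  All DNs, passwords and
search settings below are constructed sample values."""


def ber_len(n: int) -> bytes:
    """Length octets: short form below 128, long form (0x80|count, then big-endian) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(n: int, tag: int = 0x02) -> bytes:
    """Non-negative INTEGER (0x02) or ENUMERATED (0x0A); pad with 0x00 if the top bit is set."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(tag, body)


def octets(s: str) -> bytes:
    return tlv(0x04, s.encode("utf-8"))


def ldap_message(msg_id: int, op: bytes) -> bytes:
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }
    return tlv(0x30, ber_int(msg_id) + op)


def bind_request(msg_id: int, dn: str = "", password: str = "") -> bytes:
    """BindRequest [APPLICATION 0]: version 3, name, simple [0] password.
    Both strings empty is exactly the Anonymous bind.  With a DN and password it is a simple
    bind, and the password travels as plain octets, which is what TLS option 1 protects."""
    simple = tlv(0x80, password.encode("utf-8"))
    return ldap_message(msg_id, tlv(0x60, ber_int(3) + octets(dn) + simple))


SCOPE = {"base": 0, "one": 1, "sub": 2}   # the Search Subcontainers setting, on the wire


def search_request(msg_id: int, base: str, scope: str, attr: str, value: str,
                   size_limit: int, attrs: tuple) -> bytes:
    """SearchRequest [APPLICATION 3] with a single equalityMatch filter (attr=value).
    base, scope and size_limit are the Search Root, Search Subcontainers and Max Search Entries
    settings respectively."""
    eq = tlv(0xA3, octets(attr) + octets(value))    # Filter equalityMatch [3] AttributeValueAssertion
    body = (octets(base)
            + ber_int(SCOPE[scope], 0x0A)            # scope ENUMERATED
            + ber_int(0, 0x0A)                       # derefAliases neverDerefAliases
            + ber_int(size_limit)                    # sizeLimit
            + ber_int(0)                             # timeLimit: none
            + tlv(0x01, b"\x00")                     # typesOnly FALSE: return values, not just names
            + eq
            + tlv(0x30, b"".join(octets(a) for a in attrs)))   # attributes to return
    return ldap_message(msg_id, tlv(0x63, body))


def bind_response(msg_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """BindResponse [APPLICATION 1] as a server would send it.  Constructed here only so the
    decoder below can be exercised offline; it is not a capture from eDirectory."""
    body = ber_int(result_code, 0x0A) + octets("") + octets(diagnostic)
    return ldap_message(msg_id, tlv(0x61, body))


def _read(buf: bytes, pos: int):
    """Read one TLV at pos; returns (tag, value, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        count = n & 0x7F
        n = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + n], pos + n


def bind_result_code(msg: bytes) -> int:
    """resultCode of a BindResponse; 0 is success, anything else means the bind was refused."""
    tag, body, _ = _read(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read(body, 0)                       # skip messageID
    tag, op, _ = _read(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, _ = _read(op, 0)
    return int.from_bytes(code, "big")


if __name__ == "__main__":
    print("anonymous bind :", bind_request(1).hex())
    print("simple bind    :", bind_request(1, "cn=admin,o=acmecorp", "secret").hex())
    print("search sn=Jones:", search_request(2, "o=acmecorp", "sub", "sn", "Jones", 200, ("sn",)).hex())
    print("resultCode     :", bind_result_code(bind_response(1, 0)))
```

Run the script directly to print the hex of each message. The anonymous bind is the familiar 14-byte message 30 0c 02 01 01 60 07 02 01 03 04 00 80 00; in the simple bind the string "secret" is readable in the dump, and in the search request the sizeLimit and scope fields are where the Max Search Entries and Search Subcontainers settings from the LDAP Settings table end up.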


Configuring LDAP Data Sources

eGuide can search information in many LDAP directories. Before you use eGuide, you need to configure at least one LDAP data source in order to access the information you need.

This section contains the following LDAP data source configuration options:


Adding an LDAP Data Source

When you add an LDAP data source, eGuide creates a User category for the new directory. To create the category, eGuide uses the User attribute settings and mappings in the first directory that was added when you ran the eGuide Setup Wizard. We recommend that you make any desired changes to the initial directory's User attribute settings and mappings before you add other directories. For details, see Editing LDAP Attributes.

You can use directory configurations to increase search performance by taking advantage of eGuide's multithreaded search capability. For example, you can break up a single large directory into multiple directory configurations within eGuide, with each pointing to a different search root. If the directory you are splitting up in this way requires user authentication, be sure to designate each directory configuration as part of the authentication group. For details on the Authentication Group feature, see Changing a Directory's Authentication Settings.

To add an LDAP data source configuration to the list of directories eGuide searches:

  1. In the Administration utility, click LDAP Data Sources, then click New.

  2. On the LDAP Settings page, specify at least the directory name, the hostname (DNS name or IP address), and the port number.

    All other settings are optional. For details, see Editing LDAP Settings.

    IMPORTANT:  The directory name can contain only letters, numbers, and the underscore (_) character. This name is used only as an identifier within the Administration utility and cannot be changed after the directory has been added.

  3. Click Save.

    You must provide the mandatory information and click Save before you can access the Attributes or Advanced page.

  4. Click Attributes, then configure the LDAP attributes you want eGuide users to be able to view and search on.

    For details, see Editing LDAP Attributes.

  5. Click Save.

  6. Click LDAP Data Sources, then make desired changes to the Login Server, Authentication Group, and Enabled settings for the directory you just added.

    For details on these settings, see Changing a Directory's Authentication Settings and Enabling/Disabling an LDAP Data Source.

  7. Click Save.


Enabling/Disabling an LDAP Data Source

The Enabled setting determines whether a directory is available for user searches.

  1. In the Administration utility, click LDAP Data Sources.

  2. Select or deselect Enabled for the desired directory.


Removing an LDAP Data Source

  1. In the Administration utility, click LDAP Data Sources.

  2. Click Remove for the desired directory.

    eGuide does not let you remove the directory designated as the login server.


Changing a Directory's Authentication Settings

  1. In the Administration utility, click LDAP Data Sources.

  2. Click Login Server for the directory you want to designate as the login (authentication) server.

    The distinguished names and passwords for all users and user administrators who must authenticate to eGuide must reside in the login server directory. Authentication is required, for example, if users or user administrators want to modify editable attributes. You can also choose to require authentication before users can access eGuide. For details, see Restrictions.

    WARNING:  Changing the login server designation to a different directory could invalidate your Administration Roles settings if the distinguished names of all user administrators and eGuide administrators are not in the newly designated directory.

  3. (Conditional) If you changed the Login Server designation, complete the following steps:

    1. Click LDAP Data Sources > Edit (for the directory newly designated as the login server) > LDAP Settings.

    2. Make the appropriate changes to the Authentication User Name, Authentication Password, and Authentication Search Root settings, then click Save.

      For details, see Editing LDAP Settings.

    3. Select General, select a valid User Authentication Key, then click Save.

    4. Click Administration Roles, then make the needed changes to the administrator role lists with users from the new login server.

  4. Select or deselect Authentication Group for the desired directory.

    When Authentication Group is selected, users' authenticated credentials are used for searches in this directory. A directory must be part of the authentication group if you want users and user administrators to be able to modify editable attributes in that directory.

    IMPORTANT:  Make sure you select Authentication Group for a directory only if intended users' distinguished names and passwords are applicable within both that directory and the login server directory.

    If Authentication Group is deselected, the directory's default proxy credentials are used.

  5. Click Save.
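The contextless login that the login server performs, as an added example that is not part of eGuide: the authentication proxy searches below the Authentication Search Root for the single entry whose user authentication key matches the login name, and the user's own DN and password are then bound. The directory contents, DNs and passwords are a constructed in-memory stand-in (fake_search and fake_bind replace real LDAP calls), and the attribute used as the authentication key (cn) and the search root (o=acmecorp) are assumed. The example adds two checks the flow needs: a login name that matches several entries is refused rather than resolved to the first hit, and an empty password is refused before any bind is attempted, because a simple bind with a DN and an empty password is an unauthenticated (anonymous) bind on servers that allow it (RFC 4513, section 5.1.2) and would report success without ever checking the password.

```python
"""Added example (not eGuide code): the contextless login flow the Login Server settings describe.

An authentication proxy searches below the Authentication Search Root for the entry whose
user authentication key matches the login name, then the user's own DN and password are bound.
The directory, DNs and passwords below are a constructed in-memory stand-in so this runs offline."""

import re
from typing import Callable, Dict, List, Tuple

# Constructed sample directory: DN -> (attributes, password).  Two entries share cn=jdoe on purpose.
DIRECTORY: Dict[str, Tuple[Dict[str, str], str]] = {
    "cn=jdoe,ou=sales,o=acmecorp": ({"cn": "jdoe", "sn": "Doe"}, "Winter2024!"),
    "cn=jdoe,ou=eng,o=acmecorp":   ({"cn": "jdoe", "sn": "Doe"}, "other-pw"),
    "cn=asmith,ou=eng,o=acmecorp": ({"cn": "asmith", "sn": "Smith"}, "s3cret"),
}

_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter(value: str) -> str:
    """RFC 4515 escaping, so a login name cannot change the structure of the filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def fake_search(base: str, filt: str) -> List[str]:
    """Stand-in for a subtree search with one equality filter "(attr=value)".
    A bare '*' behaves like the LDAP presence filter; escaped sequences are matched literally."""
    attr, value = filt[1:-1].split("=", 1)
    literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return [dn for dn, (attrs, _pw) in DIRECTORY.items()
            if dn.endswith(base) and (value == "*" or attrs.get(attr) == literal)]


def fake_bind(dn: str, password: str) -> bool:
    """Stand-in for a simple bind against a permissive server: a known DN with an EMPTY password
    is accepted as an unauthenticated (anonymous) bind, the behaviour RFC 4513 5.1.2 warns about."""
    if dn not in DIRECTORY:
        return False
    return password == "" or DIRECTORY[dn][1] == password


class LoginError(Exception):
    pass


def contextless_login(login_name: str, password: str, *, auth_key: str = "cn",
                      search_root: str = "o=acmecorp",
                      search: Callable[[str, str], List[str]] = fake_search,
                      bind: Callable[[str, str], bool] = fake_bind) -> str:
    """Return the user's DN after a successful login, or raise LoginError."""
    if not password:
        # Never forward an empty password: the bind would succeed as anonymous, not as the user.
        raise LoginError("empty password refused")
    filt = f"({auth_key}={escape_filter(login_name)})"
    matches = search(search_root, filt)          # issued with the authentication proxy's rights
    if len(matches) != 1:
        # Zero hits: unknown user.  Several hits: the key is not unique below the search root,
        # so binding as "the first one" could authenticate the wrong entry.
        raise LoginError(f"{len(matches)} entries match {filt}; exactly one required")
    dn = matches[0]
    if not bind(dn, password):
        raise LoginError("invalid credentials")
    return dn


if __name__ == "__main__":
    print(contextless_login("asmith", "s3cret"))
    for name, pw in (("jdoe", "Winter2024!"), ("*", "x"), ("asmith", "")):
        try:
            contextless_login(name, pw)
        except LoginError as exc:
            print(f"{name!r}: {exc}")
```

The search step is what the Authentication User Name's Read right on the authentication key buys you; without escaping, a login name of "*" would turn the filter into a presence match over the whole search root, and without the uniqueness check the duplicate cn=jdoe entries above would make the outcome depend on which entry the server happens to return first.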


Editing LDAP Data Source Settings and Attributes

Configuring an LDAP data source for use in eGuide includes adjusting various settings, mapping attributes to template key names, deciding which attributes you want to allow users to search on, and deciding which attributes you want to allow users to modify themselves.


Editing LDAP Settings
  1. In the Administration utility, click LDAP Data Sources, click Edit (for the desired directory), then click LDAP Settings.

  2. Make the desired changes as shown in the following table:

    Setting Purpose

    Enabled

    Select to make the directory searchable.

    The Enabled setting also appears on the LDAP Data Sources page.

    Directory Name

    Specified when the directory was added and cannot be changed.

    Host Name

    Specify either the LDAP server's IP address or DNS hostname.

    IMPORTANT:  You can change the hostname to refer to a different LDAP server after initial configuration if the new server has the same schema configuration. If it does not, remove the current directory and add a new one with the new hostname information.

    Port

    Specify the LDAP server's port number.

    Enable SSL

    Select to enable SSL.

    IMPORTANT:  Enabling SSL works only if you have already set up SSL on the LDAP server.

    Secure Port

    If Enable SSL is selected, specify the secure port number.

    Search Root

    Specify the distinguished name of the container you want as the search root (o=acmecorp, for example).

    Search Subcontainers

    Specify which subcontainers within the root container to include in searches. Choose one of the following options:

    • One: Includes the root distinguished name and the entries one level directly below it (the entries at the search root level).
    • Sub: Includes the root distinguished name and all entries at all levels below it.

    Max Search Entries

    Specify the maximum number of search result entries you want returned with each search.

    For greatest search efficiency, use a setting of 100 to 200. Do not set to more than 1000.

    Proxy User Name

    Specify the search proxy distinguished name using LDAP format (for example, cn=admin,o=acmecorp). If you leave this field blank, Novell eGuide uses anonymous credentials or the LDAP server's proxy credentials (if defined) on LDAP queries.

    Proxy Password

    Specify the search proxy password.

    Authentication Group

    Select to include the directory in the authentication group. eGuide uses the user's authenticated credentials to access directories in the authentication group. For those directories not included in the authentication group, eGuide uses default proxy credentials.

    Authentication User Name

    Available only when configuring the directory designated as the login server.

    Specify the distinguished name of the authentication proxy using LDAP format (for example, cn=admin,o=acmecorp). eGuide uses this User object to search for and identify fully distinguished names during a contextless login. If you leave this field blank, eGuide uses anonymous credentials on all contextless login attempts.

    IMPORTANT:  The User object assigned as the authentication proxy must have the Read right to all distinguished names and to the attribute designated in eGuide as the user authentication key on the login server. For details on the user authentication key, see Changing General Customization Settings.

    Authentication Password

    Available only when configuring the directory designated as the login server.

    Specify the authentication user's password.

    Authentication Search Root

    Available only when configuring the directory designated as the login server.

    Specify the distinguished name of the container where the authentication credentials search should begin.

  3. Click Save.


Editing LDAP Attributes

IMPORTANT:  Whenever you make changes to attribute mappings and settings, be sure to check all other eGuide settings where those attributes are referenced, especially in Display Layout.

  1. In the Administration utility, select the search category you want to edit attributes for.

    Unless you have added a search category (see Modifying Search Categories) only the default User category is available.

  2. Click LDAP Data Sources, click Edit (for the desired directory), then click Attributes.

  3. Make the desired changes as shown in the table:

    Setting Purpose

    Enable

    Select to add this attribute to the Details panel displayed when a user clicks a search results entry.

    IMPORTANT:  To avoid XSL/browser rendering errors, do not enable attributes containing binary information. For example, the login script attribute is binary. To see the data source type, click More Options on the attribute, and the information type appears in the attribute title. The only exception to this rule is the Photo attribute, which eGuide treats differently than other binary attributes.

    Template Key

    Provides a means for eGuide to treat similar attributes from different LDAP directories the same even though they have different names in their respective directories. For example, if one LDAP data source uses LastName and another uses SN for the attribute containing users' last names, you could create a template key name, such as LastName, and map both the LastName and SN attributes to that same key name.

    By default, eGuide uses the Novell eDirectory attribute names as the template key names for the User category of the first directory you add when running the eGuide Setup Wizard.

    IMPORTANT:  Do not assign the same template key name to more than one attribute.

    Searchable

    Select to add this attribute to the search filter list, thus allowing users to search on the attribute.

    Editable

    Available only for directories designated as the login server or as part of the authentication group. For details, see Changing a Directory's Authentication Settings.

    Select if you want to allow users and user administrators to edit this attribute. For details on enabling self-administration, see Restrictions. For details on designating user administrators, see Administration Roles.

    IMPORTANT:  Selecting Editable for an attribute in eGuide does not grant users and user administrators the necessary rights within the LDAP data source. You must have already granted those rights at the directory level for this feature to work properly. You must also enable Self Administration if you want users to be able to edit the attribute. For details, see Restrictions.

  4. Click Save (at the bottom of the page).
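Building a search filter from the attribute table, as an added example that is not part of eGuide: each directory maps the template key to its own attribute name (sn in one directory, LastName in another), only attributes marked Searchable are allowed into the filter, and the value the user typed is escaped per RFC 4515 so that an asterisk or a parenthesis is matched literally instead of becoming a wildcard or rewriting the filter. The two directory tables, their names and their mappings are constructed sample settings, not the product's defaults.

```python
"""Added example (not eGuide code): build the per-directory search filter from the attribute table.

Each directory maps template keys to its own attribute names, only attributes marked Searchable
may appear in a filter, and user-typed values are escaped per RFC 4515.  The two directory
tables are constructed sample settings, not the product's defaults."""

from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class AttrSetting:
    ldap_name: str            # attribute name in this directory
    searchable: bool = False  # the Searchable check box


# Constructed: the same template keys map to different attribute names in two directories.
DIRECTORIES: Dict[str, Dict[str, AttrSetting]] = {
    "corp_edir": {
        "LastName": AttrSetting("sn", searchable=True),
        "GivenName": AttrSetting("givenName", searchable=True),
        "LoginScript": AttrSetting("loginScript"),        # binary; neither enabled nor searchable
    },
    "partner_ldap": {
        "LastName": AttrSetting("LastName", searchable=True),
        "GivenName": AttrSetting("GivenName", searchable=True),
    },
}

_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter(value: str) -> str:
    """RFC 4515 escaping: the value is matched literally instead of being parsed as filter syntax."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def unsafe_filter(directory: str, key: str, value: str) -> str:
    """What NOT to do: interpolating the user's text lets '*' become a wildcard that matches
    every entry, and '(' / ')' rewrite the filter."""
    return f"({DIRECTORIES[directory][key].ldap_name}={value})"


def build_filter(directory: str, criteria: Dict[str, str], match_all: bool = True) -> str:
    """Translate {template_key: user_value} into this directory's filter string.
    Keys that are unknown or not Searchable are rejected rather than silently passed through."""
    table = DIRECTORIES[directory]
    parts = []
    for key, value in criteria.items():
        setting = table.get(key)
        if setting is None or not setting.searchable:
            raise ValueError(f"{key!r} is not a searchable attribute of {directory}")
        parts.append(f"({setting.ldap_name}={escape_filter(value)})")
    if not parts:
        raise ValueError("no search criteria")
    if len(parts) == 1:
        return parts[0]
    return f"({'&' if match_all else '|'}{''.join(parts)})"


def filters_for_all(criteria: Dict[str, str]) -> Dict[str, str]:
    """The same user query rendered for every directory eGuide searches (one per search thread)."""
    return {name: build_filter(name, criteria) for name in DIRECTORIES}


if __name__ == "__main__":
    print(unsafe_filter("corp_edir", "LastName", "*"))          # (sn=*)   matches everyone
    print(build_filter("corp_edir", {"LastName": "*"}))        # (sn=\2a) a literal asterisk
    print(filters_for_all({"GivenName": "Ann", "LastName": "Jones"}))
```

Max Search Entries caps how many results a "(sn=*)" query returns, but it does not stop the query from being the wrong one; escaping at the point where the filter is built does. Rejecting keys that are not Searchable is the same check the Searchable column expresses, enforced in code rather than only in the user interface.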


Mapping and Enabling Attributes for Instant Messaging and NetMeeting

If you want users to have the ability to send instant messages and start a NetMeeting directly from the eGuide Details panel, you must map several template key names and enable the associated attributes.

By default, the instant messaging attributes are already mapped and you can select these features in the LDAP attributes screen. Mapping template key names is necessary only if you want to display multiple attributes, change attribute data, or display a different attribute.

To map template key names:

  1. In the Administration utility, click LDAP data sources.

  2. Locate the directory you want to set up instant messaging and NetMeeting for, click Edit, and then click Attributes.

  3. Specify a key name in the Template Key field of any LDAP attribute.

    You can use any LDAP attribute you want; just change the default setting to the key name you want in the Template Key field next to the attribute. For example, specify InstantMessagingID in the Company attribute Template Key field. The key name must be spelled exactly as eGuide expects it. The recognized key names are:

    • yahooinstantmessagingid
    • aolinstantmessaginid
    • gwinstantmessaginid
    • instantmessagingid
  4. Click Enable, click Editable, then click Save.

  5. Return to the Template Key field you changed and click More Options, then click Attribute settings.

  6. Select the name of the feature you want to display, then click Save.


Refreshing the LDAP Schema

eGuide reads the schema of an LDAP data source only when you first add the directory. If you make a change to the schema (such as adding an attribute to a schema class) and want that change reflected in eGuide, you must refresh the schema.

  1. In the Administration Utility, click LDAP Data Sources, click Edit (for the desired directory), then click LDAP Settings.

  2. Click Refresh Schema.

NOTE:  eGuide never changes an LDAP data source's schema. You must make the change and refresh the schema.