1.4 Configuring the Mobility Admin Console

1.4.1 Adjusting the Mobility Admin Console Polling Rate for Groups of Users

During installation of the Mobility Service, you selected the source (LDAP or GroupWise) from which users and groups of users can be added to your Mobility system. For background information, see Selecting the User Source for Your Mobility System in the GroupWise Mobility Service 2.1 Installation Guide.

If you selected LDAP as your user source, groups of users in your Mobility system correspond to LDAP groups. The Admin console polls only the groups in containers that it has been configured to search. For more information, see Searching Multiple LDAP Contexts for Users and Groups.

If you selected GroupWise as your user source, groups of users in your Mobility system correspond to GroupWise groups (distribution lists in older GroupWise systems). The Mobility Admin console locates GroupWise groups based on their group_name.post_office.domain location in your GroupWise system.

When you add a group of users to your Mobility system, the group’s existing members are added to the group as displayed in the Mobility Admin console. Subsequently, the Mobility Admin console polls for updates to group membership. This ensures that the group membership that is displayed in the Mobility Admin console always matches the membership in the LDAP directory or the GroupWise system.

By default, the Mobility Admin console polls the user source for changes in group membership every 1800 seconds (30 minutes).

  1. In the Mobility Admin console, click Service Configuration, then click User Source.

    User Source page
  2. Adjust the poll rate as needed to synchronize the group membership in the Mobility Admin console with current group membership in the LDAP directory or the GroupWise system.

  3. Click Save to save the new setting(s).

  4. Restart the Mobility Service to put the new setting(s) into effect:

    rcgms restart
    

1.4.2 Using the Mobility Admin Console with a Single Sign-On Solution

If you are using a single sign-on solution such as NetIQ Access Manager or KeyShield SSO, the Mobility Admin console does not require authentication when you are already logged in to the single sign-on solution.

  • For Access Manager, no extra configuration is required.

  • For KeyShield SSO, you must provide KeyShield SSO settings on the Single Sign-On page in the Mobility Admin console. For more information, see KeyShieldSSO.

1.4.3 Changing between LDAP and GroupWise as the User Source

Regardless of the user source that you selected during installation (LDAP or GroupWise), you can change to the other user source at any time. For background information, see Selecting the User Source for Your Mobility System in the GroupWise Mobility Service 2.1 Installation Guide.

  1. In the Mobility Admin console, click Service Configuration, then click User Source.

    User Source page
  2. In the Provisioning field, select LDAP or GroupWise as the source from which you want the Mobility Admin console to obtain users and groups of users to add to your Mobility System.

    If you selected GroupWise as the user source when you installed your Mobility system and you now select LDAP, you must provide the configuration information for the LDAP server in order to change from GroupWise to LDAP provisioning in the Mobility Admin console.

    If you have set up your Mobility system so that some users are provisioned from LDAP and others are provisioned from GroupWise, you can mouse over each user on the Users page to display the LDAP context or GroupWise user_name.post_office.domain location.

  3. (Conditional) If you selected LDAP in the Provisioning field, select LDAP or GroupWise in the Authentication field to select the password that is required for mobile devices to log in to your Mobility system.

    If you select LDAP, mobile devices use LDAP passwords as provided by the LDAP server that your Mobility system is configured to access. If you select GroupWise, device authentication is provided through the GroupWise POA. The POA can be configured to provide either GroupWise authentication or LDAP authentication for GroupWise users and devices.

    If you selected GroupWise in the Provisioning field, you cannot select LDAP in the Authentication field because the Device Sync Agent would have no way to contact an LDAP server for password information for the user.

  4. Click Save to save the new setting(s).

  5. Restart the Mobility Service to put the new setting(s) into effect:

    rcgms restart
    

1.4.4 Modifying LDAP Information in Relation to Your Mobility System (Optional)

If you are using LDAP as your user source, you might need to change LDAP information over time.

Setting Up Multiple Mobility Administrator Users

During installation, you establish the initial LDAP user who can access the Mobility Admin console. After installation, you can grant this right to additional users.

  1. In a terminal window on the Mobility server, become root by entering su - and the root password.

  2. Change to the following directory:

    /etc/datasync/configengine
    
  3. Open the configengine.xml file in a text editor.

  4. Locate the following section:

    <admins>
         <dn>cn=user_name,ou=organizational_unit,o=organization</dn> 
    </admins> 
    

    This section identifies the original Mobility administrator user that you established during installation.

  5. Copy the line for the original Mobility user to a new line between the <admins> tags, then modify it as needed to identify an additional Mobility administrator user.

  6. Save the configengine.xml file, then exit the text editor.

  7. Restart the Mobility Service to put the new setting(s) into effect:

    rcgms restart
    

Searching Multiple LDAP Contexts for Users and Groups

During installation, you specify one LDAP container to search in order to get user information and another container to search in order to get group information. After installation, you can add more containers for the Mobility Admin console to search for users and groups when you need to add users and groups to your Mobility system.

IMPORTANT: Subcontainers are also searched, so you do not need to add them separately.

  1. In the Mobility Admin console, click Service Configuration, then click User Source.

    User Source page with LDAP options
  2. To search in an additional container for users, specify the container context in the text entry field under Base User DNs.

  3. To search in an additional container for groups, specify the container context in the text entry field under Base Group DNs.

  4. Click Save to save the new setting(s).

  5. Restart the Mobility Service to put the new setting(s) into effect:

    rcgms restart
    

Enabling and Disabling SSL for the Mobility Service LDAP Connection

During installation, you chose whether to use SSL for the connection between the Mobility Admin console and the LDAP directory. You can change the setting after installation as needed.

  1. In the Mobility Admin console, click Service Configuration, then click User Source.

    User Source page with LDAP options
  2. Select or deselect Secure to enable or disable SSL.

  3. In the Port field, adjust the port number as needed to match the port number used by the LDAP server.

    The default secure SSL port is 636. The default non-secure port is 389.

  4. Click Save to save the new setting(s).

  5. Restart the Mobility Service to put the new setting(s) into effect:

    rcgms restart
    

Changing the LDAP Server for Provisioning and Authentication

During installation, you selected an LDAP server for the Mobility Admin console to communicate with when authenticating to the LDAP directory. You can change the LDAP server after installation as needed.

  1. In the Mobility Admin console, click Service Configuration, then click User Source.

    User Source page with LDAP options
  2. In the IP Address field, specify the IP address or DNS hostname of the LDAP server that you want to use for provisioning or authentication.

  3. (Conditional) If needed for the new LDAP server, adjust the port number and secure SSL setting.

    The default secure SSL port is 636. The default non-secure port is 389.

  4. (Conditional) If needed for the new LDAP server, adjust the LDAP base DNs for users and groups.

  5. (Conditional) If needed for the new LDAP server, adjust the LDAP administrator DN and password.

    If you accidentally change any LDAP server information so that you are prevented from logging in to the Mobility Admin console using the new LDAP information, you can still log in using the root user name and password. For instructions, see Accessing the Mobility Admin Console When the LDAP Server Is Inaccessible.

  6. Click Save to save the new setting(s).

  7. Restart the Mobility Service to put the new setting(s) into effect:

    rcgms restart
    

Updating the LDAP Password

If you change the administrator password on your LDAP server, you must reconfigure your Mobility server to match the new password.

  1. (Conditional) If you cannot access the Mobility Admin console because the LDAP server password has already changed, follow the instructions in Accessing the Mobility Admin Console When the LDAP Server Is Inaccessible.

  2. In the Mobility Admin console, click Service Configuration, then click User Source.

    User Source page with LDAP options
  3. In the Admin Password field, specify the new password.

  4. Click Save to save the new setting(s).

  5. Restart the Mobility Service to put the new setting(s) into effect:

    rcgms restart
    

Accessing the Mobility Admin Console When the LDAP Server Is Inaccessible

Occasionally, you might need to log in to the Mobility Admin console when the LDAP server is unavailable. At all times, you can log in to the Mobility Admin console using the root user name and password.

1.4.5 Adding GroupWise Users as Mobility Administrators

By default, when you use GroupWise as your Mobility system’s user source, you must log in to the Mobility Admin console using the root user name and password.

You can configure the Mobility Service to allow specific users to log in using their GroupWise user name and password. The root user name and password continue to work as well.

  1. In a terminal window on the Mobility server, become root by entering su - and the root password.

  2. Change to the following directory:

    /etc/datasync/configengine
    
  3. Open the configengine.xml file in a text editor.

  4. Add the following section:

    <gw>
       <admins>
           <username>GroupWise_Username</username>
           <username>GroupWise_Username</username> 
       </admins>
       <enabled>true</enabled>
    </gw>
    

    Replace GroupWise_Username with the appropriate GroupWise user name. You can add as many GroupWise users as needed.

  5. Save the configengine.xml file, then exit the text editor.

  6. Restart the Mobility Service to put the new settings into effect:

    rcgms restart
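
The following added example (not part of the product documentation) reviews the administrator entries described in Setting Up Multiple Mobility Administrator Users and in this section: it lists the LDAP `<dn>` and GroupWise `<username>` entries in configengine.xml and reports any that are duplicated or not on an approved list. The `<config>` root element, the sample names, the approved lists, and the simplified DN comparison are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Only the <admins>/<dn> and <gw> sections come from the
# page; the <config> root element and every name in it are assumptions.
SAMPLE = """<config>
  <admins>
    <dn>cn=admin,ou=it,o=example</dn>
    <dn>CN=Admin, OU=IT, O=Example</dn>
    <dn>cn=jdoe,ou=it,o=example</dn>
  </admins>
  <gw>
    <admins>
      <username>gwadmin</username>
      <username>tempuser</username>
    </admins>
    <enabled>true</enabled>
  </gw>
</config>"""

def norm_dn(dn):
    # Simplified comparison form: lowercase, no spaces around ',' and '='.
    # Escaped commas inside attribute values are not handled.
    parts = [p.strip() for p in dn.strip().lower().split(",")]
    return ",".join("=".join(s.strip() for s in p.split("=", 1)) for p in parts)

def read_admins(xml_text):
    # Return (LDAP admin DNs, GroupWise admin user names) in file order.
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    ldap, gw = [], []
    for adm in root.iter("admins"):
        if adm in parent and parent[adm].tag == "gw":
            gw += [(u.text or "").strip() for u in adm.findall("username")]
        else:
            ldap += [norm_dn(d.text or "") for d in adm.findall("dn")]
    return ldap, gw

def audit(xml_text, approved_dns, approved_gw):
    # Report duplicate entries and entries missing from the approved lists.
    ldap, gw = read_admins(xml_text)
    ok = {"ldap": {norm_dn(d) for d in approved_dns}, "gw": set(approved_gw)}
    findings = []
    for kind, entries in (("ldap", ldap), ("gw", gw)):
        seen = set()
        for e in entries:
            if e in seen:
                findings.append((kind, "duplicate", e))
            elif e not in ok[kind]:
                findings.append((kind, "unapproved", e))
            seen.add(e)
    return findings
```

To review a live server, run as root and pass the contents of /etc/datasync/configengine/configengine.xml to `audit()` in place of `SAMPLE`.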