3.5 iFolder User Account Considerations

3.5.1 Preventing the Propagation of Viruses

Because iFolder is a cross-platform, distributed solution, a file that carries a Windows virus can pass unnoticed through a client on another platform and through the iFolder server, and then infect a Windows machine that synchronizes the same iFolder (and vice versa). Enforce server-based virus scanning so that infected files are caught before they enter the corporate network.

You should also enforce client-based virus scanning. For information, see Configuring Local Virus Scanner Settings for iFolder Traffic in the Novell iFolder 3.9.2 Cross-Platform User Guide.

3.5.2 Synchronizing User Accounts with LDAP

You can specify any existing containers and groups in the Search DNs field of the iFolder LDAP settings. Based on the Search DNs, users are automatically provisioned with accounts for iFolder services.

The list of iFolder users is updated periodically when the LDAP synchronization occurs. New users are added to the list of iFolder users. Deleted users are removed from the list of iFolder users. (This might create orphaned iFolders if the deleted user owned any iFolders.) If a user is deleted from LDAP by mistake, you can re-create that user with the same FDN within the Delete member grace interval to recover the user's iFolders. For more information on this, see Step 7 in the Accessing and Viewing the Server Details Page.

IMPORTANT: Whenever you move a user between contexts and you want to provide continuous service for the user, make sure to add the target context to the list of LDAP Search DNs before you move the User object in eDirectory.

The LDAP synchronization tracks a User object's eDirectory GUID to identify the user across multiple contexts. It follows the user as you add, move, or relocate User objects, and as you add and remove contexts as Search DNs.

The following guidelines apply:

  • If the user is in an LDAP container or group that is specified as a Search DN, or the user's own DN is specified as a Search DN, the user is added automatically to the iFolder user list.

  • If a user is moved to a different container, and the new container is also in the Search DN, the user remains in the iFolder user list.

    If you intend to keep the user as an iFolder user without interruption of service and loss of memberships and data, the new container must be added as a Search DN before the user is moved.

    If the user is moved to a different container that is not specified as a Search DN before the user is moved, the user is removed from the iFolder user list. The user’s iFolders are orphaned and the user is removed as a member of iFolders owned by others. If the new container is later added as a Search DN, the user is treated as a new user, with no association with previous iFolders and memberships.

  • If the user appears in multiple defined Search DNs, and if one or more DNs are removed from the LDAP settings, the user remains in the iFolder user list if at least one DN containing the user remains.

  • If the user is deleted from LDAP or moved from all defined Search DNs, the user is removed as an iFolder user. The user’s iFolders are orphaned and the user is removed as a member of iFolders owned by others.

  • The iFolder Admin user and iFolder Proxy user are tracked by their GUIDs, whether their user objects are in a context in the Search DN or not.

3.5.3 Synchronizing LDAP Group Accounts with LDAP

You can specify any existing containers and groups in the Search DNs field of the iFolder LDAP settings. Based on the Search DNs, LDAP Groups are automatically provisioned with accounts for iFolder services.

The list of LDAP Groups is updated periodically when the LDAP synchronization occurs. New LDAP Groups are added to the list of iFolder users. Deleted LDAP Groups are removed from the list of iFolder users. (This might create orphaned iFolders if the deleted LDAP Group owned any iFolders.) If an LDAP Group is deleted from LDAP by mistake, you can re-create that LDAP Group with the same FDN within the Delete member grace interval to recover the group's iFolders. For more information on this, see Step 7 in the Accessing and Viewing the Server Details Page.

IMPORTANT: Whenever you move an LDAP Group between contexts and you want to provide continuous service for the LDAP Group, make sure to add the target context to the list of LDAP Search DNs before you move the LDAP Group object in eDirectory.

The LDAP synchronization tracks an LDAP Group object's eDirectory GUID to identify the LDAP Group across multiple contexts. It follows the group as you add, move, or relocate LDAP Group objects, and as you add and remove contexts as Search DNs.

The following guidelines apply:

  • If the LDAP Group is in an LDAP container or group that is specified as a Search DN, or the group's own DN is specified as a Search DN, the LDAP Group is added automatically to the iFolder LDAP Group list.

  • Any changes to the LDAP Group's member list are synchronized automatically during the next synchronization cycle.

  • If an LDAP Group is moved to a different container, and the new container is also in the Search DN, the LDAP Group remains in the iFolder LDAP Group list.

    If you intend to keep the LDAP Group as an iFolder LDAP Group without interruption of service and loss of memberships and data, the new container must be added as a Search DN before the LDAP Group is moved.

    If the LDAP Group is moved to a different container that is not specified as a Search DN before the LDAP Group is moved, the LDAP Group is removed from the iFolder LDAP Group list. The LDAP Group’s iFolders are orphaned and the LDAP Group is removed as a member of iFolders owned by others. If the new container is later added as a Search DN, the LDAP Group is treated as a new LDAP Group, with no association with previous iFolders and memberships.

  • If the LDAP Group appears in multiple defined Search DNs, and if one or more DNs are removed from the LDAP settings, the LDAP Group remains in the iFolder LDAP Group list if at least one DN containing the LDAP Group remains.

  • If the LDAP Group is deleted from LDAP or moved from all defined Search DNs, the LDAP Group is removed as an iFolder LDAP Group. The LDAP Group’s iFolders are orphaned and the LDAP Group is removed as a member of iFolders owned by others.

  • The iFolder Admin LDAP Group and iFolder Proxy LDAP Group are tracked by their GUIDs, whether their LDAP Group objects are in a context in the Search DN or not.

NOTE: LDAP groups are not supported for OpenLDAP.
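The provisioning rules in 3.5.2 and 3.5.3 are the same for users and LDAP Groups, and they are easiest to reason about as a small state machine: objects inside a Search DN are keyed by eDirectory GUID, objects that leave every Search DN are removed and their iFolders orphaned, and a deleted object can only be recovered if something with the same FDN reappears inside the grace interval. The following model is an added example, not Novell's code: it uses a constructed in-memory directory (DNs, GUIDs and group memberships are made up), treats a Search DN as matching an object that is the DN itself, sits anywhere below it, or is a member of a group named by it, and stands in for the Delete member grace interval with a simple cycle counter. Real eDirectory DN matching is case-insensitive and the actual server-side logic is not visible on this page, so treat the details as assumptions; the scenario function walks the "add the target context first" and "move first" cases from the IMPORTANT notes, plus the re-create-within-grace recovery.

```python
from dataclasses import dataclass


@dataclass
class DirEntry:
    """One eDirectory object as seen over LDAP (constructed sample data, not a real tree)."""
    dn: str
    guid: str              # eDirectory GUID: survives moves, but a re-created object gets a new one
    member_of: tuple = ()  # DNs of groups this object belongs to


class IFolderSync:
    """In-memory model of the Search DN / GUID rules; grace handling is an assumption."""
    def __init__(self, search_dns, grace_cycles=1):
        self.search_dns = list(search_dns)
        self.grace_cycles = grace_cycles  # stands in for the Delete member grace interval
        self.users = {}      # guid -> current DN of every provisioned iFolder user (or group)
        self.ifolders = {}   # name -> {"owner": guid or None when orphaned, "members": set(guid)}
        self.pending = {}    # FDN of a removed object -> (owned iFolder names, cycles left)

    def in_scope(self, e):
        """True if e is a Search DN, sits under one, or belongs to a group that is one."""
        return any(e.dn == s or e.dn.endswith("," + s) or s in e.member_of
                   for s in self.search_dns)

    def create_ifolder(self, name, owner_guid, members=()):
        assert owner_guid in self.users, "owner must be a provisioned iFolder user"
        self.ifolders[name] = {"owner": owner_guid, "members": set(members)}

    def sync(self, directory):
        """One LDAP synchronization cycle over a snapshot of the directory."""
        seen = {e.guid: e.dn for e in directory if self.in_scope(e)}

        # 1. Objects inside a Search DN are tracked by GUID, so a move only updates the DN.
        for guid, dn in seen.items():
            if guid not in self.users and dn in self.pending:
                # Same FDN re-created inside the grace interval: hand the iFolders back.
                for name in self.pending.pop(dn)[0]:
                    self.ifolders[name]["owner"] = guid
            self.users[guid] = dn  # brand-new object, or an existing one whose DN moved

        # 2. Objects no longer in any Search DN: remove, orphan owned iFolders, drop memberships.
        for guid in [g for g in self.users if g not in seen]:
            dn = self.users.pop(guid)
            owned = []
            for name, f in self.ifolders.items():
                if f["owner"] == guid:
                    f["owner"] = None
                    owned.append(name)
                f["members"].discard(guid)
            self.pending[dn] = (owned, self.grace_cycles)

        # 3. Age the grace entries; once expired, orphans stay orphaned until an admin reassigns them.
        for dn, (owned, left) in list(self.pending.items()):
            if left == 0:
                del self.pending[dn]
            else:
                self.pending[dn] = (owned, left - 1)
        return seen


def scenario():
    """Walks the cases from the guidelines above; returns one boolean per case."""
    alice = DirEntry("cn=alice,ou=eng,o=acme", "guid-a")
    bob = DirEntry("cn=bob,ou=eng,o=acme", "guid-b")
    s = IFolderSync(["ou=eng,o=acme"])
    s.sync([alice, bob])
    s.create_ifolder("specs", "guid-a", members={"guid-b"})
    s.create_ifolder("notes", "guid-b", members={"guid-a"})
    # Right order: add ou=sales as a Search DN first, then move alice there.
    s.search_dns.append("ou=sales,o=acme")
    alice = DirEntry("cn=alice,ou=sales,o=acme", "guid-a")
    s.sync([alice, bob])
    kept = s.ifolders["specs"]["owner"] == "guid-a" and "guid-a" in s.ifolders["notes"]["members"]
    # Wrong order: move bob to ou=hr before ou=hr is a Search DN.
    bob = DirEntry("cn=bob,ou=hr,o=acme", "guid-b")
    s.sync([alice, bob])
    orphaned = s.ifolders["notes"]["owner"] is None and "guid-b" not in s.ifolders["specs"]["members"]
    # Adding ou=hr afterwards brings bob back as a new user with nothing attached.
    s.search_dns.append("ou=hr,o=acme")
    s.sync([alice, bob])
    new_user = "guid-b" in s.users and s.ifolders["notes"]["owner"] is None
    # Deleted by mistake: carol is re-created with the same FDN (new GUID) inside the grace interval.
    carol = DirEntry("cn=carol,ou=eng,o=acme", "guid-c1")
    s.sync([alice, bob, carol])
    s.create_ifolder("budget", "guid-c1")
    s.sync([alice, bob])  # carol gone: budget orphaned, her FDN held for recovery
    carol = DirEntry("cn=carol,ou=eng,o=acme", "guid-c2")
    s.sync([alice, bob, carol])
    recovered = s.ifolders["budget"]["owner"] == "guid-c2"
    return {"move_after_adding_dn_keeps_data": kept, "move_before_adding_dn_orphans": orphaned,
            "readded_later_is_new_user": new_user, "recreated_within_grace_recovers": recovered}
```

The point the model makes concrete is that the GUID only helps while the object stays inside some Search DN: once a move takes it out of scope, the server forgets the GUID, so adding the new context afterwards yields a fresh account with no iFolders and no memberships, exactly as the bullets describe. For groups the same code applies with the group's DN as the entry; in a real deployment, verify the object's GUID and its new DN with an LDAP search before and after the move rather than relying on the model.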

3.5.4 Setting Account Quotas

You can restrict the amount of space each user account is allowed to store on the server by setting an account quota. The account quota applies to the total space consumed by the iFolders the user owns; space consumed by iFolders the user merely participates in is billed to the owner of each of those iFolders, not to the participant. You can set quotas at the system or user level. Within a given account quota, you can also set a quota for any individual iFolder.
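The billing rule above is easy to get wrong when sizing storage, because a user who is a member of many large shared iFolders consumes nothing against their own quota. The following added example (not Novell's code) models the accounting with constructed sample data: every byte of an iFolder is billed to its owner, a user-level quota is assumed to take precedence over the system-level quota, and a per-iFolder quota is capped at the owner's account quota so that it stays "within" it. The precedence and capping rules are assumptions about the page's wording, not behaviour verified against the product.

```python
MB = 1024 * 1024

# Constructed sample: who owns what, who merely participates, and how big each iFolder is.
SAMPLE_IFOLDERS = [
    {"name": "specs", "owner": "alice", "members": ["bob"], "size": 700 * MB},
    {"name": "notes", "owner": "bob", "members": ["alice", "carol"], "size": 300 * MB},
    {"name": "budget", "owner": "bob", "members": [], "size": 250 * MB},
]
SYSTEM_QUOTA = 1024 * MB               # system-level default for every account
USER_QUOTAS = {"bob": 500 * MB}        # user-level override (assumed to take precedence)
IFOLDER_QUOTAS = {"specs": 2048 * MB}  # per-iFolder quota; must fit inside the owner's account quota


def account_quota(owner, system_quota=SYSTEM_QUOTA, user_quotas=USER_QUOTAS):
    """Effective account quota: the user-level value if one is set, else the system-level value."""
    return user_quotas.get(owner, system_quota)


def billed_usage(ifolders):
    """Space billed per owner: members of an iFolder are never charged for it."""
    usage = {}
    for f in ifolders:
        usage[f["owner"]] = usage.get(f["owner"], 0) + f["size"]
    return usage


def ifolder_quota(f, ifolder_quotas=IFOLDER_QUOTAS, **kw):
    """Effective limit for one iFolder: the smaller of its own quota and its owner's account quota."""
    limit = account_quota(f["owner"], **kw)
    return min(ifolder_quotas.get(f["name"], limit), limit)


def over_quota(ifolders=SAMPLE_IFOLDERS, ifolder_quotas=IFOLDER_QUOTAS, **kw):
    """Return (owners whose billed usage exceeds their account quota, iFolders over their own limit)."""
    accounts = sorted(o for o, used in billed_usage(ifolders).items() if used > account_quota(o, **kw))
    folders = sorted(f["name"] for f in ifolders if f["size"] > ifolder_quota(f, ifolder_quotas, **kw))
    return accounts, folders
```

With the sample data, carol appears in no bill at all even though she participates in "notes", bob is over his 500 MB user-level quota because both "notes" and "budget" are charged to him, and the 2048 MB quota on "specs" is silently capped at alice's 1024 MB account quota.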