8.6 Configuring LDAP Contextless Login for Use with NetStorage

When configuring LDAP contextless login, consider the following issues:

Primary Authentication Domain: The user must be authenticated to the Primary Authentication domain (an eDirectory server holding a replica). You can configure more than one context in the Primary Authentication domain; each configured context is then searched for the presence of the user. The search is performed as an LDAP search of the configured contexts.

Secondary Authentication Domain: After the user is authenticated to the Primary Authentication domain, the same username and password are used to authenticate to any Secondary Authentication domains. The search is performed as an LDAP search of the contexts configured for that domain. If authentication to a Secondary domain is unsuccessful, the user is still authenticated to the Primary Authentication domain. Authentication failure on a Secondary domain can delay the login process and is one of the most common causes of slow logins to NetStorage.

Enable TLS for Simple Binds with Passwords: Passwords are encrypted in eDirectory, so you must enable TLS for simple binds with passwords in LDAP.
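The following is an added example and is not code from the NetStorage documentation or from Novell. It models, offline and in memory, the three considerations above: the user is looked up across every configured context of the Primary Authentication domain, a simple bind is attempted (refused when TLS for simple binds is not enabled), and the same credentials are then tried against each Secondary Authentication domain, where a failure is recorded as a warning rather than a login failure. The tree names, contexts, DNs and passwords are constructed for illustration, and treating an ambiguous username match as a failure is an assumption of this model, not documented NetStorage behaviour.

```python
"""Offline model of LDAP contextless login (added example; constructed data)."""
from dataclasses import dataclass


@dataclass
class Domain:
    """One eDirectory tree reached over LDAP (Primary or Secondary domain).
    'entries' is a constructed in-memory stand-in for the directory: DN -> attributes."""
    name: str
    contexts: list          # configured contexts, searched for the user
    entries: dict           # {"cn=alice,ou=eng,o=acme": {"uid": "alice", "password": "..."}}
    tls_for_simple_bind: bool = True


def search_contexts(domain, username):
    """Emulate the LDAP search across the configured contexts: return every DN
    that sits under one of the contexts and whose uid matches the username."""
    hits = []
    for ctx in domain.contexts:
        suffix = "," + ctx.lower()
        for dn, attrs in domain.entries.items():
            if dn.lower().endswith(suffix) and attrs.get("uid") == username:
                hits.append(dn)
    return hits


def simple_bind(domain, dn, password):
    """Emulate a simple bind. The password must not travel in the clear, so the
    model refuses to bind at all when TLS for simple binds is not enabled."""
    if not domain.tls_for_simple_bind:
        raise RuntimeError(f"{domain.name}: TLS for simple binds with passwords is not enabled")
    entry = domain.entries.get(dn)
    return entry is not None and entry.get("password") == password


def contextless_login(primary, secondaries, username, password):
    """Authenticate to the Primary domain, then try every Secondary domain with
    the same credentials. Secondary failures only add warnings (and, in a real
    deployment, delay); they do not undo the Primary authentication."""
    result = {"primary": False, "dn": None, "secondary": {}, "warnings": []}
    dns = search_contexts(primary, username)
    if not dns:
        result["warnings"].append(f"{username}: not found in any configured context of {primary.name}")
        return result
    if len(dns) > 1:
        # Assumption of this model: an ambiguous match across contexts is a failure.
        result["warnings"].append(f"{username}: matches {len(dns)} entries in {primary.name}: {dns}")
        return result
    dn = dns[0]
    if not simple_bind(primary, dn, password):
        result["warnings"].append(f"bind as {dn} to {primary.name} failed")
        return result
    result["primary"] = True
    result["dn"] = dn
    for sec in secondaries:
        sec_dns = search_contexts(sec, username)
        ok = len(sec_dns) == 1 and simple_bind(sec, sec_dns[0], password)
        result["secondary"][sec.name] = ok
        if not ok:
            result["warnings"].append(
                f"secondary {sec.name}: authentication failed (slows login; user remains logged in)")
    return result


# Constructed sample trees. 'carol' lives outside the configured contexts and
# 'dave' appears in two of them; 'alice' exists in the lab tree with a different password.
PRIMARY = Domain("corp-tree", ["ou=eng,o=acme", "ou=sales,o=acme"], {
    "cn=alice,ou=eng,o=acme": {"uid": "alice", "password": "s3cret"},
    "cn=bob,ou=sales,o=acme": {"uid": "bob", "password": "hunter2"},
    "cn=carol,ou=hr,o=acme": {"uid": "carol", "password": "x"},
    "cn=dave,ou=eng,o=acme": {"uid": "dave", "password": "pw"},
    "cn=dave,ou=sales,o=acme": {"uid": "dave", "password": "pw"},
})
SECONDARY = Domain("lab-tree", ["ou=users,o=lab"], {
    "cn=alice,ou=users,o=lab": {"uid": "alice", "password": "different"},
})

if __name__ == "__main__":
    for user, pwd in [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "x"), ("dave", "pw")]:
        print(user, contextless_login(PRIMARY, [SECONDARY], user, pwd))
```

Running the block shows alice logged in via the Primary domain with a warning that the Secondary bind failed, bob logged in with the Secondary lookup finding nothing, and carol rejected because her container is not among the configured contexts.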

LDAP needs Read and Browse rights to the entire tree. By default, when a user performs an anonymous bind (does not specify a password), access control for that user is calculated from a special object in the directory termed [Public]. By default, this object can browse the entire tree hierarchy and read a limited number of attributes on entries.

If you want to have an anonymous bind use a different object in the tree, you can specify the object in the Proxy Username field. By doing this, you can restrict the types of objects and attributes that anonymous users can access by setting the appropriate access controls on the proxy User object. The proxy username must be a distinguished name. To easily select an object, click the directory browser button to the right of the text field on the LDAP Group Object. A dialog box appears that allows you to choose an object in the tree. Any eDirectory User object can be used and the anonymous access assumes the rights of that user.

IMPORTANT: A proxy user must have a blank password in order to work correctly. This is very different from having no password. If a user has no password, then he or she does not have a public/private key pair to compare against when attempting login. A blank password generates a public/private key pair, although the actual string for the password is empty.