4.0 Planning Users, Groups, and LDAP Synchronization

Most TeamWorks deployments use one or more existing LDAP sources, such as GroupWise, eDirectory, and Active Directory to control user access to the system.

The following sections help you ensure that TeamWorks includes the users and groups that will use its services.

LDAP Planning Tips and Considerations

  • LDAP and TeamWorks: As you plan and deploy LDAP and TeamWorks, be aware of the following:

    • Synchronization Is One-way: LDAP synchronization is only from the LDAP directory to your TeamWorks site. If you change user information on the TeamWorks site, the changes are not synchronized back to your LDAP directory.

    • Multi-Value Attributes Not Supported: If your LDAP directory contains multi-value attributes, TeamWorks recognizes only the first attribute.

      For example, if your LDAP directory contains multiple email addresses for a given user, only the first email address is synchronized to TeamWorks.

    • LDAP Must Be Online: LDAP-imported users always authenticate to TeamWorks via the LDAP source. If the LDAP source is unavailable for any reason, the LDAP-imported users cannot log in to TeamWorks.

    • Multiple Connections Are Supported, but you should never configure multiple LDAP connections to point to the same location on the same LDAP directory. If you need a failover solution, you should use a load balancer.

Table 4-1 Worksheet 4—GroupWise LDAP Server

Heading, Label, or Topic:

Information and Instructions:

Tree Name:

  1. Record the name of the tree in which the GroupWise server is located.

Server Information tab

  1. Using the information in Server Information tab in the TeamWorks 18.2: Administrative UI Reference, record information for the following:

    • LDAP server URL:

    • User DN (Admin App [LDAP proxy user]):

    • Password (for Admin App:

    • Directory Type:

    • Guid attribute:

    • TeamWorks account name attribute:

    • LDAP attribute mappings:

Users tab:

  1. Make as many copies of the Users tab section as needed to identify all of the post offices that contain users. (Nested containers are covered by subtree searching.)

  2. Using the information in LDAP Search dialog (User Version) in the TeamWorks 18.2: Administrative UI Reference, record the following information for each OU that contains user objects within its substructure.

    • Base DN

    • Filter (auto-generated should work in most cases)

    • Search subtree

    • Number of Users

      NOTE:A dark-gray background with white text indicates a formulaic field.

      Type the number of users if you want the worksheet to use it in estimating hardware resource needs.

Groups tab:

For help, see Groups tab in the TeamWorks 18.2: Administrative UI Reference.

  1. Make as many copies of the Groups tab section as needed to identify all of the post offices that contain groups.

  2. Using the information in LDAP Search Dialog (Group Version) in the TeamWorks 18.2: Administrative UI Reference, record the following information for each OU that contains group objects within its substructure.

    • Base DN

    • Filter (auto-generated should work in most cases)

    • Search subtree

Table 4-2 Worksheet 4—eDirectory LDAP Server

Heading, Label, or Topic:

Information and Instructions:

Tree Name:

  1. Record the name of the tree in which the eDirectory server is located.

Configuration Details:

  1. Note important details about how the directory is configured, such as whether it has replicas, whether it is split over multiple sites, and so on.

Server Information tab

  1. Using the information in Server Information tab in the TeamWorks 18.2: Administrative UI Reference, record information for the following:

    • LDAP server URL:

    • User DN (LDAP proxy user):

    • Password (for LDAP proxy user):

    • Directory Type:

    • Guid attribute:

    • TeamWorks account name attribute:

    • LDAP attribute mappings:

Users tab:

  1. Make as many copies of the Users tab section as needed to identify all of the non-nested organizational units (OUs) in your directory that contain users. (Nested OUs are covered by subtree searching.)

  2. Using the information in LDAP Search dialog (User Version) in the TeamWorks 18.2: Administrative UI Reference, record the following information for each OU that contains user objects within its substructure.

    • Base DN

    • Filter (auto-generated should work in most cases)

    • Search subtree

    • Number of Users

      NOTE:A dark-gray background with white text indicates a formulaic field.

      Type the number of users if you want the worksheet to use it in estimating hardware resource needs.

Groups tab:

For help, see Groups tab in the TeamWorks 18.2: Administrative UI Reference.

  1. If your LDAP structure contains group objects in non-nested organizational units (OU), make as many copies of the Groups tab section as needed to identify them all.

  2. Using the information in LDAP Search Dialog (Group Version) in the TeamWorks 18.2: Administrative UI Reference, record the following information for each OU that contains group objects within its substructure.

    • Base DN

    • Filter (auto-generated should work in most cases)

    • Search subtree

Table 4-3 Worksheet 4—Active Directory LDAP Server

Heading, Label, or Topic:

Information and Instructions:

Forest Name:

  1. Record the name of the forest in which the Active Directory server is located.

Configuration Details:

  1. Note any important details about how the directory is configured.

Server Information

  1. Identify and record the following information.

Server Information tab:

  1. Using the information in Server Information tab in the TeamWorks 18.2: Administrative UI Reference, record information for the following:

    • LDAP server URL:

    • User DN (LDAP proxy user):

    • Password (for LDAP proxy user):

    • Directory Type:

    • Guid attribute:

    • TeamWorks account name attribute:

    • LDAP attribute mappings:

Users tab:

For help, see Users tab in the TeamWorks 18.2: Administrative UI Reference.

  1. If your LDAP structure contains user objects in non-nested organizational units (OU), make as many copies of the Users tab section as needed to identify them all.

  2. Using the information in LDAP Search dialog (User Version) in the TeamWorks 18.2: Administrative UI Reference, record the following information for each OU that contains user objects within its substructure.

    • Base DN

    • Filter (auto-generated should work in most cases)

    • Search subtree

    • Number of Users

      NOTE:A dark-gray background with white text indicates a formulaic field.

      Type the number of users if you want the worksheet to use it in estimating hardware resource needs.

Groups tab:

For help, see Groups tab in the TeamWorks 18.2: Administrative UI Reference.

  1. If your LDAP structure contains group objects in non-nested organizational units (OU), make as many copies of the Groups tab section as needed to identify them all.

  2. Using the information in LDAP Search Dialog (Group Version) in the TeamWorks 18.2: Administrative UI Reference, record the following information for each OU that contains group objects within its substructure.

    • Base DN

    • Filter (auto-generated should work in most cases)

    • Search subtree

Table 4-4 Worksheet 4—Duplicate User and Group Accounts

Heading, Label, or Topic:

Information and Instructions:

Duplicate User or Group Accounts

TeamWorks doesn’t accommodate duplicate user or group account names. Each LDAP-imported and manually created account must have a unique name.

You must eliminate all duplications before importing or adding users or groups.

For example, let’s say that joe_user exists in both Active Directory and GroupWise, and Joe also needs a manually created TeamWorks account. You might change the Active Directory name to j_user and specify JoeU for the manual TeamWorks account.

WARNING:Attempts to import duplicate accounts always fail, and in some cases they cause access problems for previously created accounts.

Do the following:

  1. Identify any users and/or groups that have duplicate names in multiple identity stores.

  2. Copy as many rows as needed. For help, see Adding Rows in Worksheet Sections.

  3. Identify which identity store to change the name in and record the change in the applicable table cell.

Table 4-5 Worksheet 4—User Names with Invalid Characters

Heading, Label, or Topic:

Information and Instructions:

User Names with Invalid Characters

For LDAP user names to be usable in TeamWorks, they must contain only alpha-numeric characters:

  • Upper- and lower-case letters

  • Numerals 0 - 9

If they contain ASCII or special characters, such as / \ * ? " < > : | , then although they will synchronize as TeamWorks user names, the associated users won’t be able to log in.

TeamWorks uses synchronized user names to set paths to each user workspace in the file system. However, Linux and Windows file systems don’t support special characters, rendering TeamWorks’s path statements unresolvable.

Do the following:

  1. Identify any user names that contain special characters.

  2. Record a revised name and context.

  3. Identify other services affected by the change.

  4. Notify users of pending name changes.

  5. Change the names in the directory service.

  6. Resolve any issues with other services.

Table 4-6 Worksheet 4—Non-LDAP Users

Heading, Label, or Topic:

Information and Instructions:

Non-LDAP Users

  1. Identify and record the non-LDAP users that you will need to create manually.

    For example, plan to include industry partners or others who are outside of your organization.

    IMPORTANT:When planning and creating non-LDAP, manual accounts, make sure you don’t duplicate an LDAP name. See the information and instructions for Duplicate User and Group Accounts.

Table 4-7 Worksheet 4—Non-LDAP Groups

Heading, Label, or Topic:

Information and Instructions:

Non-LDAP Groups

  1. Identify and record the non-LDAP groups that you will need to create manually.

  2. You can create two types of non-LDAP groups:

    • Static groups consist of users and groups and you specifically assign. Group membership only changes as you add or remove users or groups.

    • Dynamic groups are populated by LDAP queries that you specify. As LDAP changes, group membership changes as well.

    IMPORTANT:When planning and creating non-LDAP, manual accounts, make sure you don’t duplicate an LDAP name. See the information and instructions for Duplicate User and Group Accounts.

  3. For more information, see Static Membership for Group dialog and Edit Dynamic Membership dialog in the TeamWorks 18.2: Administrative UI Reference.

Table 4-8 Worksheet 5—LDAP Synchronization

Heading, Label, or Topic:

Information and Instructions:

Nested Groups:

  1. Determine whether your LDAP identity stores include nested groups (groups inside other groups), then mark the appropriate option on the planning sheet.

  2. If you have groups that are contained in other groups, you must plan to synchronize LDAP at least two or more times until all of the nested groups and their users are synchronized.

  3. After this initial synchronization, standard settings will keep nested groups synchronized.

Frequency of LDAP Changes:

  1. Consult with the LDAP administrator to determine how often LDAP information changes so that it needs to be synchronized with TeamWorks. This will inform the schedule plans you make in the next row.

Synchronization Schedule tab

  1. Your LDAP integration plan must include LDAP synchronization.

  2. The synchronization schedule you set here applies to all of your LDAP servers. For most organizations, daily synchronizations are sufficient, for others they aren’t.

  3. TeamWorks must synchronize with its LDAP directory stores to know about changes to

    • User and group lists

    • Password changes

    • File and folder access rights

  4. For more information, see Synchronization Schedule tab in the TeamWorks 18.2: Administrative UI Reference