1.1 Creating a Directory Service Configuration

When you create a directory service configuration for a directory, you define the connection information for the Management Service to access the directory and identify the users or computers to whom policies can be published.

If necessary, you can create multiple directory service configurations to support publishing of policies to users or computers in different directories.

The following sections provide instructions for creating configurations for the two directory services:

1.1.1 Defining eDirectory as the Directory Service

  1. In the Management Console, make sure the New Directory Service Configuration Wizard is displayed.

    If the wizard is not displayed, launch the Management Console by double-clicking the ESM Management Console icon on the desktop or by selecting the Start menu > All Programs > Novell > ESM Management Console > Management Console.

  2. Complete the wizard. The following table provides information for each of the pages.

    Wizard Page

    Explanation

    Configure Server

    Select Novell eDirectory.

    In the Name field, specify a name that identifies this configuration in the Management Console. When users log in through the Security Client, they must select the directory service configuration that represents the directory service in which their user account exists. If you will have multiple directory service configurations, we recommend that the names you provide for the configurations are the same as or similar to the eDirectory tree names so that users recognize which configuration to select.

    Connect to Server

    Host Name: Specify the DNS name or IP address of an eDirectory server.

    Port: Specify the eDirectory server port. The default is 389 (non-secure) or 636 (secure).

    Enable Encryption for this session using TLS/SSL: Select this option if you want to use either TLS or SSL to encrypt the current session. Encrypting the session ensures that the eDirectory data imported by the Management Console is secure during transmission. Without it, the user name and password you enter on the Provide Credentials page are sent to eDirectory in clear text in the LDAP bind, as is every object the console reads, so select it for any connection that crosses a network you do not fully trust.

    Provide Credentials

    The Management Console requires a user account for authentication to eDirectory.

    User Name: Specify the login name of a user who has permission to view the entire directory. Read rights to the tree are all the Management Console needs for this purpose; a dedicated account with only those rights is preferable to an administrative account.

    Password: Specify the password for the user account.

    Context: Specify the user’s context.

    Select Directory Partition(s)

    To receive security policies, the Security Client must authenticate to eDirectory through a user or workstation account. You must identify the location of the users or workstations that you want to be able to authenticate. The first step is to select the partitions that contain the users or workstations.

    Select Client Context(s)

    The second step in identifying the location of the users or workstations that you want to be able to authenticate is to select the containers in which the users or workstations reside.

    Select Context(s) for Synchronization

    To publish a security policy to a user or workstation, the user or workstation must be available in the Management Console. There are two ways a user or workstation becomes available in the console:

    • You use this page to synchronize the Management Console with eDirectory. To do so, select the eDirectory containers with users or workstations you want to populate into the Management Console. You can synchronize only the containers you selected as Client contexts (the previous page).

    • Wait for the user or workstation to authenticate through the Security Client. When the user or workstation checks in, it is automatically added to the Management Console.

    Synchronizing containers prepopulates the Management Console so that you can immediately publish security policies to individual users or workstations. If you don’t synchronize containers, you must publish security policies at the container level (which means all users or workstations in the container receive the policies) or wait for individual users or workstations to authenticate and be added to the Management Console.

  3. If you have not already done so, click Finish to complete the directory service configuration.

    The directory is added to the Directory Service Configurations list.

    If you selected containers to synchronize, the Management Console begins the synchronization. You can double-click in the Windows* notification area to display the Directory Services Synchronization dialog box.

    The synchronization occurs in the background. If you exit the Management Console, the synchronization stops. When you open the Management Console again, the synchronization resumes where it left off.

1.1.2 Defining Active Directory as the Directory Service

  1. In the Management Console, make sure the New Directory Service Configuration Wizard is displayed.

    If the wizard is not displayed, launch the Management Console by double-clicking the ESM Management Console icon on the desktop or by selecting the Start menu > All Programs > Novell > ESM Management Console > Management Console.

  2. Complete the wizard. The following table provides information for each of the pages.

    Wizard Page

    Explanation

    Configure Server

    Select Microsoft Active Directory.

    In the Name field, specify a name that identifies this configuration in the Management Console. When users log in through the Security Client, they must select the directory service configuration that represents the directory service in which their user account exists. If you will have multiple directory service configurations, we recommend that the names you provide for the configurations are the same as or similar to the Active Directory domain names so that users recognize which configuration to select.

    Connect to Server

    Host Name: Specify the DNS name or IP address of an Active Directory server. By default, the field is populated with the address of an Active Directory server in the Management Console’s domain. To select a different Active Directory server, click Browse.

    Port: 3268 (the default) is the Active Directory Global Catalog server port. If the specified Active Directory server is not a Global Catalog server, specify a different port (for example, 389). Note that port 389 on a domain controller serves only that controller's own domain, whereas the Global Catalog holds a read-only partial replica of every domain in the forest; if you plan to select more than one domain on the Select Authenticating Domain(s) page, connect to a Global Catalog server.

    Enable Encryption: Select this option if you want to sign and seal (encrypt) the current session with the session key established by Kerberos* or NTLM authentication. Encrypting the session ensures that the Active Directory data imported by the Management Console is secure during transmission. Because the protection derives from the Kerberos or NTLM session key, it applies only when the authentication method you choose on the Provide Credentials page is Kerberos, NTLM, or Negotiate; a Basic bind is a simple LDAP bind that sends the password in clear text and is not protected by this option.

    Provide Credentials

    The Management Console requires a user account for authentication to Active Directory.

    User Name: Specify the login name of a user who has permission to view the entire directory. We recommend that you use the domain administrator. A dedicated account that has only read access to the domains you select on the later pages also meets this requirement and limits the damage if the credential is exposed, so prefer such an account where your environment allows it.

    Password: Specify the password for the user account.

    Domain: Select the user’s domain.

    Authentication Method: Select the authentication method required by the Active Directory server (Basic, Kerberos, NTLM, Negotiate). Negotiate uses Kerberos when a ticket can be obtained and falls back to NTLM otherwise, which makes it the usual choice for a domain-joined Management Console. Avoid Basic: it is a simple LDAP bind that transmits the password in clear text.

    Locate Account Entry

    This page is displayed only if the administrator account you specified is not in a standard Active Directory user container. Expand the directory tree to locate and select the administrator's container.

    Select Authenticating Domain(s)

    To receive security policies, the Security Client must authenticate to Active Directory through a user or computer account. You must identify the location of the users or computers that you want to be able to authenticate. The first step is to select the domains that contain the users or computers.

    Select Client Container(s)

    The second step in identifying the location of the users or computers that you want to be able to authenticate is to select the containers in which the users or computers reside.

    Select Container(s) for Synchronization

    To publish a security policy to a user or computer, the user or computer must be available in the Management Console. There are two ways a user or computer becomes available in the console:

    • You use this page to synchronize the Management Console with Active Directory. To do so, select the Active Directory containers with users or computers you want to populate into the Management Console. You can synchronize only the containers you selected as Client containers (the previous page).

    • Wait for the user or computer to authenticate through the Security Client. When the user or computer checks in, it is automatically added to the Management Console.

    Synchronizing containers prepopulates the Management Console so that you can immediately publish security policies to individual users or computers. If you don’t synchronize containers, you must publish security policies at the container level (which means all users or computers in the container receive the policies) or wait for individual users or computers to authenticate and be added to the Management Console.

  3. If you have not already done so, click Finish to complete the directory service configuration.

    The directory is added to the Directory Service Configurations list.

    If you selected containers to synchronize, the Management Console begins the synchronization. You can double-click in the Windows notification area to display the Directory Services Synchronization dialog box.

    The synchronization occurs in the background. If you exit the Management Console, the synchronization stops. When you open the Management Console again, the synchronization resumes where it left off.
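The two wizards above (eDirectory in 1.1.1, Active Directory in 1.1.2) enforce one structural rule, namely that client contexts lie inside the selected partitions or domains and that only client contexts can be synchronized, and they leave the transport choices (port, encryption, authentication method) to you. The following script is an added example, not Novell code and not part of the Management Console: it models the wizard pages as a small data structure and checks a draft configuration against those rules before you click Finish. The class and field names are this example's own, the DN handling is a plain suffix match on lowercased RDNs, and the two draft configurations at the bottom are constructed sample input.

```python
"""Pre-flight checks for a draft directory service configuration (added example).

Models the wizard pages as data and checks scope nesting and transport
protection. Not Novell code; all names here are this example's assumptions.
"""
from dataclasses import dataclass, field


def split_dn(dn: str) -> list[str]:
    """Split an LDAP DN into lowercased RDNs, honouring backslash-escaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return [r.lower() for r in rdns if r]


def dn_within(child: str, parent: str) -> bool:
    """True if child is parent itself or lies beneath it (RDN-wise suffix match)."""
    c, p = split_dn(child), split_dn(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p


def domain_to_dn(domain: str) -> str:
    """corp.example.com -> dc=corp,dc=example,dc=com (the domain naming context)."""
    return ",".join(f"dc={label}" for label in domain.split("."))


@dataclass
class DirectoryServiceConfig:
    directory: str                  # "eDirectory" or "Active Directory"
    host: str
    port: int
    encrypt_session: bool           # the Enable Encryption option on Connect to Server
    auth_method: str = "Negotiate"  # AD only: Basic, Kerberos, NTLM, Negotiate
    scopes: list[str] = field(default_factory=list)           # partitions (eDir) / domains (AD)
    client_contexts: list[str] = field(default_factory=list)  # Select Client Context(s)/Container(s)
    sync_contexts: list[str] = field(default_factory=list)    # Select ... for Synchronization


def check_config(cfg: DirectoryServiceConfig) -> list[str]:
    """Return a list of findings; an empty list means the draft passes every check."""
    findings = []
    is_ad = cfg.directory == "Active Directory"
    # AD scopes are domain names on the wizard page; convert them to DNs for nesting tests.
    scope_dns = [domain_to_dn(s) if is_ad else s for s in cfg.scopes]

    # Rule 1: each client context must sit inside a selected partition/domain.
    for ctx in cfg.client_contexts:
        if not any(dn_within(ctx, s) for s in scope_dns):
            findings.append(f"client context {ctx!r} is outside every selected partition/domain")
    # Rule 2: only selected client contexts (or containers beneath them) may be synchronized.
    for ctx in cfg.sync_contexts:
        if not any(dn_within(ctx, c) for c in cfg.client_contexts):
            findings.append(f"synchronization context {ctx!r} is not a selected client context")

    # Rule 3: protection of the bind credential and of the imported directory data.
    if is_ad:
        if cfg.auth_method == "Basic":
            findings.append("Basic is a simple LDAP bind: password sent in clear text; "
                            "use Negotiate or Kerberos with Enable Encryption")
        elif not cfg.encrypt_session:
            findings.append("session not sealed: directory data crosses the network unencrypted")
        if cfg.port == 389 and len(cfg.scopes) > 1:
            findings.append(f"port 389 serves one domain only; {len(cfg.scopes)} domains "
                            "selected, use Global Catalog port 3268")
    elif not cfg.encrypt_session:
        findings.append("TLS/SSL disabled: bind password and imported data sent in clear text")
    return findings


# Constructed sample input: an insecure eDirectory draft and a sound AD draft.
EDIR_DRAFT = DirectoryServiceConfig(
    directory="eDirectory", host="edir1.example.net", port=389, encrypt_session=False,
    scopes=["ou=sales,o=acme"],
    client_contexts=["ou=users,ou=sales,o=acme", "ou=workstations,o=acme"],
    sync_contexts=["ou=users,ou=sales,o=acme"],
)
AD_DRAFT = DirectoryServiceConfig(
    directory="Active Directory", host="dc1.corp.example.com", port=3268,
    encrypt_session=True, auth_method="Negotiate",
    scopes=["corp.example.com", "emea.example.com"],
    client_contexts=["OU=Staff,DC=corp,DC=example,DC=com", "OU=Laptops,DC=emea,DC=example,DC=com"],
    sync_contexts=["OU=Staff,DC=corp,DC=example,DC=com"],
)

if __name__ == "__main__":
    for name, cfg in (("eDirectory draft", EDIR_DRAFT), ("AD draft", AD_DRAFT)):
        print(name, "->", check_config(cfg) or ["ok"])
```

The eDirectory draft produces two findings (a client context outside the chosen partition, and TLS/SSL left off on port 389); the AD draft produces none. The containment test is deliberately a plain RDN suffix match, so it treats `OU=Staff,DC=corp,...` and `ou=staff,dc=corp,...` as the same container but does not try to normalise attribute types or multi-valued RDNs.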