Using LDAP to Login to RetainServer When GroupWise No Longer Installed

  • 7019079
  • 02-Oct-2014
  • 07-Aug-2017

Environment


Retain 3.x
GroupWise

Situation

I no longer have GroupWise installed and I'm no longer archiving anything into Retain.  How can my users log into their Retain mailbox without having to set up each user password inside of Retain?

Resolution

You can use LDAP to eDirectory.  Here are the steps:

1.  Configure LDAP authentication in the GroupWise module inside the RetainServer admin UI.

2.  Go to the Management menu in the RetainServer navigation pane and select "Groups".  Edit the "default" group and set the "Authentication Method" to "LDAP authentication (GW)" and mark the box, "Use Exclusively".

2.  Edit .../RetainServer/WEB-INF/classes/config/misc.properties.

3.  Search for "custom.ldap.enable", which should take you down to the bottom section of the file.

4.  Edit the following lines to read as follows:

custom.ldap.enable=1

custom.ldap.attributes.requested=mail

custom.ldap.attributes.bind=email

custom.ldap.debug=1

custom.ldap.class=com.gwava.authenticate.gw.AlternativeGWLDAPAuthentication

5.  Restart Tomcat.

NOTE:  User then must login to RetainServer using their full GroupWise email address (user@domain.com). For example, jdoe@xyzcompany.com.


Custom LDAP Settings Explained

Many of these settings cannot be used. They are there for use in the future when this feature is more fully developed.  Features for future use that do not offer any functionality or if not fully understood are greyed out.

custom.ldap.enable= 0 | 1 (default = 0).
When set to 0 (default), Retain follows the normal GWLDAP Authentication path (where GroupWise is installed and running) and ignores the custom.ldap settings below.
Set to 1 to enable

custom.ldap.class=[className] (default = com.gwava.authenticate.gw.CustomLDAPAuthenticatorMethod).
The class of the modified java code. Keep it at the default.

custom.ldap.search=[LDAPQuery, using as placeholder for future]
Default is (&(objectClass=Person)(mail=)) Changing this for initial release is not supported.
DO NOT ENTER

custom.ldap.useuid=0 | 1 (default = 0).
If on, expects to have a UID entry. Otherwise currently expects to see an email entry in LDAP.
The name of the attribute is specified and bound elsewhere.
Set to 0.

custom.ldap.applicationuid=0 | 1 (default = 0).
Use if you are supplying an application UID not an internalUID.
It only matters when custom.ldap.useuid=1.
Set to 0.

custom.ldap.emailsystem=gw | exchange | etc (default = gw).
The type of messaging system this applies to. Initially only gw is supported.
Leave it at the default of "gw".

custom.ldap.attributes.requested=[comma delimited list] (default = mail)
This is a list of LDAP attributes you want requested. It is the user object's LDAP attribute name from eDirectory (and future, Active Directory, and others).
Case may matter depending on the LDAP server. For a standard GroupWise system, this is GUIDmail,or nGWObjectID. The mail attribute returns the user's Internet email address.
If requesting multiple attributes, list them in a single line separated by commas with no spaces between the attribute names and the commas (i.e., mail,nGWObjectID).
Recommended to leave at the default of mail.

custom.ldap.attributes.bind=[comma delimited list] (default = email)
This is a list of Retain address book attributes.  These attributes correspond with actual field names in the Retain database's t_abook field. Any one of the following can be listed and they are case sensitive:

This list must be exactly the same number of attributes as listed in the custom.ldap.attributes.requested and needs to be in the order in which you want each attribute to match.  For both attributes (LDAP and Retain), the value in the attribute listed in the first position should match the value in the other attribute.  Each item in ..attributes.bind maps to the LDAP attribute specified in ..attributes.requested, meaning that Retain will try to match what is returned from the custom.ldap.attributes.requested list with the custom.ldap.attributes.bind list; thus, they should also be in the order in which they should be mapped.  If you want the LDAP attribute of mail to map to the Retain attribute of email, they both should be listed at the first item in their respective lists.

EXAMPLE: 
If custom.ldap.attributes.requested reads has mail,nGWobjectID, then the custom.ldap.attributes.bind line must read email,mailbox in that order so that mail maps to email and nGWobjectID maps to mailbox.  If those values do not match, this will not work; thus, if John Doe's Internet email address (mail attribute) were jdoe@xyzcompany.com, then the Retain database's email attribute should also read jdoe@xyzcompany.com or else it will not be able to make a match.  Likewise, if nGWobjectID were "jdoe", then the Retain database's mailbox attribute better have "jdoe".

Recommended to leave at the default of email.
custom.ldap.debug=0 | 1 (default = 0)
Set to "1" to generate more diagnostic logging in the RetainServer log.

Additional Information

This article was originally published in the GWAVA knowledgebase as article ID 2377.