LDAP servers house LDAP directories such as NetIQ eDirectory and Microsoft Active Directory, which provide two important services to your GroupWise system:
User Synchronization: User synchronization transfers modified user information from the LDAP directory to GroupWise for display in the GroupWise Address Book.
The LDAP directory is the primary location for user information. Any changes to user information made in the GroupWise Admin console are not synchronized back to the directory.
The MTA performs user synchronization for all users in the domain serviced by the MTA. The MTA then replicates the user information to all domains in your GroupWise system.
LDAP Authentication: LDAP authentication requires that GroupWise users provide their directory (network login) passwords instead of GroupWise passwords in order to access their mailboxes.
The POA performs LDAP authentication on behalf of the GroupWise client, the GroupWise Web Application, and the GWIA when these programs need to authenticate users to GroupWise.
Directories/Servers List: Lists the LDAP directories and LDAP servers that are defined for use with your GroupWise system. Click a directory or server to edit its configuration.
Unless you have selected GroupWise Authentication (Post Office object > Security tab), you must configure at least one LDAP directory for use with your GroupWise system.
New Directory: Click New Directory to define a new LDAP directory (NetIQ eDirectory, Microsoft Active Directory, or generic LDAP).
New LDAP Server: Click New LDAP Server to define a new LDAP server.
You must configure one or more LDAP servers, in addition to an LDAP directory, when one or both of the following situations exist:
You want to configure a pool of LDAP servers to provide redundancy for LDAP authentication (Post Office object > Security tab).
You want to provide GroupWise users in a remote location with a local LDAP server and directory replica to facilitate prompt LDAP authentication.
Delete: Select one or more directories or servers, then click Delete to remove them from the list.
You can use NetIQ eDirectory, Microsoft Active Directory, or a generic LDAP directory with GroupWise. GroupWise and the directory interact in the following ways:
User Synchronization: User synchronization transfers modified user information from the LDAP directory to GroupWise for display in the GroupWise Address Book.
The LDAP directory is the primary location for user information. Any changes to user information made in the GroupWise Admin console are not synchronized back to the directory.
The MTA performs user synchronization for all users in the domain serviced by the MTA. The MTA then replicates the user information to all domains in your GroupWise system.
LDAP Authentication: LDAP authentication requires that GroupWise users provide their directory (network login) passwords instead of GroupWise passwords in order to access their mailboxes.
The POA performs LDAP authentication on behalf of the GroupWise client, the GroupWise Web Application, and the GWIA when these programs need to authenticate users to GroupWise.
Email Publishing: GroupWise can be the primary location for users’ email addresses, rather than the LDAP directory. You can configure GroupWise to synchronize email addresses to the directory when they are changed in the GroupWise Admin console (System > Internet Addressing > Email Publishing tab and System > LDAP Servers > directory > Email Publishing tab).
Name: For a new LDAP directory, specify a unique and descriptive name by which you want the directory to be known in your GroupWise system. You cannot edit an existing name.
Description: (Optional) Provide additional helpful information about the LDAP directory.
Type: Select the type of directory that you are defining for use with GroupWise.
NetIQ eDirectory and Microsoft Active Directory are fully supported for use with GroupWise. Other LDAP directories should work successfully if they use standard LDAP attributes.
LDAP Image Attribute: Allows you to select the image attribute that corresponds to the photos you want imported from your directory. If you are using Active Directory, your options are thumbnailPhoto or jpegPhoto. If you are using eDirectory, your options are jpegPhoto or photo. GroupWise automatically scales the imported photos to 64 pixels by 64 pixels.
Host Name: Specify either the IP address or the DNS hostname of the LDAP server where the directory is located.
If your network uses IPv6, you must specify the DNS hostname.
Port: Specify the TCP port number on which the MTA can communicate with the LDAP server.
If SSL is required, the default LDAP port number is 636. If SSL is not required, the default LDAP port number is 389.
Use SSL: Indicates that the MTA must use the Secure Sockets Layer (SSL) protocol when communicating with the LDAP server where the directory is located.
SSL Certificate: For access by GroupWise agents, upload the SSL certificate file into GroupWise. For access by legacy GroupWise agents, specify the full path name of the SSL certificate file.
The LDAP root certificate provided by the LDAP server contains only public information. Therefore, for convenience, it can be safely uploaded into a domain database. This replicates it throughout your GroupWise system, so that it is available to all MTAs and POAs that rely on LDAP services.
In order to upload the LDAP root certificate into a domain database, you must be able to browse to the certificate file from your workstation. You might need to transfer the certificate file from the LDAP server to your local workstation or to the GroupWise server that the Admin console is connected to.
View:
Click View to view the LDAP root certificate that is stored in the domain database for this LDAP server.
Delete:
Click Delete to remove the LDAP root certificate that is stored in the domain database for this LDAP server.
Upload:
Click Select to browse to and select the LDAP root certificate file. You can browse your local file system to locate the file, or you can access it on the GroupWise server that the Admin console is currently connected to.
LDAP User: Specify the user name for authenticating to the LDAP server.
Specify the information in the format used by the LDAP server. For example:
cn=user_name,ou=org_unit,o=organization or cn=user_name,ou=users,dc=server_name,dc=company_name,dc=com
MTAs authenticate to the LDAP server to perform user synchronization.
LDAP User Password: Specify the password for the LDAP user.
Base DN: (Optional) Specify the base context under which users to synchronize are located in the LDAP directory, for example:
ou=users,ou=org_unit,o=organization or cn=users,dc=server_name,dc=company_name,dc=com
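The LDAP User and Base DN fields above take distinguished names in the directory's own format, and the MTA only synchronizes users that sit below the Base DN. The following Python is an added example, not GroupWise code: it parses DNs (including RFC 4514 backslash escapes such as `cn=Smith\, John`) and checks whether a DN lies under a configured Base DN, which is a quick way to catch a scope mismatch such as `ou=users` versus `cn=users` before enabling synchronization. All DNs used are constructed sample values.

```python
# Added example, not part of GroupWise. Parses DN strings in the form GroupWise
# expects for the LDAP User and Base DN fields and checks subtree membership.
# Multi-valued RDNs (joined with '+') are not handled; all DNs are sample values.

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute_type, value) pairs, leftmost RDN first.
    Backslash-escaped characters (RFC 4514) are kept literally, so an escaped
    comma inside a value does not start a new RDN."""
    rdns, buf, attr, i = [], "", None, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped char: take it verbatim
            buf += dn[i + 1]
            i += 2
            continue
        if ch == "=" and attr is None:           # end of attribute type
            attr, buf = buf.strip().lower(), ""
        elif ch == ",":                           # end of this RDN
            if attr is None:
                raise ValueError(f"RDN without '=' in {dn!r}")
            rdns.append((attr, buf.strip()))
            attr, buf = None, ""
        else:
            buf += ch
        i += 1
    if attr is None:
        raise ValueError(f"RDN without '=' in {dn!r}")
    rdns.append((attr, buf.strip()))
    return rdns

def is_under_base(dn: str, base_dn: str) -> bool:
    """True if dn equals base_dn or lies below it (case-insensitive compare)."""
    d = [(a, v.lower()) for a, v in parse_dn(dn)]
    b = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def check_sync_scope(ldap_user_dn: str, base_dn: str, user_dns: list[str]) -> dict:
    """Report which sample user DNs the MTA would find under base_dn, and whether
    the LDAP User itself lives in that subtree (it need not, but a mismatch such
    as ou=users vs cn=users is worth noticing before enabling synchronization)."""
    in_scope = [u for u in user_dns if is_under_base(u, base_dn)]
    return {
        "ldap_user_in_scope": is_under_base(ldap_user_dn, base_dn),
        "users_in_scope": in_scope,
        "users_out_of_scope": [u for u in user_dns if u not in in_scope],
    }

if __name__ == "__main__":
    base = "cn=users,dc=server_name,dc=company_name,dc=com"       # sample Base DN
    print(check_sync_scope("cn=user_name,ou=users,dc=server_name,dc=company_name,dc=com",
                           base, ["cn=jdoe,cn=users,dc=server_name,dc=company_name,dc=com",
                                  "cn=asmith,ou=staff,dc=server_name,dc=company_name,dc=com"]))
```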
Sync Domain: Select the domain whose MTA you want to perform user synchronization with the LDAP directory.
The domain’s MTA must be configured to perform user synchronization (MTA object > Scheduled Events tab). User information obtained from the directory by this MTA then automatically replicates throughout your GroupWise system.
Enable Synchronization: Authorizes the LDAP directory to communicate with the MTA in order to perform user synchronization.
Sync: Performs user synchronization immediately, regardless of the next MTA scheduled event for user synchronization.
You can configure your GroupWise system to use GroupWise authentication or LDAP authentication when users log in to their mailboxes (Post Office object > Security tab).
GroupWise Authentication: GroupWise authentication uses GroupWise-specific passwords that are stored with users’ mailboxes.
LDAP Authentication: LDAP authentication requires that GroupWise users provide their directory (network login) passwords instead of GroupWise passwords in order to access their mailboxes.
The POA performs LDAP authentication on behalf of the GroupWise client, the GroupWise Web Application, and the GWIA when these programs need to authenticate users to GroupWise.
User Authentication Method: Select how you want the LDAP server to interact with POAs when authenticating GroupWise users:
Bind: Select Bind if you want the POA to bind as the GroupWise user to the LDAP server in order to authenticate the user's password. Using Bind, most LDAP servers enforce password policies such as grace logins and intruder lockout, if such policies have been implemented for the LDAP server.
For Microsoft Active Directory, only Bind is available.
Compare: Select Compare if you want the LDAP server to compare the password offered by the POA with the user's password in the LDAP directory, and then return the results of the comparison, in order to authenticate the user's password. Using Compare provides faster access because there is less overhead.
LDAP User: Specify the user name for authenticating to the LDAP server.
Specify the information in the format used by the LDAP server. For example:
cn=user_name,ou=org_unit,o=organization or cn=user_name,ou=users,dc=server_name,dc=company_name,dc=com
If you want POAs to access the LDAP server with specific rights to the directory, specify an LDAP user that has the desired rights.
If you do not provide an LDAP user name, POAs access the LDAP server with a public or anonymous connection for a Compare connection or with the GroupWise user's user name for a Bind connection. The connection type is configured for the LDAP server on the General tab.
LDAP User Password: (Conditional) If the LDAP user name requires a password, specify the password.
Disable LDAP Password Changing: Prevents GroupWise users from changing their LDAP directory (network) passwords by using the Password dialog box in the GroupWise client or GroupWise Web.
If you deselect this option, GroupWise client users can use Tools > Options > Security > Password to change their GroupWise passwords and their LDAP directory (network) passwords at the same time. GroupWise Web users can use the Settings icon > Password.
When your GroupWise system relies on an LDAP directory (such as NetIQ eDirectory or Microsoft Active Directory) to supply user information (System > LDAP Servers), GroupWise databases and the directory both contain information about users’ email address formats.
When you change the format settings for users' GroupWise email addresses in the Admin console, you can publish the changes to the LDAP directory so that user email address information matches in both places.
Publish Email Addresses to This Directory: Allows the LDAP directory to receive email addresses published by using System > Internet Addressing > Email Publishing.
Override Addressing Formats Defined at the System Level: Allows you to override the system-level settings (System > Internet Addressing > Email Publishing) for this directory.
Publish the Preferred Email Address Only: Publish users' email addresses to the LDAP directory only in the format established in the Preferred Address Format field on the Internet Addressing > Addressing Formats tab. This publishes one email address per user in the preferred format established for your GroupWise system.
Publish All Allowed Addresses: Publish users' email addresses to the LDAP directory in any formats selected in the Allowed Address Formats list on the Internet Addressing > Address Formats tab. This publishes one or more email addresses per user in all formats allowed for your GroupWise system.
Publish the Following Addresses: Select which email addresses and formats to publish. The available formats default to the list selected on the Internet Addressing > Address Formats tab. This publishes one or more email addresses per user in the specifically selected formats.
Publish Nickname Addresses: Publish any email addresses in the formats selected above that include nicknames. Nicknames are established on the Nickname tab of User objects and can be managed by clicking Nicknames on the Administration menu.
Publish Gateway Alias Addresses: Publish any email addresses in the formats selected above that include gateway aliases. Gateway aliases are established on the Gateway Aliases tab of User objects. Where possible, use preferred email IDs rather than gateway aliases.
You must configure one or more LDAP servers, in addition to an LDAP directory, when one or both of the following situations exist:
You want to configure a pool of LDAP servers to provide redundancy for LDAP authentication (Post Office object > Security tab).
You want to provide GroupWise users in a remote location with a local LDAP server and directory replica to facilitate prompt LDAP authentication.
Name: For a new LDAP server, specify a unique and descriptive name by which you want the server to be known in your GroupWise system. This name appears in the list of LDAP servers that is available when you configure LDAP authentication (Post Office object > Security tab). You cannot edit an existing name.
Description: (Optional) Provide additional helpful information about the LDAP server.
Directory: Select the LDAP directory on the LDAP server.
The directory must already be defined for use with GroupWise by using System > LDAP Servers > New Directory.
Host Name: Specify either the IP address or the DNS hostname of the LDAP server.
If your network uses IPv6, you must specify the DNS hostname.
Port: Specify the TCP port number on which POAs and MTAs can communicate with the LDAP server.
If SSL is required, the default LDAP port number is 636. If SSL is not required, the default LDAP port number is 389.
Use SSL: Indicates that POAs and MTAs must use the Secure Sockets Layer (SSL) protocol when communicating with the LDAP server.
SSL Certificate: For access by GroupWise agents, upload the SSL certificate file into GroupWise. For access by legacy GroupWise agents, specify the full path name of the SSL certificate file.
The LDAP root certificate provided by the LDAP server contains only public information. Therefore, for convenience, it can be safely uploaded into a domain database. This replicates it throughout your GroupWise system, so that it is available to all MTAs and POAs that rely on LDAP services.
In order to upload the LDAP root certificate into a domain database, you must be able to browse to the certificate file from your workstation. You might need to transfer the certificate file from the LDAP server to your local workstation or to the GroupWise server that the Admin console is connected to.
View:
Click View to view the LDAP root certificate that is stored in the domain database for this LDAP server.
Delete:
Click Delete to remove the LDAP root certificate that is stored in the domain database for this LDAP server.
Upload:
Click Select to browse to and select the LDAP root certificate file. You can browse your local file system to locate the file, or you can access it on the GroupWise server that the Admin console is currently connected to.
Selected Post Offices: Lists the post offices that are currently using this LDAP server for LDAP authentication.
Available Post Offices: Lists the post offices that are not yet associated with an LDAP server.
Select a post office, then click an arrow button to move it from one list to another.
Move post offices from the Available Post Offices list to the Selected Post Offices list to assign post offices to this LDAP server.
You can also assign LDAP servers to post offices at the post office level (Post Office object > Security tab).