54.6 Changing the LDAP Directory Association of Users

If you set up a new GroupWise system by manually creating GroupWise users in the GroupWise Administration Console, you can later associate those GroupWise users with users in an LDAP directory. The directory then becomes the primary location for user information. User synchronization updates the user information in GroupWise based on the information in the LDAP directory. It can also publish users’ email addresses to the LDAP directory.

54.6.1 Associating GroupWise Users with an LDAP Directory

To associate GroupWise users with an LDAP directory:

  1. In the GroupWise Administration Console, configure your GroupWise system to communicate with the LDAP directory.

    For instructions, see Setting Up an LDAP Directory.

  2. Click System > Directory Associations.

  3. (Conditional) If you have multiple LDAP directories, select the one where you want to associate the GroupWise users.

  4. (Conditional) If the context of the User objects is under the Base DN, browse to and select the LDAP context where User objects are located.

  5. (Optional) Specify an LDAP filter and select additional options as needed.

  6. Click Preview to list the users who will be associated with LDAP directory objects.

  7. (Conditional) As needed, adjust the filter and options, and then click Update Preview until you are satisfied with the list.

  8. When you are satisfied with the list, click Associate.

    The GroupWise users are associated with their LDAP directory counterparts.

54.6.2 Migrating From eDirectory to Active Directory

The process of migrating from NetIQ eDirectory to Microsoft Active Directory is straightforward. Before you start the migration, ensure that both directories are stable.

Preparing for the Migration

The Active Directory object in your GroupWise system must be properly configured to support the migration process.

  1. In the GroupWise Administration Console, click System > LDAP Servers.

  2. Click the name of the Active Directory object.

  3. Verify that the Base DN field displays the location where you plan to create the Active Directory User objects for the GroupWise users. Update it if necessary.

  4. Verify that the Sync Domain field displays the domain where the users’ post office and GroupWise mailboxes are located.

  5. Verify that Enable Synchronization is selected.

  6. On the Email Publishing tab, verify that Publish Email Addresses to This Directory is selected.

  7. Click OK, and then click Close.

  8. Continue with Creating the Directory Associations.

Creating the Directory Associations

To create a directory association:

  1. Create a User object in Active Directory for each GroupWise user.

    IMPORTANT: Ensure that, on each new Active Directory User object, the User logon name (pre-Windows 2000) field (the sAMAccountName property in Active Directory) exactly matches the GroupWise user name (the uniqueID property in eDirectory). Any user for whom these names do not match must be manually migrated.

  2. In the GroupWise Administration Console, click System > Directory Associations.

  3. Select the LDAP directory that you verified in Preparing for the Migration.

  4. (Conditional) If the context of the User objects is under the Base DN, browse to and select the LDAP context where User objects are located.

  5. Select Override Existing Association.

    By default, existing users retain their existing associations. The migration process requires that eDirectory associations be replaced with Active Directory associations.

  6. (Optional) Specify an LDAP filter and select additional options as needed.

  7. Click Preview to list the users who will be migrated from eDirectory to Active Directory.

  8. (Conditional) As needed, adjust the filter and options, and then click Update Preview until you are satisfied with the list.

    HINT: Initially, migrate only a small number of users to ensure that the migration process is working as expected.

  9. Click Associate.

  10. Continue with Verifying the Directory Associations.
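
The name match required in Step 1 can be checked before you click Associate. The following is an added example, not part of the GroupWise documentation or tooling: it assumes you have exported both directories to LDIF, and the function names, sample entries, and the attribute name used in the eDirectory export are assumptions (adjust the attribute name to whatever your export contains). Names that differ only in case are reported separately, because the requirement above is an exact match.

```python
import base64
import re

def ldif_values(ldif_text, attr):
    """Return every value of `attr` in an LDIF export (subset of RFC 2849)."""
    text = re.sub(r"\r?\n ", "", ldif_text)  # unfold continuation lines
    pattern = rf"(?im)^{re.escape(attr)}:(:?)[ \t]*(.*)$"
    values = []
    for is_b64, raw in re.findall(pattern, text):
        # "attr:: ..." marks a base64 value, which LDIF uses for non-ASCII text
        raw = raw.strip()
        values.append(base64.b64decode(raw).decode("utf-8") if is_b64 else raw)
    return values

def compare_names(gw_names, ad_names):
    """Classify each GroupWise user name against the AD logon names."""
    exact = set(ad_names)
    folded = {n.casefold(): n for n in ad_names}
    report = {"match": [], "case_only": [], "missing": []}
    for name in sorted(set(gw_names)):
        if name in exact:
            report["match"].append(name)
        elif name.casefold() in folded:  # differs only in case: not an exact match
            report["case_only"].append((name, folded[name.casefold()]))
        else:
            report["missing"].append(name)
    return report

# Constructed sample exports (not real data); attribute names are assumptions
EDIR_LDIF = """dn: cn=jsmith,ou=users,o=example
uniqueID: jsmith

dn: cn=mgarcia,ou=users,o=example
uniqueID: mgarcia

dn: cn=tnguyen,ou=users,o=example
uniqueID: tnguyen
"""
AD_LDIF = """dn: CN=John Smith,OU=Staff,DC=example,DC=com
sAMAccountName: jsmith

dn: CN=Maria Garcia,OU=Staff,DC=example,DC=com
sAMAccountName: MGarcia

dn: CN=Tran Nguyen,OU=Staff,DC=example,DC=com
sAMAccountName: t.nguyen
"""
REPORT = compare_names(ldif_values(EDIR_LDIF, "uniqueID"),
                       ldif_values(AD_LDIF, "sAMAccountName"))
print(REPORT)
```

Users listed under case_only or missing are the ones to correct in Active Directory before the migration, or to associate manually afterward.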

Verifying the Directory Associations

When the associations between GroupWise and Active Directory are properly set up, GroupWise data synchronizes reliably between the two systems.

  1. In Active Directory, verify that the user’s GroupWise information has synchronized to Active Directory:

    1. On the General tab of a GroupWise User object, verify that the Email Address field displays the user’s GroupWise email address.

    2. To provide a test of user synchronization from Active Directory to GroupWise, modify the user’s phone number.

  2. In the GroupWise Administration Console, ensure that the MTA console is password protected so that you can control the MTA in your web browser:

    1. Browse to and click the MTA that synchronizes GroupWise data with Active Directory.

    2. Click the Agent Settings tab, and then verify that the HTTP section shows that the MTA is configured with an HTTP user name and password.

    3. (Conditional) If necessary, provide a user name and password.

    4. Click Save, and then click Close to return to the main Administration Console window.

  3. In the MTA console, perform user synchronization between GroupWise and Active Directory:

    1. When prompted, provide the user name and password that are required for controlling the MTA in the MTA console.

    2. On the Configuration tab, click Directory User Synchronization.

    3. Select Perform GroupWise Directory Synchronization Now, and then click Submit.

    4. Click the Log Files tab, and then view the most recent log file to look for lines similar to the following example:

  4. In the GroupWise Administration Console, verify that the user’s information in Active Directory has synchronized to GroupWise:

    1. Click Users, and then click the name of the user whose phone number you modified in Active Directory in Step 1.b.

    2. On the General tab, verify that the user’s phone number matches what is in Active Directory.

    3. Change the user’s phone number back, and then click Save.

  5. Continue with Verifying Successful Authentication.

Verifying Successful Authentication

When the associations are correctly set up, GroupWise users can log in to their mailboxes by using LDAP authentication.

  1. In the GroupWise Administration Console, verify that the post office of the migrated users is configured for LDAP authentication:

    1. Browse to and click the name of the post office.

    2. On the Security tab, verify that LDAP Authentication is selected.

  2. Start the GroupWise client for a user that has been migrated to Active Directory.

  3. Verify that the user credentials provided by Active Directory result in a successful login to the GroupWise mailbox.

  4. Continue with Verifying a Complete User Migration.

Verifying a Complete User Migration

After you have used the Directory Associations tool to migrate all of your users from eDirectory to Active Directory, you can verify that, in fact, no more users remain in eDirectory.

  1. In the GroupWise Administration Console, click Users to list all of your GroupWise users.

  2. Use the Search User Name field to check for users that might have been missed:

    1. Use the following filter to search for users who are not currently associated with any LDAP directory:

      directory = null

    2. Use the following filter to search for users who are not associated with Active Directory:

      directory != active_directory_name

  3. (Conditional) If your searches revealed orphan users that no longer need GroupWise accounts, plan to disable their accounts at an appropriate time.

    For instructions, see Disabling and Enabling GroupWise Accounts.

  4. (Conditional) If your searches revealed users whose Active Directory logon name did not match their GroupWise user name, you can associate them manually:

    1. After searching for the unassociated users, click a user name.

    2. Click More > Associate.

    3. Select the LDAP directory where you want to associate the user.

    4. Browse to and select the user in the LDAP directory.

    5. Click OK.

When you are sure that you no longer need the User objects in eDirectory, you can delete them.

Using an SSL connection between GroupWise and Active Directory is strongly recommended. The process for establishing an SSL connection is beyond the scope of the GroupWise product documentation.

54.6.3 Dissociating GroupWise Users from an LDAP Directory

To dissociate GroupWise users from an LDAP directory:

  1. In the GroupWise Administration Console, browse to and click the name of the User that you want to dissociate from the LDAP directory.

  2. Click More > Dissociate.

  3. Verify that the right user information is displayed, and then click OK.

    The user is still a GroupWise user, but the user is no longer associated with a User object in an LDAP directory.