1.4 Configuring the Mobility Admin Console

1.4.1 Adjusting the Mobility Admin Console Polling Rate for Groups of Users

During installation of the Mobility Service, you selected the source (LDAP or GroupWise) from which users and groups of users can be added to your Mobility system. For background information, see Selecting the User Source for Your Mobility System in the GroupWise Mobility Service 18 Installation Guide.

If you selected LDAP as your user source, groups of users in your Mobility system correspond to LDAP groups. The Admin console polls only the groups in containers that it has been configured to search. For more information, see Searching Multiple LDAP Contexts for Users and Groups.

If you selected GroupWise as your user source, groups of users in your Mobility system correspond to GroupWise groups (distribution lists in older GroupWise systems). The Mobility Admin console locates GroupWise groups based on their group_name.post_office.domain location in your GroupWise system

When you add a group of users to your Mobility system, the group’s existing members are added to the group as displayed in the Mobility Admin console. Subsequently, the Mobility Admin console polls for updates to group membership. This ensures that the group membership that is displayed in the Mobility Admin console always matches the membership in the LDAP directory or the GroupWise system.

By default, the Mobility Admin console polls the user source for changes in group membership every 1800 seconds (30 minutes).

  1. In the Mobility Admin console, click Config> User Source.

  2. Adjust the poll rate as needed to synchronize the group membership in the Mobility Admin console with current group membership in the LDAP directory or the GroupWise system.

  3. Click Save to save the new setting(s).

  4. Restart the Mobility Service:

    rcgms restart

1.4.2 Using the Mobility Admin Console with a Single Sign-On Solution

If you are using a single sign-on solution such as NetIQ Access Manager or KeySheild SSO, the Mobility Admin console does not require authentication when you are already logged in to the single sign-on solution.

  • For Access Manager, no extra configuration is required.

  • For KeyShield SSO, you must provide Keyshield SSO settings on the Single Sign-On page in the Mobility Admin console. For more information, see KeyShieldSSO.

1.4.3 Changing between LDAP and GroupWise as the User Source

Regardless of the user source that you selected during installation (LDAP or GroupWise), you can change to the other user source at any time. For background information, see Selecting the User Source for Your Mobility System in the GroupWise Mobility Service 18 Installation Guide.

  1. In the Mobility Admin console, click Config> User Source.

  2. In the Provisioning field, select LDAP or GroupWise as the source from which you want the Mobility Admin console to obtain users and groups of users to add to your Mobility System.

    If you selected GroupWise as the user source when you installed your Mobility system and you now select LDAP, you must provide the configuration information for the LDAP server in order to change from GroupWise to LDAP provisioning in the Mobility Admin console.

    You can also use GroupWise LDAP to provision users after the install. For more information on using GroupWise LDAP, see Configuring GroupWise LDAP Provisioning.

    If you have set up your Mobility system so that some users are provisioned from LDAP and others are provisioned from GroupWise, you can mouse over each user on the Users page to display the LDAP context or GroupWise user_name.post_office.domain location.

  3. (Conditional) If you selected LDAP in the Provisioning field, select LDAP or GroupWise in the Authentication field to select the password that is required for mobile devices to log in to your Mobility system.

    IMPORTANT:If you are using GroupWise LDAP, you must select GroupWise in the Authentication field.

    If you select LDAP, mobile devices use LDAP passwords as provided by the LDAP server that your Mobility system is configured to access. If you select GroupWise, device authentication is provided through the GroupWise POA. The POA can be configured to provide either GroupWise authentication or LDAP authentication for GroupWise users and devices.

    If you selected GroupWise in the Provisioning field, you cannot select LDAP in the Authentication field because the Device Sync Agent would have no way to contact an LDAP server for password information for the user.

  4. Click Save to save the new setting(s).

  5. Restart the Mobility Service:

    rcgms restart

1.4.4 Modifying LDAP Information in Relation to Your Mobility System (Optional)

If you are using LDAP as your user source, you might need to change LDAP information over time.

Setting Up Multiple Mobility Administrator Users

During installation, you establish the initial LDAP user who can access the Mobility Admin console. After installation, you can grant this right to additional users.

  1. In a terminal window on the Mobility server, become root by entering su - and the root password.

  2. Change to the following directory:

    /etc/datasync/configengine
  3. Open the configengine.xml file in a text editor.

  4. Locate the following section:

    <admins>
         <dn>cn=user_name,ou=organizational_unit,o=organization</dn> 
    </admins> 

    This section identifies the original Mobility administrator user that you established during installation.

  5. Copy the line for the original Mobility user to a new line between the <admins> tags, then modify it as needed to identify an additional Mobility administrator user.

  6. Save the configengine.xml file, then exit the text editor.

  7. Restart the Mobility Service:

    rcgms restart

Searching Multiple LDAP Contexts for Users and Groups

During installation, you specify one LDAP container to search in order to get user information and another container to search in order to get group information. After installation, you can add more containers for the Mobility Admin console to search for users and groups when you need to add users and groups to your Mobility system.

IMPORTANT:Subcontainers are also searched, so you do not need to add them separately.

  1. In the Mobility Admin console, click Config > User Source.

  2. To search in an additional container for users, specify the container context in the text entry field under Base User DNs.

  3. To search in an additional container for groups, specify the container context in the text entry field under Base Group DNs.

  4. Click Save to save the new setting(s).

  5. Restart the Mobility Service:

    rcgms restart

Enabling and Disabling SSL for the Mobility Service LDAP Connection

During installation, you chose whether to use SSL for the connection between the Mobility Admin console and the LDAP directory. You can change the setting after installation as needed.

  1. In the Mobility Admin console, click Config > User Source.

  2. Select or deselect Secure to enable or disable SSL.

  3. In the Port field, adjust the port number as needed to match the port number used by the LDAP server.

    The default secure SSL port is 636. The default non-secure port is 389.

  4. Click Save to save the new setting(s).

  5. Restart the Mobility Service:

    rcgms restart

Changing the LDAP Server for Provisioning and Authentication

During installation, you selected an LDAP server for the Mobility Admin console to communicate with when authenticating to the LDAP directory. You can change the LDAP server after installation as needed.

  1. In the Mobility Admin console, click Config > User Source.

  2. In the IP Address field, specify the IP address or DNS hostname of the LDAP server that you want to use for provisioning or authentication.

  3. (Conditional) If needed for the new LDAP server, adjust the port number and secure SSL setting.

    The default secure SSL port is 636. The default non-secure port is 389.

  4. (Conditional) If needed for the new LDAP server, adjust the LDAP base DNs for users and groups.

  5. (Conditional) If needed for the new LDAP server, adjust the LDAP administrator DN and password.

    If you accidentally change any LDAP server information so that you are prevented from logging in to the Mobility Admin console using the new LDAP information, you can still log in using the root user name and password. For instructions, see Accessing the Mobility Admin Console When the LDAP Server Is Inaccessible.

  6. Click Save to save the new setting(s).

  7. Restart the Mobility Service:

    rcgms restart

Updating the LDAP Password

If you change the administrator password on your LDAP server, you must reconfigure your Mobility server to match the new password.

  1. (Conditional) If you cannot access the Mobility Admin console because the LDAP server password has already changed, follow the instructions in Accessing the Mobility Admin Console When the LDAP Server Is Inaccessible.

  2. In the Mobility Admin console, click Config > User Source.

  3. In the Admin Password field, specify the new password.

  4. Click Save to save the new setting(s).

  5. Restart the Mobility Service:

    rcgms restart

Accessing the Mobility Admin Console When the LDAP Server Is Inaccessible

Occasionally, you might need to log in to the Mobility Admin console when the LDAP server is unavailable. At all times, you can log in to the Mobility Admin console using the root user name and password.

Configuring GroupWise LDAP Provisioning

GroupWise 18 LDAP provisioning can be used in place of the standard GroupWise provisioning. You configure GroupWise LDAP the same as you would regular LDAP in Mobility, but must use GroupWise for authentication. For information on enabling GroupWise LDAP on the MTA, see Configuring the LDAP Server Capabilities in the GroupWise 18 Administration Guide. The LDAP server must use SSL for provisioning to work. You also need to know the IP address of the MTA server where LDAP is enabled. Use the information below to setup GroupWise LDAP in Mobility:

Creating an Admin App in GroupWise

You need to create an admin app for Mobility using the GroupWise Admin service. To create the admin app user, run the following curl command on your GroupWise primary domain server:

curl -k --user gw_sys_admin:admin_password -X POST -H "Content-Type:application/json" --data "{\"name\":\"admin_app\",\"password\":\"admin_app_password\",\"description\":\"app_description\"}" https://GW_domain_ip:9710/gwadmin-service/system/adminapps

The following items need to be replaced in the curl command:

  • gw_sys_admin: Specify your GroupWise system admin username.

  • admin_password: Specify the password of your GroupWise system admin.

  • admin_app: Specify a name for your admin app.

  • admin_app_password: Specify a password for your admin app.

  • app_description: Specify the purpose of the admin app. In this case it is for GMS.

  • GW_domain_ip: Specify the IP address of your GroupWise primary domain server.

NOTE:If you are running this command on a Windows server, curl may not be available. You can download curl from here if needed.

The admin app is then used to authenticate to GroupWise LDAP. You need the admin app name and password. The name of the admin app needs to be specified in Mobility as follows:

cn=admin_app_user

Gathering the GroupWise Base DN

The Base DN is used to search for users and groups in LDAP. The Base DN is your GroupWise System Name which can be found in the GroupWise Admin console > System > Information. It is listed at the top of the pop up window as Information - system_name. Using that, the Base DN should be specified as follows:

o=system_name

Setting Up GroupWise LDAP Provisioning

After you making sure create the admin app and get the system name, you are ready to configure GroupWise LDAP provisioning.

  1. In the Mobility Console > Config > User Source, set Provisioning to LDAP.

    IMPORTANT:Make sure Authentication is set to GroupWise.

  2. Use the table below to enter in the GroupWise LDAP information:

    Field

    Value

    IP Address

    Enter the IP address of the MTA server.

    Port

    SSL Port used by GroupWise LDAP. The default GroupWise SSL port is 636.

    Secure

    Must be enabled as SSL must be used.

    Admin Full DN

    Enter in the admin app domain name as specified in Creating an Admin App in GroupWise. For example:

    cn=admin_app

    Admin Password

    Enter the admin app password.

    Base User DNs

    Enter the system name as specified in Gathering the GroupWise Base DN. For example

    o=system_name

    Base Group DNs

    Enter the system name as specified in Gathering the GroupWise Base DN. For example

    o=system_name
  3. Click Save.

1.4.5 Adding GroupWise Users as Mobility Administrators

By default, when you use GroupWise as your Mobility system’s user source, you must log in to the Mobility Admin console using the root user name and password.

You can configure the Mobility Service to allow specific users to log in using their GroupWise username and password. Then the root user name and password can continue to be used as well.

  1. In a terminal window on the Mobility server, become root by entering su - and the root password.

  2. Change to the following directory:

    /etc/datasync/configengine
  3. Open the configengine.xml file in a text editor.

  4. Add the following section:

    <gw>
       <admins>
           <username>GroupWise_Username</username>
           <username>GroupWise_Username</username> 
       </admins>
       <enabled>true</enabled>
    </gw>

    Replace GroupWise_Username with the appropriate GroupWise user name. You can add as many GroupWise users as needed.

  5. Save the configengine.xml file, then exit the text editor.

  6. Restart the Mobility Service to put the new settings into effect:

    rcgms restart