76.3 Authenticating to GroupWise with Passwords Stored in an LDAP Directory

Enabling LDAP authentication for the POA is independent of these LDAP address book features. You enable LDAP authentication when you want the POA to verify a user's password against an LDAP directory instead of against the password stored in the user's GroupWise account information. The POA can make use of the LDAP capabilities described in the sections that follow.

When you understand these LDAP capabilities, you are ready to set up LDAP authentication for your GroupWise users. See Section 36.3.4, Providing LDAP Authentication for GroupWise Users.

76.3.1 Access Method

On a server-by-server basis (ConsoleOne > Tools > GroupWise System Operations > LDAP Servers), you can specify whether you want each LDAP server to respond to authentication requests using a bind or a compare.

  • Bind: With a bind, the POA essentially logs in to the LDAP server as the user, presenting the user's identity together with the password the user typed. Because the directory sees a real login attempt, most LDAP servers enforce their password policies on a bind request, such as grace logins and intruder lockout, if such policies have been implemented in the LDAP directory. A user who is locked out in the directory is therefore also locked out of GroupWise.

  • Compare: With a compare, the POA stays connected under its own identity and hands the user's password to the LDAP server in a compare request. The LDAP server compares the supplied password with the user's password in the LDAP directory and returns only the result of the comparison. A compare is typically faster because the server does less work: it does not treat the request as a login, so password policies such as grace logins and intruder lockout are not applied. That is also the security trade-off: repeated wrong passwords submitted through GroupWise are not counted or locked out by the directory, so any limit on failed logins must be enforced elsewhere. Because the compare is issued over the POA's own connection, the account the POA connects with (see Section 76.3.2) must have rights to compare the password attribute of the user objects.

Regardless of whether the POA is submitting bind requests or compare requests to authenticate GroupWise users, the POA can keep its connection to the LDAP server open as long as authentication requests keep arriving before the connection's idle timeout expires. This avoids reconnecting for every login and gives quick response as users access their mailboxes.

76.3.2 LDAP Username

On a post office-by-post office basis (ConsoleOne > Post Office object > Properties > GroupWise > Security), you can decide what username you want the POA to use when accessing the LDAP server.

  • LDAP Username Login: If you want the POA to access the LDAP server with specific rights to the LDAP directory, you can provide an LDAP username and password for the POA to use when logging in. The rights of that user determine what information in the LDAP directory is available during the authentication process. Treat this as a service account: grant it only the rights the chosen access method needs (for example, rights to compare the password attribute when you use the compare method), not administrative rights to the directory.

  • Public or Anonymous Login: If you do not provide a specific LDAP username as part of the post office LDAP configuration information, the POA accesses the LDAP directory with a public (anonymous) connection. Only information the directory makes public is available over such a connection, so it is generally not sufficient for the compare method, which needs rights to the password attribute.
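To make the bind-versus-compare trade-off of Section 76.3.1 and the rights question of Section 76.3.2 concrete, the following added example models both POA access methods against a small in-memory directory. It is illustration code written for this page, not GroupWise or Novell code, and it does not speak LDAP on the wire: the directory class, its lockout policy, the DNs (cn=alice,ou=users,o=example and cn=poa-svc,ou=services,o=example), the password digest and the guess list are all constructed. It runs the same list of password guesses through each method and shows that a bind is halted by intruder lockout while a compare evaluates every guess, and that an anonymous POA connection cannot compare at all.

```python
"""Model of the two ways a POA can verify a password in an LDAP directory.

Added illustration for this page (not GroupWise code). The directory, its
lockout policy and all accounts are constructed in memory so the example
runs offline; a real deployment talks to the directory with an LDAP client.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def _digest(password: str) -> bytes:
    # Constructed stand-in for however the directory stores userPassword.
    return hashlib.sha256(password.encode("utf-8")).digest()


@dataclass
class Entry:
    password_digest: bytes
    failed_binds: int = 0
    locked: bool = False


class Directory:
    """Toy LDAP directory whose intruder-lockout policy is evaluated only on
    bind, which is how the text describes most LDAP servers behaving."""

    def __init__(self, lockout_after: int = 3):
        self.lockout_after = lockout_after
        self.entries: dict = {}
        self.compare_rights: set = set()   # DNs allowed to compare userPassword

    def add_user(self, dn: str, password: str) -> None:
        self.entries[dn] = Entry(_digest(password))

    def grant_compare_rights(self, dn: str) -> None:
        self.compare_rights.add(dn)

    def bind(self, dn: str, password: str) -> str:
        """Simple bind as the user itself: the lockout policy applies."""
        entry = self.entries.get(dn)
        if entry is None:
            return "invalidCredentials"
        if entry.locked:
            # A locked account cannot bind even with the right password.
            return "invalidCredentials"
        if hmac.compare_digest(entry.password_digest, _digest(password)):
            entry.failed_binds = 0
            return "success"
        entry.failed_binds += 1
        if entry.failed_binds >= self.lockout_after:
            entry.locked = True
        return "invalidCredentials"

    def compare(self, caller_dn: str, target_dn: str, password: str) -> str:
        """Compare on the target's password attribute, issued over the caller's
        (the POA's) own connection. No failed-login bookkeeping happens."""
        if caller_dn not in self.compare_rights:
            return "insufficientAccessRights"
        entry = self.entries.get(target_dn)
        if entry is None:
            return "noSuchObject"
        match = hmac.compare_digest(entry.password_digest, _digest(password))
        return "compareTrue" if match else "compareFalse"


ANONYMOUS = ""   # no LDAP username configured for the post office (76.3.2)


def poa_authenticate(directory: Directory, user_dn: str, password: str,
                     method: str, poa_dn: str = ANONYMOUS) -> bool:
    """What the POA does for each access method of 76.3.1."""
    if method == "bind":
        return directory.bind(user_dn, password) == "success"
    if method == "compare":
        return directory.compare(poa_dn, user_dn, password) == "compareTrue"
    raise ValueError(f"unknown access method {method!r}")


def run_guess_list(directory: Directory, user_dn: str, guesses: list,
                   method: str, poa_dn: str = ANONYMOUS) -> Optional[int]:
    """Submit each guess through the POA path; return the index of the first
    guess the directory accepts, or None if none was accepted."""
    for i, guess in enumerate(guesses):
        if poa_authenticate(directory, user_dn, guess, method, poa_dn):
            return i
    return None


# Constructed sample data.
USER_DN = "cn=alice,ou=users,o=example"
POA_DN = "cn=poa-svc,ou=services,o=example"
GUESSES = ["password", "123456", "letmein", "Correct-Horse-7"]   # last one is right


def build_directory() -> Directory:
    d = Directory(lockout_after=3)
    d.add_user(USER_DN, "Correct-Horse-7")
    d.grant_compare_rights(POA_DN)   # the POA service account may compare passwords
    return d


if __name__ == "__main__":
    for method, poa in (("bind", ANONYMOUS), ("compare", POA_DN), ("compare", ANONYMOUS)):
        d = build_directory()
        hit = run_guess_list(d, USER_DN, GUESSES, method, poa)
        print(f"{method:7} poa={poa or 'anonymous':34} found={hit} "
              f"locked={d.entries[USER_DN].locked}")
```

With bind, the third wrong guess trips the lockout and the correct fourth guess is refused, so the guessing stops and the account is now locked for GroupWise as well. With compare over the POA service account, all four guesses are evaluated and the fourth succeeds with nothing recorded in the directory; whatever lockout you want must be implemented outside the directory. With compare over an anonymous connection, every request is refused for lack of rights, which is why the compare method needs an LDAP username with rights to the password attribute.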