6.5 Configuring the iFolder Enterprise Server with Active Directory as an LDAP source

This section describes the steps to configure iFolder with Active Directory as an LDAP source. Before proceeding with the configuration, review Active Directory guidelines in the section Section 5.4, Active Directory.

  1. If you plan to use an NSS volume as the System Store Path for the users’ iFolder data, use iManager to create the NSS volume, then create a directory on the volume.

    For information, refer to Managing NSS Volumes in the OES 2015: NSS File System Administration Guide for Linux.

  2. Log in to the server as the root user, or open a terminal console, enter su, then enter the root password.

  3. Start YaST, follow the YaST on-screen instructions to finish the installation. For more information see Step 1 through Step 7 in the section Section 6.1, Installing iFolder on an Existing OES Server.

  4. Select Use Following Configuration and click Novell iFolder to change the default configuration settings for iFolder.

  5. Follow the YaST on-screen instructions to proceed through the iFolder 3 configuration. The following table summarizes the decisions you make.

    HINT:If the iFolder configuration fails at any stage, refer to the /var/log/YaST2/y2log file to analyze and troubleshoot the issues.

    Settings

    Description

    iFolder components

    • Select the iFolder components to be configured: Select the components you want to configure. You can choose any combination of iFolder components from the given options. The corresponding screens are displayed depending on your selection.

    • iFolder Server: Select the iFolder Server check box to configure iFolder server.This option lets you configure the settings for the iFolder server. It is the central repository for storing user iFolders and synchronizing files for enterprise users.

    • iFolder Web Admin (optional): Select the iFolder Web Admin check box to configure the iFolder Web Admin server. This option lets you create and configure settings for the Administrator user. The iFolder Admin user is the primary administrator of the iFolder Enterprise Server. The Web Admin server does not need to be configured on the iFolder Enterprise Server. Devoting a separate server to the Web Admin application improves the performance of the iFolder Enterprise Server by reducing the admin traffic.

    • iFolder Web Access (optional): Select the iFolder Web Access check box to configure iFolder Web Access server. This option lets you configure the Web Access server, which is an interface that lets users have remote access to iFolders on the enterprise server. The Web Access server lets users perform all the operations equivalent to those of the iFolder client using a standard Web browser. The Web Access server does not need to be configured on the same iFolder Enterprise Server. Channeling the user tasks to a separate server and thereby reducing the HTTP requests helps to improve the performance of the iFolder Enterprise Server.

    iFolder System Configuration

    • Name Used to Identify the iFolder System to Users: A unique name to identify your iFolder 3 server.

      For example, iFolder Server.

    • System Description: A descriptive label for your iFolder 3 server. For example, iFolder3 Enterprise Server

    • Path to the Server Data File: Specify the case-sensitive address of the location where the iFolder enterprise server stores iFolder application files as well as the users' iFolders and files.

      For example, /var/simias/data/simias. This location cannot be modified after install.

    • Path to the Recovery Agent Certificates (optional): Specify the path to the recovery agent certificates that are used for recovering the encryption key. After you configure the path to the Recovery Agent, you must load the Agent certificates to this location. For more information, see Section 6.7, Recovery Agent Certificates .

      By default, eDirectory CA certificate is copied in this location with the name sscert. You can export the private key of this certificate using iManager. For informtaion, see Section 6.7.6, Exporting eDirectory CA Certificate Using iManager.

    iFolder System Configuration

    • Name of iFolder Server: Specify a unique name to identify your iFolder server. For example, IF3EastS

    • iFolder public URL Host or IP Address: Specify the public URL to reach the iFolder server.

      IMPORTANT:You must specify the DNS name of the server as iFolder Public URL to connect the client to the server using a DNS name. In this case, users need not remember all the IP addresses they are provisioned to. A single DNS name can map them to the respective server IP based on their location as in office or home.

    • iFolder private URLHost or IP Address: Specify the private URL corresponding to the iFolder server to allow communication between the servers within the iFolder domain. The Private URL and the Public URL can be the same.

      NOTE:You can use a single URL for the iFolder server if it is accessed only inside the corporate firewall. If the server needs to be accessed outside the firewall, you must provide two different URLs: Private and Public. The private URL is used for server to server communication within the corporate firewall and this should not be exposed to outside of the firewall. The public URL is used for the iFolder clients that can communicate from outside the corporate firewall. The clients can be inside or outside of the firewall and based on this, you can use private or public URL, or use public URL all the time.

    iFolder System Configuration

    • Configure SSL for iFolder: There are three options to select from.

      • SSL: Select SSL to enable a secure connection between the iFolder server, iFolder Web Admin server, iFolder Web Access server, and the iFolder clients. On selecting this option, iFolder uses the HTTPS channel for communication.

      • Non SSL: Select Non SSL to enable unsecured communication between the iFolder server, Web Admin server, Web Access server and the clients. On selecting this option, iFolder uses the HTTP channel for communication.

      • Both: This option is selected by default. Selecting Both enables you to select secure or non secure channel for communication between the iFolder server, Web Admin server, Web Access server and the clients. By default, these components use the HTTPS (secure) communication channel. However, all components can also be configured to use the HTTP channel.

    • iFolder Port to Listen On: Specify the port for the iFolder to Listen On. Port 443 is the default for SSL.

    • Install into Existing iFolder Domain: If left unselected, this server becomes the Master iFolder server. Select this option when you want to use an existing iFolder domain and provide the Master server information.

      IMPORTANT:You must ensure that the server you install and the current iFolder domain are in the same LDAP tree.

      • Private URL of the Master Server: Specify the private URL of the Master iFolder server that holds the master iFolder data for synchronization to the current iFolder Server. For example: https://127.0.1.1. For more information, see the Section 6.2.2, Configuring the iFolder Slave Server.

    • Configure LDAP Groups plugin: Select this option to configure the LDAP Groups plug-in. If this option is left unselected, iFolder will not have the LDAP Groups support enabled.

    iFolder LDAP Configuration

    • Use alternate LDAP server: To use Active Directory as an LDAP source, select this check box. On selecting this check box, the subsequent fields get enabled.

    • Alternate Directory Server Address: Specify the host or IP address of the Active Directory server that iFolder must use.

    • LDAP port: Specify the LDAP port to use for the alternate server.

    • LDAP secure port: Specify the LDAP secure port to use for the alternate server.

    • Admin name and context: Specify the full distinguished name of the LDAP administrator for the Active Directory server. For example, cn=Administrator,cn=Users,dc=winad2k3,dc=com.

      You must ensure that the LDAP administrator has admin rights for the user container (for example, cn=Administrator,cn=Users,dc=winad2k3,dc=com). This is required because iFolder creates iFolder admin and iFolder proxy user objects under this container. The administrator must also have admin rights to the schema naming context (for example, cn=Schema,cn=Configuration,dc=winad2k3,dc=com). This is required as iFolder extends user object schema

    • Enter the admin password: Enter the password of the LDAP admin of the Active Directory server.

    iFolder System Configuration

    • The iFolder Default Administrator: Specify the username for the default iFolder Admin user. Use the full distinguished name of the iFolder Admin user. For example, cn=Administrator,cn=Users,dc=winad2k3,dc=com.

      NOTE:The iFolder default administrator and the LDAP administrator need not be the same. iFolder does not require admin rights for iFolder admin user in Active Directory.

    • iFolder Admin Password: Specify a password for the iFolder Admin user.

    • Verify iFolder Admin Password: Type the password for the iFolder Admin user again.

    • LDAP Proxy User: Specify the full distinguished name of the LDAP Proxy user. For example: cn=iFolderproxy,cn=Users, dc=winad2k3,dc=com. The LDAP Proxy user is used for provisioning the users between the iFolder Enterprise Server and the LDAP server. If the Proxy user does not exist, it is created. However, you must ensure that the iFolder proxy user has read permissions to all user containers configured and attributes of user objects.

    iFolder System Configuration

    • LDAP Proxy User Password: Specify a password for the LDAP Proxy user. You must ensure that the password that you specify conforms to the Active Directory password policy guidelines.

    • Verify LDAP Proxy User Password: Type the password for the LDAP Proxy User again.

    • LDAP Search Context Click Add, then specify an LDAP tree context to be searched for users that are to be provisioned to iFolder. For example, cn=Users,dc=winad2k3,dc=com. You must ensure that the LDAP Search Context field does not remain empty. If the field is empty, the iFolder installation fails. You can modify the search context even after the configuration is complete by using the web admin console. For more information, see Accessing and Viewing the Server Details Page.

      IMPORTANT:You must ensure the following:

      • The LDAP search context that you specify must be present in the LDAP server. If the LDAP search context is not present, the iFolder installation fails.

      • In a multi-server setup, all the search contexts of the slave servers must be present in the master server as well.

      • You must ensure that the search context that you specify is a user container.

      • If you specify multiple search contexts, you must ensure that the iFolder proxy user has read permissions for all those contexts/containers and attributes of all the user objects under those containers.

    • LDAP Naming Attribute: Specify which LDAP attribute of the User account to apply when authenticating users. Each user enters a Username in this specified format at login time. To set mail as an LDAP naming attribute, you must select the others option and specify mail in the Select an alternate LDAP attribute field. Similarly, you can set sAMAccountName as the LDAP naming attribute.

    • Require a secure connection between the LDAP server and the iFolder Server: Select this option to establish a secure connection between the LDAP server and the iFolder server. This option is selected by default. If the LDAP server co-exists on the same machine as the iFolder server, an administrator can disable SSL, which increases the performance of LDAP authentications.

    iFolder Web Access Configuration

    • An Apache alias that will point to the iFolder Web Access Application: Specify an Apache alias to point to the iFolder Web Access application. This is an admin-friendly pointer for the Apache service. For example, /access

    • The host or IP address of the iFolder server that will be used by the iFolder Web Access application: Specify the hostname or IP address of the iFolder Enterprise Server to be used by the iFolder Web Access application. This Web Access application performs all the user-specific iFolder operations on the host that runs the iFolder Enterprise Server

    • Connect to iFolder server using SSL: This option is selected by default to establish a secure connection between iFolder enterprise server and the iFolder Web Access application.

    • iFolder server port to connect on: Specify the port for the iFolder server to connect to the Web Access application. Port 443 is the default. Port 80 is the default value for non-SSL communication.

    • Require a secure connection between the browser and the iFolder Web Access application: Select the check box to establish a secure connection between the Web browser and the iFolder Web Access application. This enables a secure SSL channel between the two.

    iFolder Web Admin Configuration

    • An Apache alias that will point to the iFolder Web Admin Application: Specify the Apache alias to point to the iFolder Web Admin Application. This is a user-friendly pointer for the Apache service. For example, /admin

    • The host or IP address of the iFolder server that will be used by the iFolder Web Admin application: Specify the host or IP address of the iFolder Enterprise Server to be managed by the iFolder Web Admin application.

    • Connect to iFolder server using SSL: This option is selected by default to establish a secure connection between iFolder enterprise server and the iFolder Web Admin application.

    • iFolder server port to connect on: Specify the port for the iFolder server to connect to the Web Admin application. Port 443 is the default. Port 80 is the default value for non-SSL communication.

    • Require a secure connection between the browser and the iFolder Web Admin application: Select the check box to establish a secure connection between the Web browser and the iFolder Web Admin application. This enables a secure SSL channel between the two.

  6. When the system prompts you to restart the Apache server, accept the option by clicking Yes, then restart the Apache server. This is necessary to use the new settings.

    To manually restart the Apache Web server,

    1. Open a terminal console, then log in as the root user.

    2. Stop the Apache server by entering either of the following commands at the prompt:

      /etc/init.d/apache2 stop
      
      rcapache2 stop
      
    3. Start Apache by entering either of the following commands at the prompt:

      /etc/init.d/apache2 start
      
      rcapache2 start
      
  7. Go to Novell iManager to install the iFolder plug-in or to manage iFolder services.

  8. If you are using an NSS volume to store user data, you must set up NSS file system trustee rights for the Web server user object wwwrun before restarting your web server. At a terminal console prompt, log in as the root user or equivalent, then enter

    rights -f /media/nss/NSSVOL -r rwfcem trustee wwwrun.ou.o.treename
    

    If you ever get An Internal Error has occurred error message within the iManager plug-in, this is a sure sign that you have not set up file system trustee rights within NSS properly.