3.5 Planning Filr Users and Groups

IMPORTANT: We recommend that you review the following information in the online documentation to prepare for planning your Filr Users and Groups:

The following sections identify best practices for ensuring that Filr includes the users and groups that will use its services.

3.5.1 LDAP Proxy User Role and Rights

Filr synchronizes LDAP users by leveraging proxy users that have sufficient rights in the targeted LDAP directories to read the user and group information required by Filr.

Currently, eDirectory and Active Directory are supported as LDAP identity stores.

The rights required for LDAP synchronization are platform-specific, and for Active Directory they vary depending on whether read access restrictions are in place, as illustrated in Figure 3-2.

Figure 3-2 Rights Required for LDAP Proxy Users

3.5.2 Watching Out for Duplicate Accounts

Sometimes, organizations that use both eDirectory and Active Directory as identity stores have accounts for the same individuals or groups of individuals in both directory services.

If you are importing users and groups from eDirectory and from Active Directory, be aware that Filr doesn’t allow duplicate accounts. For example, joe_user in both eDirectory and Active Directory will not be allowed, but joe_user and j_user will. If you have duplicate accounts that need to be imported, you will need to change the name in one of the directory services.

3.5.3 Avoiding Problems with User and Group Imports

The following points are critical to Net Folder creation and the synchronization of access privileges.

  • Import Both Groups and Users: If you import only LDAP users and not the groups they belong to, then file system group permissions won't map to Filr group permissions when Net Folders are created. See LDAP Server Configurations Must Include Both Users and Groups.

  • Register User Profiles Automatically (default): If you deselect this option, then users won't be created until after they log in. This causes the following issues:

    • You must wait until users log in to their home folders before you can configure the proxy users and passwords for any HOME Net Folder Servers.

    • Net Folder access permissions that key off user-based file system permissions will not be set or updated during Net Folder Synchronizations.

  • Register Group Profiles Automatically (default): If you deselect this option, groups will not be created and Net Folder access permissions that key off group-based file system permissions will not be set or updated during Net Folder Synchronizations.

3.5.4 Allowing Enough Time to Import Users

The time required to import LDAP user and group objects is greatly improved in Filr 1.1. For example, in an internal Novell test, importing 40,000 objects took approximately 20 minutes.

The improvement over Filr 1.0.1 grows with the number of objects being imported, as follows:

  • 1 to 10,000 objects: ~300%

  • 10,000 to 30,000 objects: ~500%

  • 30,000 to 60,000 objects: ~1,000%

Depending on the number of users you need to import, you might need to consider running the import process overnight.

3.5.5 Recording User and Group Information

Most Filr deployments use an existing LDAP source, such as eDirectory or Active Directory, to control user access to the system.

  1. On the worksheet, identify the directory services that your organization currently uses.

    IMPORTANT: eDirectory running on a Windows file server that contains Windows file shares is not supported as an LDAP source.

  2. Note important details about how the directory is configured, such as whether it is split over multiple sites.

  3. Identify the information required to import each LDAP user/group container, including:

    • The path to the container

    • The proxy user name, password, and rights required to import LDAP users and groups from the container

    • The number of users and groups

    • Home directory information, such as the LDAP attribute used and the average number of files for each user

  4. If applicable, identify and record non-LDAP users and groups that will need to be created manually.

  5. If applicable, identify and record duplicate eDirectory and Active Directory user and group accounts that need name adjustments prior to performing the LDAP import operation.

3.5.6 Planning for User and Group Synchronization

Synchronizing LDAP users and groups is a straightforward process. Keep the following things in mind.

LDAP Server Configurations Must Include Both Users and Groups

When setting up your LDAP server connections, ensure that you also specify information for both users and groups. It is common for new Filr administrators to overlook the need to specify the contexts for groups only to discover later that file system rights assigned to users based on group membership are not recognized in Filr because groups were not imported.

Nested Groups Require Multiple Initial Synchronizations

If you have groups that are contained in other groups, you will need to synchronize LDAP at least twice, and more times if required, until all of the nested groups and their users are synchronized.

After the initial synchronization is completed, no special configurations are required to keep nested groups synchronized.
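The following model, added here as an illustration and not Filr's own code, shows why nested groups take several initial synchronizations. It assumes (this is a simplifying assumption, not a documented Filr rule) that during one sync pass a member that is itself a group can only be expanded from the membership recorded for that group in a previous pass, so a nesting depth of D needs D + 1 passes before every user reaches the outermost group; the directory contents are constructed sample data.

```python
"""Model of repeated LDAP syncs needed to flatten nested groups."""

# Constructed sample directory: DN -> (kind, member DNs). Users have no members.
DIRECTORY = {
    "cn=alice,ou=users,o=acme": ("user", ()),
    "cn=bob,ou=users,o=acme": ("user", ()),
    "cn=carol,ou=users,o=acme": ("user", ()),
    "cn=finance,ou=groups,o=acme": ("group", ("cn=alice,ou=users,o=acme",)),
    "cn=emea-finance,ou=groups,o=acme": (
        "group", ("cn=finance,ou=groups,o=acme", "cn=bob,ou=users,o=acme")),
    "cn=all-staff,ou=groups,o=acme": (
        "group", ("cn=emea-finance,ou=groups,o=acme", "cn=carol,ou=users,o=acme")),
}


def sync_pass(directory, known):
    """One modeled sync pass. `known` maps group DN -> frozenset of user DNs
    recorded by earlier passes; returns the membership after this pass."""
    updated = {}
    for dn, (kind, members) in directory.items():
        if kind != "group":
            continue
        users = set()
        for member in members:
            if directory[member][0] == "user":
                users.add(member)
            else:
                # Assumption: a nested group is expanded only from the
                # membership the previous pass recorded for it.
                users |= known.get(member, frozenset())
        updated[dn] = frozenset(users)
    return updated


def sync_until_stable(directory, max_passes=10):
    """Repeat passes until no group's membership changes. Returns the number
    of passes that changed something (one more pass confirms stability)."""
    known = {}
    for changed_passes in range(max_passes):
        nxt = sync_pass(directory, known)
        if nxt == known:
            return changed_passes, known
        known = nxt
    raise RuntimeError("group membership did not stabilise within max_passes")


def effective_members(membership, group_dn):
    """Sorted list of user DNs Filr would see in the given group."""
    return sorted(membership[group_dn])
```

Running `sync_until_stable(DIRECTORY)` on this two-level nesting reports three passes that changed membership, after which all-staff contains alice, bob and carol; a single pass leaves it with carol only.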

Planning the LDAP Synchronization Schedule

As you set up your LDAP configuration, you will probably want to enable LDAP synchronization.

LDAP synchronization is required when users are added or removed, or when group memberships change in the LDAP identity store. It is essential to keeping file and folder access rights current. For most organizations, synchronizing LDAP once a day is sufficient; a few require more frequent synchronization to keep Filr abreast of changes in their identity stores.

  1. On the worksheet, identify how frequently information changes in your identity stores.

  2. Specify the settings you will configure for LDAP synchronization.