14.1 Synchronizing Users and Groups from an LDAP Directory

Unless you are planning a very small Novell Filr site, the most efficient way to create Filr users is to synchronize initial user information from your network directory service (Novell eDirectory, Microsoft Active Directory, or other LDAP directory service) after you have installed the Filr software. Over time, you can continue to synchronize user information from the LDAP directory to your Filr site.

IMPORTANT: The following limitations apply when synchronizing user information to Filr from an LDAP directory service:

  • Filr performs one-way synchronization from the LDAP directory to your Filr site. If you change user information on the Filr site, the changes are not synchronized back to your LDAP directory.

  • Filr does not support multi-valued attributes. If an attribute in your LDAP directory has more than one value, Filr reads only the first value. For example, if a user has multiple email addresses in the LDAP directory, only the first email address is synchronized to Filr.

  • Users that are imported to Filr via LDAP are always authenticated to Filr via the LDAP source. If the LDAP source is unavailable for any reason, the LDAP-imported users cannot log in to Filr.

For information about known issues with LDAP synchronization in Filr, see LDAP Synchronization Issues in the Novell Filr 1.0 Readme.

To synchronize users and groups to the Filr site from an LDAP directory:

  1. Log in to Filr as the Filr administrator.

    1. Launch a web browser.

    2. Specify one of the following URLs, depending on whether or not you are using a secure SSL connection:

      http://filr_hostname:8080
      https://filr_hostname:8443
      

      Replace filr_hostname with the hostname or fully qualified domain name of the Filr server that you have set up in DNS.

      Depending on how you have configured your Filr system, you may not be required to enter the port number in the URL, and if you are using NetIQ Access Manager, the Filr login screen is not used.

  2. Click the admin link in the upper right corner of the page, then click the Administration Console icon.

  3. Under System, click LDAP.

  4. Click Add a New LDAP Source, then use the following sections as a reference when filling in the necessary information:

    If the search context of your LDAP synchronization contains an OES or Windows server that has a Home folder attribute associated with at least one user, a Net Folder Server is ready to be configured immediately after running the LDAP synchronization process. (For more information about configuring the Net Folder Server, see Section 5.3, Configuring and Managing Net Folder Servers.)

14.1.1 LDAP Connections

You can configure one or more LDAP connections. Each connection requires the following configuration information:

LDAP Server

In order to synchronize initial user information, Filr needs to access an LDAP server where your directory service is running. You need to provide the hostname of the server, using a URL with the following format:

ldap://hostname

If the LDAP server requires a secure SSL connection, use the following format:

ldaps://hostname

If the LDAP server is configured with a default port number (389 for non-secure connections or 636 for secure SSL connections), you do not need to include the port number in the URL. If the LDAP server uses a different port number, use the following format for the LDAP URL:

ldap://hostname:port_number
ldaps://hostname:port_number

A simple bind over ldap:// sends the proxy user's password to the directory in clear text, so use ldaps:// unless the network path between the Filr server and the LDAP server is otherwise protected. If the LDAP server requires a secure SSL connection, additional setup is required: you must complete the steps in Section 24.2, Securing LDAP Synchronization, to import the root certificate for your LDAP directory into the Java keystore on the Filr server before you configure Filr for LDAP synchronization. Without that certificate, Filr cannot validate the LDAP server's certificate and the ldaps:// connection fails.

User DN (Proxy User for Synchronizing Users and Groups)

Filr needs the username and password of a user on the LDAP server who has sufficient rights to read the user information stored there. Filr stores this password and uses the account for every synchronization run and for locating users at login, so dedicate an account to Filr rather than reusing an administrator's credentials, and grant it only the rights listed below.

The proxy user must have the following rights in order to view the user objects and their properties:

Directory Service     Required Rights
eDirectory            Read, Write, Erase, Create, Modify, FileScan
Active Directory      Modify, Read&Execute, Read, Write, ListFolderContents

For eDirectory, if you use a subcontainer administrator as the proxy user, the subcontainer administrator must be given the appropriate rights. (For more information about subcontainer administrators in eDirectory, see Installing and Configuring OES as a Subcontainer Administrator in Preparing to Install OES 11 SP1 in the OES 11 SP1: Installation Guide.)

You need to provide the fully qualified, comma-delimited distinguished name (DN) of the proxy user, including its context in your LDAP directory tree, in the format expected by your directory service:

Directory Service     Format for the Username
eDirectory            cn=username,ou=organizational_unit,o=organization
Active Directory      cn=username,ou=organizational_unit,dc=domain_component

LDAP Attribute to Identify a User or Group

The LDAP attribute that uniquely identifies a user or group helps facilitate renaming and moving Filr users and groups in the LDAP directory. If this attribute is not set, and you rename or move a user in the LDAP directory, Filr assumes that the new name (or the new location of the same name) represents a new user, not a modified user, and creates a new Filr user.

For example, suppose you have a Filr user named William Jones. If William changes his name to Bill, and you make that change in the LDAP directory, Filr creates a new user named Bill Jones.

To ensure that Filr modifies the existing user instead of creating a new user when the user is renamed or moved in the LDAP directory, you must specify the name of the LDAP attribute that uniquely identifies the user. Use the attribute shown for your directory:

Directory Service     Attribute to Identify a User or Group
eDirectory            GUID
Active Directory      objectGUID

Each of these attributes has a unique value that is assigned when the object is created and does not change when you rename or move the object in the LDAP directory. If you want to map users to a different attribute, the attribute you choose must be a binary attribute with the same properties. For example, the cn attribute cannot be used because it is not a binary attribute, and it is exactly the value that changes on a rename.

LDAP Attribute Used for Filr Name

The LDAP Attribute Used for Filr Name setting has two purposes:

  • The value is used as the Filr username when the user is first provisioned from LDAP. The value of this attribute must be unique.

  • During Filr login, Filr uses this attribute to locate the user in the LDAP directory, then tries to authenticate as that user.

LDAP directories differ in the attribute used to identify a User object. Both eDirectory and Active Directory might use the cn (common name) attribute. For Active Directory, the sAMAccountName attribute is the more reliable choice, as shown in the following table: cn only has to be unique within its parent container, whereas sAMAccountName is unique across the domain, which the login lookup described above depends on. Other LDAP directories might use the uid (unique ID) attribute, depending on the structure and configuration of the directory tree.

Directory Service     Attribute Used for Filr Name
eDirectory            cn or uid (depending on the structure of the LDAP directory)
Active Directory      sAMAccountName

You might need to consult with your directory administrator in order to determine which attribute is best to use. In some cases where not all users are imported successfully, you might need to set up two LDAP sources pointing to the same LDAP server and have each source use a different value for the LDAP Attribute Used for Filr Name. For example, set up one LDAP source and use cn as the LDAP Attribute Used for Filr Name, and then set up a separate source to the same LDAP server and use sAMAccountName as the LDAP Attribute Used for Filr Name.

In addition to the attributes already mentioned in this section, other LDAP attributes can be used for the LDAP Attribute Used for Filr Name, as long as the attribute is unique for each User object. For example, the mail LDAP attribute on User objects could be used to enable Filr users to log in to the Filr site by using their email addresses.

NOTE: Because the login name becomes part of the user's workspace URL, the at sign (@) in the email address is replaced with an underscore (_) in the workspace URL; @ is a reserved character in URLs.

User and Group Object Locations

Filr can find and synchronize initial user information from User objects located in one or more containers in the LDAP directory tree. A container under which User objects are located is called a base DN (distinguished name). The format you use to specify a base DN depends on your directory service.

Directory Service     Format for the User Container
eDirectory            ou=organizational_unit,o=organization
Active Directory      ou=organizational_unit,dc=domain_component

NOTE: Container names cannot exceed 128 characters. If the container name exceeds 128 characters, users are not provisioned.
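As an added check (example code, not Filr's own; the directory labels "edirectory" and "ad", the function names and the sample values are this example's assumptions), the following Python validates an LDAP source's server URL, proxy user DN and base DNs against the rules given under LDAP Server, User DN and User and Group Object Locations above: the ldap/ldaps default ports, the DN shapes in the tables, the 128-character container limit, and a warning when ldap:// would carry the proxy bind in clear text.

```python
"""Offline checks for the three values this section asks for on the Add a New LDAP
Source page: the LDAP server URL, the proxy user DN, and the base DNs of the user
and group containers. Added example, not Filr's own code; the rules are the ones
stated in this section (ldap/ldaps default ports, DN shapes, 128-char limit)."""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
MAX_CONTAINER_DN_LEN = 128          # longer base DNs are silently not provisioned
TREE_ROOT = {"edirectory": "o", "ad": "dc"}   # o=organization vs dc=domain_component
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def parse_ldap_url(url):
    """Return (scheme, host, port, encrypted). ldap:// means a simple bind sends the
    proxy user's password in clear text; ldaps:// needs the Section 24.2 keystore step."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}; use ldap:// or ldaps://")
    if not parts.hostname or parts.path or parts.query or parts.fragment or parts.username:
        raise ValueError("expected scheme://hostname[:port] and nothing else")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return parts.scheme, parts.hostname, port, parts.scheme == "ldaps"


def split_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs. Backslash-escaped commas
    stay inside a value; multi-valued RDNs (a+b) are not expected in Filr's formats."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        rdn = rdn.strip()
        if not _RDN_RE.match(rdn):
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.lower(), value))
    return pairs


def check_proxy_dn(dn, directory):
    """The proxy user DN must name a user object (cn=...) under the tree root
    (o= for eDirectory, dc= for Active Directory), as in the table above."""
    pairs = split_dn(dn)
    if pairs[0][0] != "cn":
        raise ValueError("proxy user DN must start with cn=username")
    if pairs[-1][0] != TREE_ROOT[directory]:
        raise ValueError(f"{directory} DN must end in {TREE_ROOT[directory]}=...")
    return pairs


def check_base_dn(dn, directory):
    """A base DN names a container, never a user, and must fit the 128-char limit."""
    if len(dn) > MAX_CONTAINER_DN_LEN:
        raise ValueError(f"base DN is {len(dn)} chars; users under it will not be provisioned")
    pairs = split_dn(dn)
    if pairs[0][0] == "cn":
        raise ValueError("base DN must be a container (ou=/o=/dc=), not a user object")
    if pairs[-1][0] != TREE_ROOT[directory]:
        raise ValueError(f"{directory} base DN must end in {TREE_ROOT[directory]}=...")
    return pairs


def check_ldap_source(url, proxy_dn, base_dns, directory):
    """Validate one LDAP source's settings together; returns a summary with warnings."""
    scheme, host, port, encrypted = parse_ldap_url(url)
    warnings = []
    if encrypted:
        warnings.append("ldaps://: import the directory's root certificate into the "
                        "Filr Java keystore first (Section 24.2)")
    else:
        warnings.append("ldap://: the proxy bind sends its password in clear text; prefer ldaps://")
    proxy = check_proxy_dn(proxy_dn, directory)
    bases = [check_base_dn(b, directory) for b in base_dns]
    return {"host": host, "port": port, "encrypted": encrypted, "proxy_cn": proxy[0][1],
            "base_dn_count": len(bases), "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    print(check_ldap_source("ldap://dc1.example.com",
                            "cn=filrproxy,ou=svc,dc=example,dc=com",
                            ["ou=staff,dc=example,dc=com"], "ad"))
```

Run it against the values you intend to type into the page before running the first synchronization; a base DN rejected here for length is the case the NOTE above describes, where the page accepts the value and simply provisions nobody.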

To identify potential Filr users, Filr by default filters on the objectClass attribute, matching objects of any of the following object classes:

  • Person

  • orgPerson

  • inetOrgPerson

If you want to create Filr groups based on information in your LDAP directory, Filr by default filters on any of the following object classes:

  • group

  • groupOfNames

  • groupOfUniqueNames

You can add attributes to the user or group filter list if necessary. You can use the following operators in the filter:

  • | OR (the default)

  • & AND

  • ! NOT

You can choose whether you want Filr to search for users (and optionally, groups) in containers underneath the base DN (that is, in subtrees).

You might find it convenient to create a group that consists of all the users that you want to set up in Filr, regardless of where they are located in your LDAP directory. After you create the group, you can use the following filter to search for User objects that have the specified group membership attribute:

IMPORTANT: Be sure to include the parentheses in your filter.

Directory Service     Filter to search for User objects
eDirectory            (groupMembership=cn=group_name,ou=organizational_unit,o=organization)
Active Directory      (memberOf=cn=group_name,ou=organizational_unit,dc=domain_component)

In Active Directory, memberOf lists only the groups a user is a direct member of: a user's primary group (by default Domain Users) does not appear in memberOf, and membership through nested groups is not expanded, so such users do not match this filter.
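The filters above are typed by hand on the Filr page, and whatever group name or DN is pasted into them is interpreted as LDAP filter syntax. The following Python, added here as an example (not Filr's code; it assumes Filr passes the filter text to the directory unchanged, and the function names are this example's), assembles the default user and group filters with the |, & and ! operators listed earlier and escapes the values per RFC 4515, so a name containing ( ) * or a backslash cannot widen the match. The optional enabled_only flag shows a NOT term over Active Directory's userAccountControl attribute, which keeps disabled AD accounts from being provisioned.

```python
"""Builds the filters entered in the user and group filter boxes of Filr's LDAP source
page, using the default object classes above and the OR/AND/NOT operators the page
lists. Values are escaped per RFC 4515 so a group name or DN containing ( ) * or a
backslash cannot change the structure of the filter (LDAP filter injection). Added
example, not Filr's own code. Filr is assumed to pass the filter text through unchanged."""

DEFAULT_USER_CLASSES = ("Person", "orgPerson", "inetOrgPerson")
DEFAULT_GROUP_CLASSES = ("group", "groupOfNames", "groupOfUniqueNames")
MEMBERSHIP_ATTR = {"edirectory": "groupMembership", "ad": "memberOf"}
# AD only: bit 2 of userAccountControl is ACCOUNTDISABLE. The LDAP_MATCHING_RULE_BIT_AND
# extensible match tests that bit, so NOT of this item keeps only enabled accounts.
AD_DISABLED_RULE = "(userAccountControl:1.2.840.113556.1.4.803:=2)"


def escape_filter_value(value):
    """RFC 4515 section 3: encode the filter metacharacters as \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def any_of(attr, values):
    """OR (|), the default operator on the Filr page."""
    return "(|" + "".join(f"({attr}={escape_filter_value(v)})" for v in values) + ")"


def all_of(*items):
    """AND (&); each item must already be a complete parenthesised filter item."""
    return "(&" + "".join(items) + ")"


def not_(item):
    """NOT (!)."""
    return f"(!{item})"


def user_filter(directory, group_dn=None, classes=DEFAULT_USER_CLASSES, enabled_only=False):
    """Filter for the user object locations: the object classes, optionally limited to
    members of one group (the table above) and, on AD, to enabled accounts."""
    items = [any_of("objectClass", classes)]
    if group_dn:
        # The DN is a value here: commas and '=' need no escaping, but ( ) * \ do.
        items.append(f"({MEMBERSHIP_ATTR[directory]}={escape_filter_value(group_dn)})")
    if enabled_only:
        if directory != "ad":
            raise ValueError("userAccountControl exists only in Active Directory")
        items.append(not_(AD_DISABLED_RULE))
    return items[0] if len(items) == 1 else all_of(*items)


def group_filter(classes=DEFAULT_GROUP_CLASSES, name_prefix=None):
    """Filter for the group object locations, optionally limited to a cn prefix.
    The prefix itself is escaped; the trailing * is the only wildcard."""
    base = any_of("objectClass", classes)
    if name_prefix is None:
        return base
    return all_of(base, f"(cn={escape_filter_value(name_prefix)}*)")


if __name__ == "__main__":
    # Constructed sample: a group name that would otherwise match every object.
    print(user_filter("ad", group_dn="cn=filr-users,ou=groups,dc=example,dc=com"))
    print(user_filter("edirectory", group_dn="cn=x)(objectClass=*,o=acme"))
    print(group_filter(name_prefix="filr-"))
```

The second printed filter is the point of the escaping: without it, the group name `x)(objectClass=*` would close the membership item early and match every object in the base DN, so every user in the subtree would be provisioned into Filr.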

14.1.2 LDAP Synchronization Options

The following synchronization options apply to all LDAP configurations:

Synchronization Schedule

When you enable LDAP synchronization, you can set up a schedule for when it is convenient for synchronization to occur. In planning the schedule, take into account how often your LDAP directory user (and, optionally, group) information changes and the server resources required to perform the synchronization for the number of users (and, optionally, groups) that you have.

You can choose to have LDAP synchronization performed every day, or you can select specific days of the week when you want it performed (for example, on Monday, Wednesday, and Friday). You can choose to have it performed once a day at a specified time (for example, at 2:00 a.m.), or you can set a time interval, so that it is performed multiple times each day (for example, every four hours). The smallest time interval you can set is .25 hours (every 15 minutes).

User Synchronization Options

The following options are available for enabling and configuring user synchronization from your LDAP directory to your Filr site:

  • Synchronize user profiles: Select this option to synchronize user information whenever the LDAP directory information changes after initial Filr site setup. The attributes that are synchronized are the attributes that are found in the map box in the Users section on the Configure LDAP Synchronization page.

    Filr synchronizes the following attributes from the LDAP directory:

    • First name

    • Last name

    • Phone number

    • Email address

    • Description

  • Register LDAP user profiles automatically: Select this option to automatically add LDAP users to the Filr site. However, workspaces are not created until users log in to the Filr site for the first time.

  • Delete users that are not in LDAP: Select this option to delete users that exist on the Filr site but do not exist in your LDAP directory.

    IMPORTANT:Before you select this option, you need to understand the following:

    • A deleted user cannot be undeleted; deleting a user is permanent and is not reversible.

    • When a user is deleted, the user's personal storage (My Files) is also deleted. As a result, all users who have access to a file or folder in the deleted user's My Files area via a share lose that access, because the items no longer exist in the Filr system.

    Novell recommends that you leave this option deselected. Leaving this option deselected automatically disables any users in Filr who have been deleted in your LDAP directory.

    For more information about disabled users in Filr, see Section 14.7, Disabling Filr User Accounts.

    If you are sure that you want to automatically delete users that are not in LDAP, this option is designed to be used under the following conditions:

    • You have deleted users from your LDAP directory and you want the LDAP synchronization process to also delete them from Filr.

    • In addition to the users synchronized from LDAP, you create some Filr users manually, as described in Section 14.2, Creating a New Local User, and you want the LDAP synchronization process to delete the manually created users.

  • When deleting users, delete associated user workspaces and content: Select this option to remove obsolete information along with the user accounts.

  • Use the following time zone when creating new users: Select this option to set the time zone for user accounts that are synchronized from the LDAP directory into your Filr site. The time zone list is grouped first by continent or region, optionally by country or state, and lastly by city. Some common selections for United States time zones are:

    Time Zone        Continent/City
    Pacific Time     America/Los_Angeles
    Mountain Time    America/Denver
    Central Time     America/Chicago
    Eastern Time     America/New_York

  • Use the following locale when creating new users: Select this option to set the locale for user accounts that are synchronized from the LDAP directory into your Filr site. The locale list is sorted alphabetically by language.
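Two behaviours described in this section, the identity attribute's effect on renames (LDAP Attribute to Identify a User or Group, the William Jones example) and the difference between disabling and deleting users that have disappeared from LDAP (Delete users that are not in LDAP), are easier to reason about when run. The following Python models one synchronization pass under exactly those rules. It is an added example, not Filr's code: the ATTR_MAP attribute names, the sample entries and the function names are constructed for it, and every Filr user in the table is assumed to have come from LDAP (locally created users, Section 14.2, are not modelled).

```python
"""Simulates one LDAP-to-Filr user synchronization run under the rules this section
gives: users are matched on the identity attribute (objectGUID, a binary value), so a
rename or move updates the existing Filr user; only the first value of a multi-valued
attribute such as mail is taken; a user missing from LDAP is disabled, or deleted
only when "Delete users that are not in LDAP" is on. Added example, not Filr's code.
The attribute names in ATTR_MAP and all sample entries are constructed for it."""
import uuid

# Filr profile field -> LDAP attribute (assumed mapping for the five synced fields)
ATTR_MAP = {"first_name": "givenName", "last_name": "sn", "phone": "telephoneNumber",
            "email": "mail", "description": "description"}


def guid_key(raw):
    """A 16-byte objectGUID in AD's mixed-endian layout -> canonical string.
    The key only has to be stable across renames and moves; cn is neither."""
    return str(uuid.UUID(bytes_le=bytes(raw)))


def first_value(entry, attr):
    """Filr reads only the first value of a multi-valued attribute."""
    values = entry.get(attr) or []
    return values[0] if values else None


def workspace_name(login):
    """The login becomes part of the workspace URL; '@' is replaced by '_'."""
    return login.replace("@", "_")


def synchronize(filr_users, ldap_entries, key_attr="objectGUID",
                name_attr="sAMAccountName", delete_missing=False):
    """filr_users: {key: profile} already on the Filr site. ldap_entries: the search
    results, each a dict of attribute -> list of values plus its 'dn'. Returns the
    updated user table and the list of (action, key) performed, in order."""
    users = {k: dict(v) for k, v in filr_users.items()}
    actions, seen = [], set()
    for entry in ldap_entries:
        if key_attr == "objectGUID":
            key = guid_key(first_value(entry, key_attr))
        else:                           # keying on a name: what the text warns against
            key = first_value(entry, key_attr)
        seen.add(key)
        profile = {field: first_value(entry, attr) for field, attr in ATTR_MAP.items()}
        profile["name"] = first_value(entry, name_attr)
        profile["workspace"] = workspace_name(profile["name"])
        profile["dn"] = entry["dn"]
        if key not in users:
            users[key] = dict(profile, disabled=False)
            actions.append(("create", key))
            continue
        changed = {f: v for f, v in profile.items() if users[key].get(f) != v}
        if changed:                     # rename/move lands here when keyed on GUID
            users[key].update(changed)
            actions.append(("update", key))
    for key in list(users):
        if key in seen:
            continue
        if delete_missing:              # permanent: My Files and its shares go with it
            del users[key]
            actions.append(("delete", key))
        elif not users[key]["disabled"]:
            users[key]["disabled"] = True
            actions.append(("disable", key))
    return users, actions


# Constructed sample: William Jones is synced, then renamed to Bill in the directory.
WJ_GUID = bytes(range(16))              # a real objectGUID is 16 random bytes
RUN1 = [{"dn": "cn=William Jones,ou=staff,dc=example,dc=com",
         "objectGUID": [WJ_GUID], "cn": ["William Jones"], "sAMAccountName": ["wjones"],
         "givenName": ["William"], "sn": ["Jones"],
         "mail": ["wjones@example.com", "william.jones@example.com"]}]
RUN2 = [dict(RUN1[0], dn="cn=Bill Jones,ou=staff,dc=example,dc=com",
             cn=["Bill Jones"], givenName=["Bill"])]

if __name__ == "__main__":
    users, _ = synchronize({}, RUN1)
    users, actions = synchronize(users, RUN2)
    print("keyed on objectGUID:", actions, len(users), "user(s)")
    users, _ = synchronize({}, RUN1, key_attr="cn")
    users, actions = synchronize(users, RUN2, key_attr="cn")
    print("keyed on cn:", actions, len(users), "user(s)")
```

Keyed on objectGUID the second run is a single update and the site still has one user; keyed on cn it creates Bill Jones and disables William Jones, which is the duplicate the text describes, and with delete_missing set William's account and everything shared from his My Files would be gone for good.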

Group Synchronization Options

The following options are available for enabling and configuring group synchronization from your LDAP directory to your Filr site:

  • Synchronize group profiles: Select this option to synchronize group information, such as the group description, to the Filr site whenever this information changes in LDAP.

  • Register LDAP group profiles automatically: Select this option to automatically add LDAP groups to the Filr site.

  • Synchronize group membership: Select this option so that the Filr group includes the same users (and possibly groups) as the group in your LDAP directory. If you do not select this option, and you make changes to group membership in the LDAP directory, the changes are not reflected on your Filr site.

    If users have rights to files on your OES or Windows file systems through group membership, you must select this option to synchronize group membership to Filr. If you do not synchronize group membership, users who have access rights to files through membership in a group might not have the appropriate access rights in Filr.

  • Delete local groups that are not in LDAP: Select this option to delete groups that exist on the Filr site but do not exist in your LDAP directory. Use this option under the following conditions:

    • You have deleted groups from your LDAP directory and you want the LDAP synchronization process to delete them from Filr as well.

    • In addition to the groups synchronized from LDAP, you create some Filr groups manually, as described in Section 6.2, Creating Groups of Users, and you want the LDAP synchronization process to delete the manually created groups.