18.1 Synchronizing Users and Groups from an LDAP Directory

Unless you are planning a very small Novell Filr site, the most efficient way to create Filr users is to synchronize initial user information from your network directory service (NetIQ eDirectory, Microsoft Active Directory, or other LDAP directory service) after you have installed the Filr software. Over time, you can continue to synchronize user information from the LDAP directory to your Filr site.

IMPORTANT: The following limitations apply when synchronizing user information to Filr from an LDAP directory service:

  • Filr performs one-way synchronization from the LDAP directory to your Filr site. If you change user information on the Filr site, the changes are not synchronized back to your LDAP directory.

  • Filr does not support multi-value attributes. If your LDAP directory contains multi-value attributes, Filr recognizes only the first attribute. For example, if your LDAP directory contains multiple email addresses for a given user, only the first email address is synchronized to Filr.

  • Users that are imported to Filr via LDAP are always authenticated to Filr via the LDAP source. If the LDAP source is unavailable for any reason, the LDAP-imported users cannot log in to Filr.

For information about known issues with LDAP synchronization in Filr, see LDAP Synchronization Issues in the Novell Filr 1.1 Readme.

Table 18-1 shows user synchronization rates based on samples from test labs at Novell. Results may vary depending on hardware, LDAP server, database, and network topology.

Table 18-1 LDAP Synchronization Performance Rate Samples

  Number of Users Synchronized    Time Required to Complete Synchronization
  1,000                           20 seconds
  2,500                           44 seconds
  10,000                          2 minutes
  20,000                          5 minutes
  50,000                          13 minutes

To synchronize users and groups from LDAP:

  1. Log in to Filr as the Filr administrator.

    1. Launch a web browser.

    2. Specify one of the following URLs, depending on whether you are using a secure SSL connection:

      http://Filr_hostname:8080
      https://Filr_hostname:8443
      

      Replace Filr_hostname with the host name or fully qualified domain name of the Filr server that you have set up in DNS.

      Depending on how you have configured your Filr system, you might not be required to enter the port number in the URL. If you are using NetIQ Access Manager, the Filr login screen is not used.

  2. Click the admin link in the upper-right corner of the page, then click the Administration Console icon.

  3. Under System, click LDAP.

18.1.1 Configuring an LDAP Connection

You can configure one or more LDAP connections to your directory.

You should never configure multiple LDAP connections to point to the same location on the same LDAP directory. If you need a failover solution, you should use a load balancer.

To configure an LDAP connection:

  1. On the LDAP Configuration page, click the LDAP Servers tab.

  2. To create a new LDAP connection, click Add.

    or

    To modify an existing LDAP connection, click the URL of the connection in the Server URL column of the provided table.

  3. On the LDAP Server Configuration dialog box, specify the information on each tab, as described in the following sections:

Server Information

  1. On the LDAP Servers tab, click Add.

    The LDAP Server Configuration dialog box is displayed.

  2. Specify the following information on the Server Information tab:

    IMPORTANT: When modifying an existing LDAP connection, do not modify the LDAP server URL. Doing so can lead to synchronized users being disabled or deleted.

    LDAP Server URL: In order to synchronize initial user information, Filr needs to access an LDAP server where your directory service is running. You need to provide the host name of the server, using a URL with the following format:

    ldap://hostname
    

    If the LDAP server requires a secure SSL connection, use the following format:

    ldaps://hostname
    

    If the LDAP server is configured with a default port number (389 for non-secure connections or 636 for secure SSL connections), you do not need to include the port number in the URL. If the LDAP server uses a different port number, use the following format for the LDAP URL:

    ldap://hostname:port_number
    ldaps://hostname:port_number
    

    If the LDAP server requires a secure SSL connection, additional setup is required. You must complete the steps in Section 31.2, Securing LDAP Synchronization to import the root certificate for your LDAP directory into the Java keystore on the Filr server before you configure Filr for LDAP synchronization.

    User DN (proxy user for synchronizing users and groups): Filr needs the user name and password of a user on the LDAP server who has sufficient rights to access the user information stored there:

    Directory Service    Required Rights

    eDirectory           • [All Attribute Rights] - Compare & Read
                         • [Entry Rights] - Browse (on the container containing the users that need to be imported into Filr)

    Active Directory     Any authenticated user can be used as the proxy user as long as there are no read restrictions in place on the Organizational Unit (OU) that contains the users.

                         Required rights if OU read restrictions are in place:
                         • Read (on the Organizational Unit containing the users that need to be imported into Filr). Ensure that This object & all descendant objects is selected in the Security tab under the advanced options.

    You need to provide the fully qualified, comma-delimited user name, along with its context in your LDAP directory tree, in the format expected by your directory service.

    Directory Service    Format for the User Name
    eDirectory           cn=username,ou=organizational_unit,o=organization
    Active Directory     cn=username,ou=organizational_unit,dc=domain_component

    Password: Password for the User DN.

    Directory Type: The directory type that you are connecting to. Select eDirectory or Active Directory.

    GUID attribute: Depending on the directory type that you chose, this field is populated with the name of the LDAP attribute that uniquely identifies a user or group. For eDirectory, this value is GUID. For Active Directory, this value is objectGUID. This attribute always has a unique value that does not change when you rename or move a user in the LDAP directory. It ensures that Filr modifies the existing user instead of creating a new user when the user is renamed or moved in the LDAP directory.

    If this attribute is not set and you rename or move a user in the LDAP directory, Filr assumes that the new name (or the new location of the same name) represents a new user, not a modified user, and creates a new Filr user.

    For example, suppose you have a Filr user named William Jones. If William changes his name to Bill, and you make that change in the LDAP directory, Filr creates a new user named Bill Jones.

    If you want to map users to a different attribute, select Other in the drop-down list, specify the name of the LDAP attribute, then click OK. Before you do this, ensure that the attribute that you use is a binary attribute. For example, the cn attribute cannot be used because it is not a binary attribute.

    Filr account name attribute: The attribute you choose here depends on the directory type you selected in the Directory type drop-down list. If you selected eDirectory in the Directory type drop-down list, you see cn and Other as options for this attribute. If you selected Active Directory or Other in the Directory type drop-down list, you see sAMAccountName, cn, and Other as options for this attribute. If you select Other as the value for this attribute, you are prompted to enter the name of the LDAP attribute. The value of the attribute that you enter is used for the Filr account name.

    The Filr account name attribute has two purposes:

    • Used as the Filr user name when the user is first provisioned from LDAP. The value of this attribute must be unique.

    • During Filr login, Filr uses this attribute to locate the user in the LDAP directory and then tries to authenticate as that user.

    LDAP directories differ in the LDAP attribute used to identify a User object. Both eDirectory and Active Directory might use the cn (common name) attribute. A more reliable alternative for Active Directory is to use the sAMAccountName attribute. Other LDAP directories might use the uid (unique ID) attribute, depending on the structure and configuration of the directory tree.

    You might need to consult with your directory administrator in order to determine which attribute is best to use. In some cases where not all users are imported successfully, you might need to set up two LDAP sources pointing to the same LDAP server and have each source use a different value for the LDAP Attribute Used for Filr Name. For example, set up one LDAP source and use cn as the Filr account name attribute. Then set up a separate source to the same LDAP server and use sAMAccountName as the Filr account name attribute.

    In addition to the attributes already mentioned in this section, other LDAP attributes can be used for the Filr account name attribute, as long as the attribute is unique for each User object. For example, the mail LDAP attribute on User objects could be used to enable Filr users to log in to the Filr site by using their email addresses.

    NOTE: Because the login name becomes part of the user’s workspace URL, and @ is not a valid character in a URL, the at sign (@) in the email address is replaced with an underscore (_) in the workspace URL.

  3. Continue with Users.
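The two Server Information fields above have a fixed shape: the LDAP Server URL (ldap:// or ldaps://, with 389 and 636 as the default ports) and the proxy User DN (cn=...,ou=...,o=... for eDirectory, cn=...,ou=...,dc=... for Active Directory). The following checks are an added example, not Filr code; they implement only the rules stated in this section, and the host names and DNs in the usage are constructed.

```python
"""Validate the LDAP Server URL and the proxy User DN from the Server
Information tab. Added example, not Filr code; sample values are constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}          # from the text
DN_SUFFIX = {"eDirectory": "o", "Active Directory": "dc"}  # from the User Name table


def parse_ldap_url(url: str) -> dict:
    """Return scheme, host, port and TLS flag; fill in the default port when
    the URL omits it; reject other schemes, a missing host, or extra parts."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}; use ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError("LDAP Server URL has no host name")
    if parts.path or parts.query or parts.fragment:
        raise ValueError("Filr expects only scheme, host and optional port in the URL")
    return {"scheme": scheme, "host": parts.hostname,
            "port": parts.port or DEFAULT_PORTS[scheme], "tls": scheme == "ldaps"}


def is_valid_ldap_url(url: str) -> bool:
    try:
        parse_ldap_url(url)
        return True
    except ValueError:
        return False


def parse_dn(dn: str) -> list:
    """Split a comma-delimited DN into (attribute, value) pairs; a comma
    escaped with a backslash (RFC 4514) stays inside the value."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"RDN {rdn!r} is not of the form attribute=value")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def check_proxy_dn(dn: str, directory_type: str) -> bool:
    """True when the DN starts with a non-empty cn= and ends in the naming
    suffix the table gives for the directory type (o= or dc=)."""
    try:
        pairs = parse_dn(dn)
    except ValueError:
        return False
    if pairs[0][0] != "cn" or not pairs[0][1]:
        return False
    return pairs[-1][0] == DN_SUFFIX[directory_type]


if __name__ == "__main__":
    print(parse_ldap_url("ldaps://ldap.example.test"))   # constructed host name
    print(check_proxy_dn("cn=filrproxy,ou=services,o=example", "eDirectory"))
```

Running the checks before saving the connection catches the two mistakes that are hard to undo later: a URL typed with the wrong scheme (which, per the IMPORTANT note above, you should not edit after users have been synchronized) and a proxy DN whose suffix does not match the selected directory type.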

Users

  1. On the LDAP Server Configuration page, click the Users tab, then click Add.

    The LDAP Search dialog box is displayed.

  2. Specify the following information in the LDAP Search dialog box:

    Base DN: Filr can find and synchronize initial user information from User objects located in one or more containers in the LDAP directory tree. A container under which User objects are located is called a base DN (distinguished name). The format you use to specify a base DN depends on your directory service.

    Directory Service    Format for the User Container
    eDirectory           ou=organizational_unit,o=organization
    Active Directory     ou=organizational_unit,dc=domain_component

    Container names cannot exceed 128 characters. If the container name exceeds 128 characters, users are not provisioned.

    HINT: You can use the Browse icon next to the Base DN field to browse the LDAP directory for the base DN that you want to use.

    Filter: To identify potential Filr users, Filr by default filters on the following LDAP directory object attributes:

    • Person

    • orgPerson

    • inetOrgPerson

    You can add attributes to the user or group filter list if necessary. You can use the following operators in the filter:

    • | OR (the default)

    • & AND

    • ! NOT

    You might find it convenient to create a group that consists of all the users that you want to set up in Filr, regardless of where they are located in your LDAP directory. After you create the group, you can use the following filter to search for User objects that have the specified group membership attribute:

    IMPORTANT: If you create a filter that searches for members of a specific group, users that are located in any sub-groups of that group are not synchronized.

    When synchronizing against Active Directory, you can create a filter that also synchronizes users in sub-groups by using an extensible-match filter with a matching rule object identifier (OID), in the following form:

    <attribute name>:<matching rule OID>:=<value>

    Be sure to include the parentheses in your filter.

    Directory Service    Filter to search for User objects
    eDirectory           (groupMembership=cn=group_name,ou=organizational_unit,o=organization)
    Active Directory     (memberOf=cn=group_name,ou=organizational_unit,dc=domain_component)
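The filter rules above (the default OR over the user object classes, the &, | and ! operators, the group-membership filters for each directory type, the Active Directory matching-rule form for sub-groups, and the reminder to keep the parentheses) can be captured in a small builder. This is an added example, not Filr code. It assumes that Filr's default object filter tests the objectClass attribute for the three classes listed above, and it uses the Active Directory LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941, from Microsoft's documentation, not from this page) for the nested-group filter. Group DNs in the usage are constructed.

```python
"""Build and check LDAP search filters for the Users tab. Added example, not
Filr code; the objectClass assumption and the AD matching-rule OID are noted
in the lead-in."""

DEFAULT_USER_CLASSES = ("Person", "orgPerson", "inetOrgPerson")  # from the text
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD LDAP_MATCHING_RULE_IN_CHAIN (Microsoft docs)
MEMBERSHIP_ATTR = {"eDirectory": "groupMembership", "Active Directory": "memberOf"}


def escape_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves in an assertion value, so a
    group name containing ( ) * or \\ cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def object_class_filter(classes=DEFAULT_USER_CLASSES) -> str:
    """The default filter: OR (|) over the object classes."""
    return "(|" + "".join(f"(objectClass={escape_value(c)})" for c in classes) + ")"


def group_member_filter(directory_type: str, group_dn: str, nested: bool = False) -> str:
    """Filter for users carrying the membership attribute for group_dn.
    nested=True adds the AD matching rule so members of sub-groups match too;
    the text describes that form for Active Directory only."""
    attr = MEMBERSHIP_ATTR.get(directory_type)
    if attr is None:
        raise ValueError(f"unknown directory type {directory_type!r}")
    if nested:
        if directory_type != "Active Directory":
            raise ValueError("nested-group matching is described for Active Directory only")
        attr = f"{attr}:{MATCHING_RULE_IN_CHAIN}:"   # <attribute>:<OID>:=<value>
    return f"({attr}={escape_value(group_dn)})"


def and_filters(*filters: str) -> str:
    """Combine filters with AND (&)."""
    return "(&" + "".join(filters) + ")"


def not_filter(flt: str) -> str:
    """Negate a filter with NOT (!)."""
    return f"(!{flt})"


def parentheses_balanced(flt: str) -> bool:
    """The text's reminder: a filter must be wrapped in parentheses, and
    every opening parenthesis must close in order."""
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and flt.startswith("(") and flt.endswith(")")


if __name__ == "__main__":
    group = "cn=filr-users,ou=groups,dc=example,dc=test"   # constructed DN
    flt = and_filters(object_class_filter(),
                      group_member_filter("Active Directory", group, nested=True))
    print(flt, parentheses_balanced(flt))
```

The escaping matters because the group DN is pasted into the filter as an assertion value: a stray parenthesis or asterisk in a group name would otherwise be parsed as filter syntax rather than as part of the name, and the balance check is the mechanical form of "be sure to include the parentheses".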

    Search subtree: Select whether you want Filr to search for users in containers underneath the base DN (that is, in subtrees).

    Home Directory Net Folder Configuration: Select one of the following options for creating Home directories for users in the Filr system. (For more information about Home directories, see Section 8.2, Configuring Home Folders for Display in the My Files Area.)

    • Use the following custom criteria: Select this option to specify the Net Folder Server and path where user Home directory information is located.

      In the Net Folder Server field, select the Net Folder Server that will be used with the Home directory Net Folders that will be created automatically when a user logs in. If you have not already created Net Folder Servers, or if you need to create a new one, click Create Net Folder Server. For information about how to create a Net Folder Server, see Section 8.3, Configuring and Managing Net Folder Servers.

      In the Relative path field, specify the path that points to user home directories on the selected server.

      You must use a replaceable parameter in the Relative path field. Replaceable parameters are entered by using the following syntax: %attributeName%. Replaceable parameters are evaluated dynamically each time a user logs in to Filr, and are replaced with the value of the given LDAP attribute. For example, if each user’s Home directory is associated with the cn value in the LDAP directory, specify the following in the Relative path field: Home\%cn%.

      The server path must be entered using UNC syntax.

    • Use the LDAP Home directory attribute: Select this option to use the LDAP Home directory attribute. This attribute is detected during the LDAP synchronization process. If the search context of the LDAP synchronization contains an OES or Windows server that has a Home folder attribute associated with at least one user, a Net Folder Server is ready to be configured immediately after running the LDAP synchronization process. (For more information about configuring the Net Folder Server, see Section 8.3, Configuring and Managing Net Folder Servers.)

    • Use the specified LDAP attribute: Select this option to specify the name of the LDAP attribute that contains the home directory information. The attribute must be of type String. The attribute must contain a string that is a UNC path, with one of the following forms:

      \\server\volume\path

      \\server\share\path

      \\server\share

    • Don’t create a Home directory Net Folder: Select this option if you do not want user Home directories to be created at the time that users are imported into the Filr system.

  3. Click OK.

  4. Continue with Groups.
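Two of the Home directory options above depend on LDAP attribute values at login time: the custom-criteria option expands %attributeName% parameters in the Relative path, and the specified-attribute option expects the attribute to hold a UNC path of the form \\server\share or \\server\share\path. The following code is an added example, not Filr code; it implements only the substitution and path forms stated above, applies the first-value rule for multi-valued attributes from the top of this section, and the sample user record is constructed.

```python
"""Expand %attributeName% parameters in a Relative path and validate a
home-directory UNC path. Added example, not Filr code; sample user is
constructed."""
import re

PARAM = re.compile(r"%([A-Za-z][A-Za-z0-9-]*)%")          # %attributeName%
# \\server\share, optionally followed by \path components; no empty or
# trailing components (the three forms listed in the text)
UNC = re.compile(r"^\\\\[^\\]+\\[^\\]+(?:\\[^\\]+)*$")


def first_value(value):
    """Filr does not support multi-valued attributes: only the first value counts."""
    if isinstance(value, (list, tuple)):
        return value[0] if value else None
    return value


def lookup(attrs: dict, name: str):
    """Case-insensitive attribute lookup (LDAP attribute names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in attrs.items()}
    return first_value(lowered.get(name.lower()))


def expand_relative_path(template: str, attrs: dict) -> str:
    """Replace every %attributeName% with the user's attribute value; the
    template must contain at least one parameter, and every referenced
    attribute must have a value, otherwise the path is undefined."""
    if not PARAM.search(template):
        raise ValueError("Relative path must contain a %attributeName% parameter")

    def substitute(match):
        name = match.group(1)
        value = lookup(attrs, name)
        if not value:
            raise KeyError(f"user has no value for LDAP attribute {name!r}")
        return str(value)

    return PARAM.sub(substitute, template)


def is_unc_path(path: str) -> bool:
    return bool(UNC.match(path))


def home_from_attribute(attrs: dict, attribute: str) -> str:
    """The 'Use the specified LDAP attribute' option: the attribute's (first)
    value must be a UNC path in one of the allowed forms."""
    value = lookup(attrs, attribute)
    if not isinstance(value, str) or not is_unc_path(value):
        raise ValueError(f"{attribute!r} does not hold a \\\\server\\share[\\path] value: {value!r}")
    return value


if __name__ == "__main__":
    # constructed sample user; the mail attribute is multi-valued
    user = {"cn": "jsmith", "mail": ["jsmith@example.test", "john.smith@example.test"],
            "homeDirectory": "\\\\fs1\\users\\jsmith"}
    print(expand_relative_path("Home\\%cn%", user))       # Home\jsmith
    print(home_from_attribute(user, "homeDirectory"))
```

Validating the expanded path before it is used as a Net Folder target is worthwhile on its own: an attribute that is empty for some users, or that holds a drive letter path instead of a UNC path, will otherwise surface only as a Home folder that silently fails to appear for those users.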

Groups

  1. On the LDAP Server Configuration page, click the Groups tab, then click Add.

    The LDAP Search dialog box is displayed.

  2. Specify the following information on the LDAP Search dialog box:

    Base DN: Filr can find and synchronize initial group information from Group objects located in one or more containers in the LDAP directory tree. A container under which Group objects are located is called a base DN (distinguished name). The format you use to specify a base DN depends on your directory service.

    Directory Service    Format for the Group Container
    eDirectory           ou=organizational_unit,o=organization
    Active Directory     ou=organizational_unit,dc=domain_component

    Container names cannot exceed 128 characters. If the container name exceeds 128 characters, users are not provisioned.

    HINT: You can use the Browse icon next to the Base DN field to browse the LDAP directory for the base DN that you want to use.

    Filter: To import groups based on information in your LDAP directory, Filr filters on the following LDAP directory object attributes:

    • group

    • groupOfNames

    • groupOfUniqueNames

    You can add attributes to the group filter list if necessary. You can use the following operators in the filter:

    • | OR (the default)

    • & AND

    • ! NOT

    IMPORTANT: Be sure to include the parentheses in your filter.

    Directory Service    Filter to search for Group objects
    eDirectory           (groupMembership=cn=group_name,ou=organizational_unit,o=organization)
    Active Directory     (memberOf=cn=group_name,ou=organizational_unit,dc=domain_component)

    Search subtree: Select whether you want Filr to search for groups in containers beneath the base DN (that is, in subtrees).

  3. Click OK, then click OK again to save the LDAP server configuration.

  4. Continue with Section 18.1.2, Configuring LDAP Synchronization.

18.1.2 Configuring LDAP Synchronization

When you configure LDAP synchronization, you configure user synchronization options, groups synchronization options, and the synchronization schedule.

NOTE: Because the synchronization options apply to all LDAP configurations for the Filr system, you cannot have customized synchronization settings for each LDAP configuration.

Configuring User Synchronization Options

  1. On the LDAP Configuration page, click the Users tab.

  2. Specify the following information for enabling and configuring user synchronization from your LDAP directory to your Filr site:

    Register LDAP user profiles automatically: Select this option to automatically add LDAP users to the Filr site. However, workspaces are not created until users log in to the Filr site for the first time.

    Synchronize user profiles: Select this option to synchronize user information whenever the LDAP directory information changes after initial Filr site setup. The attributes that are synchronized are the attributes that are found in the map box on the Server Information tab on the LDAP Server Configuration page.

    Filr synchronizes the following attributes from the LDAP directory:

    • First name

    • Last name

    • Phone number

    • Email address

    • Description

    For user accounts provisioned from LDAP that are no longer in LDAP: Because deleting user accounts cannot be undone, Novell recommends that you leave Disable account selected.

    For more information about disabled users in Filr, see Section 18.7, Disabling Filr User Accounts.

    Select Delete account only if you are certain that you want to delete users that exist on the Filr site but do not exist in your LDAP directory. If you do decide to delete user accounts, you can select the option Also delete associated user workspaces and content to remove obsolete information along with the user accounts.

    IMPORTANT: A deleted user cannot be undeleted; deleting a user is permanent and is not reversible.

    The Delete account option is designed to be used under the following conditions:

    • You have deleted users from your LDAP directory and you want the LDAP synchronization process to also delete them from Filr.

    • In addition to the users synchronized from LDAP, you create some Filr users manually, as described in Section 18.2, Creating a New Local User, and you want the LDAP synchronization process to delete the manually created users.
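The behaviour described across this section and the Server Information tab (one-way sync keyed on the GUID attribute so that a renamed user such as William Jones becoming Bill Jones is modified rather than re-created, only the first value of a multi-valued attribute being taken, and users no longer in LDAP being either disabled or deleted) can be shown with a small simulation of one synchronization pass. This is an added example, not Filr code: the attribute names it maps to First name, Last name, Phone number, Email address and Description are assumptions, and the directory snapshots are constructed.

```python
"""Simulate one LDAP-to-Filr synchronization pass. Added example, not Filr
code; attribute mapping is an assumption and the snapshots are constructed."""
from dataclasses import dataclass

# assumption: these LDAP attributes back the five profile fields the text lists
SYNCED_ATTRS = ("givenName", "sn", "telephoneNumber", "mail", "description")


def first_value(value):
    """Filr does not support multi-valued attributes: only the first value is used."""
    if isinstance(value, (list, tuple)):
        return value[0] if value else None
    return value


@dataclass
class FilrUser:
    key: str        # GUID when a GUID attribute is configured, else the account name
    name: str       # Filr account name
    attrs: dict
    disabled: bool = False


def sync_users(filr: dict, ldap_entries: list, name_attr: str,
               guid_attr: str = None, missing: str = "disable") -> dict:
    """One-way sync of ldap_entries into filr (a dict keyed by FilrUser.key).
    Entries are matched on the GUID attribute when one is configured, else on
    the account name. Users absent from LDAP are disabled (the recommended
    default) or deleted. Returns the kind of report the preview shows."""
    if missing not in ("disable", "delete"):
        raise ValueError("missing must be 'disable' or 'delete'")
    report = {"added": [], "modified": [], "disabled": [], "deleted": []}
    seen = set()
    for entry in ldap_entries:
        name = first_value(entry[name_attr])
        key = first_value(entry[guid_attr]) if guid_attr else name
        attrs = {a: first_value(entry[a]) for a in SYNCED_ATTRS if a in entry}
        seen.add(key)
        user = filr.get(key)
        if user is None:
            if any(u.name == name for u in filr.values()):
                raise ValueError(f"Filr account name {name!r} is not unique")
            filr[key] = FilrUser(key, name, attrs)
            report["added"].append(name)
        elif (user.name, user.attrs) != (name, attrs):
            user.name, user.attrs = name, attrs
            report["modified"].append(name)
    for key in list(filr):
        if key in seen:
            continue
        user = filr[key]
        if missing == "delete":
            del filr[key]                       # permanent, as the text warns
            report["deleted"].append(user.name)
        elif not user.disabled:
            user.disabled = True
            report["disabled"].append(user.name)
    return report


def demo() -> dict:
    """Rename William -> Bill with and without a GUID key, then drop him from LDAP."""
    before = [{"objectGUID": "g-1", "sAMAccountName": "wjones", "givenName": "William",
               "sn": "Jones", "mail": ["wjones@example.test", "william.jones@example.test"]}]
    after = [{"objectGUID": "g-1", "sAMAccountName": "bjones", "givenName": "Bill",
              "sn": "Jones", "mail": ["bjones@example.test"]}]
    with_guid, without_guid = {}, {}
    sync_users(with_guid, before, "sAMAccountName", guid_attr="objectGUID")
    sync_users(without_guid, before, "sAMAccountName")
    return {
        "rename_with_guid": sync_users(with_guid, after, "sAMAccountName", guid_attr="objectGUID"),
        "rename_without_guid": sync_users(without_guid, after, "sAMAccountName"),
        "removed_from_ldap": sync_users(with_guid, [], "sAMAccountName", guid_attr="objectGUID"),
        "accounts_with_guid": len(with_guid),
        "accounts_without_guid": len(without_guid),
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

With the GUID key the rename is reported as one modified user; without it the old name is disabled and a second account appears, which is exactly the duplicate the GUID attribute exists to prevent. Keeping the default of disabling rather than deleting means a mis-scoped base DN or filter on the LDAP side produces a reversible batch of disabled accounts instead of an irreversible batch of deletions.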

    Use the following time zone when creating new users: Select this option to set the time zone for user accounts that are synchronized from the LDAP directory into your Filr site. The time zone list is grouped first by continent or region, optionally by country or state, and lastly by city.

    Common selections for United States time zones:

    Time Zone        Continent/City
    Pacific Time     America/Los Angeles
    Mountain Time    America/Denver
    Central Time     America/Chicago
    Eastern Time     America/New York

    Use the following locale when creating new users: Select this option to set the locale for user accounts that are synchronized from the LDAP directory into your Filr site. The locale list is sorted alphabetically by language.

  3. Continue with Configuring Group Synchronization Options.

Configuring Group Synchronization Options

  1. On the LDAP Configuration page, click the Groups tab.

  2. Specify the following information for enabling and configuring group synchronization from your LDAP directory to your Filr site:

    Register LDAP group profiles automatically: Select this option to automatically add LDAP groups to the Filr site.

    Synchronize group profiles: Select this option to synchronize group information, such as the group description, to the Filr site whenever this information changes in LDAP.

    Synchronize group membership: Select this option so that the Filr group includes the same users (and possibly groups) as the group in your LDAP directory. If you do not select this option, and you make changes to group membership in the LDAP directory, the changes are not reflected on your Filr site.

    If users have rights to files on your OES or Windows file systems through group membership, you must select this option to synchronize group membership to Filr. If you do not synchronize group membership, users who have access rights to files through membership in a group might not have the appropriate access rights in Filr.

    Delete groups that were provisioned in LDAP but are no longer in LDAP: Select this option to delete groups that exist on the Filr site but do not exist in your LDAP directory. Use this option under the following conditions:

    • You have deleted groups from your LDAP directory and you want the LDAP synchronization process to delete them from Filr as well.

    • In addition to the groups synchronized from LDAP, you create some Filr groups manually, as described in Section 9.0, Creating Groups of Users, and you want the LDAP synchronization process to delete the manually created groups.

  3. Continue with Configuring the Synchronization Schedule.

Configuring the Synchronization Schedule

This section describes how to set a schedule for the LDAP synchronization.

When planning the schedule, take into account how often your LDAP directory user (and, optionally, group) information changes and the server resources required to perform the synchronization for the number of users (and, optionally, groups) that you have.

  1. On the LDAP Configuration page, click the Synchronization Schedule tab.

  2. Select Enable schedule to enable a schedule for the LDAP synchronization to occur.

  3. Select whether to run the LDAP synchronization every day, or select specific days of the week when you want it to run (for example, on Monday, Wednesday, and Friday).

    You can choose to have it run once a day at a specified time (for example, at 2:00 a.m.), or you can set a time interval, so that it is run multiple times each day (for example, every four hours). The smallest time interval you can set is .25 hours (every 15 minutes).

  4. (Conditional) If you want to restrict local users from logging in to the Filr site, continue with Section 18.1.3, Restricting Local User Accounts from Logging In.

  5. Continue with Section 18.1.4, Previewing and Running the LDAP Synchronization.

18.1.3 Restricting Local User Accounts from Logging In

By default, Filr allows locally created users to log in to the Filr site. This section describes how to configure Filr to allow only users that are synchronized via LDAP to log in.

  1. On the LDAP Configuration page, click the Local User Accounts tab.

  2. Leave Allow log in for local user accounts (i.e., user accounts not in LDAP) selected to allow users who you have created locally to log in to the Filr site; deselect it to allow only LDAP-synchronized users to log in.

    For more information about creating users, see Section 18.2, Creating a New Local User.

  3. Continue with Section 18.1.4, Previewing and Running the LDAP Synchronization.

18.1.4 Previewing and Running the LDAP Synchronization

Before you run the LDAP synchronization, it is a good idea to preview the synchronization so that you are aware of what changes will occur when you run the live synchronization.

Previewing LDAP Synchronization

After you have configured the LDAP connection, you can see a preview of what the synchronization results will be. This allows you to see beforehand the users and groups that will be added or deleted, as well as the users that will be disabled, before you run the actual synchronization.

To preview the LDAP synchronization:

  1. On the LDAP Configuration page, click the LDAP Servers tab, then click Preview sync.

    Users and groups that will be modified by running the LDAP sync are shown, along with information about how they will be modified (whether they will be added, modified, deleted, or disabled).

  2. (Optional) Specify a user or group in the Filter List field to filter the list of users and groups to be synchronized.

    or

    Click the drop-down arrow next to the Filter List field, then select the type of users or groups that you want to display, then click OK. (For example, select to display added users, modified users, modified groups, and so forth.)

  3. After you review the results of the synchronization, click Close, then continue with Running the LDAP Synchronization.

Running the LDAP Synchronization

After you have run the preview of the LDAP synchronization (as described in Previewing LDAP Synchronization), you are ready to run the live synchronization.

  1. On the LDAP Configuration page, click the LDAP Servers tab, then click Sync All.

    Users and groups that have been modified by running the LDAP sync are shown, along with information about how they have been modified (whether they were added, modified, deleted, or disabled).

  2. (Optional) Specify a user or group in the Filter List field to filter the list of users and groups to be synchronized.

    or

    Click the drop-down arrow next to the Filter List field, then select the type of users or groups that you want to display. (For example, select to display added users, modified users, modified groups, and so forth.)

  3. Click Close.

18.1.5 Viewing Synchronization Results

You can view the synchronization results of the most recent LDAP synchronization for the current browser session. If you perform a synchronization, log out of Filr, and then log in again, you cannot view the results of the LDAP synchronization for your previous session.

To view the results of the most recent synchronization:

  1. On the LDAP Configuration page, click the LDAP Servers tab.

  2. Click Show sync results.

18.1.6 Deleting an LDAP Configuration

IMPORTANT: If you delete an LDAP configuration and you have selected the option to delete user accounts that are provisioned from LDAP but are no longer in LDAP, all users that were synchronized to the Filr site through that LDAP configuration are deleted from the Filr site. (For more information about the configuration option concerning user accounts provisioned from LDAP, see Configuring User Synchronization Options.)

  1. On the LDAP Configuration page, click the LDAP Servers tab.

  2. Select the LDAP configuration that you want to delete, then click Delete.