Although LDAP authentication is a great authentication method, if you don't take measures to make it fault tolerant, your users can all be locked out of their GroupWise accounts. If the LDAP server you have configured for your user authentication goes down, the POA cannot authenticate users, and so users will not be able to access their mailboxes. The solution to this potential problem is called LDAP server pooling. The next section talks about how to enable LDAP server pooling. LDAP Server PoolingLDAP pooling allows you to define a second (or even a third) LDAP server for the POA to roll over to if the first one is not available for some reason. Here are the steps for doing this:
Other LDAP Authentication OptionsLet's take a deeper look at LDAP authentication in order to make an important point. The GroupWise POA identifies the user who is logging in based on the User ID the user fills in via the GroupWise client (be it the Windows, WebAccess, or wireless clients). In every user's record in the GroupWise directory (WPDOMAIN.DB and WPHOST.DB), there is a field called Network ID. There's another field that identifies the eDirectory tree the user is grafted into. These two values come from eDirectory based on the eDirectory object that the GroupWise account is associated with. The POA uses these values to indicate which eDirectory context to look into in order to authenticate the users. Now that you understand the architecture, imagine that either your LDAP server is in another eDirectory tree, or your LDAP server isn't even a Novell eDirectory LDAP server. What do you do then? You have two options, as discussed next. Option 1Each user object has a field on the GroupWise Account page called LDAP Authentication. This field allows you to indicate a different context or fully distinguished name. For example, you could enter this: CN=ECORNISH,OU=EMPLOYEES,O=FLATTREEORGANIZATION The fact that you enter the location for the user in another tree means that the LDAP server defined to service this post office must also be in the other tree or LDAP directory. Option 2Leave the LDAP Authentication field blank, and make sure that the email address attribute in the LDAP directory matches the eDirectory's email attribute of the GroupWise user. You must then rename the LDAPX.NLM file found on the server where your POA is running and restart the POA. When you perform this step, the POA will not try to look up the eDirectory's distinguished name for the user, and because the LDAP Authentication field is blank, the POA will simply search against the LDAP server for the user's email address. If it finds an email address, it will then know the user's distinguished name, and will know how to authenticate to the other tree or LDAP directory as the correct user. If you happen to have a workforce tree (an eDirectory tree created from another eDirectory tree via DirXML), and you want to use the workforce tree for LDAP authentication, refer to a Technical Information Document in Novell's Knowledgebase at http://support.novell.com. Search for the TID # 10067272 in the Knowledgebase search field. This Technical Information Document talks about the details surrounding option 2. External eDirectory trees and DirXML are outside the scope of this book. We have also used the LDAP Authentication field to associate the user's login credentials with a different eDirectory user object. For example, we wanted to have the user TKRATZER to authenticate with the user ADMIN's password. Here's what we did:
So, why do this? We did it to prove it could be done. You'll have to think of under what conditions you might find this useful. |