Using LDAP with eDirectory


Lightweight Directory Access Protocol (LDAP) Services for eDirectory let LDAP clients access information stored in eDirectory. LDAP is currently the preferred directory access protocol on the Internet. Because eDirectory lets you give different clients different levels of directory access, you can manage external, internal, and confidential information from the same directory. eDirectory also supports TLS-protected LDAP connections, so privileged users can access internal or private information securely without any special client software: all they need is an LDAP-capable client (for example, a browser with LDAP support) and connectivity to the LDAP server.

Installing LDAP Services

Novell LDAP Services for eDirectory are installed automatically during the OES Linux installation routine. For more information on OES Linux installation options, see Chapter 2.

Two types of objects are defined in the eDirectory schema to support LDAP Services:

  • LDAP Server object: Use this object to configure the LDAP environment for a single LDAP server.

  • LDAP Group object: Use this object to configure LDAP client access to eDirectory.

LDAP Services for eDirectory are an integrated component of ndsd and cannot be manually loaded and unloaded.

LDAP SERVER OBJECT

The LDAP Server object stores configuration information in eDirectory about an LDAP server. The LDAP Server object is created in the same container as your server object. Each LDAP Server object configures one LDAP server.

To configure an LDAP server, complete the following steps in iManager:

1. In the Navigation frame, open the LDAP group and select LDAP Overview.

2. Select the View LDAP Servers tab, and click the LDAP Server object with which you want to work.

3. Enter the configurable parameters in the property pages, and click the Refresh button to reset the LDAP server. Click OK when you're finished.

There are six pages of configuration parameters for the LDAP Server object:

  • Information: Set the general configuration of your LDAP server on this page. The following entries are available:

    • LDAP Group: Specify the name of the LDAP group to which this server should belong.

    • Dereference Aliases When Resolving Names: Check this option to force the LDAP server to resolve to the actual object whenever it encounters an alias object.

  • Connections: Sets the secure connection settings for this LDAP server with the following options:

    • Server Certificate: Specifies the digital certificate that is used for secure connections on this server. Certificate Server creates this certificate during the server installation routine. You should not have to change this value.

    • Client Certificate: Specifies how the LDAP server will work with client certificates. Options include Not Requesting Certificates; Requesting, but Not Requiring Client Certificates; and Requiring Client Certificates.

    • Trusted Root Containers: Specifies the container(s) in which trusted root certificates are stored for those clients capable of using Transport Layer Security (TLS).

    • Require TLS for All Operations: Check this box to require TLS-protected connections for all LDAP server communications.

    • Enable and Require Mutual Authentication: Check this box to force the LDAP server to mutually authenticate when using SSL.

    • Enable Encrypted Port: Sets the TCP port used for SSL connections on this server. Default is port 636. This should not be changed unless another service is already using port 636 on this server. Uncheck this box to prevent LDAP clients from using LDAPS connections on this server. (As long as the non-encrypted port stays enabled, clients can still protect a session on it by negotiating the StartTLS extended operation.)

    • Enable Non-encrypted Port: Sets the TCP port used for LDAP on this server. Default is port 389. This should not be changed unless another service is already using port 389 on this server. Uncheck this box to force LDAP clients to use SSL connections on this server.

    • Concurrent Bind Limit: Sets the maximum number of simultaneous LDAP connections. This should be set based on the amount of available memory in the LDAP server. Each LDAP request takes about 160KB of memory. Default is no limit.

    • Idle Timeout: Defines the maximum time in seconds that an open LDAP connection can remain inactive before being closed. Default is no limit.

    • Bind Restrictions: Specifies whether users must supply a username and password in order to connect. This is useful if you want to prevent anonymous or public access to eDirectory.

  • Searches: Defines the search settings on this LDAP server with the following settings:

    • Filtered Replicas: If you have configured a Filtered replica with specific search data, such as a corporate directory, you can specify that LDAP uses this replica to perform its searches. If your Filtered replicas are configured for this purpose, they can improve search time significantly.

    • Persistent Search: Persistent search is an extension to the LDAP search operation that allows an LDAP client to receive active updates to a given query from the LDAP server. As data on the LDAP server changes, the client is automatically notified of changes that affect its search. These settings let you enable/disable persistent searches and limit the number of concurrent persistent searches.

    • Restrictions: Sets the maximum values for searches in both time and number of entries returned.

    • Nonstandard Behaviors: Two check boxes let you support ADSI and legacy Netscape schema requests, and provide operational as well as user attributes when a request for user attributes is made.

  • Events: This page lets you enable event monitoring for external applications that may want to monitor certain eDirectory events. This monitoring can place a significant load on the LDAP server, so you can also specify a maximum server load for event monitoring.

  • Tracing: This page lets you enable tracing of certain types of LDAP events. LDAP tracing can place a significant load on the LDAP server, so it should be used only when necessary to gather troubleshooting information.

  • Referrals: This page lets you configure referral options that define how this LDAP server will react if it is unable to process an LDAP request directly:

    • Default Referral URL: Specify the LDAP URL that will point the LDAP client to another LDAP server when no specific referral information is available.

    • Conditions Which Return Default Referral: These three check boxes let you enable/disable situations under which this LDAP server will return a default referral to the client.

    • Referral Options: Choose between chaining and referrals. With Always Chain/Prefer Chaining, the LDAP server contacts other LDAP servers to locate the requested data for the client and then returns the data to the client; the query work is server-intensive. With Always Refer/Prefer Referrals, the server returns a referral, a message that tells the client where it can go to get the requested information. Both LDAP clients and servers must support referrals, but this eliminates the first LDAP server as a middleman for the LDAP request. The chaining and referral preferences can be set separately for eDirectory searches as opposed to other eDirectory operations.

Using the pages just described, you can configure the LDAP Server object as needed to fit your specific environment.

LDAP GROUP OBJECT

The LDAP Group object allows you to configure user access to the LDAP server. By default, an LDAP Group object will be created for each LDAP Server object, but if you want to use the same user configuration for multiple LDAP servers, you can combine them into a single LDAP group.

To configure the LDAP Group object, complete the following steps in iManager:

1. In the Navigation frame, open the LDAP group and select LDAP Overview.

2. Select the View LDAP Groups tab, and click the LDAP Group object with which you want to work.

3. Enter the configurable parameters in the property pages, and click OK when finished.

There are four pages of configuration parameters for the LDAP Group object:

  • Information: This page lets you set the general settings for the LDAP Group:

    • Server List: Use this option to add or remove LDAP servers from this LDAP group.

    • Proxy User: Specifies the eDirectory User object to use as a proxy for anonymous LDAP bind requests. For more information, see "Connecting via LDAP," later in this chapter.

    • Require TLS for Simple Binds with Password: Check this option if you want to reject unencrypted bind requests that contain a password. This is recommended to prevent passwords from being sent across the network in clear text.

  • Referrals: This page lets you configure referral options that define how the LDAP servers in this group will react if they are unable to process an LDAP request directly:

    • Default Referral URL: Specify the LDAP URL that will point the LDAP client to another LDAP server when no specific referral information is available.

    • Conditions Which Return Default Referral: These three check boxes let you enable/disable situations under which the LDAP server will return a default referral to the client.

    • Referral Options: Choose between chaining and referrals. With Always Chain/Prefer Chaining, the LDAP server contacts other LDAP servers to locate the requested data for the client and then returns the data to the client; the query work is server-intensive. With Always Refer/Prefer Referrals, the server returns a referral, a message that tells the client where it can go to get the requested information. Both LDAP clients and servers must support referrals, but this eliminates the first LDAP server as a middleman for the LDAP request. The chaining and referral preferences can be set separately for eDirectory searches versus other eDirectory operations.

  • Attribute Map and Class Map: These pages let an administrator associate LDAP schema classes and attributes with the corresponding eDirectory schema classes and attributes. A default set of mappings is defined when the LDAP group is created, but it leaves many LDAP classes and attributes unmapped. If you have specific needs, you can map LDAP classes and attributes as needed.

NOTE

Because there are certain LDAP attributes (such as CN and Common Name) that map to the same NDS value, LDAP services support multivalue associations. However, the LDAP server will return the value of the first matching attribute it locates in the list. If you map multiple LDAP attributes to a single NDS attribute, make sure you order the list with the most important attributes at the top; they will take precedence.


Connecting via LDAP

All LDAP clients bind or connect to eDirectory as one of the following types of users:

  • [Public] user (anonymous bind)

  • Proxy user (proxy user anonymous bind)

  • Directory user (eDirectory user bind)

The type of bind the user authenticates with affects the content the LDAP client can access. LDAP clients access a directory by building a request and sending it to the directory. When an LDAP client sends a request through LDAP Services for eDirectory, eDirectory completes the request for only those attributes to which the LDAP client has the appropriate access rights. For example, if the LDAP client requests an attribute value (which requires the Read right) and the user is granted only the Compare right to that attribute, the request is rejected.

Standard login restrictions and password restrictions still apply; however, they are evaluated relative to the LDAP server, not the LDAP client. Time restrictions are honored as usual, but address restrictions are checked against the address from which the eDirectory login occurs, which in this case is the LDAP server itself. Also, because LDAP does not support grace logins, a user whose password has expired but who still has grace logins left can log in to the server with a regular client yet be unable to bind via LDAP.

CONNECTING AS A [PUBLIC] USER

An anonymous bind is an LDAP connection that does not contain a username or password. If an anonymous client requests an LDAP connection and the service is not configured to use a Proxy user, eDirectory authenticates the client as a [Public] user.

[Public] is an unauthenticated eDirectory user. By default, [Public] is assigned only the Browse right to the objects in the eDirectory tree. [Public] can see only objects; it cannot browse object attributes. This is typically too limited for most LDAP clients. Although you can change the [Public] rights, this will give those rights to all users. To avoid this, use Proxy user (anonymous bind).

CONNECTING AS A PROXY USER

Proxy user (anonymous bind) allows LDAP to connect as a predefined eDirectory user. This gives you the flexibility to offer an anonymous connection that may actually be useful for something, such as accessing public information, without potentially causing security problems by changing [Public].

The key concepts of Proxy user (anonymous bind) are as follows:

  • All anonymous LDAP access is managed through the Proxy User object. Assign the Proxy user appropriate rights to all objects and attributes in eDirectory.

  • The Proxy user cannot have a password or any password restrictions, such as password change intervals, because LDAP clients do not supply passwords during anonymous binds. Do not allow the Proxy user to change passwords.

  • If desired, you can limit the locations from which a Proxy user can log in by setting address restrictions on the Proxy User object. For more information on creating and configuring eDirectory User objects, see Chapter 8.

The Proxy User object is enabled from the Information tab of the LDAP Group object, as described earlier in this chapter. There is only one Proxy User object for all servers in an LDAP group.

CONNECTING AS A DIRECTORY USER

LDAP clients can also connect using regular eDirectory User objects. When authenticated, the LDAP client is allowed access to any information to which the eDirectory user has rights.

The key concepts of eDirectory user binds are as follows:

  • eDirectory user connections are authenticated to eDirectory with a username and password entered at the LDAP client.

  • If secure connections are not required for password-based connections (see Require TLS for Simple Binds with Password on the LDAP Group object), the eDirectory password can be transmitted in clear text on the path between the LDAP client and the LDAP server.

  • If an eDirectory user password has expired, eDirectory bind requests for that user are rejected.

You have the flexibility to leverage any of these types of LDAP bind operations to give LDAP users access to eDirectory information they might need.
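The three bind types listed above, and the Require TLS for Simple Binds with Password option on the LDAP Group object, are easiest to understand from the bytes an LDAP client actually sends. The following Python script is an added example, not code from the handbook or from Novell; it encodes RFC 4511 BindRequest messages with the standard library only and parses them back the way a passive listener on the clear-text port 389 would. The DN cn=jdoe,ou=users,o=acme and the password are constructed sample values, and no network I/O takes place.

```python
"""Added example: what an LDAP bind looks like on the wire (RFC 4511, BER).

Not code from the handbook or from Novell. It encodes the bind kinds
described in the text and parses them back as a passive listener on the
clear-text port would. Constructed sample DN/password; no network I/O.
"""
from typing import Optional


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One BER element: tag, length, value."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    # Minimal two's-complement INTEGER (adequate for message IDs and version).
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def bind_request(message_id: int, dn: str = "", password: Optional[str] = None) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.

    dn="" with no password is an anonymous bind. eDirectory decides on the
    server whether that maps to [Public] or to the LDAP group's Proxy user;
    the bytes on the wire are identical either way.
    """
    auth = tlv(0x80, (password or "").encode())                  # simple [0] OCTET STRING
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + auth)   # [APPLICATION 0] BindRequest
    return tlv(0x30, ber_int(message_id) + op)                   # SEQUENCE LDAPMessage


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, payload, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(packet: bytes) -> dict:
    """Recover DN and password from a captured clear-text simple bind."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind (SASL binds use choice [3], tag 0xA3)")
    dn = name.decode()
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(ver, "big", signed=True),
        "dn": dn,
        "password": auth.decode(),
        # The handbook's categories: [Public]/Proxy user (anonymous) vs directory user.
        "bind_type": "anonymous" if not dn and not auth else "directory user",
    }


def password_exposed(packet: bytes, password: str) -> bool:
    """True when the password is recoverable verbatim from the packet bytes."""
    return password.encode() in packet


if __name__ == "__main__":
    # Constructed sample values, not from the handbook.
    anon = bind_request(1)
    user = bind_request(2, "cn=jdoe,ou=users,o=acme", "s3cret")
    print(anon.hex())                      # 300c020101600702010304008000
    print(parse_bind_request(user))
    print("password in clear:", password_exposed(user, "s3cret"))
```

Run it directly to print the canonical anonymous bind (30 0c 02 01 01 60 07 02 01 03 04 00 80 00) and the parsed directory-user bind. Two points follow from the output: an anonymous bind and a Proxy user bind are indistinguishable on the wire, so the mapping to [Public] or to the Proxy user is purely a server-side policy decision; and a simple bind on port 389 without TLS carries the eDirectory password as a plain octet string, which is exactly what Require TLS for Simple Binds with Password refuses (the result code RFC 4511 defines for that refusal is confidentialityRequired, 13).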



    Novell Open Enterprise Server Administrator's Handbook, SUSE LINUX Edition
    ISBN: 067232749X
    Year: 2005