6.0 LDAP Servers and Synchronization

LDAP Configuration Dialog

Path: Port 8443 Filr Admin Console System > LDAP

Best Practice: Plan your LDAP Servers and use the following table when working in this dialog:

NOTE: It is highly recommended that internal and external users are not imported from the same LDAP server. This keeps the external and internal LDAP sources clearly isolated, so that Filr administrators can assign different access control lists to each kind of Filr user.

Table 6-1 Using the LDAP Configuration dialog

Field, Option, or Button

Information and/or Action

LDAP Configuration dialog

LDAP Servers tab

 

  • Add button

  • Delete button

  • Click this to remove the selected LDAP server from the list.

    IMPORTANT: Before you remove an LDAP server, make sure you consider the options you have set for users and groups that are no longer in LDAP in the User Settings tab and the Group Settings tab.

  • Sync All button

HINT: If you have just added or modified the LDAP Servers configuration, you must save it by clicking OK before running an LDAP synchronization.

  • After your users and groups are synchronized, you can click this to refresh the LDAP information in Filr.

  • To synchronize only certain users or groups, filter the list by entering a string in the Filter List.

    Or

  • Click the drop-down arrow next to the Filter List and select the type of users or groups to synchronize.

    For example, Added users, Modified users, Modified groups, and so forth.

  • Users and groups that have been modified by running the LDAP sync are reported, along with information about how they have been modified.

  • Preview Sync button

HINT: If you have just added or modified the LDAP Servers configuration, you must save it by clicking OK before previewing an LDAP synchronization.

  • Use this to preview the synchronization results—users and groups that will be added or deleted, users that will be disabled, and so on—before you run the actual synchronization.

    • To preview only certain users or groups, filter the list by entering a string in the Filter List.

      Or

    • Click the drop-down arrow next to the Filter List and select the type of users or groups to synchronize.

      For example, Added users, Modified users, Modified groups, and so forth.

  • After you are satisfied with the results, use the Sync All option with the same filters to perform the actual synchronization.

  • Show Sync Results button

  • Use this to display the most recent synchronization results for the current browser session.

  • If you run a synchronization, log out of Filr, and then log in again, no results are available to view.

LDAP servers list

  • Server URL

  • User Creation Type

  • This specifies the type of users imported from the LDAP server.

  • User DN

  • This is the LDAP proxy user information for the LDAP server.

User Settings tab

 

  • Register User Profiles Automatically

  • Select this option to automatically add LDAP users to the Filr site.

  • Workspaces are not created until users log in for the first time.

  • Synchronize User Profiles

  • Select this option to automatically update Filr with user information changes following the initial LDAP synchronization.

  • The attributes that are synchronized are the attributes listed in the mappings box in the Server Information tab.

For user accounts provisioned from LDAP that are no longer in LDAP sub-section

  • Disable Account

  • Delete Account

IMPORTANT: A deleted user cannot be undeleted; this action is not reversible.

  • Select this only if you have deleted users from your LDAP directory and you want the LDAP synchronization process to also remove them from Filr.

  • Delete associated user workspaces: This option removes all information associated with the user accounts, including their Personal Storage.

Use the following when creating new users sub-section

  • Time zone:

  • Use this drop-down list to set the time zone for user accounts that are synchronized from the LDAP directory into your Filr site.

  • The time zone list is grouped first by continent or region, optionally by country or state, and lastly by city.

  • Locale:

  • Use this drop-down list to set the locale for user accounts that are synchronized from the LDAP directory into your Filr site.

  • The locale list is sorted alphabetically by language.

Group Settings tab

 

  • Register LDAP group profiles automatically

  • Select this to automatically add new LDAP groups to the Filr site.

  • Synchronize group profiles

  • Select this to synchronize group information, such as the group description, to the Filr site whenever this information changes in LDAP.

  • Synchronize group membership

  • This option ensures that the Filr group includes the same users (and possibly groups) as the corresponding LDAP group.

    If this is not selected, then LDAP group changes are not reflected in Filr.

  • This option also ensures that Filr recognizes group-based file system rights assignment updates.

    If this is not selected, users with group-based access rights might not qualify for the roles they need to use Filr.

  • Delete groups that were provisioned from LDAP but are no longer in LDAP

IMPORTANT: A deleted group cannot be undeleted; this action is not reversible.

  • Select this only if you have deleted groups from your LDAP directory and you want the LDAP synchronization process to also remove the groups from Filr.

Synchronization Schedule tab

  • Enable schedule

  • This is selected by default so that LDAP synchronizations occur at regular intervals.

  • You should not normally de-select this unless you are troubleshooting a problem or working with OpenText support to resolve a service request.

  • Every day

  • Select this to run an LDAP synchronization every day at the time or interval specified below.

  • On selected days

  • Select this if you want the LDAP synchronization to run only on specific days.

  • At HH:MM

  • Using the drop-down lists, you can specify synchronizations to occur at a specific time.

  • Hours start at midnight (0) and continue through 11 p.m. (23).

  • Minutes can be specified using 5-minute increments.

  • Repeat every X hours

  • As an alternative to synchronizing at a specific time, you can set a time interval and synchronize multiple times each day (for example, every four hours).

  • The smallest time interval you can set is .25 hours (every 15 minutes).

Local User Accounts tab

  • Allow log in for local user accounts (that is, user accounts not in LDAP)

  • Use this to enable or disable logging in by locally created and self-provisioned user accounts.

LDAP Server Configuration Dialog

Path: Port 8443 Filr Admin Console System > LDAP > Add button

Best Practice: Plan your LDAP Servers and use the following table when working in this dialog:

Table 6-2 Using the LDAP Server Configuration dialog

Field, Option, or Button

Information and/or Action

LDAP Server Configuration dialog

Server Information tab

  • LDAP Server URL

WARNING: If you modify an existing LDAP connection, do not modify this LDAP server URL field. Doing so can cause synchronized users to be disabled or deleted.

  • This is the host name of the LDAP server where your directory service is running.

    Specify a URL with the format your server requires, as follows:

    • ldap://hostname (plain LDAP on the default port, 389)

    • ldaps://hostname (LDAP over SSL/TLS on the default port, 636)

  • If the LDAP server uses a different port number from those above, you must include the port as follows:

    • ldap://hostname:port_number

    • ldaps://hostname:port_number

  • User DN:

    (LDAP proxy user)

  • This is the LDAP proxy user and it must have sufficient rights to access the user information stored there. See LDAP Proxy User Role and Rights in OpenText Filr 24.4: Understanding How Filr Works.

  • You must specify a fully qualified, comma-delimited user name, along with its context in your LDAP directory tree, in the format expected by your directory service.

    • eDirectory: cn=username,ou=organizational_unit,o=organization

    • Active Directory: cn=username,ou=organizational_unit,dc=domain_component

  • Password:

    (LDAP proxy user password)

  • You must type the password for the User DN.

  • Directory Type:

  • Select the directory type for the LDAP server that you are configuring (eDirectory or Active Directory).

  • Guid attribute:

  • Based on the directory type you have selected, Filr selects the standard LDAP attribute used to identify a user.

  • GUID and objectGUID: These are the default, binary attributes for eDirectory and Active Directory, respectively.

    They have unique values that do not change if you rename or move a user in the LDAP directory, thus ensuring that Filr modifies the existing user rather than creating a new one.

  • Other: Selecting this option in the Guid attribute drop-down prompts you to map users to a different LDAP attribute by specifying the attribute name and then clicking OK.

    • You must ensure that the attribute you specify is a binary attribute.

      For example, the cn attribute cannot be used because it is not a binary attribute.

    • If you cancel the prompt to specify an attribute, or specify an attribute that is not binary, Filr creates new users whenever names or locations change.

      For example, if you have a Filr user and LDAP user named William Jones, and if William requests that you change his name to Bill in the LDAP directory, then the next time an LDAP synchronization occurs, Filr creates a new user named Bill Jones.

  • Create users as:

  • Internal users is selected by default.

  • Select the type of users you want to create:

    • Internal Users: The users from the LDAP server are imported as internal users in Filr.

    • External Users: The users from the LDAP server are imported as external users in Filr.

  • You cannot edit this field once the server information is saved.

  • If you select external users, the Groups tab is not displayed in the LDAP Server Configuration dialog.

  • Filr account name attribute:

  • Filr uses this attribute

    • To create Filr account names

    • To locate users in the LDAP directory.

    • As the User ID for authentication purposes.

  • The value of this attribute must be unique in LDAP.

  • Attribute options depend on the directory type selected in the Directory type drop-down list.

    Consult with your directory administrator to determine which attribute or attributes are used in your directory service.

    • For eDirectory, the default available options are cn and Other.

    • For Active Directory, the default available options are sAMAccountName, cn, and Other.

    • If you select Other as the value for this attribute, you are prompted to enter the name of an LDAP attribute to use instead of the default choices.

  • Based on your findings, you might need to set up two or more LDAP sources that point to the same LDAP server but use different values for the Filr account name attribute.

    For example, if you use Active Directory, you might need to set up one LDAP source that uses cn and another that uses sAMAccountName as the Filr account name attribute.

  • In addition to the attributes already mentioned in this section, other LDAP attributes can be used for the Filr account name attribute, as long as the attribute is unique for each User object.

    For example, the mail LDAP attribute could be used so that Filr users can log in by using their email addresses.

  • External users can only log in to Filr using their email addresses. The default value is mail. Therefore, this option is disabled when creating an external user.

  • LDAP Attribute Mappings box

  • This lists the mappings between Filr user information and the LDAP attributes that correspond to them.

    It is populated automatically.

  • If Synchronize User Profiles is enabled in the User Settings tab, the information associated with the mappings configured here is updated each time the user account is synchronized.

OK button

  • If you are modifying previously configured LDAP server information, you can click OK. Otherwise, you must click the Users tab.

Cancel button

  • Click this to discard the LDAP server configuration changes you have made and exit the tab.

Users tab

 

  • Add button

  • Delete button

  • Click this after selecting one or more list entries. For example, when the context no longer exists or when it is covered by another entry.

OK button

  • If you are modifying previously configured User information, you can click OK.

  • If this is a new configuration, you should click the Groups tab and add an LDAP search context. Otherwise, your Filr users might not be recognized as having the roles needed for Filr access (see the information for the Synchronize group membership option).

Cancel button

  • Click this to discard your changes and exit.

Groups tab

 

  • Add button

  • Delete button

  • Click this after selecting one or more group Base DN entries. For example, when the context no longer exists or when it is covered by another entry.

OK button

  • Click OK to save the LDAP server configuration.

Cancel button

  • Click this to discard your changes and exit.

LDAP Search Dialog (User Version)

Path: Port 8443 Filr Admin Console System > LDAP > Add button > Users tab > Add button

Table 6-3 Using the LDAP Search dialog (User Version)

Field, Option, or Button

Information and/or Action

LDAP Search dialog (User Version)

  • Base DN:

Best Practice: Use the Browse icon next to the Base DN field to browse the LDAP directory for the base DN that you want to use. This eliminates the risk of typing the context incorrectly. Also, if browsing fails, that means the LDAP server configuration is not correct and must be changed.

  • This is the directory context or container under which LDAP User objects are located.

  • When specifying this you must use the syntax required by your directory service type.

    • eDirectory: ou=organizational_unit,o=organization

    • Active Directory: ou=organizational_unit,dc=domain_component

IMPORTANT: Container names cannot exceed 128 characters. If they do, users are not provisioned.

  • Filter:

Filr sets up a standard User filter for the LDAP server type.

IMPORTANT: In most cases, you need to modify this to ensure that only the licensed users are added to the Filr server.

Use the User filter to provision only the licensed users to the Filr server.

  • About User Filters:

    • By default, Filr identifies potential users by filtering on the following LDAP directory object attributes:

      • Person

      • orgPerson

      • inetOrgPerson

      If needed, you can modify the filter by inserting the following operators:

      • | OR (the default)

      • & AND

      • ! NOT

  • A Group for Filr Users:

    • You might want to create a group for only Filr users, regardless of where they are located in your LDAP directory.

    • After creating the group, use the following filters to search for User objects that have the group membership attribute shown below.

      Make sure you include the parentheses in your filter.

      • eDirectory: (groupMembership=cn=group_name,ou=organizational_unit,o=organization)

      • Active Directory: (memberOf=cn=group_name,ou=organizational_unit,dc=domain_component)

    IMPORTANT: Users in eDirectory sub-groups are not synchronized.

    However, for Active Directory you can create a filter that synchronizes users in sub-groups by using the following rule object identifier (OID):

    <attribute name>:<matching rule OID>:=<value>
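The filter syntax described above, as an added example that is not part of the Filr documentation or product: a small Python helper that assembles the default object-class filter (the Person, orgPerson and inetOrgPerson defaults are assumed here to be objectClass assertions joined with the default | operator), ANDs it with the group-membership assertion for either directory type, and applies RFC 4515 escaping to the group DN so that an unusual character in a group or container name cannot change the structure of the filter. For Active Directory it can also follow sub-group membership with the extensible-match form shown above; the rule OID it uses, 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN), is Microsoft's documented value and is not taken from this page. The group DNs in the usage call are constructed samples.

```python
"""Assemble a Filr-style LDAP user filter with RFC 4515 escaping.

Added example; not part of Filr. The default object-class list and the
membership attribute names follow the text above; the chain-matching OID
is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN rule.
"""

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Object classes Filr filters on by default (assumed to be objectClass values).
DEFAULT_OBJECT_CLASSES = ("Person", "orgPerson", "inetOrgPerson")

# Group membership attribute per directory type, as given in the text above.
MEMBERSHIP_ATTRIBUTE = {
    "edirectory": "groupMembership",
    "active directory": "memberOf",
}

# Active Directory extensible-match rule that evaluates memberOf transitively.
AD_IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter assertion (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def object_class_filter(classes=DEFAULT_OBJECT_CLASSES) -> str:
    """OR ('|') together one objectClass assertion per class, the default filter shape."""
    assertions = "".join(f"(objectClass={escape_filter_value(c)})" for c in classes)
    return f"(|{assertions})"


def group_membership_filter(group_dn: str, directory_type: str,
                            include_subgroups: bool = False) -> str:
    """Assertion that restricts users to the members of one group.

    include_subgroups is only meaningful for Active Directory, where the
    chain-matching rule makes memberOf follow nested group membership.
    eDirectory sub-groups are not expanded, matching the IMPORTANT note above.
    """
    attribute = MEMBERSHIP_ATTRIBUTE[directory_type.lower()]
    if include_subgroups:
        if attribute != "memberOf":
            raise ValueError("sub-group expansion is only available for Active Directory")
        # Extensible match: <attribute name>:<matching rule OID>:=<value>
        attribute = f"{attribute}:{AD_IN_CHAIN_OID}:"
    return f"({attribute}={escape_filter_value(group_dn)})"


def filr_user_filter(group_dn: str, directory_type: str,
                     include_subgroups: bool = False) -> str:
    """AND ('&') the default object-class filter with the group restriction."""
    membership = group_membership_filter(group_dn, directory_type, include_subgroups)
    return f"(&{object_class_filter()}{membership})"


if __name__ == "__main__":
    # Constructed sample group DNs; not taken from any real directory.
    print(filr_user_filter("cn=filr-users,ou=it,o=acme", "eDirectory"))
    print(filr_user_filter("cn=filr-users,ou=it,dc=example,dc=com", "Active Directory", True))
```

The escaping matters most when the Filter field is built from values an administrator did not type by hand, such as a group name copied from another tool: a stray parenthesis or asterisk in a DN would otherwise either break the filter or widen the match, and a widened match means more accounts provisioned than the license or the access-control design intended.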

  • Search subtree

  • Select this if you want Filr to search for users in containers underneath the base DN (that is, in subtrees).

Home-Directory Net Folder Configuration sub-section

NOTE: This configuration is not applicable for external users.

  • Use the following custom criteria

  • Select this to specify the Net Folder Server and path where user Home directories are located.

  • Net Folder Server: Click the drop-down list and select the Net Folder Server where Filr should create home folders when the users in this context (Base DN) log in.

    If the server isn’t created yet, click New Net Folder Server and refer to Creating a Net Folder Server if you need help.

  • Relative Path: Using UNC syntax, specify the path to where the corresponding Home directories are located.

    For example, if user Home directories are included in a directory named Home which is located at the root of the specified Net Folder Server, the path would be Home\.

    In place of the actual directory names, include a replaceable parameter using the syntax: %LDAPattributeName%.

    Continuing the example, if the Home directory is associated with the LDAP attribute cn, the complete path with the replaceable parameter included would be Home\%cn%.

    Filr evaluates replaceable parameters each time a user logs in and replaces the parameter with the value of the LDAP attribute specified in the path.

  • After the Home Net Folder Server is created, when you log in to the Port 8443 Administration Console, you are prompted to complete the server’s configuration by specifying a Net Folder proxy user. See the information starting with Specify proxy using a Proxy Identity.

  • Use the LDAP home directory attribute

  • Select this option to use the LDAP Home directory attribute.

  • Filr detects the attribute during the LDAP synchronization process.

  • If the search context of the LDAP synchronization contains an OES or Windows server that has a Home folder attribute associated with at least one user, Filr creates a Home Net Folder Server immediately after running the LDAP synchronization process.

  • After the Home Net Folder Server is created, when you log in to the Port 8443 Administration Console, you are prompted to complete the server’s configuration by specifying a Net Folder proxy user. See the information starting with Specify proxy using a Proxy Identity.

  • Use the specified LDAP attribute

  • Select this option to specify the name of the LDAP attribute that contains the required home directory information.

    Attribute Name: This must be of type String and must contain a UNC path, with one of the following forms:

    • \\server\volume\path

    • \\server\share\path

    • \\server\share

  • After the Home Net Folder Server is created, when you log in to the Port 8443 Administration Console, you are prompted to complete the server’s configuration by specifying a Net Folder proxy user. See the information starting with Specify proxy using a Proxy Identity.

  • Don’t create a home directory Net Folder

  • Select this option if you do not want user Home directories to be created at the time that users are imported into the Filr system.
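The replaceable-parameter rule for the Relative Path field and the three UNC forms accepted for the specified LDAP attribute, as an added example that is not Filr code: a Python helper that substitutes %LDAPattributeName% placeholders from a user's synchronized attributes, refuses an attribute value that would stand for more or less than one directory name (a defensive check added here for illustration, not a description of how Filr evaluates the path), and validates that a path has one of the forms \\server\volume\path, \\server\share\path or \\server\share. The join of the Net Folder Server root with the relative path, the attribute values and the server names are this example's own assumptions and constructed data.

```python
r"""Resolve Filr-style home directory paths from LDAP attributes.

Added example; not Filr's implementation. The %LDAPattributeName%
placeholder syntax and the accepted UNC forms come from the text above;
the single-directory-name check is an illustrative defensive rule.
"""
import re

# %cn%, %sAMAccountName%, ...: attribute names are letters, digits and hyphens.
PLACEHOLDER = re.compile(r"%([A-Za-z][A-Za-z0-9-]*)%")

# \\server\share, \\server\share\path and \\server\volume\path; the path part
# may have several components, each free of backslashes.
UNC_PATH = re.compile(r"^\\\\[^\\]+\\[^\\]+(?:\\[^\\]+)*$")


def is_safe_component(value: str) -> bool:
    r"""True if an attribute value can stand in for exactly one directory name.

    Empty values, path separators and the names '.' and '..' are rejected,
    because substituting them into Home\%cn% would select a different
    directory than the one the administrator configured.
    """
    return bool(value) and "\\" not in value and "/" not in value and value not in (".", "..")


def resolve_relative_path(relative_path: str, attrs: dict) -> str:
    """Replace each %attr% placeholder with the user's attribute value."""
    def substitute(match):
        name = match.group(1)
        if name not in attrs:
            raise KeyError(f"user has no LDAP attribute {name!r}")
        value = attrs[name]
        if not is_safe_component(value):
            raise ValueError(f"attribute {name!r} value {value!r} is not a single directory name")
        return value
    return PLACEHOLDER.sub(substitute, relative_path)


def is_valid_unc(path: str) -> bool:
    """Check that path has one of the three UNC forms listed in the text above."""
    return UNC_PATH.match(path) is not None


def home_folder_unc(server_root: str, relative_path: str, attrs: dict) -> str:
    """Join the Net Folder Server root with the resolved relative path and validate the result.

    The join itself is an assumption of this example; the text only states that
    the relative path is evaluated against the specified Net Folder Server.
    """
    resolved = resolve_relative_path(relative_path, attrs)
    full = server_root.rstrip("\\") + "\\" + resolved.strip("\\")
    if not is_valid_unc(full):
        raise ValueError(f"{full!r} is not a UNC path of an accepted form")
    return full


if __name__ == "__main__":
    # Constructed sample user and server; not taken from any real environment.
    user = {"cn": "wjones", "sAMAccountName": "wjones"}
    print(home_folder_unc(r"\\fs1\users", r"Home\%cn%", user))
```

Running the helper against the attribute values of a few representative users before enabling the Home-Directory Net Folder configuration shows which accounts would receive a usable path and which would fail, which is the failure mode to catch before hundreds of users log in for the first time.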

LDAP Search Dialog (Group Version)

Path: Port 8443 Filr Admin Console System > LDAP > Add button > Groups tab > Add button

Table 6-4 Using the LDAP Search dialog (Group Version)

Field, Option, or Button

Information and/or Action

LDAP Search dialog (Group Version)

  • Base DN:

Best Practice: Use the Browse icon next to the Base DN field to browse the LDAP directory for the base DN that you want to use. This eliminates the risk of typing the context incorrectly. Also, if browsing fails, that means the LDAP server configuration is not correct and must be changed.

  • This is the directory context or container under which LDAP Group objects are located.

  • When specifying this you must use the syntax required by your directory service type.

    • eDirectory: ou=organizational_unit,o=organization

    • Active Directory: ou=organizational_unit,dc=domain_component

IMPORTANT: Container names cannot exceed 128 characters. If they do, groups are not provisioned.

  • Filter:

Filr sets up a standard Group filter for the LDAP server type.

IMPORTANT: In most cases, you need to modify this to ensure that only the licensed users are added to the Filr server.

Use the Group filter to provision only the licensed users to the Filr server.

  • Search subtree

  • Select this if you want Filr to search for groups in containers underneath the base DN (that is, in subtrees).

Configuring LDAP ID

Hide the user IDs of the LDAP users

Displaying the LDAP ID exposes information about the directory service that can be used against it, for example in attempts at unauthorized access to data or modification of configuration. A configurable option in the ssf-ext.properties file hides the LDAP IDs.

  1. In the /opt/novell/filr/apache-tomcat/webapps/ssf/WEB-INF/classes/config/ssf-ext.properties file, set the hide.LDAPId parameter to true.

    User IDs are no longer displayed in the Web client Address Book Search, Show People tab, and so on.

  2. Restart the Filr service after making modifications to the ssf-ext.properties file.

Disable Address Book Search for external LDAP users

This setting can prevent external LDAP users from appearing in the Share dialog Address book search.

The external.ldap.user.disable.search parameter in ssf-ext.properties controls whether the Share dialog address book search suggests external LDAP users.

  1. In the /opt/novell/filr/apache-tomcat/webapps/ssf/WEB-INF/classes/config/ssf-ext.properties file, set the external.ldap.user.disable.search parameter to true.

    Search suggestions are displayed only for internal users. When you search for external LDAP users in the Share dialog, you have to enter the complete email address to find the desired recipient.

  2. Restart the Filr service after making modifications to the ssf-ext.properties file.
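Both procedures in this section edit the same file and differ only in the key they set. As an added example that is not part of Filr or its tooling, the Python helper below sets a key in a Java-style properties file without disturbing other lines or comments, and applies hide.LDAPId and external.ldap.user.disable.search in one pass so a single restart of the Filr service covers both. The file path and the two key names are taken from the steps above; the backup behaviour and the sample file contents are this example's own.

```python
"""Set keys in Filr's ssf-ext.properties idempotently.

Added example; not Filr tooling. The file path and the two key names are
taken from the procedures above; everything else is this example's own.
"""
import shutil
import sys
from pathlib import Path

SSF_EXT_PROPERTIES = Path(
    "/opt/novell/filr/apache-tomcat/webapps/ssf/WEB-INF/classes/config/ssf-ext.properties"
)

# The two LDAP-related hardening keys described in this section.
LDAP_HARDENING = {
    "hide.LDAPId": "true",
    "external.ldap.user.disable.search": "true",
}


def _active_key(line: str):
    """Return the key of an active 'key=value' line, or None for comments and blanks."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#!" or "=" not in stripped:
        return None
    return stripped.split("=", 1)[0].strip()


def get_property(lines, key):
    """Value of the last active assignment of key, or None if it is unset."""
    value = None
    for line in lines:
        if _active_key(line) == key:
            value = line.split("=", 1)[1].strip()
    return value


def set_property(lines, key, value):
    """Return a new list of lines with key=value set exactly once.

    The first active assignment is rewritten in place, any later duplicate is
    dropped, and the key is appended if it was not present. Comments and
    unrelated lines are kept as they are; the input list is not modified.
    """
    out, done = [], False
    for line in lines:
        if _active_key(line) == key:
            if not done:
                out.append(f"{key}={value}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{key}={value}")
    return out


def harden_file(path: Path = SSF_EXT_PROPERTIES, settings=LDAP_HARDENING) -> bool:
    """Apply all settings to the file, keeping a .bak copy. Returns True if the file changed."""
    original = path.read_text(encoding="utf-8").splitlines()
    updated = original
    for key, value in settings.items():
        updated = set_property(updated, key, value)
    if updated == original:
        return False
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    path.write_text("\n".join(updated) + "\n", encoding="utf-8")
    return True


if __name__ == "__main__":
    # Optional argument: an alternative file to edit, for example a staged copy.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else SSF_EXT_PROPERTIES
    changed = harden_file(target)
    print("changed" if changed else "already set", "- restart the Filr service to apply")
```

Because set_property returns the same content when the keys are already set, the script can be rerun after each Filr upgrade to confirm the two settings survived, and the return value of harden_file tells the caller whether a service restart is actually needed.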