Note: This feature is being deprecated. For similar functionality, use an LDAP host, which is a type of Connector host. See Connector Host for more information.

Note: This section applies to the Cleo VLTrader and Cleo Harmony applications only.

Use the LDAP Server tab to configure the external LDAP directory service to be used for authenticating users. The LDAP service cluster can be obtained by specifying a single domain where the LDAP servers are located, or through manually configuring an LDAP service cluster that resides on a single domain. In either case, hosts can optionally be designated as primary servers and others as backups. If you are unsure of any of the required values, contact your directory administrator. LDAP user groups can then subsequently be configured as mailboxes in each of the local user hosts – FTP, HTTP, SSH FTP, and Users.

1. Open the LDAP tab.

   In the web UI, go to Administration > User Management > LDAP Settings.

   In the native UI, go to Configure > Options > LDAP Server.

2. Select the Enabled check box to enable the fields on the tab.

3. Specify values for the fields in the Server Configuration section.

   See Server configuration reference.

4. Specify values for the fields in the Domain Configuration section.
   1. Add servers to the list of active LDAP servers. Either retrieve LDAP service records or add them manually.
      • To retrieve LDAP service records, select the Lookup check box, specify a value in the Domain field, and click Refresh. LDAP service records found in the domain you specify are displayed in a table.

      • To add LDAP service records manually, clear the Lookup check box, and click the New button to display a dialog box in which you can enter information for a new record. When you are finished entering the information, click OK to dismiss the dialog box and display the new record in the table.

        Click New to add more new records as necessary.

        While Lookup check box is cleared, you can right-click service records to edit them or remove them from the list.

   2. Specify values for Base DN, Search Filter and Username Attribute.

      See Domain configuration reference for information about the fields in the Domain Configuration section.

   3. Optional. Click Advanced to specify password expiration settings. The Advanced button is enabled only when you select Active Directory from the Directory Type menu. See Server configuration reference.
   4. Click Test to test changes before they are applied. Enter an LDAP username and password. Changes to the Server Configuration panel are not applied until after a successful test login to the LDAP server.

5. Specify values for the fields in the User Configuration section.

   See User configuration reference.

Server configuration reference

Enabled

Select the check box to enable LDAP connections to the configured server. Clear the check box to disable LDAP connections. When this check box is cleared, LDAP users are not able to log in.

Directory Type

The product used for the external LDAP directory service. 

Possible values:

• Active Directory
• Apache Directory Services
• Lotus Domino(IBM)
• Novell eDirectory
• DirX(Siemens)

Security Mode

If the directory server requires use SSL, specify a security mode. Otherwise, select None.

Possible values:

• None - Information retrieved from the directory server will be clear-text.
• SSL - Select when your servers support only SSL connections.
• StartTLS - Select when your servers support SSL by use of the StartTLS command.

Domain configuration reference

Lookup

Select the check box to use the value in the Domain field for retrieving SRV (Service) records for the LDAP service cluster.

Clear the check box to add records to the table manually.

Domain

The name of the domain from which you want to retrieve SRV records.

Click Refresh to refresh the information in the table using the value in the Domain field.

SRV record table

The SRV record table displays information about SRV records. Each row in the table represents one SRV record. Each row contains the following columns:

Enabled

Select this check box to use the record. Otherwise, the record is ignored.

Hostname

The target machine on which the LDAP service is running.

Port

The port used to connect to the LDAP service. Typically, the port 389 is used for non-secure (None) or StartTLS mode and 636 is used for SSL mode.

TTL

The Time To Live value defined as the time interval (in seconds) that the  LDAP service record can be cached before the source of the information (for example, the domain) should again be consulted. A value of zero means that the LDAP record can only be used for the transaction in progress, and should not be cached.  You can also use a value of zero for extremely volatile data.

Priority

The priority of the LDAP server. Attempts are made to contact LDAP servers with the lowest-numbered priority first.  LDAP servers with the same priority are contacted in the order specified by the Weight field. 

Possible values: 0-65535

Weight

A server selection mechanism that specifies a relative weight for entries with the same priority. Larger weights are given a proportionately higher probability of being selected. Use a zero value when server selection is not required.

When there are records with weight values greater than zero, records weighted with a zero value will have a very small chance of being selected. When all priority and weight values are the same, the LDAP servers are selected in random order. 

Possible values: 0-65535

Base DN

The base organizational unit where the users are defined. Contact your directory administrator for the correct Base DN value.  (The Base DN value entered here can be overridden in a local user host LDAP mailbox.)

The examples the table below show sample base organizational units for the supported directory types. 

Directory Type	Example Base DN
Active Directory	OU=Employees,DC=company,DC=com
Apache Directory Services	OU=Users,DC=example,DC=com
Lotus Domino	O=SCNotes
Novell eDirectory	O=Company Organization
DirX	ou=Users,o=Company

Search filter

Optional. Used to limit the amount of information returned from the LDAP server when many users are defined. A more restrictive filter can be specified as a comma separated list. If necessary, contact your directory administrator to determine the appropriate attributes and values. You can override the value entered here in a local user host LDAP mailbox.

The following table contains example lists with sample attribute names and values.

Search Filter	Description
department=EDI	Limits the search to entries that have the attribute, department, with a value of EDI.
department=EDI,group=administrators	Limits the search to entries that must match two attributes. The user must be in the EDI department and in the administrators group.
department=EDI,telephoneNumber=800*	Limits search to EDI department members with a telephone number starting with 800.
objectclass=person	Limit the search to entries that are people if the Base DN contains other entries (for example, computers) and people.
!(userAccountControl:1.2.840.113556.1.4.803:=2)	Excludes disabled accounts - in Active Directory, if an account is disabled, bit 0x02 in the userAccountControl attribute value is on.  1.2.840.113556.1.4.803 is the rule object ID (ruleOID) for the LDAP bitwise AND operator.

If the value to search in has any of the following special characters, they must be substituted in the Search Filter with the corresponding escape sequence.

ASCII character	Escape Sequence Substitute
*	\2a
(	\28
)	\29
,	\2c
\	\5c
NUL	\00
/	\2f

Username Attribute

The Username Attribute is the directory attribute that matches the username entered when a login is required. The following table contains typical attribute names for the supported directory types.

Directory Type	Username Attribute
Active Directory	sAMAccountName
Apache Directory Services	Uid
Lotus Domino	CN
Novell eDirectory	CN
DirX	cn

LDAP Server Advanced Settings

The LDAP Server Advanced Settings dialog box displays when you click Advanced on the LDAP Server tab. Use this dialog box to specify values for password expiration checking.

Enable Password Expiration Checking

Select this check box to enable password expiration checking and the rest of the fields in the dialog box. Password expiration checking provides a daily email notification to the system administrator.

Warning Days Before Password Expiration

The range of days within which a notification is generated.

Daily Time Check

The time of day password expiration is checked.

To

The email address of the recipient of the daily password expiration check notification. You can specify multiple recipients. Separate email addresses by commas (,), semi-colons(;) or colons(:). 

One or more individual users can also receive an email notification, if specified, when the Security Mode is not set to None and an email address is configured for the users (as part of his Active Directory settings).  A Web Portal user whose password hasn't already expired is directed to the web link (see Providing access to the web portal) where they can change their password. Otherwise, they are directed to contact the system administrator for assistance in changing it.

Default value: The System Administrator email address defined in the Options > Other panel in the native UI or Administration > System > Other in the web UI.

From

The email address of the sender of the daily password expiration check notification. If this field contains multiple email addresses, only the first address is displayed. 

Default value: The System Administrator email address defined in the Options > Other panel in the native UI or Administration > System > Other in the web UI.

Subject

String that appears in the Subject field of the daily password expiration check notification.

User configuration reference 

Email Address Attribute

Full Name Attribute

Home Directory Attribute

Optional fields. Other options might depend on the values you specify for these fields. For example, if the LDAP server provides user home directory paths in addition to authentication, the Home Directory attribute is required.

Note: If you do not specify the Email Address attribute and you have LDAP users who try to reset a password via email, the application will not send password-reset emails.

 

User UID Attribute

Required field for user ID lookup.

If you are using SAML, this LDAP attribute value must match the SAML assertion NameId value passed by the IDP in order for a user to successfully login through SAML.

If you are using Cleo Unify within Cleo Portal, the user ID is required for sharing.

You should not use the Email Address Attribute as the User UID Attribute, as an email address for an individual can change.

LDAP Account for Extracting Users

Username

Password

Credentials to use to login to extract LDAP user from the LDAP directory service to populate the optional default LDAP user group or when you browse for users on the Cleo VLNavigator User tab. In addition to the List button here and in each of the local user host mailbox LDAP tabs, this account is used to periodically extract users in order to check mailbox license limits and to create user subdirectories.