Note: This feature is being deprecated. For similar functionality, use an LDAP host, which is a type of Connector host. See Connector Host for more information.
Note: This section applies to the Cleo VLTrader and Cleo Harmony applications only.
Use the LDAP Server tab to configure the external LDAP directory service used to authenticate users. The set of LDAP servers (the service cluster) can be discovered automatically by specifying the domain whose SRV records list them, or configured manually as a list of servers within a single domain. In either case, some hosts can be designated as primary servers and others as backups. If you are unsure of any required value, contact your directory administrator. LDAP user groups can then be configured as mailboxes in each of the local user hosts: FTP, HTTP, SSH FTP, and Users.
- Open the LDAP tab.
In the web UI, go to .
In the native UI, go to .
- Select the Enabled check box to enable the fields on the tab.
- Specify values for the fields in the Server Configuration section.
- Specify values for the fields in the Domain Configuration section.
- Add servers to the list of active LDAP servers. Either retrieve LDAP service records or add them manually.
- To retrieve LDAP service records, select the Lookup check box, specify a value in the Domain field, and click Refresh. LDAP service records found in the domain you specify are displayed in a table.
- To add LDAP service records manually, clear the Lookup check box, and click the New button to display a dialog box in which you can enter information for a new record. When you are finished entering the information, click OK to dismiss the dialog box and display the new record in the table.
Click New to add more new records as necessary.
While the Lookup check box is cleared, you can right-click service records to edit them or remove them from the list.
- Specify values for Base DN, Search Filter and Username Attribute.
- Optional. Click Advanced to specify password expiration settings. The Advanced button is enabled only when you select Active Directory from the Directory Type menu. See Server configuration reference.
- Click Test to test changes before they are applied. Enter an LDAP username and password. Changes to the Server Configuration panel are not applied until after a successful test login to the LDAP server.
- Specify values for the fields in the User Configuration section.
Server configuration reference
- Enabled
- Select the check box to enable LDAP connections to the configured server. Clear the check box to disable LDAP connections. When this check box is cleared, LDAP users are not able to log in.
- Directory Type
- The product used for the external LDAP directory service.
- Possible values:
- Active Directory
- Apache Directory Services
- Lotus Domino (IBM)
- Novell eDirectory
- DirX (Siemens)
- Security Mode
- If the directory server requires SSL/TLS, specify a security mode. Otherwise, select None.
- Possible values:
- None - The connection is not encrypted. Information retrieved from the directory server, and the passwords that users submit in LDAP simple binds, cross the network in clear text. Use this mode only on a trusted network or for testing.
- SSL - Select when your servers accept only connections that are TLS-encrypted from the start (LDAPS, typically port 636).
- StartTLS - Select when your servers accept a clear-text connection (typically port 389) that is upgraded to TLS with the StartTLS extended operation.
Domain configuration reference
- Lookup
- Select the check box to use the value in the Domain field for retrieving SRV (Service) records for the LDAP service cluster.
- Clear the check box to add records to the table manually.
- Domain
- The name of the domain from which you want to retrieve SRV records.
- Click Refresh to refresh the information in the table using the value in the Domain field.
- SRV record table
- The SRV record table displays information about SRV records. Each row in the table represents one SRV record. Each row contains the following columns:
- Enabled
- Select this check box to use the record. Otherwise, the record is ignored.
- Hostname
- The target machine on which the LDAP service is running.
- Port
- The port used to connect to the LDAP service. Typically, port 389 is used for non-secure (None) or StartTLS mode and port 636 is used for SSL mode.
- TTL
- The Time To Live value, defined as the time interval (in seconds) that the LDAP service record can be cached before the source of the information (for example, the domain) should be consulted again. A value of zero means that the LDAP record can only be used for the transaction in progress and should not be cached. You can also use a value of zero for extremely volatile data.
- Priority
- The priority of the LDAP server. Attempts are made to contact LDAP servers with the lowest-numbered priority first. LDAP servers with the same priority are contacted in the order specified by the Weight field.
- Possible values: 0-65535
- Weight
- A server selection mechanism that specifies a relative weight for entries with the same priority. Larger weights are given a proportionately higher probability of being selected. Use a zero value when server selection is not required.
- When there are records with weight values greater than zero, records weighted with a zero value will have a very small chance of being selected. When all priority and weight values are the same, the LDAP servers are selected in random order.
- Possible values: 0-65535
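The Python below is an added example and not part of the Cleo product or this reference. It applies the selection rules described for the Priority and Weight fields (the algorithm from RFC 2782) to a constructed record set standing in for the answer to a lookup of `_ldap._tcp.example.com`; the hostnames, ports and values are assumptions made for the example.

```python
"""Ordering LDAP SRV records by priority and weight.

Added example, not Cleo's code: it applies the selection rules described
for the Priority and Weight fields (the RFC 2782 algorithm) to a constructed
record set standing in for a lookup of _ldap._tcp.example.com. The hostnames
and values are assumptions made for the example.
"""
import random
from dataclasses import dataclass


@dataclass
class SrvRecord:
    hostname: str
    port: int
    priority: int
    weight: int
    ttl: int = 300        # seconds the record may be cached
    enabled: bool = True  # the Enabled column of the SRV record table


# Constructed answer: two weighted primaries, one zero-weight primary, one
# backup at a higher (less preferred) priority and one disabled record.
RECORDS = [
    SrvRecord("ldap1.example.com", 636, priority=0, weight=70),
    SrvRecord("ldap2.example.com", 636, priority=0, weight=30),
    SrvRecord("ldap0.example.com", 636, priority=0, weight=0),
    SrvRecord("backup.example.com", 636, priority=10, weight=0),
    SrvRecord("retired.example.com", 636, priority=0, weight=100, enabled=False),
]


def order_servers(records, rng=None):
    """Return the enabled records in the order a client should try them.

    Lowest priority first. Within one priority the records are shuffled,
    zero-weight records are moved to the front, a running sum of weights is
    built and a random number in [0, total] selects the first record whose
    running sum reaches it. Next to weighted records a zero-weight record is
    therefore chosen only when the draw is exactly 0 (the 'very small
    chance' above); when all weights are equal the initial shuffle is what
    makes the order random.
    """
    rng = rng or random.Random()
    by_priority = {}
    for rec in records:
        if rec.enabled:
            by_priority.setdefault(rec.priority, []).append(rec)

    ordered = []
    for prio in sorted(by_priority):
        pool = by_priority[prio][:]
        rng.shuffle(pool)
        pool.sort(key=lambda r: r.weight != 0)  # stable: zero weights first
        while pool:
            total = sum(r.weight for r in pool)
            draw = rng.randint(0, total)
            running = 0
            for i, rec in enumerate(pool):
                running += rec.weight
                if running >= draw:
                    ordered.append(pool.pop(i))
                    break
    return ordered


def first_choice_frequency(records, trials, seed=0):
    """Count how often each host is tried first over many orderings.

    Shows that weights within a priority act as proportions (70:30 here)
    and that the backup priority is never tried first while a primary is enabled.
    """
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        first = order_servers(records, rng)[0].hostname
        counts[first] = counts.get(first, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in order_servers(RECORDS):
        print(rec.priority, rec.weight, rec.hostname, rec.port)
    print(first_choice_frequency(RECORDS, 10000))
```

When checking a real deployment, compare the order this produces against the records the Lookup returns: a backup that shares a priority with the primaries, or a primary with weight 0 beside weighted ones, will be contacted far less often than intended.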
- Base DN
- The distinguished name (DN) of the directory subtree under which the users are defined; searches for users start here. Contact your directory administrator for the correct Base DN value. (The Base DN value entered here can be overridden in a local user host LDAP mailbox.)
- The following table shows sample Base DN values for the supported directory types.

| Directory Type | Example Base DN |
| --- | --- |
| Active Directory | OU=Employees,DC=company,DC=com |
| Apache Directory Services | OU=Users,DC=example,DC=com |
| Lotus Domino | O=SCNotes |
| Novell eDirectory | O=Company Organization |
| DirX | ou=Users,o=Company |
- Search filter
- Optional. Used to limit the entries returned from the LDAP server when many users are defined under the Base DN. A more restrictive filter can be specified as a comma-separated list of conditions, all of which an entry must match. If necessary, contact your directory administrator to determine the appropriate attributes and values. You can override the value entered here in a local user host LDAP mailbox.
- The following table contains example filter lists with sample attribute names and values.

| Search Filter | Description |
| --- | --- |
| department=EDI | Limits the search to entries whose department attribute has the value EDI. |
| department=EDI,group=administrators | Limits the search to entries that match both conditions: the user must be in the EDI department and in the administrators group. |
| department=EDI,telephoneNumber=800* | Limits the search to EDI department members with a telephone number starting with 800. |
| objectclass=person | Limits the search to entries that are people, for use when the Base DN contains other entries (for example, computers) as well as people. |
| !(userAccountControl:1.2.840.113556.1.4.803:=2) | Excludes disabled accounts. In Active Directory, if an account is disabled, bit 0x02 in the userAccountControl attribute value is set. 1.2.840.113556.1.4.803 is the rule object ID (ruleOID) for the LDAP bitwise AND matching rule. |
- If a value in the Search Filter contains any of the following characters, replace the character with the corresponding escape sequence. Unescaped occurrences are interpreted as filter syntax (or, for the comma, as the separator between conditions) rather than as part of the value.

| ASCII character | Escape Sequence Substitute |
| --- | --- |
| * | \2a |
| ( | \28 |
| ) | \29 |
| , | \2c |
| \ | \5c |
| NUL | \00 |
| / | \2f |
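The Python below is an added example and not part of the Cleo product or this reference. It implements the escape table above and shows why escaping matters for values that come from a login attempt: an unescaped username can change the structure of the filter (LDAP filter injection). The escape table is the one on this page (the RFC 4515 characters plus the comma and slash this page also lists). The way the comma-separated conditions are combined with the username match (wrapped in parentheses and ANDed) is an assumption made for the example, not a description of how the product builds its query.

```python
"""Escaping Search Filter values and composing the login filter.

Added example, not Cleo's code. The escape table is the one in the Search
Filter reference; the composition rule (AND every comma-separated condition
with the username match) is an assumption made for this example.
"""

# Character -> escape sequence, as listed in the Search Filter reference.
ESCAPES = {
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    ",": r"\2c",
    "\\": r"\5c",
    "\x00": r"\00",
    "/": r"\2f",
}


def escape_filter_value(value):
    """Escape one attribute value so it cannot alter the filter's structure.

    Each character is mapped independently, so replacement order does not
    matter and a backslash in the input is never reinterpreted.
    """
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def split_filter_list(search_filter):
    """Split the page's comma-separated filter list into conditions.

    Commas inside values must already be escaped as \\2c, so every literal
    comma separates two conditions.
    """
    return [item.strip() for item in search_filter.split(",") if item.strip()]


def as_component(item):
    """Wrap a bare 'attr=value' or '!(...)' condition in parentheses if needed."""
    return item if item.startswith("(") else "(" + item + ")"


def user_filter(search_filter, username_attribute, username):
    """Build the filter used to look up the entry for a login attempt.

    The username is untrusted data and is escaped; the filter list is
    operator configuration and is used as written. With no filter list
    configured the result is just the username match.
    """
    components = [as_component(item) for item in split_filter_list(search_filter)]
    components.append("(%s=%s)" % (username_attribute, escape_filter_value(username)))
    if len(components) == 1:
        return components[0]
    return "(&" + "".join(components) + ")"


if __name__ == "__main__":
    # Constructed injection attempt: without escaping this username would close
    # the username condition and add its own, matching every entry.
    hostile = "*)(objectClass=*"
    print(user_filter("department=EDI", "sAMAccountName", hostile))
```

The hostile username prints as `(&(department=EDI)(sAMAccountName=\2a\29\28objectClass=\2a))`, a literal string match that no entry will satisfy, rather than a filter that matches every object.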
- Username Attribute
- The Username Attribute is the directory attribute that is matched against the username entered at login. The following table contains typical attribute names for the supported directory types.

| Directory Type | Username Attribute |
| --- | --- |
| Active Directory | sAMAccountName |
| Apache Directory Services | uid |
| Lotus Domino | CN |
| Novell eDirectory | CN |
| DirX | cn |
- LDAP Server Advanced Settings
- The LDAP Server Advanced Settings dialog box displays when you click Advanced on the LDAP Server tab. Use this dialog box to specify values for password expiration checking.
- Enable Password Expiration Checking
- Select this check box to enable password expiration checking and the rest of the fields in the dialog box. Password expiration checking provides a daily email notification to the system administrator.
- Warning Days Before Password Expiration
- The number of days before a password expires at which the account starts to appear in the notification.
- Daily Time Check
- The time of day password expiration is checked.
- To
- The email address of the recipient of the daily password expiration check notification. You can specify multiple recipients. Separate email addresses by commas (,), semi-colons(;) or colons(:).
- Individual users can also receive an email notification, if specified, when the Security Mode is not set to None and an email address is configured for the user in Active Directory. A Web Portal user whose password has not already expired is directed to the web link (see Providing access to the web portal) where they can change their password. Otherwise, they are directed to contact the system administrator for assistance in changing it.
- Default value: The System Administrator email address defined in the panel in the native UI or in the web UI.
- From
- The email address of the sender of the daily password expiration check notification. If this field contains multiple email addresses, only the first address is displayed.
- Default value: The System Administrator email address defined in the panel in the native UI or in the web UI.
- Subject
- String that appears in the Subject field of the daily password expiration check notification.
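The Python below is an added example and not part of the Cleo product or this reference; it does not describe how the product performs its check. It shows the arithmetic a daily password-expiration check against Active Directory involves: converting the user's pwdLastSet (a FILETIME, 100-nanosecond ticks since 1601-01-01 UTC) and the domain's maxPwdAge (a negative interval in the same units) into days remaining, and honouring the account states that make the result meaningless (disabled accounts, the DONT_EXPIRE_PASSWD flag, "must change at next logon", and a domain with no expiration). The user list, policy and clock are constructed for the example.

```python
"""Password-expiration arithmetic against Active Directory attributes.

Added example, not Cleo's implementation: it turns pwdLastSet, maxPwdAge
and userAccountControl into "expires in N days" and a warning decision.
The user list, the 90-day policy and the fixed clock are constructed.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UAC_ACCOUNTDISABLE = 0x0002          # the bit the Search Filter example tests
UAC_DONT_EXPIRE_PASSWD = 0x10000     # password never expires
NEVER_EXPIRES = -0x8000000000000000  # maxPwdAge value meaning "no expiration"


def filetime_to_datetime(ticks):
    """Convert a FILETIME integer (100-ns ticks since 1601) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse conversion; used here only to build the sample data."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def password_status(pwd_last_set, max_pwd_age, uac, now, warning_days):
    """Classify one account.

    Returns (state, days_left) with state one of 'disabled', 'never',
    'must_change', 'expired', 'warning' or 'ok'. days_left is None when
    the question does not apply, negative when already expired.
    """
    if uac & UAC_ACCOUNTDISABLE:
        return "disabled", None
    if uac & UAC_DONT_EXPIRE_PASSWD or max_pwd_age in (0, NEVER_EXPIRES):
        return "never", None
    if pwd_last_set == 0:
        # AD stores 0 when "user must change password at next logon" is set
        return "must_change", 0
    last_set = filetime_to_datetime(pwd_last_set)
    # maxPwdAge is a negative interval; negate it to get the password lifetime
    expires_at = last_set + timedelta(microseconds=-max_pwd_age // 10)
    days_left = (expires_at - now) // timedelta(days=1)
    if days_left < 0:
        return "expired", days_left
    if days_left <= warning_days:
        return "warning", days_left
    return "ok", days_left


def daily_report(users, max_pwd_age, now, warning_days):
    """Return the (name, state, days_left) rows an administrator should see.

    Accounts that are fine, disabled or exempt from expiration are left out,
    the way a daily notification would list only actionable accounts.
    """
    rows = []
    for name, pwd_last_set, uac in users:
        state, days = password_status(pwd_last_set, max_pwd_age, uac, now, warning_days)
        if state in ("must_change", "expired", "warning"):
            rows.append((name, state, days))
    return rows


# Constructed sample: a fixed clock, a 90-day domain policy and six accounts.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE = -90 * 24 * 60 * 60 * 10_000_000  # 90 days, negative, in 100-ns ticks
USERS = [
    ("alice", datetime_to_filetime(NOW - timedelta(days=61)), 0x200),    # 29 days left
    ("bob", datetime_to_filetime(NOW - timedelta(days=80)), 0x200),      # 10 days left
    ("carol", datetime_to_filetime(NOW - timedelta(days=100)), 0x200),   # expired 10 days ago
    ("dave", 0, 0x200),                                                  # must change at next logon
    ("erin", datetime_to_filetime(NOW - timedelta(days=400)), 0x10200),  # password never expires
    ("frank", datetime_to_filetime(NOW - timedelta(days=100)), 0x202),   # disabled account
]

if __name__ == "__main__":
    for row in daily_report(USERS, MAX_PWD_AGE, NOW, warning_days=14):
        print(row)
```

Note that pwdLastSet and maxPwdAge are read from the directory over the configured connection, so with Security Mode set to None these reads, like the bind itself, travel in clear text.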
User configuration reference
- Email Address Attribute
- Full Name Attribute
- Home Directory Attribute
- Optional fields. Other options might depend on the values you specify for these fields. For example, if the LDAP server provides user home directory paths in addition to authentication, the Home Directory attribute is required.
Note: If you do not specify the Email Address attribute and you have LDAP users who try to reset a password via email, the application will not send password-reset emails.
- User UID Attribute
- Required field for user ID lookup.
- If you are using SAML, this LDAP attribute value must match the SAML assertion NameId value passed by the IdP in order for a user to log in successfully through SAML.
- If you are using Cleo Unify within Cleo Portal, the user ID is required for sharing.
- You should not use the Email Address Attribute as the User UID Attribute, as an email address for an individual can change.
- LDAP Account for Extracting Users
- Username
- Password
- Credentials used to log in to the directory service and extract LDAP users, either to populate the optional default LDAP user group or when you browse for users on the Cleo VLNavigator User tab. In addition to the List button here and in each of the local user host mailbox LDAP tabs, this account is used to periodically extract users in order to check mailbox license limits and to create user subdirectories. A dedicated directory account with read-only search rights over the Base DN is sufficient for these operations; do not reuse an administrator's credentials.