The Users tree branch contains information about all configured user groups. Cleo VLNavigator supports authenticating users using its own database or using a directory service via LDAP. A non-LDAP user with administrative privileges, such as the default administrator user, should be defined in case the LDAP server is not functional.

Configuring the Cleo VLNavigator LDAP server

Use the LDAP Server tab in Cleo VLNavigator to configure the LDAP server to authenticate internal administrators and operators of the Cleo VLNavigator and VersaLexapplications.

1. In Cleo VLNavigator, click the Users node in the tree view.

   The LDAP Server tab appears.

2. Select the Enabled check box to enable the fields on the tab.

   If the LDAP server is disabled (the Enabled check box is cleared), any LDAP users and the Default LDAP group, if it exists, are displayed in yellow to indicate the LDAP server is currently disabled and, therefore, all LDAP accounts are currently not usable.

3. Specify values for the fields in the Server Configuration section.

   See Cleo VLNavigator LDAP server configuration reference.

4. Specify values for the fields in the Domain Configuration section.
   1. Add servers to the list of active LDAP servers. Either retrieve LDAP service records or add them manually.
      • To retrieve LDAP service records, select the Lookup check box, specify a value in the Domain field, and click Refresh. LDAP service records found in the domain you specify are displayed in a table.
      • To add LDAP service records manually, clear the Lookup check box, and click the New button to display a dialog box in which you can enter information for a new record. When you are finished entering the information, click OK to dismiss the dialog box and display the new record in the table.

        Click New to add more new records as necessary.

        While the Lookup check box is cleared, you can right-click service records to edit them or remove them from the list.

   2. Specify values for Base DN, Search Filter and Username Attribute.
      See Cleo VLNavigator LDAP domain configuration reference for information about the fields in the Domain Configuration section.
   3. Optional. Click Advanced to specify password expiration settings. The Advanced button is enabled only when you select Active Directory from the Directory Type menu. See Cleo VLNavigator LDAP server configuration  reference.
   4. Click Test to test changes before they are applied. Enter an LDAP username and password. Changes to the Server Configuration panel are not applied until after a successful test login to the LDAP server.
5. Specify values for the fields in the User Configuration section.
   See Cleo VLNavigator LDAP user configuration reference.

Default LDAP group

On the LDAP Server tab, when an LDAP directory service is configured, the optional Username and Password fields are specified, Create/Maintain Default LDAP Group is selected, and Apply is clicked, a special user group called Default LDAP will appear under the Users tree. The Default LDAP group is a convenience group, provided as an easy way to add many users at one time. The users within this group will correspond to those shown when List is clicked (not including any users that already exist within other VLNavigator user groups).

Once created, the Default LDAP group can be disabled, refreshed, or removed by right-clicking the user group within the tree pane and selecting Disable, Refresh, or Remove. IfRemove is selected, Create/Maintain Default LDAP Group cleared for you and the group is removed. Another way to remove the Default LDAP group is to clear Create/Maintain Default LDAP Group and click Apply.

The users within the Default LDAP group cannot be edited or disabled; however, they can be moved to another user group by right-clicking on the user within the tree pane and selecting Move.

Cleo VLNavigator LDAP server configuration reference

Enabled

Select the check box to enable LDAP connections to the configured server. Clear the check box to disable LDAP connections. When this check box is cleared, LDAP users are not able to log in.

Directory Type

The product used for the external LDAP directory service. 

Possible values:

• Active Directory
• Apache Directory Services
• Lotus Domino(IBM)
• Novell eDirectory
• DirX(Siemens)

Security Mode

If the directory server requires use SSL, specify a security mode. Otherwise, select None.

Possible values:

• None - Information retrieved from the directory server will be clear-text.
• SSL - Select when your servers support only SSL connections.
• StartTLS - Select when your servers support SSL by use of the StartTLS command.

Cleo VLNavigator LDAP domain configuration reference

Lookup

Select the check box to use the value in the Domain field for retrieving SRV (Service) records for the LDAP service cluster.

Clear the check box to add records to the table manually.

Domain

The name of the domain from which you want to retrieve SRV records.

Click Refresh to refresh the information in the table using the value in the Domain field.

SRV record table

The SRV record table displays information about SRV records. Each row in the table represents one SRV record. Each row contains the following columns:

Enabled

Select this check box to use the record. Otherwise, the record is ignored.

Hostname

The target machine on which the LDAP service is running.

Port

The port used to connect to the LDAP service. Typically, the port 389 is used for non-secure (None) or StartTLS mode and 636 is used for SSL mode.

TTL

The Time To Live value defined as the time interval (in seconds) that the  LDAP service record can be cached before the source of the information (for example, the domain) should again be consulted. A value of zero means that the LDAP record can only be used for the transaction in progress, and should not be cached.  You can also use a value of zero for extremely volatile data.

Priority

The priority of the LDAP server. Attempts are made to contact LDAP servers with the lowest-numbered priority first.  LDAP servers with the same priority are contacted in the order specified by the Weight field. 

Possible values:0-65535

Weight

A server selection mechanism that specifies a relative weight for entries with the same priority. Larger weights are given a proportionately higher probability of being selected. Use a zero value when server selection is not required.

When there are records with weight values greater than zero, records weighted with a zero value will have a very small chance of being selected. When all priority and weight values are the same, the LDAP servers are selected in random order. 

Possible values:0-65535

Base DN

The base organizational unit where the users are defined. Contact your directory administrator for the correct Base DN value.  (The Base DN value entered here can be overridden in a local user host LDAP mailbox.)

The examples the table below show sample base organizational units for the supported directory types. 

<td">Active Directory</td"><td">Apache Directory Services</td"><td">Lotus Domino</td"><td">Novell eDirectory</td"><td">DirX</td">

Directory Type	Example Base DN
OU=Employees,DC=company,DC=com
OU=Users,DC=example,DC=com
O=SCNotes
O=Company Organization
ou=Users,o=Company

Search filter

Optional. Used to limit the amount of information returned from the LDAP server when many users are defined.  A more restrictive filter can be specified as a comma separated list. If necessary, contact your directory administrator to determine the appropriate attributes and values.  You can override the value entered here in a local user host LDAP mailbox.

The following table contains example lists with sample attribute names and values.

Search Filter	Description
department=EDI	Limits the search to entries that have the attribute, department, with a value of EDI.
department=EDI,group=administrators	Limits the search to entries that must match two attributes. The user must be in the EDI department and in the administrators group.
department=EDI,telephoneNumber=800*	Limits search to EDI department members with a telephone number starting with 800.
objectclass=person	Limit the search to entries that are people if the Base DN contains other entries (for example, computers) and people.
!(userAccountControl:1.2.840.113556.1.4.803:=2)	Excludes disabled accounts - in Active Directory, if an account is disabled, bit 0x02 in the userAccountControl attribute value is on.  1.2.840.113556.1.4.803 is the rule object ID (ruleOID) for the LDAP bitwise AND operator.

If the value to search in has any of the following special characters, they must be substituted in the Search Filter with the corresponding escape sequence.

ASCII character	Escape Sequence Substitute
*	\2a
(	\28
)	\29
,	\2c
\	\5c
NUL	\00
/	\2f

Username Attribute

The Username Attribute is the directory attribute that matches the username entered when a login is required. The following table contains typical attribute names for the supported directory types.

Directory Type	Username Attribute
Active Directory	sAMAccountName
Apache Directory Services	Uid
Lotus Domino	CN
Novell eDirectory	CN
DirX	cn

LDAP Server Advanced Settings

The LDAP Server Advanced Settings dialog box displays when you click Advanced on the LDAP Server tab. Use this dialog box to specify values for password expiration checking.

Enable Password Expiration Checking

Select this check box to enable password expiration checking and the rest of the fields in the dialog box. Password expiration checking provides a daily email notification to the system administrator.

Warning Days Before Password Expiration

The range of days within which a notification is generated.

Daily Time Check

The time of day password expiration is checked.

To

The email address of the recipient of the daily password expiration check notification. You can specify multiple recipients. Separate email addresses by commas (,), semi-colons(;) or colons(:). 

One or more individual users can also receive an email notification, if specified, when the Security Mode is not set to None and an email address is configured for the users (as part of his Active Directory settings).  A Web Portal user whose password hasn't already expired is directed to the web link (see Providing access to the web portal) where they can change their password. Otherwise, they are directed to contact the system administrator for assistance in changing it.

Default value: The System Administrator email address defined in the Options > Other panel in the native UI or Administration > System > Other in the web UI.

From

The email address of the sender of the daily password expiration check notification. If this field contains multiple email addresses, only the first address is displayed. 

Default value: The System Administrator email address defined in the Options > Other panel in the native UI or Administration > System > Other in the web UI.

Subject

String that appears in the Subject field of the daily password expiration check notification.

Cleo VLNavigator LDAP user configuration reference

Email Address Attribute

Required field. Attribute name for a user's email address.

Note: If you do not specify the Email Address attribute and you have LDAP users who try to reset a password via email, the application will not send password-reset emails.

Phone Attribute

First Name Attribute

Last Name Attribute

Full Name Attribute

Optional fields. Other options might depend on the values you specify for these fields.

User UID Attribute

Required field.

An additional distinguishing attribute in the user list.

LDAP Account for Extracting Users

Username

Password

Credentials used to login to extract LDAP user from the LDAP directory service to populate the optional default LDAP user group or when you browse for users on the Cleo VLNavigator User tab. In addition to the List button here and in each of the local user host mailbox LDAP tabs, this account is used to periodically extract users in order to check mailbox license limits and to create user subdirectories.

Create/Maintain Default LDAP Group

Select the check box to create the optional Default LDAP user group. Clear the check box to remove the Default LDAP user group.