The Users tree branch contains information about all configured user groups. Cleo VLNavigator supports authenticating users using its own database or using a directory service via LDAP. A non-LDAP user with administrative privileges, such as the default administrator user, should be defined in case the LDAP server is not functional.
Note: If you have an Administrator user configured in Cleo VLNavigator and a Users host user configured in Cleo Harmony or Cleo VLTrader with the same username, you might experience issues logging in to your system with the Administrator user. To resolve possible issues, you can rename or remove the Users host user, or change the configuration of the Users host user to use VLNav Connector Host authentication.
Configuring the Cleo VLNavigator LDAP server
Use the LDAP Server tab in Cleo VLNavigator to configure the LDAP server that authenticates internal administrators and operators of the Cleo VLNavigator and VersaLex applications.
1. In Cleo VLNavigator, click the Users node in the tree view.
   The LDAP Server tab appears.
2. Select the Enabled check box to enable the fields on the tab.
   If the LDAP server is disabled (the Enabled check box is cleared), any LDAP users and the Default LDAP group, if it exists, are displayed in yellow to indicate that the LDAP server is currently disabled and, therefore, no LDAP account can currently be used to log in.
3. Specify values for the fields in the Server Configuration section.
   See Cleo VLNavigator LDAP server configuration reference.
4. Specify values for the fields in the Domain Configuration section.
5. Add servers to the list of active LDAP servers. Either retrieve LDAP service records or add them manually.
   - To retrieve LDAP service records, select the Lookup check box, specify a value in the Domain field, and click Refresh. LDAP service records found in the domain you specify are displayed in a table.
   - To add LDAP service records manually, clear the Lookup check box and click New to display a dialog box in which you can enter the information for a new record. When you are finished, click OK to dismiss the dialog box and display the new record in the table. Click New to add more records as necessary.
   While the Lookup check box is cleared, you can right-click service records to edit them or remove them from the list.
6. Specify values for Base DN, Search Filter and Username Attribute.
   - Optional. Click Advanced to specify password expiration settings. The Advanced button is enabled only when you select Active Directory from the Directory Type menu. See Cleo VLNavigator LDAP server configuration reference.
   - Click Test to test changes before they are applied. Enter an LDAP username and password. Changes to the Server Configuration panel are not applied until after a successful test login to the LDAP server.
7. Specify values for the fields in the User Configuration section.
Default LDAP group
On the LDAP Server tab, when an LDAP directory service is configured, the optional Username and Password fields are specified, Create/Maintain Default LDAP Group is selected, and Apply is clicked, a special user group called Default LDAP will appear under the Users tree. The Default LDAP group is a convenience group, provided as an easy way to add many users at one time. The users within this group will correspond to those shown when List is clicked (not including any users that already exist within other VLNavigator user groups).
Once created, the Default LDAP group can be disabled, refreshed, or removed by right-clicking the user group in the tree pane and selecting Disable, Refresh, or Remove. If Remove is selected, Create/Maintain Default LDAP Group is cleared for you and the group is removed. Another way to remove the Default LDAP group is to clear Create/Maintain Default LDAP Group and click Apply.
The users within the Default LDAP group cannot be edited or disabled; however, they can be moved to another user group by right-clicking on the user within the tree pane and selecting Move.
Cleo VLNavigator LDAP server configuration reference
- Enabled
- Select the check box to enable LDAP connections to the configured server. Clear the check box to disable LDAP connections. When this check box is cleared, LDAP users are not able to log in.
- Directory Type
- The product used for the external LDAP directory service.
- Possible values:
  - Active Directory
  - Apache Directory Services
  - Lotus Domino (IBM)
  - Novell eDirectory
  - DirX (Siemens)
- Security Mode
- If the directory server requires the use of SSL, specify a security mode. Otherwise, select None.
- Possible values:
  - None - Information retrieved from the directory server is sent in clear text.
  - SSL - Select when your servers support only SSL connections.
  - StartTLS - Select when your servers support SSL by use of the StartTLS command.
Cleo VLNavigator LDAP domain configuration reference
- Lookup
- Select the check box to use the value in the Domain field for retrieving SRV (Service) records for the LDAP service cluster.
- Clear the check box to add records to the table manually.
- Domain
- The name of the domain from which you want to retrieve SRV records.
- Click Refresh to refresh the information in the table using the value in the Domain field.
- SRV record table
- The SRV record table displays information about SRV records. Each row in the table represents one SRV record and contains the following columns:
- Enabled
- Select this check box to use the record. Otherwise, the record is ignored.
- Hostname
- The target machine on which the LDAP service is running.
- Port
- The port used to connect to the LDAP service. Typically, port 389 is used for non-secure (None) or StartTLS mode and port 636 is used for SSL mode.
- TTL
- The Time To Live value, defined as the time interval (in seconds) for which the LDAP service record can be cached before the source of the information (for example, the domain) should be consulted again. A value of zero means that the LDAP record can only be used for the transaction in progress and should not be cached. You can also use a value of zero for extremely volatile data.
- Priority
- The priority of the LDAP server. Attempts are made to contact LDAP servers with the lowest-numbered priority first. LDAP servers with the same priority are contacted in the order specified by the Weight field.
- Possible values: 0-65535
- Weight
- A server selection mechanism that specifies a relative weight for entries with the same priority. Larger weights are given a proportionately higher probability of being selected. Use a zero value when server selection is not required.
- When there are records with weight values greater than zero, records weighted with a zero value will have a very small chance of being selected. When all priority and weight values are the same, the LDAP servers are selected in random order.
- Possible values: 0-65535
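The Priority and Weight rules described above are the SRV record selection algorithm of RFC 2782. The following is an added example, not Cleo's code, that applies those rules to a constructed SRV record table with the same columns (Enabled, Hostname, Port, TTL, Priority, Weight): disabled rows are skipped, the lowest priority number is tried first, and within one priority a weighted random order is produced. The `pick` parameter is an assumption of this example (it defaults to a random draw, and a fixed value can be passed in to see why a zero-weight record is almost never chosen while non-zero weights exist). The hostnames are placeholders.

```python
import random
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class SrvRecord:
    """One row of the SRV record table: Enabled, Hostname, Port, TTL, Priority, Weight."""
    enabled: bool
    hostname: str
    port: int
    ttl: int
    priority: int
    weight: int


# Constructed sample table (placeholder hostnames, not real servers).
SAMPLE_RECORDS = [
    SrvRecord(True, "ldap-a.example.com", 389, 300, 10, 100),
    SrvRecord(True, "ldap-b.example.com", 389, 300, 10, 0),
    SrvRecord(True, "ldap-c.example.com", 636, 300, 20, 50),
    SrvRecord(False, "ldap-d.example.com", 389, 300, 0, 50),  # Enabled cleared: ignored
]


def _weighted_order(group: List[SrvRecord], pick: Callable[[int], int]) -> List[SrvRecord]:
    """Order records that share one priority by weight, as RFC 2782 describes.

    Zero-weight records are placed first; then a number in [0, sum of weights]
    is picked and the first record whose running weight reaches it is chosen.
    A zero-weight record therefore wins only when the pick is exactly 0, which
    is the "very small chance" the documentation mentions. When every weight
    is zero the sum is 0, so the order is simply the table order.
    """
    remaining = sorted(group, key=lambda r: r.weight != 0)  # stable sort: zero weights first
    ordered: List[SrvRecord] = []
    while remaining:
        total = sum(r.weight for r in remaining)
        chosen = pick(total)
        running = 0
        for i, rec in enumerate(remaining):
            running += rec.weight
            if running >= chosen:
                ordered.append(remaining.pop(i))
                break
    return ordered


def order_srv_records(records: List[SrvRecord],
                      pick: Optional[Callable[[int], int]] = None) -> List[SrvRecord]:
    """Return the order in which the servers in the table are contacted:
    enabled rows only, lowest priority number first, weighted order within
    each priority. `pick(total)` must return an integer in [0, total]."""
    if pick is None:
        pick = lambda total: random.randint(0, total)
    enabled = [r for r in records if r.enabled]
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in enabled}):
        same_priority = [r for r in enabled if r.priority == prio]
        ordered.extend(_weighted_order(same_priority, pick))
    return ordered


if __name__ == "__main__":
    for rec in order_srv_records(SAMPLE_RECORDS):
        print(f"{rec.hostname}:{rec.port} priority={rec.priority} weight={rec.weight}")
```

With the sample table, ldap-c (priority 20) is always last, and ldap-d never appears because its Enabled check box is cleared even though its priority number is the lowest. Within priority 10, ldap-b (weight 0) is contacted first only when the pick is exactly 0.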
- Base DN
- The base organizational unit where the users are defined. Contact your directory administrator for the correct Base DN value. (The Base DN value entered here can be overridden in a local user host LDAP mailbox.)
- The following table shows sample base organizational units for the supported directory types.
Directory Type | Example Base DN
Active Directory | OU=Employees,DC=company,DC=com
Apache Directory Services | OU=Users,DC=example,DC=com
Lotus Domino | O=SCNotes
Novell eDirectory | O=Company Organization
DirX | ou=Users,o=Company
- Search filter
- Optional. Used to limit the amount of information returned from the LDAP server when many users are defined. A more restrictive filter can be specified as a comma-separated list. If necessary, contact your directory administrator to determine the appropriate attributes and values. You can override the value entered here in a local user host LDAP mailbox.
- The following table contains example lists with sample attribute names and values.
Search Filter | Description
department=EDI | Limits the search to entries that have the attribute department with a value of EDI.
department=EDI,group=administrators | Limits the search to entries that match both attributes: the user must be in the EDI department and in the administrators group.
department=EDI,telephoneNumber=800* | Limits the search to EDI department members with a telephone number starting with 800.
objectclass=person | Limits the search to entries that are people when the Base DN also contains other entries (for example, computers).
!(userAccountControl:1.2.840.113556.1.4.803:=2) | Excludes disabled accounts. In Active Directory, if an account is disabled, bit 0x02 in the userAccountControl attribute value is set. 1.2.840.113556.1.4.803 is the rule object ID (ruleOID) for the LDAP bitwise AND operator.
- If the value to search for contains any of the following special characters, they must be replaced in the Search Filter with the corresponding escape sequence.
ASCII character | Escape sequence substitute
* | \2a
( | \28
) | \29
, | \2c
\ | \5c
NUL | \00
/ | \2f
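The two tables above (example search filters and the escape sequences for special characters) are shown together in the following added example. It is not Cleo's code: `escape_filter_value` applies the escape table to a literal value, `build_filter` composes the comma-separated list from the Search Filter field into a standard RFC 4515 filter in which every item must match, and `account_disabled` performs locally the same bit test as the userAccountControl example. The way the list is composed into a filter is an assumption of this example; the page does not describe the product's own parsing. Note that escaping is for literal values only: the `*` in `telephoneNumber=800*` is an intended wildcard and stays as written, whereas a value that arrives from user input (a login name, for instance) must be escaped so that characters such as `*`, `(` and `)` cannot change what the filter matches.

```python
# Escape sequences from the page's table (they match RFC 4515 filter escaping;
# "/" is listed on the page, so it is included here as well).
FILTER_ESCAPES = {
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    ",": r"\2c",
    "\\": r"\5c",
    "\x00": r"\00",
    "/": r"\2f",
}

# Active Directory userAccountControl flag tested by the page's example filter
# (userAccountControl:1.2.840.113556.1.4.803:=2): bit 0x02 means "account disabled".
ADS_UF_ACCOUNTDISABLE = 0x02


def escape_filter_value(value: str) -> str:
    """Replace each special character in a literal attribute value with its escape.

    Apply this to any value taken from user input before placing it in a
    filter; an unescaped "*" or ")" changes the meaning of the filter.
    """
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def filter_item(attribute: str, literal: str) -> str:
    """Build one attribute=value item from a literal value, escaping the value."""
    return f"{attribute}={escape_filter_value(literal)}"


def build_filter(search_filter: str) -> str:
    """Compose the comma-separated Search Filter list into an RFC 4515 filter.

    Every item must match, so several items are joined with "&" (the page's
    examples describe the items as all required). Assumption of this example:
    the page does not document the product's own composition. Because a literal
    comma inside a value is escaped as \\2c, splitting on "," never splits a
    value. An item that already begins with "(" is used as written; "!(...)"
    is wrapped so that the page's userAccountControl example becomes (!(...)).
    """
    items = [item.strip() for item in search_filter.split(",") if item.strip()]
    parts = [item if item.startswith("(") else f"({item})" for item in items]
    if not parts:
        return ""
    if len(parts) == 1:
        return parts[0]
    return "(&" + "".join(parts) + ")"


def account_disabled(user_account_control: int) -> bool:
    """Local check equivalent to the bitwise-AND matching rule in the page's filter.

    512 is a normal enabled account; 514 is the same account with bit 0x02 set.
    """
    return bool(user_account_control & ADS_UF_ACCOUNTDISABLE)


if __name__ == "__main__":
    print(build_filter("department=EDI,telephoneNumber=800*"))
    print(build_filter("department=EDI," + filter_item("cn", "Acme, Inc (EU)")))
    print(build_filter("!(userAccountControl:1.2.840.113556.1.4.803:=2)"))
    print(account_disabled(514), account_disabled(512))
```

The second call shows why the escape table matters: the comma, parentheses and any wildcard inside the literal value are escaped, so the value is still one item and still a literal match when the list is split and composed.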
- Username Attribute
- The Username Attribute is the directory attribute that matches the username entered when a login is required. The following table contains typical attribute names for the supported directory types.
Directory Type | Username Attribute
Active Directory | sAMAccountName
Apache Directory Services | Uid
Lotus Domino | CN
Novell eDirectory | CN
DirX | cn
- LDAP Server Advanced Settings
- The LDAP Server Advanced Settings dialog box displays when you click Advanced on the LDAP Server tab. Use this dialog box to specify values for password expiration checking.
- Enable Password Expiration Checking
- Select this check box to enable password expiration checking and the rest of the fields in the dialog box. Password expiration checking provides a daily email notification to the system administrator.
- Warning Days Before Password Expiration
- The range of days within which a notification is generated.
- Daily Time Check
- The time of day password expiration is checked.
- To
- The email address of the recipient of the daily password expiration check notification. You can specify multiple recipients. Separate email addresses with commas (,), semi-colons (;) or colons (:).
- Individual users can also receive an email notification when the Security Mode is not set to None and an email address is configured for the user (as part of their Active Directory settings). A Web Portal user whose password has not already expired is directed to the web link (see Providing access to the web portal) where they can change their password. Otherwise, they are directed to contact the system administrator for assistance in changing it.
- Default value: The System Administrator email address defined in the panel in the native UI or in the web UI.
- From
- The email address of the sender of the daily password expiration check notification. If this field contains multiple email addresses, only the first address is displayed.
- Default value: The System Administrator email address defined in the panel in the native UI or in the web UI.
- Subject
- String that appears in the Subject field of the daily password expiration check notification.
Cleo VLNavigator LDAP user configuration reference
- Email Address Attribute
- Required field. Attribute name for a user's email address.
Note: If you do not specify the Email Address attribute and you have LDAP users who try to reset a password via email, the application will not send password-reset emails.
- Phone Attribute
- First Name Attribute
- Last Name Attribute
- Full Name Attribute
- Optional fields. Other options might depend on the values you specify for these fields.
- User UID Attribute
- Required field.
- An additional distinguishing attribute in the user list.
- LDAP Account for Extracting Users
- Username
- Password
- Credentials used to log in to the LDAP directory service to extract LDAP users, either to populate the optional Default LDAP user group or when you browse for users on the Cleo VLNavigator User tab. In addition to the List button here and in each of the local user host mailbox LDAP tabs, this account is used to periodically extract users in order to check mailbox license limits and to create user subdirectories.
- Create/Maintain Default LDAP Group
- Select the check box to create the optional Default LDAP user group. Clear the check box to remove the Default LDAP user group.