LDAP

From GWAVA Technologies Training
Revision as of 22:09, 10 November 2016 by Stephanf (Talk | contribs)


Lightweight Directory Access Protocol (LDAP)

LDAP is the protocol through which applications and directory services (such as eDirectory and Active Directory) communicate.

LDAP Structure

There are only four basic fields in the LDAP Data Interchange Format (LDIF):

  • dc Domain Component (dc=gwava,dc=com)
  • ou Organizational Unit (ou=provo or ou=montreal)
  • cn Common Name (cn=Stephan Fassmann or cn=confRm01)
  • dn Distinguished Name (dn=stephanf)

LDAP errors

Code 49

When setting up a system with LDAP authentication you may get an error code 49. This indicates an authentication error. The specific cause is given by the sub-code listed after data in the message, as in the example below. [1]

LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580]
  • 525 user not found
  • 52e invalid credentials
  • 530 not permitted to logon at this time
  • 531 not permitted to logon at this workstation
  • 532 password expired
  • 533 account disabled
  • 701 account expired
  • 773 user must reset password
  • 775 user account locked
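As an added example (not from this page or from GWAVA), a small Python helper that pulls the sub-code listed after data out of a code 49 message, maps it to the causes above, and tallies a batch of log lines so repeated lockouts or credential failures stand out; the function names and the sample log lines are constructed.

```python
import re

# Sub-codes listed after "data" in an Active Directory error 49 message (from this page).
AD_ERROR49_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "user account locked",
}
_CODE_RE = re.compile(r"error code (\d+)")
_DATA_RE = re.compile(r"\bdata ([0-9a-fA-F]+)\b")

def explain_ldap_error(message):
    """Return (code, subcode, explanation); only code 49 carries an AD sub-code."""
    code_match = _CODE_RE.search(message)
    if code_match is None:
        return (None, None, "not an LDAP error message")
    code = int(code_match.group(1))
    if code != 49:
        return (code, None, "see LDAP result code %d" % code)
    data_match = _DATA_RE.search(message)
    if data_match is None:
        return (49, None, "authentication error (no AD sub-code present)")
    subcode = data_match.group(1).lower()
    return (49, subcode, AD_ERROR49_SUBCODES.get(subcode, "unknown sub-code"))

# Constructed sample log lines, not captured from a real system.
SAMPLE_LOG = [
    "LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: "
    "AcceptSecurityContext error, data 52e, v2580",
    "LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: "
    "AcceptSecurityContext error, data 775, v2580",
    "LDAP: error code 32 - 0000208D: NameErr: DSID-031522C9, problem 2001 (NO_OBJECT), data 0",
]

def triage(lines):
    """Count lines per explanation so repeated lockouts or bad credentials stand out."""
    counts = {}
    for line in lines:
        explanation = explain_ldap_error(line)[2]
        counts[explanation] = counts.get(explanation, 0) + 1
    return counts
```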

Code 32

This indicates a rights error. The user does not have rights to the container you are trying to access.

LDAP: error code 32 - 0000208D: NameErr: DSID-031522C9, problem 2001 (NO_OBJECT), data 0, best match of:
    'CN=InformationStore,
     CN=EXCH01,
     CN=Servers,
     CN=Exchange Administrative Group (FYDIBOHF23SPDLT),
     CN=Administrative Groups,
     CN=gwava Organization,
     CN=Microsoft Exchange,
     CN=Services,
     CN=Configuration,
     DC=aria,
     DC=local']; remaining name 'CN=Mailbox Database,
     CN=First Storage Group,
     CN=InformationStore,
     CN=EXCH01,
     CN=Servers,
     CN=Exchange Administrative Group (FYDIBOHF23SPDLT),
     CN=Administrative Groups,
     CN=gwava Organization,
     CN=Microsoft Exchange,
     CN=Services,
     CN=Configuration,
     DC=gwava,
     DC=local'

This can be very difficult to resolve. It requires following that path in Active Directory Sites and Services, finding the Impersonation User at that location, and granting it the rights needed to traverse the tree.

AD Solution to LDAP error code 32 Issue [2]

LDAP Troubleshooting Tools

There are a few tools that can be handy in dealing with LDAP issues.

Softerra LDAP Browser is a very good tool: it is read-only, so it cannot change anything in the directory.

Apache Directory Studio is a more powerful tool, as it can write to directory structures given proper credentials, so be careful not to shoot yourself in the foot. Retain uses the Apache LDAP libraries, so if Apache Directory Studio cannot log in with a given set of credentials, Retain will not be able to log in with them either.

Connecting LDAP Systems

Some customers use Active Directory (AD) to manage their users while using GroupWise for their email system. Retain can be set to use LDAP authentication so users can log in using their email address.

  1. Install an AD system [3]
    1. Create some test users.
  2. Install a GW system [4] with a domain and post office
    1. Create some test mailboxes that match the test users in AD; you do not need to give them passwords.
  3. Setting Up an LDAP Directory [5]
    1. Go into GroupWise Administration/System and open LDAP Servers
      1. Create a New Directory with the IP address of your AD server
      2. Set the LDAP user name (for example, Administrator) and password
      3. Set the Base DN (for example, DC=sf,DC=gwava,DC=net)
      4. Choose the Sync Domain (the GW domain)
      5. Enable Synchronization.
    2. Create a New LDAP Server
      1. Select the Directory
      2. Enter the IP address of the AD server.
      3. Under the Post Offices tab, select a post office
    3. Go to Post Offices and choose the post office that will be using LDAP.
      1. Under the Security tab choose LDAP Authentication and select Preferred LDAP Servers
    4. Go to System and open Directory Associations
      1. Enable Search Sub Tree
      2. Associate Mailboxes with their LDAP Names
  4. Go to the GroupWise module and fill out the LDAP tab
    1. Enable EMail Address lookup
    2. Provide the LDAP Server hostname or IP address
    3. Provide the LDAP Port (usually 389 or 636)
    4. Enable Use SSL, if necessary
    5. Provide the LDAP Admin User's distinguishedName in the form CN=Administrator,CN=Users,DC=company,DC=com
    6. Provide the Password for LDAP Admin User
    7. Provide the Top Search Context, usually the distinguishedName of the domain in the form DC=company,DC=com
  5. Edit the file ~\Beginfinite\Retain\RetainServer\WEB-INF\classes\config\misc.properties
    1. Change the following lines:
      1. custom.ldap.enable=1
      2. custom.ldap.class=com.gwava.authenticate.gw.AlternativeGWLDAPAuthentication
  6. Restart Tomcat
  7. Refresh the address book in Retain.

You should be able to log into Retain with the email address of an LDAP test user.
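Steps 4.5 and 4.7 both take a distinguishedName built from the cn/ou/dc components described under LDAP Structure, and a typo in either value only shows up later as a failed login. As an added example, not GWAVA's or Retain's own code, a Python checker that splits such DNs (honouring backslash-escaped commas), validates every RDN and confirms that the LDAP Admin User DN and the Top Search Context belong to the same domain; the helper names and sample values are hypothetical.

```python
# Hypothetical helpers for checking the two DN values typed into the Retain LDAP tab.
def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]

def normalize_rdn(rdn):
    """Lower-case type and value so CN=Users and cn=users compare equal."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip() or not value.strip():
        raise ValueError("malformed RDN: %r" % rdn)
    return attr.strip().lower() + "=" + value.strip().lower()

def domain_dn(dn):
    """Return the trailing dc= components (the domain DN), validating every RDN."""
    rdns = [normalize_rdn(p) for p in split_dn(dn)]
    tail = []
    for rdn in reversed(rdns):
        if not rdn.startswith("dc="):
            break
        tail.insert(0, rdn)
    return ",".join(tail)

def check_ldap_tab(admin_dn, top_search_context):
    """Return problems with the LDAP Admin User DN and Top Search Context (empty if OK)."""
    try:
        admin_domain = domain_dn(admin_dn)
        base_domain = domain_dn(top_search_context)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for name, dom in (("admin DN", admin_domain), ("Top Search Context", base_domain)):
        if not dom:
            problems.append(name + " has no DC= components")
    if admin_domain and base_domain and admin_domain != base_domain:
        problems.append("admin DN and Top Search Context are in different domains")
    return problems
```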
