How to Configure a Novell eDirectory LDAP Directory Connection
You can use a Novell eDirectory LDAP user directory as a user store. The following process lists the steps for creating the user store connection to the Policy Server:
- Configure NetWare
- Configure Anonymous LDAP Access on Novell eDirectory
or
Create access for a specific CA SiteMinder® Administrator:
- Special Access for the CA SiteMinder® Administrator
- Create a Novell eDirectory User Account for CA SiteMinder® Administration
- Configure a Novell eDirectory LDAP Directory Connection
Configure NetWare
This configuration lets the Policy Server log into the Novell eDirectory, view the contents of the directory, and retrieve directory attributes. Some advanced features may require you to configure the Novell eDirectory to allow the Policy Server write access.
If LDAP is part of your Novell eDirectory installation, name a server in Novell eDirectory "LDAP Server" and an LDAP group "LDAP Group". LDAP Server is a member of the LDAP Group.
Follow these steps:
- Create an LDAP Server in Novell eDirectory. (For this example, it is called LDAP Server.)
- Create an LDAP Group in Novell eDirectory. (For this example, it is called LDAP Group.)
- Assign LDAP Group to LDAP Server.
- In the NW Admin tool, right-click LDAP Server.
Note: If you are using the NetWare ConsoleOne tool instead of the NW Admin tool to modify your Novell eDirectory, you must complete the same tasks using the tools available in ConsoleOne. The interface of the two tools is similar. See your Novell documentation for more information.
- From the popup menu, select Details.
- Type LDAP Group in the LDAP Group field.
- Click OK.
More information:
Directory Attributes Overview
Configure Anonymous LDAP Access on Novell eDirectory
For the Policy Server to interact with a Novell eDirectory, create an account with enough administrative privileges to allow access to the directory. The easiest configuration is to generate an anonymous user on the LDAP server and make this user the proxy. The user is assigned enough power to perform all functions.
The following instructions assign administrator privileges to an anonymous user, although you can configure the user with more limited privileges. Any anonymous access to the LDAP directory gains the same privileges that you give to CA SiteMinder®.
- Create a user named LDAP_Anonymous.
The following procedure is an example:
- From the menu bar of the NW Admin tool, select Object, Create, User.
- Add the name LDAP_Anonymous.
- Do not assign a password.
- In the right frame, select Security Equal To and add the admin user (for example, Admin.transpolar).
- Click OK.
- Set up a proxy account:
The following procedure is an example:
- In the NW Admin tool, select LDAP Group.
- From the popup menu, select Details.
- Click Continue.
- In the Proxy Username field, enter LDAP_Anonymous.
- In the right frame, select Access Control and click Add.
- In the LDAP ACL Name field, enter LDAP_Anonymous.
- Select the LDAP Distinguished Name check box and enter cn=LDAP_Anonymous.
- Select the All Attributes and Object Rights check box.
- Click OK.
- In the right frame, select Access Control and click Add.
- In the box that is labeled LDAP ACL Name, enter Everyone.
- Select the Everything check box.
- Select the All Attributes and Object Rights check box.
- Click OK.
- Click OK.
To continue configuring your Novell eDirectory for use with the Policy Server, see Configure a Novell eDirectory LDAP Connection in the Administrative UI.
Special Access for the SiteMinder Administrator
The alternate instructions below allow special access only to the Policy Servers. These may be more appropriate in some environments.
- Create a Novell eDirectory user to represent the CA SiteMinder® administrator. For example, siteminder_admin.
- Give this user a password that the CA SiteMinder® administrator generates and enters in the Administrative UI.
Create a Novell eDirectory User Account for SiteMinder Administration
You can create a user account for the policy administrator using the NW Admin tool.
Follow these steps:
- In the NW Admin tool, right-click LDAP Group.
- From the popup menu, select Details.
- In the right panel, click Access Control.
- Add an ACL.
- Enter a name for the ACL.
- In the Access By List screen, click Add.
- In the Access By List panel, click LDAP Distinguished Name.
- Enter the following: cn=siteminder_admin.
By default, set the access level to Read, which is sufficient for basic functions. Customers who use active APIs or advanced features (for example, Password Services, User Disablement, or Registration Services) may require Write access.
Ping the User Store System
Be sure to ping your user store system before configuring to verify that a network connection exists between the Policy Server and the user directory or database.
Note: Some user store systems may require the Policy Server to present credentials.
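As an added check that is not part of this guide: a ping confirms only that the host is up, while the script below (written for this page, standard library only) opens the LDAP port and sends a hand-encoded LDAPv3 simple bind (RFC 4511), so you can see whether the directory accepts an anonymous bind or answers that the Policy Server must present credentials. The host name edir.example.test and the siteminder_admin DN are placeholders.

```python
import socket

RESULT = {0: "bind accepted", 48: "inappropriateAuthentication (credentials required)",
          49: "invalidCredentials", 50: "insufficientAccessRights", 53: "unwillingToPerform"}

def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV with definite length (short form below 128, long form above)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def bind_request(msg_id: int, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } };
    empty dn and password is the anonymous bind. msg_id must stay below 128 for this encoder."""
    body = ber(0x02, b"\x03") + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, body))

def _tlv(data: bytes, pos: int):                       # -> (tag, payload, position after it)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
    return tag, data[pos:pos + length], pos + length

def parse_bind_response(data: bytes):
    """Return (resultCode, diagnosticMessage) from an LDAPMessage carrying a BindResponse."""
    tag, msg, _ = _tlv(data, 0)
    _, _, pos = _tlv(msg, 0)                           # skip messageID
    op, resp, _ = _tlv(msg, pos)
    if tag != 0x30 or op != 0x61:                      # 0x61 = [APPLICATION 1] BindResponse
        raise ValueError("not an LDAPMessage carrying a BindResponse")
    _, code, pos = _tlv(resp, 0)                       # resultCode ENUMERATED
    _, _, pos = _tlv(resp, pos)                        # matchedDN (unused)
    _, diag, _ = _tlv(resp, pos)                       # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def probe(host: str, port: int = 389, dn: str = "", password: str = "", timeout: float = 5.0) -> str:
    """Connect, bind, and describe the answer; an unreachable port is reported, not raised."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bind_request(1, dn, password))
            code, diag = parse_bind_response(s.recv(4096))   # a BindResponse fits in one read
    except OSError as e:
        return f"no connection to {host}:{port}: {e}"
    return RESULT.get(code, f"resultCode {code}") + (f": {diag}" if diag else "")

if __name__ == "__main__":                             # placeholder host; anonymous bind first
    print(probe("edir.example.test"))
```

Pass dn="cn=siteminder_admin,o=<your org>" and the password to repeat the probe with the administrator account from the previous section; a result of 48 or 49 means the directory is refusing the anonymous or supplied credentials rather than the network being down.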
Configure Novell eDirectory LDAP Directory Connections
You can configure a user directory connection that lets the Policy Server communicate with a Novell eDirectory user store.
Follow these steps:
- Click Infrastructure, Directory.
- Select User Directories.
- Click Create User Directory.
- Complete the required connection information in the General and Directory Setup areas.
- Configure the LDAP search and LDAP user DN lookup settings in the LDAP Settings area.
Note: If the user directory contains multiple organizations, you can leave the Root field blank. This lets the Policy Server search for users in multiple organizations.
- (Optional) Do the following in the Administrator Credentials area:
- Select the Require Credentials option.
- Enter the credentials of an administrator account.
- (Optional) Specify the user directory profile attributes that are reserved for CA SiteMinder® use in the User Attributes area.
- (Optional) Click Create in the Attribute Mapping List area to configure user attribute mapping.
- Click Submit.
The user directory connection is created.
More information:
LDAP Load Balancing and Failover
Define an Attribute Mapping
Copyright © 2014 CA.
All rights reserved.