· You must have the following information:
o The host name of the LDAP Server
o The port number of the LDAP Server
o If you use SSL, the port number you want to use for SSL
o The DIT Root
o The User RDN Key
o The Relative Authentication and Directory Services Attributes
o Object Class Attributes
o LDAP user and group bind attributes
NOTE: If you do not know how to gather the information listed above from your LDAP server, refer to the Solution (for Windows Environments): How To Use the LDIFDE tool to Gather information from LDAP.
NOTE: You must be a site administrator to perform this solution.
NOTE: All examples provided in this solution are for reference purposes only; you will need to configure your LDAP settings in DocuShare based on your LDAP server's environment.
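The information in the list above is usually gathered from an LDIF export (the LDIFDE solution referred to above). As an added example, not part of this solution or of DocuShare, the following Python script reads a constructed LDIF export and pulls out the values these pages ask for: the attribute names present on each object class (for the Bind User and Bind Group pages) and the deepest container shared by all user entries (the "most common point" for the Relative Locator when accounts are spread across branches). The sample LDIF, its DNs and its attribute values are constructed for this example.

```python
import base64
import itertools
import re

# Constructed LDIF sample (not a real export); shaped like an ldifde dump of two containers.
SAMPLE_LDIF = """\
dn: cn=joesmith,cn=users,dc=marketing,dc=california,dc=acme,dc=com
objectClass: user
cn: joesmith
givenName: Joe
sn: Smith
sAMAccountName: joesmith

dn: cn=anne,cn=users,dc=sales,dc=california,dc=acme,dc=com
objectClass: user
cn: anne
sAMAccountName: anne

dn: cn=Marketing Staff,cn=groups,dc=marketing,dc=california,dc=acme,dc=com
objectClass: group
cn: Marketing Staff
description:: TWFya2V0aW5nIHRlYW0=
"""

def parse_ldif(text):
    """One {attr: [values]} dict per entry; unfolds continuation lines and decodes '::' base64 values."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            val = base64.b64decode(val[1:].strip()).decode() if val.startswith(":") else val.strip()
            entry.setdefault(attr, []).append(val)
        entries.append(entry)
    return entries

def attributes_by_object_class(entries):
    """objectClass -> sorted attribute names seen on entries of that class (Bind User / Bind Group input)."""
    seen = {}
    for e in entries:
        for oc in e.get("objectClass", []):
            seen.setdefault(oc, set()).update(a for a in e if a not in ("dn", "objectClass"))
    return {oc: sorted(attrs) for oc, attrs in seen.items()}

def common_base(dns):
    """Deepest container shared by all DNs, for the Relative Locator. Splits on ',' (no escaped commas)."""
    rev = [[c.strip() for c in dn.split(",")][::-1] for dn in dns]
    common = [p[0] for p in itertools.takewhile(lambda p: len(set(p)) == 1, zip(*rev))]
    return ",".join(reversed(common))
```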
1. Set up a connection between your LDAP server and DocuShare
a. Log into DocuShare as admin
b. Click the Admin Home link on the navigation bar
c. Click the [+] symbol next to Account Management
d. Click the [+] symbol next to LDAP Accounts
e. Click the Configuration link. The Configuration page displays.
f. In the Host(s) field, enter either the Host Name, IP Address or the DNS name of your LDAP/Active Directory Server.
NOTE: A Fully Qualified Domain Name (FQDN) is preferred, but an IP address will do if an FQDN is not available.
NOTE: If applicable, use a space to separate multiple LDAP server entries. Defining multiple host names is for redundancy only; every LDAP host defined must have an identical DIT.
g. In the Port field, enter the port number used by the LDAP server, if it is not the default port 389.
h. If applicable, select Use SSL and, in the SSL field, enter the port number you want to use for the SSL connection, if it is not the default port 636.
NOTE: If SSL is to be used, the LDAP server's certificate must be added to the dstruststore using keytool.
i. In the DIT Root field, enter the Directory Information Tree (DIT) root for the namespace that you created on your LDAP server. Example: dc=California, dc=acme, dc=com
j. From the Server Type menu, select Active Directory or SunOne/iPlanet/NDS Directory
k. The User RDN Key field will be automatically pre-filled with cn or uid depending on the Server Type selected in the previous step.
NOTE: If you require cn rather than uid as the User RDN Key when SunOne/iPlanet/NDS Directory is selected, you will need to manually enter cn= in the field. If the = sign is missing, the setting will not stick.
l. In the System Agent field, select Agent
NOTE: Most Active Directory servers require either an Agent or a Service account login.
m. In the DN field, enter the distinguished name of the agent account. Example: cn=dsagent, cn=users, dc=marketing, dc=california, dc=acme, dc=com
n. In the Password field, enter the password for the agent account that you entered in the DN field.
o. Click the Apply button to save the information you entered in the LDAP Configuration page.
NOTE: If you proceed to the next step (testing the LDAP connection) without applying the changes, and you have SunOne/iPlanet/NDS Directory selected with cn= as the RDN key, the selection will not be saved properly; it will revert to uid.
2. Test the LDAP Connection
a. After your settings have been applied, you are returned to the LDAP Configuration page. Scroll down to the Test LDAP Configuration section at the bottom of the page.
b. In the Connecting DN field, select Anonymous.
c. Click the Apply and Test button.
NOTE: This test pings the LDAP server. A success message appears if DocuShare can ping the LDAP server.
d. In the Connecting DN field of the Test LDAP Connection area, select Agent.
NOTE: This test uses the agent information provided in the System Agent fields above.
e. Click the Apply and Test button.
NOTE: This tests the validity of the System Agent DN. A success message appears if the System Agent DN is valid.
f. In the Connecting DN field, select User.
g. In the Name field, enter the DN of the user. Example: cn=joesmith, cn=users, dc=marketing, dc=acme
h. In the Password field, enter the password for the user.
i. Click the Apply and Test button.
NOTE: This tests the validity of the LDAP directory. A success message appears if the LDAP directory is valid.
3. Use LDAP Advanced configuration to set how specific object classes are defined on the LDAP server
a. Click the Advanced button on the bottom of the LDAP Configuration page.
b. In the User field, enter the user property for your LDAP server. Example: user
c. In the Static Group field, enter the static group property for your LDAP server. Example: group
d. Click the Apply button.
4. Use the DocuShare administration provider pages to enable LDAP as both the security and directory service for all external domains
a. From Admin Home, click the [+] symbol next to Account Management.
b. Click the [+] symbol next to Providers
c. Click the Security Services link. The Security Services page displays.
d. Select LDAP to enable LDAP.
e. Click the Apply button.
f. Under Providers, on the left-hand side of the page, locate the Directory Services link.
g. Click the Directory Services link. The Directory Services page displays.
h. Select LDAP to enable LDAP
i. Click the Apply button.
5. Establish an association between specific DocuShare user account properties and LDAP account attributes
a. From Admin Home, click the [+] symbol next to LDAP Accounts
b. Click the Bind User link. The Bind User page displays.
c. In the First Name field, enter the attribute that LDAP uses for the first name of a user. Example: givenName
d. In the Last Name field, enter the attribute that LDAP uses for the last name of a user. Example: sn
NOTE: The Last Name User Bind Attribute is a required field.
e. In the UserName field, enter the attribute that LDAP uses for the login name of a user. Example: sAMAccountName
NOTE: If there are more LDAP attributes, such as Email Address (mail), enter those attributes in the appropriate fields.
f. Click the Apply button.
6. Establish an Association between specific DocuShare Group account properties and LDAP account attributes
a. From Admin Home, click LDAP Accounts
b. Click the Bind Group link. The Bind Group page displays.
c. In the Title field, enter the attribute that LDAP uses for the Title (this field is required). Example: cn
d. In the Description field, enter the attribute that LDAP uses for Description. Example: description
e. In the Summary field, enter the attribute that LDAP uses for Summary. Example: info
NOTE: If there are more LDAP attributes, enter those attributes in the appropriate fields.
f. Click the Apply button.
7. Create an External Domain on your DocuShare site
NOTE: Each external domain represents a branch in the LDAP directory tree, and each branch contains a collection of DocuShare user and group accounts.
a. From Admin Home, click the [+] symbol next to Account Management
b. Click the Domains link. The Domains page displays.
c. In the Domain Name field of the Add column, enter the name of the external domain as it exists on the LDAP server.
d. In the Authentication and Directory Services field, select LDAP, LDAP
e. In the Relative Authentication Locator field, enter one or more attribute pairs to define the path to the LDAP directory that contains the user and group accounts. Example: cn=users, dc=marketing, dc=california, dc=acme, dc=com
f. In the Relative Directory Service Locator field, enter the same values as in the Relative Authentication Locator field.
NOTE: If user accounts are spread across several branches of the directory, use the most common parent container (for example dc=california, dc=acme, dc=com) as the locator and enable the subtree search functionality.
NOTE: The LDAP Server Info box is used only when a separate LDAP server, not part of the current LDAP configuration, is to be used for this domain.
NOTE: DocuShare supports only LDAP for authentication and directory services, therefore the values of the two fields are the same.
g. Click Add to add this external domain to your local login menu.
NOTE: If you were to run List Users or List Groups on this domain, the domain would be empty. You will need to populate the new external domain with the user and group accounts. These accounts must already exist on the LDAP Server; you cannot use DocuShare to create new accounts on the LDAP server.