LDAP/Active Directory Guide

Release 4.0

Publication date: October 2004 Copyright 2004 Xerox Corporation. All Rights Reserved. Xerox , The Document Company, the digital X and DocuShare are trademarks of Xerox Corporation. All other signs or marks are the properties of their respective companies, and recognized as such. Specifications accurate at time of publication. Specifications subject to change without notice.

Table of Contents
Chapter 1 Understanding the LDAP structure
LDAP overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 LDAP structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Relative Distinguished Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Distinguished Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Directory Information Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 DIT organization based on geographical domains . . . . . . . . . . . . . . . . . . . . . . 15 DIT organization based on DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Chapter 2

LDAP/DocuShare configuration

DocuShare Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 LDAP and SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 Import the Certificate to DocuShare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 Export the Certificate and Save as a CER File . . . . . . . . . . . . . . . . . . . . . . . . 213 Placing the Certificate into DSTrustStore . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 The Active Directory Administration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 Using the Active Directory Administration tool. . . . . . . . . . . . . . . . . . . . . . . . . 217 The Active Directory LDIFDE command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 LDIFDE command syntax and usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 LDIFDE command example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 Analyzing the adexport.txt file contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

DocuShare LDAP/Active Directory Guide

iii

Table of Contents

iv

Release 4.0

Understanding the LDAP structure

DocuShare LDAP/Active Directory Guide

11

LDAP overview

Understanding the LDAP structure

LDAP overview
While some background information is provided for understanding basic concepts, this guide does not provide instructions for implementing either LDAP or Windows Active Directory. The information in this guide assumes the Active Directory server is already in place and is being managed by either an Active Directory administrator or by an LDAP administrator. Examples shown in this appendix use Microsoft Windows 2000 Server with Microsoft Internet Explorer (IE) V.6.X. LDAP, or Lightweight Directory Access Protocol, is a lightweight alternative to the X.500 Directory Access Protocol (DAP). LDAP uses the TCP/IP protocol stack instead of the OSI protocol stack that is required by X.500. As a lightweight alternative, LDAP simplifies some operations, but lacks support for some of the features of X.500 DAP. LDAP is the protocol that is used between a directory client and a server. LDAP defines the content of messages exchanged between an LDAP client and an LDAP server. The LDAP client, in this case the DocuShare server, communicates to the LDAP server. The LDAP server, acting as a gateway, accesses the LDAP directory. The LDAP directory may be implemented either as a stand-alone on the LDAP server or as a directory on an X.500 server. DocuShare submits directory content queries to the LDAP server. The LDAP server accesses the directory, either LDAP or X.500, and returns the results to DocuShare. The LDAP protocol allows for read and for update client operations on the directory data.

NOTE: DocuShare does not update LDAP directory data. DocuShare only reads the results of the queries that it sends to the LDAP server.

12

Release 4.0

Understanding the LDAP structure

LDAP structure

LDAP structure
Entries within an LDAP directory are organized in a specific hierarchical structure.

Directories
A directory is a special type of database. Directories are optimized to support a high volume of read requests along with write access that is generally limited to system administrators. Similar to the white pages of a telephone book, an LDAP directory is read more times than it is updated. Just as a telephone book lists individuals, companies, and organizations, an LDAP directory lists objects such as users, servers, and printers. In the same way that a telephone book contains information about each listing, such as name, number, and address, the entries in the LDAP directory contain pertinent information about each object. This object information is referred to as attributes.

Attributes
Each object entry within an LDAP directory contains one or more attributes. Each attribute is comprised of a type and a value. A telephone book entry has attributes such as the name of a person and a corresponding telephone number. LDAP attributes appear in the format of commonName=Jane Smith telephoneNumber=555-555-5555. Table 11 lists some common LDAP attributes, along with the alias associated with the attribute. Table 11: LDAP Attribute commonName Surname userID telephoneNumber origanizationalUnitName organization domainComponent Attribute Alias cn sn uid ou o dc Description of Attribute Common name of an entry Last name of the person User ID or login name Telephone number Name of organizational unit Name of organization DNS component Example Jane Doe Doe jdoe 555-123-4567 my department my company xyz.com

Relative Distinguished Name

The Relative Distinguished Name, or RDN, is represented in the form of an attribute data pair (type and value), such as: cn=Jane Doe uid=smith ou=marketing dc=Xerox

DocuShare LDAP/Active Directory Guide

13

LDAP structure

Understanding the LDAP structure

Distinguished Name
Entries in the directory are organized by a Distinguished Name (DN). Distinguished Name is similar to the absolute path to a file in the Windows file system. The DN of an object is made up of the name and the location of the entry within the directory. A DN is made up of RDN attribute data pairs, separated by commas, such as: cn=John Smith,ou=marketing,dc=Xerox,dc=com cn=John Smith,ou=engineering,dc=Xerox,dc=com The path for a DN is from the lowest order to highest order. This is the reverse of the order that is used in the Windows file system. Just as the Windows file system allows numerous files to have the same name, if each file is in a different file directory, numerous users can have the same RDN as long as each DN is unique. As the DN example above shows, a John Smith can be listed in the marketing department and a John Smith can be listed in the engineering department.

14

Release 4.0

Understanding the LDAP structure

Directory Information Tree

Directory Information Tree

The directory arranges entries in a hierarchical tree-like structure called the Directory Information Tree or DIT. A DIT is based on the Distinguished Name of the entries, with the Distinguished Names organized into branches that generally represent a geographical or organizational structure. Microsoft Active Directory is often organized either by geographical domains or by DNS.

DIT organization based on geographical domains

The illustration below shows how the administrator at seafood importing corporation might organize the LDAP directory hierarchy according to geography. To host a DocuShare server for their Acme company in the US, the administrator would define the DIT Root as o=Acme, c=us. To define an external domain for the importing department at Acme, the administrator would define the Relative Authentication and the Directory Service Locator as ou=import.

DIT organization based on DNS

The illustration below shows how the administrator at corporation might organize the LDAP directory hierarchy according to DNS. The company uses Windows domain servers

DocuShare LDAP/Active Directory Guide

15

Directory Information Tree

Understanding the LDAP structure

for the marketing, engineering, and finance divisions. By defining the DIT root as dc=mycompany, dc=com, the administrator can create a DocuShare external domain for each department within a division. To define an external domain for the Accounts Receivable department in the Finance division, the administrator would define the Relative Authentication and the Directory Service Locator as ou=accts recv, dc=finance.

16

Release 4.0

LDAP/DocuShare configuration

DocuShare LDAP/Active Directory Guide

27

DocuShare Configuration

LDAP/DocuShare configuration

DocuShare Configuration
To configure your DocuShare site to use LDAP/Active Directory, login as admin to your DocuShare site, then follow procedures A through F. To configure DocuShare correctly, use either the Active Directory Administration Tool or the Active Directory LDIFDE command to gather the necessary information. Both information gathering processes are described in this chapter.

A- LDAP Configuration
Use the DocuShare administration LDAP Configuration page to establish a connection between your DocuShare server and your LDAP server, and to define the Directory Information Tree that is used to create DocuShare external domains. 1. Open the LDAP Configuration page of the Administration UI. 2. Enter in the Host(s) field, the Host Name, or the IP address, or the DNS name of the LDAP/Active Directory server (FQDN preferred, or IP address if not FQDN). Use a space to separate multiple LDAP server address entries. 3. Enter in the Port field, the port number that is used by your LDAP server if other than the default port number 389. 4. Optional: Enter in the SSL field, the port number used for Secure Socket Layer. 5. Enter in the DIT Root field, the information you obtained using the Active Directory Administration Tool search for a reference to namingContext. For example, this information would be in the format of dc=adoc,dc=Xerox,dc=com. 6. Enter in the User RDN Key field, the attribute cn. This is the alias for the attribute commonName. The attribute my be different, depending on the type of LDAP server used (iPlanet etc). 7. Select Agent in the System Agent field. Most Active Directory servers require either an Agent or a Service account login. 8. Enter in the DN field, the Distinguished Name of the agent account. For example, cn=john,cn=users,dc=adoc,dc=xerox. 9. Enter in the Password field, the password for the Agent account. 10. Go to the Test LDAP section at the bottom of the LDAP Configuration page. Use Test LDAP to check for a valid connection and a successful login to the LDAP server. 11. Select Agent in the Connection DN field. 12. Enter in the Name field, the Distinguished Name that you entered in the DN field in step 7. 13. Enter in the Password field, the password that you entered in the Password field in step 8.

28

Release 4.0

LDAP/DocuShare configuration 14. Click Apply and Test.

DocuShare Configuration

You will see a "Success" message if you have correctly established a connection to the LDAP server. 15. Repeat steps 11 through 14 but select User in the Connection DN field.

NOTE: This test does not check the validity of the DIT Root nor the Relative Authentication Locator of any external domains.The test checks only whether DocuShare received a positive response from the LDAP server.

B- Advanced Configuration
Use LDAP Advanced configuration to set how specific object classes are defined on your LDAP server. 1. Click Advanced located at the bottom of the LDAP Configuration page. The LDAP Advanced Configuration page appears. 2. At the bottom of the LDAP Advanced Configuration page, locate the section title Object Classes. 3. In the User field, replace the default entry person, with the word user (all lowercase). 4. In the Static Group field, replace the default entry groupOfUniqueNames, with the word group (all lowercase). 5. Click Apply.

C- Enable LDAP Providers

Use the DocuShare administration Security Services and Directory Service pages to enable both the Security and Directory Provider Services for LDAP. This allows users to select the LDAP External Domains from the Domains drop down list at the Login prompts. 1. Open the Security Services page of the Administration UI. 2. On the Security Services page, check the LDAP box to enable LDAP as the authentication provider for all external domains, then click Apply. 3. Open the Directory Service page of the Administration UI. 4. On the Directory Service page, check the LDAP box to enable LDAP as the directory service provider for all external domains, then click Apply.

DocuShare LDAP/Active Directory Guide

29

DocuShare Configuration

LDAP/DocuShare configuration

D- Bind User
Use the DocuShare administration Bind User page to establish an association between DocuShare account properties and LDAP account attributes. 1. Open the Bind User page of the Administration UI. 2. In the First Name field, enter the attribute that LDAP uses for the first name of a user. This is generally givenName. 3. In the Last Name field, enter the attribute that LDAP uses for the last name of a user. This is generally surname or sn. This is a required field. 4. In the Username field, enter the attribute that LDAP uses for the login name of a user. This is generally sAMAccountName. This is a required field. 5. If the LDAP directory contains attributes for addition attributes, such as email address, mail stop, telephone number, or home page, enter those attributes in the appropriate fields on the Bind User page. 6. Click Apply the save this information.

E- Bind Group
Use the DocuShare administration Bind Group page to establish an association between DocuShare account properties and LDAP account attributes. 1. Use the information you obtained using the LDIFDE command and enter those attributes in the appropriate fields on the Bind Group page. For more information, refer to the section of this chapter titled The Active Directory LDIFDE command/Analyzing the adexport.text file contents/E. Bind Group Properties. 2. Click Apply the save this information.

F- Create Domain
Use the DocuShare administration Domains page to create external domains on your local DocuShare site. Each DocuShare external domain represents a branch in the LDAP directory tree. And each branch contains a collection of DocuShare user and group accounts. 1. Open the Domains page of the Administration UI. 2. In the Add field, enter the name of the external domain that you want to add to your local site. This may be simply a description name, such as Engineering. 3. Select LDAP/LDAP in the Providers/Security Services and Providers/Directory Services pages of the Admin UI. 4. In the Relative Authentication Locator field, enter one or more attribute pairs to define the path to the directory that contains the user and group accounts. Use the attribute components of the DN that are to the left of the DIT root and to the right of the user RDN.

210

Release 4.0

LDAP/DocuShare configuration

DocuShare Configuration

For example, the DN for a user account in a domain is cn=users name,ou=engineering,ou=docushare,dc=adoc,dc=xerox,dc=com. The Engineering domain is in ou=engineering, ou=docushare branch. The DIT root is dc=adoc, dc=xerox, dc=com. 5. In the Relative Directory Service Locator field, enter one or more attribute pairs. Use the same attribute pairs that you entered in the Relative Authentication Locator field. DocuShare 3.0 supports only LDAP for Authentication and Directory services, so the values for Relative Authentication Locator and Relative Directory Service Locator are identical. 6. Click Add to add this external domain to your local login menu.

G- Add
After you have completed the LDAP Configuration, Providers, Bind User, and Domains pages, you are ready to add user and group accounts to the external domain on your DocuShare site. If you were to List Users or List Groups in the new external domain, the domain would be empty. What you must do now is open the domain on the LDAP server, and select those user and group account that you want as members of your local external domain. 1. Open the Add page of the Administration UI. This is not the same page as Add User. 2. Select a domain from the By User domain menu. 3. Select one or more accounts from the User or Group list. Accounts not selected will not be able to login nor access the DocuShare site. 4. Click Add. The accounts selected now are part of the external domain as it appears on the DocuShare site. 5. Open the List Users page of the Administration UI, and select the newly added domain from the Domain menu. The List Users page displays all of the accounts that you just added to the external domain.

H- View Login
1. Return to the DocuShare home page. 2. In the Login section of the home page, the new external domain should appear in the Login Domain menu. 3. A user of an external domain must select the correct domain for login, or DocuShare displays a login error message and a request to retry.

DocuShare LDAP/Active Directory Guide

211

LDAP and SSL

LDAP/DocuShare configuration

LDAP and SSL

Secure Socket Layer, or SSL, is a protocol that was developed by Netscape for transmitting private documents via the Internet. SSL works by using a public key to encrypt data that is transferred over an SSL connection. Both Netscape Navigator and Internet Explorer support SSL. Many Web sites use SSL to obtain confidential user information, such as credit card numbers and account passwords. An SSL session is initiated by using a URL that begins with https instead of http.

Certificates
When using SSL, servers and clients use certificates to provide proof of identity prior to establishing a secure connection. A certificate also contains public and private keys that are used to establish a session. Servers and clients use session keys to encrypt and decrypt data. Certificates may be self-signed or they can be issued by a certificate authority (CA) such as Entrust, Equifax, Valicert, or Verisign. Certificates issued by a CA are considered to be from a trusted third-party authority. Basically, third-party authority vouches for the identity of a user. Most client browsers are configured to recognize and trust certificates issued by CAs. When certificates are self-signed the user is acting as a certificate authority. A self-signed certificate must be installed in the browsers authorities' store and the certificate is not recognized as a trusted third-party authority. Certificates are issued as either client or server certificates. DocuShare does not support client-side certificates. DocuShare uses a copy of the LDAP server's certificate to establish the SSL session with the LDAP server.

Import the Certificate to DocuShare

Depending on the CA that issued the certificate, the administrator may need to import the certificate from the LDAP server to the DocuShare server web browser certificate store. If the certificate is self-signed, the administrator must import the certificate to the DocuShare server web browser certificate store. To import the certificate from a specific LDAP server: 1. Open a web browser at the DocuShare server. 2. Connect to the LDAP server using the address https://<your.ldap.server>:636. Port 636 is the standard port for SSL. 3. If the certificate has not been installed on the DocuShare server's browser, a Security Alert window appears prompting you to install the certificate. 4. To install the certificate, click View Certificate at the bottom of the Security Alert window. A Certificate window appears. 5. Click the Details tab, then click the Copy to File button.

212

Release 4.0

LDAP/DocuShare configuration

LDAP and SSL

Export the Certificate and Save as a CER File

After you have imported the certificate from the LDAP server, you now need to export the certificate to DocuShare directory and save it as a certificate file. To export the certificate and save it as a certificate file: 1. Click Next at the bottom of the Wizard window. If the certificate contained a private key, the Export Private Key window appears. 2. In the Export Private Key window, select No, do not export the private key. DocuShare will not need a private key to establish an SSL session with the LDAP server. 3. Click Next. The Export File Format window appears. 4. Select Base-64 encoded X.509 (.CER) in the Export File Format window. 5. Click Next. The File to Export prompt window appears. 6. Enter in the File name field, the directory path to a location on your drive where you want to export the certificate. For example D:\. 7. Enter in the File name field, behind the directory path, a file name for the certificate with the extension .cer. For example D:\SSL_Cert4LDAP.cer. 8. Click Next to complete the certificate export. The Completing Certificate Export Wizard window appears. 9. Click Finish to close the Wizard. The LDAP certificate is saved as a .cer file on your DocuShare site. 10. Follow the instructions on the next page, Placing the certificate into DSTrustStore.

Placing the Certificate into DSTrustStore

Now that you have saved the certificate as a certificate file, you must place it in the DSTrustStore file. To place the certificate .cer file into the DSTrustStore file: 1. Locate the .cer file you exported using the Certificate Export Wizard. 2. Copy the .cer file to the directory containing the DSTrustStore file <ds3_installdir>\jdk1.3.1\jre\lib\security.

DocuShare LDAP/Active Directory Guide

213

LDAP and SSL

LDAP/DocuShare configuration

3. Open a command prompt window and navigate to the directory containing dstruststore. Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\>cd\xerox\docushare\jkd1.3.1\jre\lib\security C:\Xerox\DocuShare\jkd1.3.1\jre\lib\security\dir Volume in drive C is Local Disk Volume in Serial Number is 508B-0D2F Directory of C:\Xerox\DocuShare\jdk1.3.1\jre\lib\security 18-11-02 15:55 18-11-02 15:55 02-10-02 12:25 02-10-02 12:26 02-10-02 12:26 02-10-02 12:26 10-11-02 15:43 5 Files(s) 2 Dir(s) <DIR> <DIR> --

7,365 cacerts 589 dstruststore 2,271 java.policy 4,115 java.security 844 SLL_Cert4LDAP.cer 15,184 bytes 1,486,024,704 bytes free

C:\Xerox\DocuShare\jdk1.3.1\jre\lib\security

4. At the command prompt, enter the set PATH command to set the PATH environment variable. Use set PATH=%PATH%;<ds3_install-dir>\jdk1.3.1\bin. C:\Xerox\Docushare\jkd1.3.1\jre\lib\security>set PATH=%PATH%;C:\XEROX\DocuShare\jdk1.3.1\jre\bin

5. After you have set the PATH variable, at the command prompt, enter keytool, without arguments. The Keytool Utility help appears. The Keytool Utility places the SSL certificate in the DSTrustStore. 6. At the command prompt, enter the keytool utility command keytool -import -alias <alias_name> -file <cert_file> -keystore dstruststore Replace <alias_name> with a unique name for the certificate file. Replace <cert_file> with the name of the certificate file (.cer) that you exported and copied to the directory containing the dstruststore file.

214

Release 4.0

LDAP/DocuShare configuration 7. Press Enter to start the command. A request for a password appears. 8. Enter password and press Enter.

LDAP and SSL

C:\Xerox\Docushare\jkd1.3.1\jre\lib\security>keytool -import -alias Test LDAPss1 -file SDL_Cert4LDAP.cer -keystore dstruststore Enter keystore password: password Owner: OU=EFS File Encryption Certificate, L=EFS, CN=Administrator Issuer: OU=EFS File Encryption Certificate, L=EFS, CN=Administrator Serial number: 5ee8abd44c2cd2b14ffbee159f03d354 Valid from: Tue Feb 19 10:57:21 PST 2002 until: Thu Jan 26 10:57:21 PST 2102 Certificate fingerprints: MD5: 78:C7:A3:04:32:69:EB:97:76:FE:F4:8A:11:A2:65:26 SHA1: 02:DD:9A:BE:BE:DE:3C:AA:22:AE:14:9A:F2:F2:5B:11:61:6D:5A:5F Trust this certificate? [no]: yes Certificate was added to keystore C:\Xerox\DocuShare\jdk1.3.1\jre\lib\security>

9. Examine the screen output to ensure that Keytool successfully added the certificate to the keystore. If Keytool completed the operation, your DocuShare server is now ready to use the certificate to establish and SSL session with your LDAP server.

DocuShare LDAP/Active Directory Guide

215

The Active Directory Administration Tool

LDAP/DocuShare configuration

The Active Directory Administration Tool

You can use the Active Directory Administration Tool to perform various operations to an Active Directory and to query an LDAP directory server. To install and use the Active Directory Administration Tool to help configure your DocuShare site: 1. Open the Windows 2000 server software CD, and locate and read the sreadme.doc file. 2. Locate the file setup.exe in the Support\Tools directory. 3. Click the setup.exe file to begin the installation of the ldp.exe file. 4. Follow the on screen instructions to install the ldp.exe. 5. After installation has completed, open the Windows Start menu and click the Active Directory Administration Tool. This launches ldp.exe and the Active Directory Administration Tool appears. The Tool has a navigation bar with commands, and a left and right frame where it displays information.

216

Release 4.0

LDAP/DocuShare configuration

The Active Directory Administration Tool

Using the Active Directory Administration tool

You can use the Active Directory Administration Tool to collect information about your LDAP server that you need to configure your DocuShare site to use the server for external domains. Follow procedures A through F.

NOTE: This procedure is based on using the tool to collect information from a typical LDAP server setup. Variations may occur, depending on how the server was configured.

A- Connect
1. Select Connection from the Active Directory Administration Tool navigation bar, and then select Connect from the Connection menu. The Connect dialog box appears. 2. Enter in the Server field either the IP address or the DNS name of the LDAP Active Directory server. 3. Enter in the Port field the port number used, if other than the displayed default. 4. Click OK. You have now set the LDAP server address and port number.

B- Bind
After setting up the connection to the LDAP server, you must now bind the server to an administrator account that has access permission to search the directory. 1. Select Connection from the Active Directory Administration Tool navigation bar, and then select Bind from the Connection menu. The Bind dialog box appears. 2. Enter the user account name in the User field, password in the Password field, and domain in the Domain field. 3. Click OK. If you have successfully connected to and created a bind to the LDAP server, the server displays response text in the right frame of the Active Directory Administration Tool.

DocuShare LDAP/Active Directory Guide

217

The Active Directory Administration Tool

LDAP/DocuShare configuration

C- Locate the base Distinguished Name

The base DN will be the starting point for our examination of the directory tree. 1. Search the response text of the right frame of the Active Directory Administration Tool for a reference to namingContext. The format of the namingContext will vary depending on the LDAP server that you are using. 2. The highlighted text is the base Distinguished Name for the DIT. For an example, the highlighted base DN might be dc=adoc,dc=Xerox,dc=com. Your actual Base DN may differ according to the unique structure of your LDAP directory tree. Write down this information for later use.

D- View the Directory Information Tree

1. Select View from the Active Directory Administration Tool navigation bar, and then select Tree from the View menu. The Tree View dialog box appears. 2. In the BaseDN field, enter the base Distinguished Name that you found in your namingContext search above. 3. Click OK. The DIT for your LDAP server is displayed in the left frame of the Active Directory Administration Tool window. 4. Examine the Tree to determine where your DIT root will be for any DocuShare external domains that you want to create. The root should be high enough in the hierarchy so it includes all of the branches (such as organizationUnit and domainComponents) that will have access to the DocuShare server. For our example, we are going to use dc=adoc, dc=xerox,dc=com as our DIT root because we want to include only the users in the ADOC domain and not everyone at Xerox.com.

E- Find the Agent Account

In most cases an Active Directory does not accept anonymous queries to the directory.This requires the use of either an Agent or a Service account to query the server. Use the Search command to find the DN of the Agent account. 1. Select Browse from the Active Directory Administration Tool navigation bar, and then select Search from the Browse menu. The Search dialog box appears. 2. Enter a Base DN in the Base DN field. Depending on the Base DN value used and the location in the hierarchy of the Agent account, you may need to select Subtree to expand the search scope. 3. Enter a filer in the Filter field. We used the sAMAccoutName attribute for our filter since we knew the login name of the Agent account. This attribute is unique to Active Directory and is a carryover from Windows NT. If we knew the commonName (cn) of the account we

218

Release 4.0

LDAP/DocuShare configuration

The Active Directory Administration Tool

could have used commonName=Peter Pan for example. An iPlanet server may use the uid or commonName (cn) attribute. 4. Select the Scope of the search. Select Subtree is One Level is not wide enough. 5. Click Run. The results of your search appears as text in the right frame of the Active Directory Administration Tool window. For example, a search might show that the distinguishedName for the Agent account is cn=TestUser1,cn=users,dc=adoc,dc=xerox,dc=com.

F- Next step
After following procedures A through E, you should be able to use Active Directory Administration Tool to gather the information you need to configure your DocuShare site to use LDAP for user account authentication. The IP address or the DNS name of the LDAP server The DIT Root The Agent account for DocuShare

DocuShare LDAP/Active Directory Guide

219

The Active Directory LDIFDE command

LDAP/DocuShare configuration

The Active Directory LDIFDE command

If you are running your LDAP server under Windows 2000 or Windows 2003 you can use the LDIFDE command to write to a text file, the contents of the entire LDAP directory or a specific domain within the LDAP directory. This text file contains most of the information you need to configure DocuShare for use with LDAP. The text file generated by LDIFDE is the primary file that is used by DocuShare Support to troubleshoot LDAP configuration issues.

RESOURCES: For more information on using the LDIFDE command, go to http:// support.microsoft.com/default.aspx?scid=http:// support.microsoft.com:80/support/kb/articles/Q237/6/ 77.ASP&NoWebContent=1

220

Release 4.0

LDAP/DocuShare configuration

The Active Directory LDIFDE command

LDIFDE command syntax and usage

To use the LDIFDE command, open a command prompt window on your LDAP server and enter C:\Windows\system32>idifde -? and press Enter. LDIFDE returns the following: LDIF Directory Exchange General Parameters ================== -i Turn on Import Mode (The default is Export) -f filename Input or Output filename -s servername The server to bind to (Default to DC of logged in Domain) -c FromDN ToDN Replace occurences of FromDN to ToDN -v Turn on Verbose Mode -j Log File Location -t Port Number (default = 389) -u Use Unicode format -? Help Export Specific =============== -d RootDN The root of the LDAP search (Default to Naming Context) -r Filter LDAP search filter (Default to "(objectClass=*)") -p SearchScope Search Scope (Base/OneLevel/Subtree) -l list List of attributes (comma separated) to look for in an LDAP search -o list List of attributes (comma separated) to omit from input. -g Disable Paged Search. -m Enable the SAM logic on export. -n Do not export binary values Import ====== -k -y

The import will go on ignoring 'Constraint Violation' and 'Object Already Exists' errors The import will use lazy commit for better performance

Credentials Establishment ========================= Note that if no credentials is specified, LDIFDE will bind as the currently logged on user, using SSPI. -a UserDN [Password | *] Simple authentication -b UserName Domain [Password | *] SSPI bind method Example: Simple import of current domain ldifde -i -f INPUT.LDF Example: Simple export of current domain ldifde -f OUTPUT.LDF Example: Export of specific domain with credentials ldifde -m -f OUTPUT.LDF -b USERNAME DOMAINNAME * -s SERVERNAME -d "cn=users,DC=DOMAINNAME,DC=Microsoft,DC=Com" -r "(objectClass=user)"

DocuShare LDAP/Active Directory Guide

221

The Active Directory LDIFDE command

LDAP/DocuShare configuration

LDIFDE command example

The following is an example of an LDIFDE command that writes the content of the Active Directory on a server named Corvette, to a text file named adexport.txt.

Run the LDIFDE command:

Enter the command C:\Windows\system32\LDIFDE.exe -f adexport.txt -s corvette and press Enter. The command runs and displays its progress: Connecting to "corvette" Logging in as current user using SSPI Exporting directory to file adexport.txt Searching for entries... Writing out entries............................................................. ....................................................................... 132 entries exported The command has completed successfully C:\Documents and Settings\Administrator>LDIFDE -f adexport.txt -s corvette Connecting to "corvette" Logging in as current user using SSPI Exporting directory to file adexport.txt Searching for entries... Writing out entries............................................................. ....................................................................... 132 entries exported The command has completed successfully

222

Release 4.0

LDAP/DocuShare configuration

The Active Directory LDIFDE command

The generated adexport.txt file

Below is the contents of the adexport.txt file that the FDIFDE command generated in our example. This example shows only a portion of the total file content. Pay close attention to the bolded items; these are items you need to configure DocuShare to use this specific LDAP server. dn: DC=infodev,DC=dsbu,DC=xerox,DC=com changetype: add masteredBy:CN=NTDS Settings, CN=CORVETTE, CN=Servers, CN=infodev-dsbusite, CN=Sites,CN=Configuration, DC=infodev, DC=dsbu, DC=xerox, DC=com auditingPolicy:: AAE= creationTime: 127199619543431088 dc: infodev forceLogoff: -9223372036854775808 fSMORoleOwner:CN=NTDS Settings, CN=CORVETTE, CN=Servers,CN=infodevdsbu-site, CN=Sites, CN=Configuration, DC=infodev, DC=dsbu, DC=xerox, DC=com

[Sample Directory Record for a single User] dn: CN=Duncan Donkey, OU=Digital, OU=Actors, DC=infodev, DC=dsbu, DC=xerox, DC=com changetype: add accountExpires: 9223372036854775807 badPasswordTime: 0 badPwdCount: 0 codePage: 0 cn: Duncan Donkey countryCode: 0 displayName: Duncan Donkey mail: ddonkey@infodev.xerox.com givenName: Duncan instanceType: 4 lastLogoff: 0 lastLogon: 0 logonCount: 0 distinguishedName: CN=Duncan Donkey, OU=Digital, OU=Actors, DC=infodev, DC=dsbu, DC=xerox, DC=com objectCategory:CN=Person, CN=Schema, CN=Configuration, DC=infodev, DC=dsbu, DC=xerox,DC=com objectClass: user objectGUID:: xmi02W78lEmpYca7AtiupQ== objectSid:: AQUAAAAAAAUVAAAAqDfWZRUlr0f4n7R0bgQAAA== primaryGroupID: 513 pwdLastSet: 127293917905389760 name: Duncan Donkey sAMAccountName: duncan sAMAccountType: 805306368 sn: Donkey userAccountControl: 512 userPrincipalName: duncan@infodev.dsbu.xerox.com uSNChanged: 7353 uSNCreated: 7349 whenChanged: 20040518220950.0Z whenCreated: 20040518220933.0Z

DocuShare LDAP/Active Directory Guide

223

The Active Directory LDIFDE command Text file continued...

LDAP/DocuShare configuration

[Sample Directory Record for a Group] dn: CN=labusers,CN=Users,DC=infodev,DC=dsbu,DC=xerox,DC=com changetype: add member: CN=Greg Wong,CN=Users,DC=infodev,DC=dsbu,DC=xerox,DC=com member: CN=Janet Gilmore,CN=Users,DC=infodev,DC=dsbu,DC=xerox,DC=com member: CN=Jennings\, Ferris,CN=Users,DC=infodev,DC=dsbu,DC=xerox,DC=com member: CN=Cua\, Kiam T,CN=Users,DC=infodev,DC=dsbu,DC=xerox,DC=com info: Authorized Login User to the InforDev Lab cn: labusers description: InfoDev Lab Users groupType: -2147483644 instanceType: 4 distinguishedName:CN=labusers, CN=Users, DC=infodev, DC=dsbu, DC=xerox, DC=com objectCategory: CN=Group, CN=Schema, CN=Configuration, DC=infodev, DC=dsbu, DC=xerox, DC=com objectClass: group objectGUID:: Cm9phZkOn0ig4iEWMRPWsg== objectSid:: AQUAAAAAAAUVAAAAqDfWZRUlr0f4n7R0VgQAAA== name: labusers sAMAccountName: labusers sAMAccountType: 536870912 uSNChanged: 3975 uSNCreated: 2540 whenChanged: 20040302161513.0Z whenCreated: 20040130190128.0Z

224

Release 4.0

LDAP/DocuShare configuration

The Active Directory LDIFDE command

Analyzing the adexport.txt file contents

Our example adexport.txt file uses the Distinguished Name (DN) for Duncan Donkey; a member of the Digital Actors team in the InfoDev department of DSBU at Xerox Corporation. In our example, the DN for Duncan Donkey is defined as: CN=Duncan Donkey, OU=Digital, OU=Actors, DC=infodev, DC=dsbu, DC=xerox, DC=com By examining a users Distinguished Name you can find the information necessary to identify the: a. The Directory Information Tree (DIT) Root b. The User RDN Key c. The Relative Authentication and Directory Service Locators d. Bind User Attributes e. Bind Group Attributes

A. The Directory Information Tree (DIT) Root Set the DIT root at the level of the directory tree that will include all branches of the directory that contain users who need access to the DocuShare server. In our example, only members of the DSBU organization at Xerox will have access to our sample DocuShare server. The DSBU organization includes several departments and teams within each department. These departments and teams are organized in the LDAP Directory by Domain Components (DC) and Organizational Units (OU). For our example we will setup an External Domain in DocuShare to authenticate users who are members of the Digital Actors Team in the InfoDev department at DSBU within Xerox Corporation. In our example, the DIT root of the DN for Duncan Donkey is shown here bolded: CN=Duncan Donkey, OU=Digital, OU=Actors, DC=infodev, DC=dsbu, DC=xerox, DC=com By defining the DIT root at this level in the hierarchy, external domains can be created for each department/team within DSBU.

B. The User RDN Key The User RDN Key is the attribute alias used to identify the User. In our example, the User RDN key of the DN for Duncan Donkey is shown here bolded: CN=Duncan Donkey, OU=Digital, OU=Actors, DC=infodev, DC=dsbu, DC=xerox, DC=com

C. The Relative Authentication and Directory Service Locators The Relative Authentication and Directory Service Locators are the pointers to the directory branch of the external domain that contains a specific user, users, or group.

DocuShare LDAP/Active Directory Guide

225

The Active Directory LDIFDE command

LDAP/DocuShare configuration

In our example, the Relative Authentication and Directory Service Locator is shown here bolded: CN=Duncan Donkey, OU=Digital, OU=Actors, DC=infodev, DC=dsbu, DC=xerox, DC=com.

D. Bind User Attributes The text file generated by the FDIFDE command contains the attributes alias that are used to identify the last name, user name, and Email address of each user listed. You will use these attributes aliases to configure the DocuShare LDAP Bind User properties. In the FDIFDE command text file, users within the LDAP directory are identified with the entry objectClass: user. In our example, you will find the LDAP attribute aliases for the following properties: Last Name = sn User Name = sAMAccountName Email Address = mail In our example, the values given to these LDAP attribute aliases are: sn: Donkey sAMAccountName: duncan mail: ddonkey@infodev.xerox.com

E. Bind Group Attributes The text file generated by the FDIFDE command contains the attributes alias that are used to identify the title, description, and summary information of each group listed. You will use these attributes aliases to configure the DocuShare LDAP Bind Group properties. In the FDIFDE command text file, groups within the LDAP directory are identified with the entry objectClass: group. In our example, you will find the LDAP attribute aliases for the following properties: Title = cn Description = description Summary = info In our example, the values given to these LDAP attribute aliases are: cn: labusers description: InfoDev Lab Users summary: Authorized Login User to the InfoDev Lab

226

Release 4.0