
Entrust®

IdentityGuard 8.1

Directory Configuration Guide

Document issue: 1.0

Date of Issue: June 2006


Copyright © 2006 Entrust. All rights reserved.

Entrust is a trademark or a registered trademark of Entrust, Inc. in certain countries. All Entrust product names and logos are trademarks or registered trademarks of Entrust, Inc. in certain countries. All other company and product names and logos are trademarks or registered trademarks of their respective owners in certain countries.

This information is subject to change as Entrust reserves the right to, without notice, make changes to its products as progress in engineering or manufacturing methods or circumstances may warrant.

Export and/or import of cryptographic products may be restricted by various regulations in various countries. Export and/or import permits may be required.

2 Entrust IdentityGuard 8.1 Directory Configuration Guide


Table of contents

About this guide ... 7
  About Entrust IdentityGuard ... 8
  Repository considerations ... 9
    Estimating repository size ... 9
    LDAP attributes and classes ... 11
  Gathering your configuration data ... 18
  Documentation conventions ... 20
    Note and Attention text ... 20
  Related documentation ... 21
  Obtaining documentation ... 22
    Documentation feedback ... 22
  Obtaining technical assistance ... 23
    Technical support ... 23
    Professional Services ... 24

CHAPTER 1
Configuring Active Directory and Active Directory Application Mode ... 25
  Preparing Active Directory ... 26
    Choosing your configuration method ... 26
    Setting users and privileges ... 26
    Configuring Active Directory with LDIF files ... 27
    Configuring Active Directory manually ... 30
    Configuring the index attributes ... 31
    Creating a custom administrator ... 31
    Creating a user to store policies ... 32

CHAPTER 2
Configuring Critical Path Directory ... 35
  Preparing the Critical Path Directory ... 36
    Choosing your configuration method ... 36
    Configuring the Critical Path Directory with LDIF files ... 36
    Configuring the Critical Path Directory manually ... 38
    Synchronizing the indexes after an upgrade ... 39
    Creating a user to store policies ... 40
    Configure the directory size limit ... 40

CHAPTER 3
Configuring IBM Tivoli Directory Server ... 41
  Preparing the Tivoli Directory ... 42
    Choosing your configuration method ... 42
    Configuring the Tivoli Directory with LDIF files ... 42
    Configuring the Tivoli Directory manually ... 44
    Creating a user to store policies ... 45

CHAPTER 4
Configuring Novell® eDirectory™ ... 47
  Preparing the Novell eDirectory ... 48
    Choosing your configuration method ... 48
    Configuring the Novell eDirectory with LDIF files ... 48
    Configuring the Novell eDirectory manually ... 50
    Creating a user to store policies ... 51

CHAPTER 5
Configuring Sun™ ONE Directory ... 53
  Preparing the Sun ONE Directory ... 54
    Choosing your configuration method ... 54
    Configuring the Sun ONE Directory with LDIF files ... 54
    Configuring the Sun ONE Directory manually ... 56
    Creating a user to store policies ... 57

Index ... 59

About this guide

This guide provides instructions on how to configure Entrust IdentityGuard 8.1 to
operate with Active Directory, Active Directory Application Mode (ADAM), Critical
Path Directory, IBM Tivoli Directory Server, Novell® eDirectory™, and Sun™ ONE
Directory.
This chapter includes the following sections:
• “About Entrust IdentityGuard” on page 8
• “Repository considerations” on page 9
• “Gathering your configuration data” on page 18
• “Documentation conventions” on page 20
• “Related documentation” on page 21
• “Obtaining documentation” on page 22
• “Obtaining technical assistance” on page 23

About Entrust IdentityGuard
Installing Entrust IdentityGuard 8.1 allows you to add the benefits of multifactor
authentication to your primary authentication method.
Entrust IdentityGuard 8.1 provides multifactor authentication to help organizations
counter identity theft by making it more difficult for attackers to steal users’ online
identities. It addresses the real-world demands for strong authentication, making it
easier to use while helping to reduce deployment and management costs.

Note: You must follow and complete the instructions in this configuration guide
dedicated to your specific directory before you install Entrust IdentityGuard. For
information about installing and configuring Entrust IdentityGuard 8.1, refer to
the Entrust IdentityGuard Installation Guide.

Repository considerations
This section provides information that applies to all repositories supported by Entrust
IdentityGuard.
Entrust IdentityGuard uses data stored in your LDAP directory. Each time an Entrust
IdentityGuard operation requires a user’s information, Entrust IdentityGuard searches
the LDAP directory. The directory must exist and you should populate it with users
before you install Entrust IdentityGuard, though you can add users later. (Entrust
IdentityGuard does not create directory entries for users.)
Ensure your users exist under a single base DN in the directory tree, unless you plan
to take advantage of the multiple search bases feature in Entrust IdentityGuard.
Ensure the LDAP User DN used by Entrust IdentityGuard to connect to the repository
has sufficient privileges to make changes to the user objects.
Before you install Entrust IdentityGuard, you must prepare the LDAP directory. Each
chapter in this guide gives details specific to a directory type.

Attention: Back up your repository before you load or update the Entrust
IdentityGuard schema. Restoring your directory from backup files enables you to
undo changes made by any errors, as well as recover from system failures.

Estimating repository size

No two repositories will be the same. The number of policies, groups, administrators
and users will vary as will the attributes assigned to each and the authentication
methods used.
You can calculate the approximate disk space requirements using the statistics below.

Note: Information for all policies, groups, grouplists, and roles is stored in a
single entry in the LDAP repository. In contrast, each user and administrator has
a separate entry in the LDAP repository.

Table 1: LDAP repository size

Global policy
  Attribute names: entrustIGGlobalPolicy
  Data requirement: 0.5 KB.

Policy
  Attribute names: entrustIGPolicyList, entrustIGPasswordPolicy, entrustIGTempPinSpec, entrustIGCardSpec, entrustIGUserSpec
  Data requirement: 2.5 KB per policy spread across the attributes.

Roles
  Attribute names: entrustIGRoleData
  Data requirement: 1.5 KB per role.

Groups
  Attribute names: entrustIGGroupData
  Data requirement: 0.5 KB per group.

Group List
  Attribute names: entrustIGGroupListData
  Data requirement: 0.5 KB per group list.

User
  Attribute names: entrustIGContents, entrustIGTemporaryPin, entrustIGUserInfoMac, entrustIGAuthSecrets, entrustIGCreateDate, entrustIGExpiryDate, entrustIGGroup, entrustIGSerialNumber, entrustIGState, entrustIGUserNumber, entrustIGLockoutCount, entrustIGLockoutExpiryDate, entrustIGAliases, entrustIGChallenge, entrustIGChallengeCount, entrustIGLeastUsedCellUsageCount, entrustIGCardUsageThresholdIndicator, entrustIGTokenSerialNumber, entrustIGTokens, entrustIGTokenState, entrustIGTokenLoadDate, entrustIGTokenLastUsedDate
  Data requirement: 1.5 KB minimum per user with one card, one temporary PIN and one alias. Most data is in the first four attributes listed. Others contain values used for searching. 0.5 KB per user for each additional 5 by 10 card. 0.5 KB per user for each token the user has. More space is needed for comment attributes, extra aliases, card usage tracking (when enabled), and knowledge-based authentication. Up to 1 MB per user (controlled by policy) when authentication secrets are included.

Administrator
  Attribute names: entrustIGAdminData, entrustIGGroup, entrustIGGroupList, entrustIGRole
  Data requirement: 0.5 KB per administrator. Most data is in the entrustIGAdminData attribute. Others contain values used for searching.

For information on creating policies, groups, administrators and users, refer to the
Entrust IdentityGuard Administration Guide.
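As an added example (not an Entrust tool), the following Python turns the Table 1 figures into a sizing estimate for a constructed deployment, keeping the policy-controlled authentication-secrets upper bound separate from the base figure. The deployment counts and averages are made up for illustration.

```python
"""Rough LDAP repository sizing from the per-entry figures in Table 1.

Added example, not Entrust tooling. Comment attributes, extra aliases, card
usage tracking and knowledge-based authentication data are not modelled.
"""
from dataclasses import dataclass

KB = 1.0
MB = 1024 * KB

# Per-item requirements from Table 1 (kilobytes).
GLOBAL_POLICY_KB = 0.5
POLICY_KB = 2.5              # spread across the policy attributes
ROLE_KB = 1.5
GROUP_KB = 0.5
GROUP_LIST_KB = 0.5
USER_MIN_KB = 1.5            # one card, one temporary PIN, one alias
EXTRA_CARD_KB = 0.5          # each additional 5 by 10 card
TOKEN_KB = 0.5               # each token the user has
ADMIN_KB = 0.5
AUTH_SECRETS_MAX_KB = 1 * MB # upper bound per user when secrets are stored


@dataclass
class Deployment:
    policies: int
    roles: int
    groups: int
    group_lists: int
    administrators: int
    users: int
    extra_cards_per_user: float = 0.0   # average additional cards per user
    tokens_per_user: float = 0.0        # average tokens per user
    auth_secrets_enabled: bool = False  # policy-controlled; worst case modelled


def estimate_kb(d: Deployment) -> dict:
    """Return a breakdown in KB.

    'policy_entry' is the single LDAP entry that holds all policies, groups,
    group lists and roles; each user and administrator is a separate entry.
    """
    policy_entry = (GLOBAL_POLICY_KB + d.policies * POLICY_KB + d.roles * ROLE_KB
                    + d.groups * GROUP_KB + d.group_lists * GROUP_LIST_KB)
    per_user = (USER_MIN_KB + d.extra_cards_per_user * EXTRA_CARD_KB
                + d.tokens_per_user * TOKEN_KB)
    users = d.users * per_user
    admins = d.administrators * ADMIN_KB
    secrets = d.users * AUTH_SECRETS_MAX_KB if d.auth_secrets_enabled else 0.0
    return {
        "policy_entry": policy_entry,
        "users": users,
        "administrators": admins,
        "auth_secrets_upper_bound": secrets,
        "total": policy_entry + users + admins + secrets,
    }


def estimate_mb(d: Deployment) -> float:
    """Total estimate rounded to two decimals, in MB."""
    return round(estimate_kb(d)["total"] / MB, 2)


if __name__ == "__main__":
    # Constructed sample deployment (not from the guide).
    sample = Deployment(policies=4, roles=3, groups=10, group_lists=2,
                        administrators=5, users=1000,
                        extra_cards_per_user=1.0, tokens_per_user=0.5)
    for key, value in estimate_kb(sample).items():
        print(f"{key:25s} {value:12.1f} KB")
    worst = Deployment(policies=4, roles=3, groups=10, group_lists=2,
                       administrators=5, users=1000, extra_cards_per_user=1.0,
                       tokens_per_user=0.5, auth_secrets_enabled=True)
    print("with authentication secrets:", estimate_mb(worst), "MB")
```

The secrets line shows why the policy setting matters for capacity planning: for the same thousand users it moves the estimate from a few MB to roughly a gigabyte.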

LDAP attributes and classes

Entrust IdentityGuard uses specific directory attributes to store information in LDAP
repositories. They are identified by their OID, as listed in Table 2.
The Entrust IdentityGuard OID is 2.16.840.1.114027.200.2 (represented by
“IG”, below). To determine an attribute’s full OID, use the Entrust IdentityGuard OID
plus the attribute number given in the table. For example, for entrustIGContents
(IG.2.2), the full OID of the attribute is: 2.16.840.1.114027.200.2.2.2
When run, the LDIF files create the following attributes. If you do not use an LDIF
file, you must create and configure them manually.

Table 2: LDAP directory attributes

Attribute | Syntax | OID | Description
entrustIGSerialNumber | Multivalued IA5 string | IG.2.1 | Serial numbers of all cards belonging to the user.
entrustIGContents | Multivalued octet string | IG.2.2 | List of encrypted cards.
entrustIGState | Single-valued octet string (multivalued IA5 string for IBM Tivoli) | IG.2.3 | State of all cards belonging to the user.
entrustIGCreateDate | Multivalued generalized time | IG.2.4 | Creation dates of all cards belonging to the user.
entrustIGExpiryDate | Multivalued generalized time | IG.2.5 | Expiry dates of all cards belonging to the user.
entrustIGTemporaryPin | Single-valued octet string | IG.2.6 | Temporary PIN assigned to the user.
entrustIGUserNumber | Single-valued integer | IG.2.7 | Number assigned to the user by the Entrust IdentityGuard system.
entrustIGUserInfoMac | Single-valued octet string | IG.2.8 | Information about the user required by the Entrust IdentityGuard system.
entrustIGChallenge | Single-valued octet string | IG.2.9 | Challenge currently assigned to the user.
entrustIGCardSpec | Single-valued octet string | IG.2.10 | Entrust IdentityGuard system card specification.
entrustIGTempPinSpec | Single-valued octet string | IG.2.11 | Entrust IdentityGuard system temporary PIN specification.
entrustIGPasswordPolicy | Single-valued octet string | IG.2.12 | Entrust IdentityGuard system password policy.
entrustIGAdminData | Single-valued octet string | IG.2.13 | Information about an Entrust IdentityGuard administrator.
entrustIGLockoutCount | Single-valued integer | IG.2.14 | Current lockout count for the user.
entrustIGLockoutExpiryDate | Single-valued generalized time | IG.2.15 | Date at which the user's lockout expires.
entrustIGGlobalPolicy | Single-valued octet string | IG.2.16 | Global policy information.
entrustIGPolicyList | Single-valued octet string | IG.2.17 | Definition of all system policies.
entrustIGUserSpec | Single-valued octet string | IG.2.18 | User specification policy objects.
entrustIGRole | Single-valued integer | IG.2.19 | Role of the administrator.
entrustIGRoleData | Single-valued octet string | IG.2.20 | Definition of all roles.
entrustIGGroup | Single-valued integer | IG.2.21 | Identifier of the group to which a user or administrator is assigned.
entrustIGGroupData | Single-valued octet string | IG.2.22 | Definition of all groups.
entrustIGGroupList | Single-valued integer | IG.2.23 | Identifier of the group list assigned to an administrator.
entrustIGGroupListData | Single-valued octet string | IG.2.24 | Definition of all group lists.
entrustIGAliases | Multivalued string | IG.2.25 | Aliases identified with the user.
entrustIGChallengeCount | Single-valued integer | IG.2.26 | Number of challenges presented to the user during authentication.
entrustIGLeastUsedCellUsageCount | Single-valued integer | IG.2.27 | Count of how often each card cell is used.
entrustIGCardUsageThresholdIndicator | Multivalued IA5 string | IG.2.28 | Number of times the user can use the card before Entrust IdentityGuard recommends a replacement.
entrustIGAuthSecrets | Single-valued octet string | IG.2.29 | Authentication secrets.
entrustIGTokenSerialNumber | Multivalued IA5 string | IG.2.30 | Token serial numbers.
entrustIGTokens | Single-valued octet string | IG.2.31 | Encrypted token data with MAC checksum applied.
entrustIGTokenState | Multivalued IA5 string | IG.2.32 | Token state.
entrustIGTokenLoadDate | Multivalued generalized time | IG.2.33 | Token load date.
entrustIGTokenLastUsedDate | Multivalued generalized time | IG.2.34 | Token last-used date.

When run, the LDIF files create the following objects and attributes. If you do not
use an LDIF file, you must create and configure them manually. By default,
Entrust IdentityGuard adds these three object classes to directory entries as
needed. To change the way Entrust IdentityGuard adds object classes, refer to the
topic “Configuring LDAP properties” in the Entrust IdentityGuard Installation
Guide.

Table 3: LDAP object classes and attributes

Name: entrustIGUser
  OID: IG.1.1
  Attributes: entrustIGChallenge, entrustIGContents, entrustIGCreateDate, entrustIGExpiryDate, entrustIGGroup, entrustIGSerialNumber, entrustIGState, entrustIGTemporaryPin, entrustIGUserInfoMac, entrustIGUserNumber, entrustIGLockoutCount, entrustIGLockoutExpiryDate, entrustIGAliases, entrustIGChallengeCount, entrustIGLeastUsedCellUsageCount, entrustIGCardUsageThresholdIndicator, entrustIGAuthSecrets, entrustIGTokenSerialNumber, entrustIGTokens, entrustIGTokenState, entrustIGTokenLoadDate, entrustIGTokenLastUsedDate
  Description: Object class added to an end user's LDAP directory entry to allow addition of the common Entrust IdentityGuard attributes. Entrust IdentityGuard adds these to all user entries in the LDAP directory.

Name: entrustIGPolicy
  OID: IG.1.2
  Attributes: entrustIGCardSpec, entrustIGGlobalPolicy, entrustIGGroupData, entrustIGGroupListData, entrustIGPasswordPolicy, entrustIGPolicyList, entrustIGRoleData, entrustIGTempPinSpec, entrustIGUserSpec
  Description: Object class that allows the addition of the Entrust IdentityGuard policy to an LDAP directory entry. There is only one such entry.

Name: entrustIGAdmin
  OID: IG.1.3
  Attributes: entrustIGAdminData, entrustIGGroup, entrustIGGroupList, entrustIGRole
  Description: Object class that identifies an Entrust IdentityGuard administrator within the system.

The following attributes have special requirements for determining their ordering and
matching. When run, the LDIF files set the correct ordering. If you do not use an LDIF
file, you must create and configure them manually.
This does not apply to Active Directory and ADAM.

Table 4: LDAP matching and ordering

Attribute | Matching and ordering rules
entrustIGSerialNumber | Configure for case-ignored IA5 string and substring matching.
entrustIGContents | Configure for octet string matching.
entrustIGState | Configure for octet string matching for most directories. For IBM Tivoli Directory only, configure for case-ignored IA5 string and substring matching.
entrustIGCreateDate | Configure for generalized time matching and ordering.
entrustIGExpiryDate | Configure for generalized time matching and ordering.
entrustIGTemporaryPin | Configure for octet string matching.
entrustIGUserNumber | Configure for integer matching and ordering. Not supported for indexing on IBM Tivoli Directory.
entrustIGUserInfoMac | Configure for octet string matching.
entrustIGChallenge | Configure for octet string matching.
entrustIGCardSpec | Configure for octet string matching.
entrustIGTempPinSpec | Configure for octet string matching.
entrustIGPasswordPolicy | Configure for octet string matching.
entrustIGAdminData | Configure for octet string matching.
entrustIGLockoutCount | Configure for integer matching.
entrustIGLockoutExpiryDate | Configure for generalized time matching and ordering.
entrustIGGlobalPolicy | Configure for octet string matching.
entrustIGPolicyList | Configure for octet string matching.
entrustIGUserSpec | Configure for octet string matching.
entrustIGRole | Configure for integer matching.
entrustIGRoleData | Configure for octet string matching.
entrustIGGroup | Configure for integer matching.
entrustIGGroupData | Configure for octet string matching.
entrustIGGroupList | Configure for integer matching.
entrustIGGroupListData | Configure for octet string matching.
entrustIGAliases | Configure for case-ignored string and substring matching.
entrustIGChallengeCount | Configure for integer matching and integer ordering.
entrustIGLeastUsedCellUsageCount | Configure for integer matching and integer ordering.
entrustIGCardUsageThresholdIndicator | Configure for case-ignored IA5 string and substring matching.
entrustIGAuthSecrets | Configure for octet string matching.
entrustIGTokenSerialNumber | Configure for case-ignored IA5 string and substring matching.
entrustIGTokens | Not used in ordering and matching.
entrustIGTokenState | Configure for case-ignored IA5 string and substring matching.
entrustIGTokenLoadDate | Configure for generalized time matching and ordering.
entrustIGTokenLastUsedDate | Configure for generalized time matching and ordering.
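As an added example (not the product's shipped LDIF files), the following Python builds RFC 4512-style attributeTypes and objectClasses definitions for a subset of the rows in Tables 2 to 4, expanding the short IG OIDs exactly as the text above describes; because Table 4 excludes Active Directory and ADAM, it targets the other repositories. It assumes a cn=schema modification target, AUXILIARY object classes with every attribute optional (MAY), and the standard RFC 4517 syntax and matching-rule names, none of which the guide states, so compare the output with your directory's own LDIF dialect before loading anything.

```python
"""Generate schema definitions for a subset of the Entrust IdentityGuard
attributes and object classes in Tables 2 to 4.

Added example, not Entrust's LDIF. Assumptions: 'cn=schema' target entry,
AUXILIARY object classes with all attributes as MAY, RFC 4517 syntax OIDs and
matching-rule names.
"""

IG_OID = "2.16.840.1.114027.200.2"   # Entrust IdentityGuard base OID ("IG")

# Standard RFC 4517 LDAP syntax OIDs for the syntaxes named in Table 2.
SYNTAX = {
    "ia5": "1.3.6.1.4.1.1466.115.121.1.26",      # IA5 String
    "octet": "1.3.6.1.4.1.1466.115.121.1.40",    # Octet String
    "gentime": "1.3.6.1.4.1.1466.115.121.1.24",  # Generalized Time
    "integer": "1.3.6.1.4.1.1466.115.121.1.27",  # INTEGER
    "string": "1.3.6.1.4.1.1466.115.121.1.15",   # Directory String
}

# Table 4 rule families -> (EQUALITY, ORDERING, SUBSTR) standard matching rules.
RULES = {
    "ia5-ci-substr": ("caseIgnoreIA5Match", None, "caseIgnoreIA5SubstringsMatch"),
    "octet": ("octetStringMatch", None, None),
    "gentime-order": ("generalizedTimeMatch", "generalizedTimeOrderingMatch", None),
    "integer": ("integerMatch", None, None),
    "integer-order": ("integerMatch", "integerOrderingMatch", None),
    "string-ci-substr": ("caseIgnoreMatch", None, "caseIgnoreSubstringsMatch"),
    "none": (None, None, None),                  # entrustIGTokens is never matched
}

# (name, short OID, syntax, single-valued, rule family): rows of Tables 2 and 4.
ATTRIBUTES = [
    ("entrustIGSerialNumber", "IG.2.1", "ia5", False, "ia5-ci-substr"),
    ("entrustIGContents", "IG.2.2", "octet", False, "octet"),
    ("entrustIGState", "IG.2.3", "octet", True, "octet"),
    ("entrustIGCreateDate", "IG.2.4", "gentime", False, "gentime-order"),
    ("entrustIGExpiryDate", "IG.2.5", "gentime", False, "gentime-order"),
    ("entrustIGTemporaryPin", "IG.2.6", "octet", True, "octet"),
    ("entrustIGUserNumber", "IG.2.7", "integer", True, "integer-order"),
    ("entrustIGUserInfoMac", "IG.2.8", "octet", True, "octet"),
    ("entrustIGChallenge", "IG.2.9", "octet", True, "octet"),
    ("entrustIGAdminData", "IG.2.13", "octet", True, "octet"),
    ("entrustIGLockoutCount", "IG.2.14", "integer", True, "integer"),
    ("entrustIGLockoutExpiryDate", "IG.2.15", "gentime", True, "gentime-order"),
    ("entrustIGRole", "IG.2.19", "integer", True, "integer"),
    ("entrustIGGroup", "IG.2.21", "integer", True, "integer"),
    ("entrustIGGroupList", "IG.2.23", "integer", True, "integer"),
    ("entrustIGAliases", "IG.2.25", "string", False, "string-ci-substr"),
    ("entrustIGTokens", "IG.2.31", "octet", True, "none"),
]

# Object classes from Table 3, restricted to the subset of attributes above.
ADMIN_ATTRS = ["entrustIGAdminData", "entrustIGGroup", "entrustIGGroupList", "entrustIGRole"]
ADMIN_ONLY = {"entrustIGAdminData", "entrustIGRole", "entrustIGGroupList"}
USER_ATTRS = [row[0] for row in ATTRIBUTES if row[0] not in ADMIN_ONLY]


def full_oid(short: str) -> str:
    """Expand a table OID such as 'IG.2.2' to 2.16.840.1.114027.200.2.2.2."""
    prefix, _, rest = short.partition(".")
    if prefix != "IG" or not rest:
        raise ValueError(f"expected an IG.x.y OID, got {short!r}")
    return f"{IG_OID}.{rest}"


def attribute_type(name, short, syntax, single, family) -> str:
    """Render one attributeTypes description (RFC 4512 section 4.1.2)."""
    equality, ordering, substr = RULES[family]
    parts = [f"( {full_oid(short)} NAME '{name}'"]
    if equality:
        parts.append(f"EQUALITY {equality}")
    if ordering:
        parts.append(f"ORDERING {ordering}")
    if substr:
        parts.append(f"SUBSTR {substr}")
    parts.append(f"SYNTAX {SYNTAX[syntax]}")
    if single:
        parts.append("SINGLE-VALUE")
    return " ".join(parts) + " )"


def object_class(name, short, may) -> str:
    """Render an AUXILIARY objectClasses description (all attributes MAY: assumption)."""
    return f"( {full_oid(short)} NAME '{name}' AUXILIARY MAY ( {' $ '.join(may)} ) )"


def build_schema_ldif() -> str:
    """Assemble a schema-modification LDIF; the 'cn=schema' target is an assumption."""
    lines = ["dn: cn=schema", "changetype: modify", "add: attributeTypes"]
    lines += ["attributeTypes: " + attribute_type(*row) for row in ATTRIBUTES]
    lines += ["-", "add: objectClasses",
              "objectClasses: " + object_class("entrustIGUser", "IG.1.1", USER_ATTRS),
              "objectClasses: " + object_class("entrustIGAdmin", "IG.1.3", ADMIN_ATTRS),
              "-", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_schema_ldif())
```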

Gathering your configuration data
This section describes how to prepare for installation of Entrust IdentityGuard once
you have completed the configuration steps documented in the following chapters.
The Entrust IdentityGuard Server installer will ask configuration questions or present
options that have a direct relationship to the configuration settings you make. As you
go through the configuration steps, gather the data needed to answer those
installation questions as listed in the following table.

Table 5: Entrust IdentityGuard configuration data

Will you be using SSL to connect to the LDAP server?
  If you answer yes to this question, you will need to provide information on the SSL certificate (file name, owner, issuer, serial number, valid-from date, and certificate fingerprints). For more information on securing LDAP connections with SSL, refer to the Entrust IdentityGuard Installation Guide.

LDAP host
  Provide the name of the computer where your LDAP repository resides.

LDAP port number
  Provide the port used by your LDAP repository. The default port is 389 for a non-SSL connection and 636 for an SSL connection.

LDAP base DN
  Provide the DN under which the Entrust IdentityGuard policy entry is found.

LDAP user DN
  Provide the DN or ID of the user that Entrust IdentityGuard will use to connect to the LDAP repository. The DN must have administrator privileges.
  For most LDAP repositories, enter the DN in the format:
  cn=Directory Manager
  For Active Directory, enter the user DN in the format:
  AdminUser@domain.com

LDAP password
  Provide the password of the user that Entrust IdentityGuard will use to connect to the LDAP repository.

LDAP policy RDN
  Specify the user entry in the LDAP repository used to store Entrust IdentityGuard policy information. See the section entitled “Creating a user to store policies” in the chapter specific to your directory for more details.

Generalized Time format
  Does your LDAP repository support subseconds as part of generalized time data? Once you install Entrust IdentityGuard, ensure that you correctly set the identityguard.ldap.GeneralizedTimeWithSubSecs property in the identityguard.properties file. For a Novell eDirectory repository, set this to false. Set it to true for other repositories.

LDAP user name attribute
  Each user entry in the directory must have an existing attribute that Entrust IdentityGuard can use as a unique user name. Specify the LDAP attribute that identifies Entrust IdentityGuard users. For the primary search base, or in the case of a single search base, the attribute is usually:
  • sAMAccountName for Active Directory
  • CN (common name) or uid for ADAM and all other supported repositories
  For additional search bases, use a different attribute that provides a unique ID. Also see “Configuring additional search bases” in the Entrust IdentityGuard Installation Guide.

The Entrust IdentityGuard Server installer will also ask for the type of repository to
use.
• Select Active Directory for an Active Directory or ADAM repository.
• Select LDAP for all other supported repositories.

Documentation conventions
Following are typographic conventions which appear in this guide:

Table 6: Typographic conventions

Bold text (other than headings)
  Purpose: Indicates graphical user interface elements and wizards.
  Example: Click Next.

Italicized text
  Purpose: Used for book or document titles.
  Example: Entrust TruePass 7.0 Deployment Guide

Blue text
  Purpose: Used for hyperlinks to other sections in the document.
  Example: Entrust TruePass supports the use of many types of digital ID.

Underlined blue text
  Purpose: Used for Web links.
  Example: For more information, visit our Web site at www.entrust.com.

Courier type
  Purpose: Indicates installation paths, file names, Windows registry keys, commands, and text you must enter.
  Example: Use the entrust-configuration.xml file to change certain options for Verification Server.

Angle brackets <>
  Purpose: Indicates variables (text you must replace with your organization’s correct values).
  Example: By default, the entrust.ini file is located in <install_path>/conf/security/entrust.ini.

Square brackets [courier type]
  Purpose: Indicates optional parameters.
  Example: dsa passwd [-ldap]

Note and Attention text

Throughout this guide, there are paragraphs set off by ruled lines above and
below the text. These paragraphs provide key information with two levels of
importance, as shown below.

Note: Information to help you maximize the benefits of your Entrust product.

Attention: Issues that, if ignored, may seriously affect performance, security, or
the operation of your Entrust product.

Related documentation
Entrust IdentityGuard is supported by a complete documentation suite:
• For instructions on installing and configuring Entrust IdentityGuard Server,
see the Entrust IdentityGuard Installation Guide.
• For instructions on administering Entrust IdentityGuard users and groups, see
the Entrust IdentityGuard Administration Guide.
• For information on deploying Entrust IdentityGuard, refer to the Entrust
IdentityGuard Deployment Guide.
• For information on configuring Entrust IdentityGuard to work with a
supported LDAP repository – Active Directory, Active Directory Application
Mode, Critical Path InJoin Directory, IBM Tivoli Directory, Novell eDirectory,
or Sun ONE Directory – see the Entrust IdentityGuard Directory
Configuration Guide.
• For information on configuring Entrust IdentityGuard to work with a
supported database – IBM DB2 Universal Database, Microsoft SQL Server, or
Oracle Database – see the Entrust IdentityGuard Database Configuration
Guide.
• For information on Entrust IdentityGuard error messages, see the Entrust
IdentityGuard Error Messages.
• For information on new features, limitations and known issues in the latest
release, see the Entrust IdentityGuard Release Notes.
• For information on integrating the authentication and administration
processes of your applications with Entrust IdentityGuard, see the Entrust
IdentityGuard Programming Guide that applies to your development
platform (either Java Platform or C#).
• For Entrust IdentityGuard product information and a data sheet, go to
http://www.entrust.com/strong-authentication/identityguard/index.htm.
• For information on identity theft protection seminars, go to
http://www.entrust.com/events/identityguard.htm.

Obtaining documentation
Entrust product documentation, white papers, technical notes, and a comprehensive
Knowledge Base are available through Entrust TrustedCare Online. If you are
registered for our support programs, you can use our Web-based Entrust TrustedCare
Online support services at:
https://www.entrust.com/trustedcare

Documentation feedback
You can rate and provide feedback about Entrust product documentation by
completing the online feedback form. You can access this form by
• clicking the Feedback on guide link located in the footer of Entrust’s PDF
documents (see bottom of this page).
• following this link: http://www.entrust.com/products/feedback/index.cfm
Feedback concerning documentation can also be directed to the Customer Support
email address:
support@entrust.com

Obtaining technical assistance
Entrust recognizes the importance of providing quick and easy access to our support
resources. The following subsections provide details about the technical support and
professional services available to you.

Technical support
Entrust offers a variety of technical support programs to help you keep Entrust
products up and running. To learn more about the full range of Entrust technical
support services, visit our Web site at:
http://www.entrust.com/
If you are registered for our support programs, you can use our Web-based support
services.
Entrust TrustedCare Online offers technical resources including Entrust product
documentation, white papers and technical notes, and a comprehensive Knowledge
Base at:
https://www.entrust.com/trustedcare
If you contact Entrust Customer Support, please provide as much of the following
information as possible:
• your contact information
• product name, version, and operating system information
• your deployment scenario
• description of the problem
• copy of log files containing error messages
• description of conditions under which the error occurred
• description of troubleshooting activities you have already performed

Telephone numbers
For support assistance by telephone call one of the numbers below:
• 1-877-754-7878 in North America
• 1-613-270-3700 outside North America

Email address
The email address for Customer Support is:
support@entrust.com

Professional Services
The Entrust team assists e-businesses around the world to deploy and maintain secure
transactions and communications with their partners, customers, suppliers and
employees. We offer a full range of professional services to deploy our e-business
solutions successfully for wired and wireless networks, including planning and design,
installation, system integration, deployment support, and custom software
development.
Whether you choose to operate your Entrust solution in-house or subscribe to hosted
services, Entrust Professional Services will design and implement the right solution for
your e-business needs. For more information about Entrust Professional Services
please visit our Web site at:
http://www.entrust.com

Chapter 1

Configuring Active Directory and Active Directory Application Mode

This chapter provides instructions on how to configure Entrust IdentityGuard 8.1 to
operate with Microsoft® Active Directory and Active Directory Application Mode
(ADAM).
The Active Directory administrator must be involved in planning and carrying out
specific tasks.

Preparing Active Directory
This chapter includes the following sections:
• “Choosing your configuration method” on page 26
• “Setting users and privileges” on page 26
• “Configuring Active Directory with LDIF files” on page 27
• “Configuring Active Directory manually” on page 30
• “Configuring the index attributes” on page 31
• “Creating a custom administrator” on page 31
• “Creating a user to store policies” on page 32

Choosing your configuration method

Before you install Entrust IdentityGuard, you must prepare your Active Directory or
ADAM repository for use with Entrust IdentityGuard.
Choose one of the following configuration methods:
• Use the LDIF files supplied with Entrust IdentityGuard to prepare the LDAP
directory automatically. See “Configuring Active Directory with LDIF files”.
• Alternatively, you can prepare the LDAP directory manually. See
“Configuring Active Directory manually” on page 30.
Whatever configuration method you choose, some manual preparation is required for
an upgrade. See “Configuring the index attributes” on page 31.
For a new installation, also see “Creating a user to store policies” on page 32.

Attention: Back up your repository before you load or update the Entrust
IdentityGuard schema.

Note: Complete the procedures in this guide before you install Entrust
IdentityGuard.

Setting users and privileges


Ensure your users exist under a single base DN in the directory tree, unless you plan
to take advantage of the multiple search bases feature.
Entrust IdentityGuard will ask you for a base DN during installation. Entrust
IdentityGuard requires directory credentials (a DN and password) to connect to the
directory. In the case of multiple search bases, enter the DN of the default search
base.
Configuring Active Directory or ADAM for use with Entrust IdentityGuard requires
careful attention to the selection of the administrator user that Entrust IdentityGuard
needs to connect to the repository. If you do not want to grant Entrust IdentityGuard
the privileges associated with a standard administrator user, you can create one with
lesser privileges. See “Creating a custom administrator” on page 31.
Also see “Gathering your configuration data” on page 18 for details about entering
administrator information during configuration.
Each user entry in the directory must have an existing attribute that Entrust
IdentityGuard can use as a unique user identifier. (During installation, Entrust
IdentityGuard will ask you for this attribute name.) For the primary search base, or in
the case of a single search base, the attribute is typically sAMAccountName. For
additional search bases, use a different attribute.

Configuring Active Directory with LDIF files


Entrust IdentityGuard uses several directory attributes to store information specific to
Entrust IdentityGuard; so you need to modify your LDAP directory schema to define
these attributes.
The recommended method is to use one of the LDIF files included with the Entrust
IdentityGuard installation package. The LDIF files set up the required attributes and
auxiliary object classes automatically.

To access LDIF files


1 Extract the applicable archive file for your operating system. Refer to the Entrust
IdentityGuard Installation Guide for details.
LDIF files for Active Directory and Active Directory Application Mode (ADAM)
are available in the /IG_81/ldif directory included with the Entrust
IdentityGuard installation package. You can access them without having to install
Entrust IdentityGuard.
• If you are installing a new version of Entrust IdentityGuard, use the file
activedirectory_v81_schema.ldif.
• If you are upgrading from version 8.0 of Entrust IdentityGuard, use the file
activedirectory_v80_to_v81_upgrade.ldif.
• If you are upgrading from version 7.2 of Entrust IdentityGuard, use the file
activedirectory_v7x_to_v81_upgrade.ldif.
2 Copy the applicable LDIF file to a folder named LDIF under the root folder on
Windows, such as C:\LDIF.

Note: In Windows 2000, before you can modify the schema, you must set the
following REG_DWORD key to a non-zero value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed
Create that registry key if it doesn’t exist.
In Windows 2003, don’t set the key unless you encounter a problem with the
schema. Refer to http://support.microsoft.com for further information.

Loading the LDIF files


To load the directory schema changes, log in with the correct privileges and run the
Microsoft ldifde utility on the Active Directory server as described below. The
procedures for Active Directory and ADAM are almost identical.

To load the LDIF files


1 Log in to the Active Directory server as a member of the Schema Administrators
group. (Typically the Enterprise Administrator is a member of this group.)
2 Locate and note the DN of the schema entry in your Active Directory. It will be
something like this:
CN=Schema,CN=Configuration,DC=<YourDomainName>,dc=com, where
YourDomainName is the system reference to the schema.
In the case of ADAM, the schema entry will be a GUID, like this:
20154B22-09DE-41BC-8DEE-E12DFD7A66F3
For instructions on locating the correct DN, see “Finding your DN” on page 29.
3 For an ADAM installation, find and note the port number assigned to ADAM. It
might not be the default Active Directory port 389. If ADAM is running on a
domain controller, port 389 is probably assigned to Active Directory, not ADAM.
4 Open a command prompt.
5 Navigate to the correct installation folder.
• For an ADAM installation, change to the ADAM folder, as in:
cd c:\windows\adam
• For an Active Directory installation, change to the system folder, as in:
cd c:\windows\system32
6 Import the applicable LDIF file like this:
ldifde -i -s <server> -c "DC=X" "DC=<YourDomainName>,dc=com" -f C:\LDIF\<ldif-file> -t 389
Where:

• -i turns on import mode (the default is export).
• -s <server> names the domain controller used by the import operation. By
default, ldifde uses the domain controller on which it is installed; so this
option may not be needed.
• -c specifies the location of the directory schema. Change YourDomainName
to the DN information you noted in Step 2. At run time, the DC=X value is
replaced by the resolved value entered for YourDomainName.
• -f specifies the location and name of the new or upgrade LDIF file.
• -t specifies the LDAP port number. For an Active Directory installation, run
the ldifde command without the -t option. For an ADAM installation, use
the -t option to specify a port if ADAM is not running on port 389. The
default port is 389 for a non-SSL connection and 636 for an SSL connection.
If you get the error message “0x202b A referral was returned from the
server,” it indicates that the value you set for YourDomainName on the -c option is
not correct.

Finding your DN
The following section shows two ways to find the DN of the schema entry in your
Active Directory. The first example uses the ldp.exe utility available on Windows
2000 and 2003. The second example uses ldifde, the same utility you execute to
install the LDIF files.

To find a DN using ldp.exe


1 Run the ldp.exe file.
2 Select Connection > Connect.
3 Enter the name of your Active Directory server.
4 Verify that the port setting is correct.
5 Click OK.
6 Look for the line beginning with CN=Schema in the list of information the utility
generates. This line gives the complete DN of the schema entry in your Active
Directory.
For more information on this utility, see the article “Using Ldp.exe to Find Data in the
Active Directory” available at: http://support.microsoft.com.

To find a DN using ldifde


1 Enter the following command:
ldifde -d "" -s localhost -p base -l schemaNamingContext -f output.txt
Where:

• -d specifies the search base. The empty string "" indicates the root entry.
• -s names the server that ldifde will search.
• -p base limits the scope of the search to the base entry itself.
• -l lists the attributes to return; in this case, just schemaNamingContext.
2 Open the output.txt file. It contains the value for schemaNamingContext,
which is the DN you need.
For more information on this utility, see: http://support.microsoft.com.
Once you successfully load the LDIF file for a new installation, follow the instructions
under “Creating a user to store policies” on page 32.

Configuring Active Directory manually


The procedure below applies if you did not import an Entrust IdentityGuard LDIF file,
as described above in “Configuring Active Directory with LDIF files” on page 27.
Entrust IdentityGuard uses several directory attributes to store information. Modify
your LDAP directory schema to define these attributes following the steps in this
section.

To configure the LDAP directory manually


1 Use your schema configuration tool to add attributes with the names and types
listed in Table 2 on page 11.

Note: There are five new attributes related to tokens – numbers IG.2.30 to 34
in Table 2 on page 11. For an upgrade to 8.1, add these attributes.

2 Modify your LDAP schema so that the Entrust IdentityGuard attributes can be
added to existing user entries. Typically, this is done by adding them as optional
attributes of an existing object class. Since Active Directory does not allow the
object class of user entries to be changed, you must update the Active Directory
schema by adding the Entrust IdentityGuard specific object classes as auxiliary
classes. When added as auxiliary classes, they are associated with the User class.
This allows Entrust IdentityGuard to add the attributes in the Entrust
IdentityGuard object classes to the users.
Manually add the object classes and their attributes listed in Table 3 on page 14.
Specify all attributes as optional (that is, use the MAY CONTAIN option).

Note: There are five new attributes related to tokens – numbers IG.2.30 to 34
in Table 2 on page 11. For an upgrade to 8.1, add these to the entrustIGUser
object as optional items.

3 Create an LDAP user DN that has read, write, and modify access to your directory
entries using simple LDAP authentication. Entrust IdentityGuard uses this
account to modify user information. (See “Creating a custom administrator” on
page 31.)
With an Active Directory domain, these changes will take effect when Active
Directory updates its memory cache (within approximately five minutes). Optionally,
you can use the Schema Management plug-in to force a reload of the cache or you
can restart the server. The schema changes will replicate to other domains in the
forest after a time that depends on your Active Directory configuration.

Configuring the index attributes


Indexes can improve search performance in a large repository. For a new installation
or upgrade of Entrust IdentityGuard, configure the attributes entrustIGGroup and
entrustIGAliases for indexing by setting their searchFlags attribute to 1.
For example, the entrustIGAliases attribute configuration would look
something like this:
dn: CN=entrustIGAliases,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
lDAPDisplayName: entrustIGAliases
isSingleValued: FALSE
oMSyntax: 64
attributeID: 2.16.840.1.114027.200.2.2.25
attributeSyntax: 2.5.5.12
searchFlags: 1
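The -c "DC=X" "<schema DN>" substitution that ldifde performs (described under “Loading the LDIF files”) and the searchFlags setting shown for entrustIGAliases above can both be checked before you run the import. The following Python script is an added example for this guide, not Entrust code: it applies the same literal DC=X text substitution that ldifde -c performs, parses the resulting LDIF entries, and reports which of entrustIGGroup and entrustIGAliases lack the index bit in searchFlags. The LDIF fragment is a constructed sample modelled on the entry above (the second entry deliberately omits searchFlags), and DC=example,DC=com is a placeholder for the schema DN you noted in Step 2.

```python
"""Check an Active Directory schema LDIF the way ldifde will read it.

Added example for this guide (not Entrust code). SAMPLE_LDIF is a constructed
fragment modelled on the entrustIGAliases entry in the guide; the second entry
deliberately omits searchFlags so the check has something to report.
Base64 values (the '::' form) are not handled.
"""

SAMPLE_LDIF = """\
dn: CN=entrustIGAliases,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
lDAPDisplayName: entrustIGAliases
isSingleValued: FALSE
oMSyntax: 64
attributeID: 2.16.840.1.114027.200.2.2.25
attributeSyntax: 2.5.5.12
searchFlags: 1

dn: CN=entrustIGGroup,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
lDAPDisplayName: entrustIGGroup
isSingleValued: FALSE
oMSyntax: 64
attributeSyntax: 2.5.5.12
"""

# Attributes the guide says to index for a new installation or upgrade.
INDEXED_ATTRIBUTES = ("entrustIGGroup", "entrustIGAliases")

# Placeholder domain; use the schema DN you noted for your own forest.
EXAMPLE_DOMAIN_DN = "DC=example,DC=com"


def substitute_constant(ldif_text, placeholder="DC=X", replacement=EXAMPLE_DOMAIN_DN):
    """Apply the same literal text substitution as ldifde -c "DC=X" "<DN>"."""
    return ldif_text.replace(placeholder, replacement)


def parse_ldif(ldif_text):
    """Return a list of entries, each a dict of attribute -> list of values.
    A line starting with one space continues the previous line (LDIF folding)."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:          # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    return entries


def entry_dns(entries):
    """The DN of every entry, after substitution."""
    return [entry["dn"][0] for entry in entries]


def missing_index_flag(entries):
    """Names from INDEXED_ATTRIBUTES whose searchFlags lacks bit 1 (the
    'index this attribute' bit) or that have no searchFlags at all."""
    problems = []
    for entry in entries:
        name = entry.get("lDAPDisplayName", [""])[0]
        if name in INDEXED_ATTRIBUTES:
            flags = int(entry.get("searchFlags", ["0"])[0])
            if not flags & 1:
                problems.append(name)
    return problems


if __name__ == "__main__":
    entries = parse_ldif(substitute_constant(SAMPLE_LDIF))
    for dn in entry_dns(entries):
        print(dn)
    print("not indexed:", missing_index_flag(entries))
```

Run it against the real activedirectory_v81_schema.ldif (read the file into SAMPLE_LDIF's place) to confirm that both index attributes carry searchFlags: 1 before you load the schema; a missing flag is easy to miss in a long LDIF and shows up later only as slow group and alias lookups.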

Creating a custom administrator


The administrator user that Entrust IdentityGuard uses to connect to the repository
must have sufficient privileges to make changes to the user and policy objects.
Applicable administrator user types are:
• account operators
• administrators
• domain administrators
• enterprise administrators

If you do not want to grant Entrust IdentityGuard the privileges associated with
standard administrator user types, follow the steps below. (This procedure requires
the dsacls utility. It is part of the Windows support tools installed from the Windows
installation CD.)

To create a custom user


1 Log in as domain administrator.
2 Create a user object in the directory.
a In the Active Directory Users and Computers administration console, create
an ordinary user (for example, igDirAdmin). No special group membership is
required.
b Set the cn and sAMAccountName attributes to the new user name (that is,
igDirAdmin).
c Assign a password to this user.
d Close the console.
3 Run the dsacls command:
a Open a command prompt.
b Navigate to the Windows support tools folder.
c Enter the dsacls command using the following syntax:
dsacls <search base> /I:T /G <UPN>:GA
Where:
– search base is your primary search base where Entrust IdentityGuard
data is stored. The entry should follow this format:
“ou=igexample,dc=ig4,dc=people,dc=entrust,dc=com”.
– /I:T indicates that all existing and future subobjects will inherit this
permission.
– UPN is the new user principal name that Entrust IdentityGuard will use to
connect to the repository. The entry should follow this format:
“igDirAdmin@ig4.people.entrust.com”.
– GA sets the generic-all privilege.
4 Repeat the dsacls command for each search base (ou) or branch that is not inside
the primary search base.

Creating a user to store policies


Once you complete the automatic or manual configuration for a new installation, you
must create a directory user, which Entrust IdentityGuard will use to store policies.
Create this entry under the same base DN as the default search base used by Entrust
IdentityGuard. Give the user a recognizable name, such as IG Policy.

Create the user with the same kind of object class you used for existing users in the
directory. A typical Active Directory object class in this case is
organizationalPerson; though any entry derived from the Person object class
will do.

Note: Later, during Entrust IdentityGuard installation, you will be asked to
supply the LDAP policy RDN. This is the name of the user you just created,
relative to the base DN. For example, if all the users exist under the base DN
dc=Remote,dc=CompanyOne,dc=com and the DN of the policy user is cn=IG
Policy,dc=Remote,dc=CompanyOne,dc=com, then provide cn=IG Policy as
the LDAP policy RDN during installation.
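Step 4 of the custom-administrator procedure (repeat dsacls for each search base that is not inside the primary search base) and the policy RDN note above both come down to comparing distinguished names. The following Python helpers are an added example, not Entrust code: they split a DN on unescaped commas, decide which additional search bases lie outside the primary base and so need their own dsacls grant, build the corresponding command lines from the syntax given in step 3c, and derive the LDAP policy RDN from the policy user's DN and the base DN. The DNs in the sample run are taken from the examples in this chapter or constructed.

```python
"""DN helpers for two steps in this chapter.

Added example (not Entrust code): decide which additional search bases need
their own dsacls grant, build those command lines, and derive the LDAP policy
RDN. The DNs in the sample run are the guide's examples plus constructed ones.
"""


def split_dn(dn):
    """Split a DN into its RDN strings on unescaped commas (a backslash escapes
    the next character, so 'cn=Smith\\, John' stays one RDN)."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return [rdn for rdn in rdns if rdn]


def is_inside(dn, base_dn):
    """True when dn is base_dn itself or lies beneath it in the tree.
    RDNs are compared case-insensitively."""
    parts = [rdn.lower() for rdn in split_dn(dn)]
    base = [rdn.lower() for rdn in split_dn(base_dn)]
    return len(parts) >= len(base) and parts[len(parts) - len(base):] == base


def bases_needing_grant(primary_base, other_bases):
    """Step 4: every search base that is not inside the primary search base
    needs its own dsacls grant."""
    return [b for b in other_bases if not is_inside(b, primary_base)]


def dsacls_commands(upn, primary_base, other_bases):
    """Command lines following the syntax in step 3c:
    dsacls <search base> /I:T /G <UPN>:GA  (the DN is quoted for cmd.exe)."""
    targets = [primary_base] + bases_needing_grant(primary_base, other_bases)
    return [f'dsacls "{dn}" /I:T /G {upn}:GA' for dn in targets]


def policy_rdn(policy_dn, base_dn):
    """The policy user's name relative to the base DN, as entered at install
    time. Raises if the entry is not directly under the base DN."""
    if not is_inside(policy_dn, base_dn):
        raise ValueError("policy user is not under the base DN")
    parts = split_dn(policy_dn)
    relative = parts[: len(parts) - len(split_dn(base_dn))]
    if len(relative) != 1:
        raise ValueError("policy user must sit immediately under the base DN")
    return relative[0]


if __name__ == "__main__":
    primary = "ou=igexample,dc=ig4,dc=people,dc=entrust,dc=com"   # from the guide
    extra = [
        "ou=contractors,ou=igexample,dc=ig4,dc=people,dc=entrust,dc=com",  # constructed; inside primary
        "ou=partners,dc=ig4,dc=people,dc=entrust,dc=com",                  # constructed; needs its own grant
    ]
    for cmd in dsacls_commands("igDirAdmin@ig4.people.entrust.com", primary, extra):
        print(cmd)
    print(policy_rdn("cn=IG Policy,dc=Remote,dc=CompanyOne,dc=com",
                     "dc=Remote,dc=CompanyOne,dc=com"))
```

The /I:T and GA flags grant the account full control over every existing and future object below each listed base, so keep the list of targets to exactly the search bases Entrust IdentityGuard manages; the bases_needing_grant check avoids granting the same subtree twice when one search base already contains another.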

Your LDAP directory is now configured to work with Entrust IdentityGuard.

Chapter 2

Configuring Critical Path Directory

This chapter provides instructions on how to configure Entrust IdentityGuard 8.1 to
operate with Critical Path Directory.
The Critical Path Directory administrator must be involved in planning and carrying
out specific tasks.

Preparing the Critical Path Directory
This chapter includes the following sections:
• “Choosing your configuration method” on page 36
• “Configuring the Critical Path Directory with LDIF files” on page 36
• “Configuring the Critical Path Directory manually” on page 38
• “Synchronizing the indexes after an upgrade” on page 39
• “Creating a user to store policies” on page 40
• “Configure the directory size limit” on page 40

Choosing your configuration method


Before you install Entrust IdentityGuard, you must prepare your LDAP directory for
use with Entrust IdentityGuard.
Choose one of the following configuration methods:
• Use the LDIF files supplied with Entrust IdentityGuard to prepare the LDAP
directory automatically. See “Configuring the Critical Path Directory with
LDIF files” on page 36.
• Alternatively, you can prepare the LDAP directory manually. See
“Configuring the Critical Path Directory manually” on page 38.
Whatever configuration method you choose, some manual preparation is required for
an upgrade. See “Synchronizing the indexes after an upgrade” on page 39.
For a new installation, also see “Creating a user to store policies” on page 40.

Attention: Back up your repository before you load or update the Entrust
IdentityGuard schema.

Note: Complete the procedures in this guide before you install or upgrade
Entrust IdentityGuard.

Configuring the Critical Path Directory with LDIF files
Entrust IdentityGuard uses several directory attributes to store information specific to
Entrust IdentityGuard; so, you need to modify your LDAP directory schema to define
these attributes.

The recommended method is to use one of the LDIF files included with the Entrust
IdentityGuard installation package. The LDIF files set up the required attributes
automatically.

To access LDIF files


1 Extract the applicable archive file for your operating system. Refer to the Entrust
IdentityGuard Installation Guide for details.
LDIF files for Critical Path Directory are available under the /IG_81/ldif
directory included with the Entrust IdentityGuard installation package. You can
access them without having to install Entrust IdentityGuard.
• If you are installing a new version of Entrust IdentityGuard, use the file
criticalpath_v81_schema.ldif.
• If you are upgrading from version 8.0 of Entrust IdentityGuard, use the file
criticalpath_v80_to_v81_upgrade.ldif.

Loading the LDIF files


To load the directory schema changes, run ldapmodify on the Critical Path Directory
server as described below. The ldapmodify command opens a connection to an
LDAP server, and modifies or adds entries.

Note: Before you run ldapmodify, ensure that the Critical Path Directory is
running. If not, use the odsstart command to start it.

To load the LDIF files


1 With the Critical Path Directory running, open a command window.
2 Navigate to the directory where the Critical Path ldapmodify tool is located.
The location varies depending on the operating system. In Windows, look in the
folder c:\Program Files\CriticalPath\CPDS\bin.
3 Import the applicable LDIF file like this:
ldapmodify -h cp42.entrust.com -p 389 -D "cn=Directory Manager" -w ldappass -f <ldif-file>
Where:
• -h specifies the LDAP host name.
• -p specifies the LDAP port number. The default port is 389 for a non-SSL
connection and 636 for an SSL connection.
• -D specifies a directory administrator who has authority to update the
schema.

• -f specifies the name of the LDIF file. It can be a fully-qualified path name.
• -w specifies the password used for simple authentication.
• ldif-file is the name of the new or upgrade LDIF file.

Configuring the Critical Path Directory manually
All procedures in this section apply only if you did not import an Entrust IdentityGuard
LDIF file, as described above in “Configuring the Critical Path Directory with LDIF
files” on page 36.
Entrust IdentityGuard uses several directory attributes to store information. If you do
not use an LDIF file to modify your directory, you must manually modify your LDAP
directory schema to define these attributes following the steps in this section. View
the applicable LDIF to see how to set the attributes.
If you are upgrading from an earlier version of Entrust IdentityGuard, review these
steps and follow those that apply.

To configure the LDAP directory manually


1 Use your schema configuration tool to add attributes with the names and types
listed in Table 2 on page 11.

Note: There are five new attributes related to tokens – numbers IG.2.30 to 34
in Table 2 on page 11. For an upgrade to 8.1, add these attributes.

2 Configure those attributes for ordering and matching as shown in Table 4 on
page 15.
3 The following attributes must be optimized for indexing so that Entrust
IdentityGuard can look them up in the directory. Make sure you configure them
as listed below.

Table 7: LDAP indexing

Attribute               Indexing rules
entrustIGUserNumber     Match on ordering, invert on value.
entrustIGUserInfoMac    Invert on type.
entrustIGAdminData      Invert on type.
entrustIGGroup          Invert on value.
entrustIGAliases        Invert on value.

4 Manually add the object classes and their attributes listed in Table 3 on page 14.
Specify all attributes as optional (that is, use the MAY CONTAIN option).

Note: There are five new attributes related to tokens – numbers IG.2.30 to 34
in Table 2 on page 11. For an upgrade to 8.1, add these to the entrustIGUser
object as optional items.

5 Create an LDAP user DN that has read, write, and modify access to your directory
entries using simple LDAP authentication. Entrust IdentityGuard uses this
account to modify Entrust IdentityGuard user information.

Synchronizing the indexes after an upgrade


If you are upgrading from a previous version of Entrust IdentityGuard, complete the
following procedure. This is required to synchronize and update the search indexes.
It applies whether you prepare the LDAP directory manually or use an LDIF file.
1 From the Start menu, select Programs > Critical Path > CP Directory Server >
CPDS Icon.
2 At the prompt, enter the iCon manager name and password. The iCon Session
login screen appears.
3 Enter the directory administrator DN and password.

Note: As noted in the iCon documentation, many special characters are not
allowed in passwords, including (but not limited to) quotes, number signs,
forward and backward slashes, and common currency symbols.

4 On the left-hand menu, click schema.
5 On the upper menu bar, click attributes.
6 In the attribute search field, type entrustIGGroup and click the Find attribute
button.
7 In the attribute list returned, select the entrustiggroup entry.
8 Scroll down and ensure that the equality option in the inv column is selected.
9 Click the Change attribute button.
10 Repeat steps 5 through 9 for the entrustIGAliases attribute.
11 On the upper menu bar, click attributes.
12 In the attribute search field, type entrustIGChallengeCount and click the Find
attribute button.
13 In the attribute list returned, select the entrustigchallengecount entry.

14 Scroll down and ensure that the integerOrderingMatch option in the match
column is selected.
15 Click the Change attribute button.
16 Repeat steps 11 through 15 for the entrustIGLeastUsedCellUsageCount
attribute.
Once the above procedure is complete, you can terminate the iCon session.

Creating a user to store policies


Once you complete the automatic or manual configuration for a new installation, you
must create a directory user, which Entrust IdentityGuard will use to store policies.
Create this entry under the same base DN as the default search base used by Entrust
IdentityGuard. Give the user a recognizable name, such as IG Policy.
Create the user with the same kind of object class you used for existing users in the
directory. A typical Critical Path Directory object class in this case is person; though
any entry derived from the person object class will do.

Note: Later, during Entrust IdentityGuard installation, you will be asked to
supply the LDAP policy RDN. This is the name of the user you just created,
relative to the base DN. For example, if all the users exist under the base DN
dc=Remote,dc=CompanyOne,dc=com and the DN of the policy user is cn=IG
Policy,dc=Remote,dc=CompanyOne,dc=com, then provide cn=IG Policy as
the LDAP policy RDN during installation.

Configure the directory size limit


You need to review the size limit placed on your directory. If you attempt to generate
a list of directory users (for example, by using a master user shell command)
and the list size exceeds the set limit, you will see a message similar to this:
[5202242] Error retrieving next block of search results
To fix or prevent this problem, do the following.

To set a directory size limit


1 Open the Critical Path Directory Server DAC.
2 Select Configuration > Miscellaneous Parameters.
3 Change the Size Limit entry under Administrative Limits to 500 or more
depending on your needs.
4 Save your settings.
You have now configured your LDAP directory to work with Entrust IdentityGuard.

Chapter 3

Configuring IBM Tivoli Directory Server

This chapter provides instructions on how to configure Entrust IdentityGuard 8.1 to
operate with IBM Tivoli Directory Server.
The IBM Tivoli Directory administrator must be involved in planning and carrying out
specific tasks.

Preparing the Tivoli Directory
This chapter includes the following sections:
• “Choosing your configuration method” on page 42
• “Configuring the Tivoli Directory with LDIF files” on page 42
• “Configuring the Tivoli Directory manually” on page 44
• “Creating a user to store policies” on page 45

Choosing your configuration method


Before you install Entrust IdentityGuard, you must prepare your LDAP directory for
use with Entrust IdentityGuard.
Choose one of the following configuration methods:
• Use the LDIF files supplied with Entrust IdentityGuard to prepare the LDAP
directory automatically. See “Configuring the Tivoli Directory with LDIF
files”.
• Alternatively, you can prepare the LDAP directory manually. See
“Configuring the Tivoli Directory manually” on page 44.
For a new installation, also see “Creating a user to store policies” on page 45.

Attention: Back up your repository before you load or update the Entrust
IdentityGuard schema.

Note: Complete the procedures in this guide before you install Entrust
IdentityGuard.

Configuring the Tivoli Directory with LDIF files


Entrust IdentityGuard uses several directory attributes to store information specific to
Entrust IdentityGuard; so, you need to modify your LDAP directory schema to define
these attributes.
The recommended method is to use one of the LDIF files included with the Entrust
IdentityGuard installation package. The LDIF files set up the required attributes and
object classes automatically.

To access the LDIF file


1 Extract the applicable archive file for your operating system. Refer to the Entrust
IdentityGuard Installation Guide for details.

LDIF files for IBM Tivoli Directory are available under the /IG_81/ldif
directory included with the Entrust IdentityGuard installation package. You can
access them without having to install Entrust IdentityGuard.
• If you are installing a new version of Entrust IdentityGuard, use the file
ibm_v81_schema.ldif.
• If you are upgrading from version 8.0 of Entrust IdentityGuard, use the file
ibm_v80_to_v81_upgrade.ldif.

Loading the LDIF file


To load the directory schema changes, run ldapmodify on the IBM Tivoli Directory
server as described below. The ldapmodify command opens a connection to an
LDAP server, and modifies or adds entries.

Note: Do not use the IBM Tivoli Directory Configuration Tool to import the LDIF
files. Use ldapmodify instead.

To load the LDIF files


1 Open a command window.
2 Navigate to the directory where IBM’s ldapmodify tool is located. The location
varies depending on the operating system. In Windows, look in the folder
c:\Program Files\IBM\LDAP\bin.
3 Import the applicable LDIF file like this:
ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w ldappass -i <ldif-file> -c
Where:
• -h specifies the LDAP host name. In the above example, the directory is
running on localhost.
• -p specifies the LDAP port number. The default port is 389 for a non-SSL
connection and 636 for an SSL connection.
• -D specifies a directory administrator who has authority to update the
schema.
• -i specifies the name of the LDIF file. It can be a fully-qualified path name.
• -w specifies the password used for simple authentication.
• -c specifies continuous operation mode. When set, if ldapmodify
encounters existing attributes, it updates them, reports the changes as errors,
and continues.
• ldif-file is the name of the new or upgrade LDIF file.

Once you successfully load the LDIF file for a new installation, follow the instructions
under “Creating a user to store policies” on page 45.

Configuring the Tivoli Directory manually


All procedures in this section apply only if you did not import an Entrust IdentityGuard
LDIF file, as described above in “Configuring the Tivoli Directory with LDIF files” on
page 42.
Entrust IdentityGuard uses several directory attributes to store information. If you do
not use an LDIF file to modify your directory, you must modify your LDAP directory
schema to define these attributes following the steps in this section.

To configure the LDAP directory manually


1 Use your schema configuration tool to add attributes with the names and types
listed in Table 2 on page 11. Entrust IdentityGuard populates these attributes.

Note: There are five new attributes related to tokens – numbers IG.2.30 to 34
in Table 2 on page 11. For an upgrade to 8.1, add these attributes.

2 Configure those attributes for ordering and matching as shown in Table 4 on
page 15.
3 Indexes can improve search performance, but as a general rule, create new
indexes only if you suspect there are performance issues with a particular
directory lookup.
In this example for the entrustIGUserNumber attribute, the DBNAME
parameter of the attribute definition specifies that etIGUserNumber is the table
to index:
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( 2.16.840.1.114027.200.2.2.7 NAME 'entrustIGUserNumber' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE USAGE userApplications )
IBMattributetypes: ( 2.16.840.1.114027.200.2.2.7 DBNAME( 'etIGUserNumber' 'etIGUserNumber' ) ACCESS-CLASS normal EQUALITY ORDERING )

Other likely candidates for indexing are entrustIGGroup, and
entrustIGAliases. See the ibm_v81_schema.ldif schema file for a
complete example of an attribute entry.
To upgrade from version 8.0 of Entrust IdentityGuard to 8.1, copy the applicable
entries from the ibm_v81_schema.ldif schema file and change the line
add: attributetypes
to
replace: attributetypes.
The IBM Tivoli Directory server automatically creates a presence index of LDAP
attributes.
4 Manually add the object classes and their attributes listed in Table 3 on page 14.
Specify all attributes as optional (that is, use the MAY CONTAIN option).

Note: There are five new attributes related to tokens – numbers IG.2.30 to 34
in Table 2 on page 11. For an upgrade to 8.1, add these to the entrustIGUser
object as optional items.

5 Create an LDAP user DN that has read, write, and modify access to your directory
entries using simple LDAP authentication. Entrust IdentityGuard uses this
account to modify Entrust IdentityGuard user information.
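Step 3 above shows a pair of definitions for entrustIGUserNumber: a standard attribute type description and the IBMattributetypes extension that names the DBNAME table and the index kinds. The following Python script is an added example, not Entrust or IBM code: it tokenizes both descriptions, checks that they agree on the OID, that a DBNAME table is declared and that an EQUALITY index is only requested where an EQUALITY matching rule exists, and applies the add-to-replace rewrite that step 3 describes for an 8.0 to 8.1 upgrade. The two definition strings are the ones printed in step 3; the list of bare IBM index keywords (EQUALITY, ORDERING, SUBSTR, APPROX, REVERSE) is my reading of the IBMattributetypes syntax and is an assumption to confirm against the IBM schema documentation.

```python
"""Check an IBM Tivoli attribute definition pair from step 3 of this chapter.

Added example (not Entrust or IBM code). ATTRIBUTE_TYPE and IBM_ATTRIBUTE_TYPE
are the two definitions printed in step 3. IBM_INDEX_KEYWORDS is an assumption
about the IBMattributetypes syntax (bare keywords naming index kinds).
"""
import re

ATTRIBUTE_TYPE = ("( 2.16.840.1.114027.200.2.2.7 NAME 'entrustIGUserNumber' "
                  "EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
                  "SINGLE-VALUE USAGE userApplications )")
IBM_ATTRIBUTE_TYPE = ("( 2.16.840.1.114027.200.2.2.7 DBNAME( 'etIGUserNumber' "
                      "'etIGUserNumber' ) ACCESS-CLASS normal EQUALITY ORDERING )")

# Keywords that take no value: RFC 4512 flags, and IBM's index kinds (assumed).
RFC_FLAGS = ("SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION", "OBSOLETE")
IBM_INDEX_KEYWORDS = ("EQUALITY", "ORDERING", "SUBSTR", "APPROX", "REVERSE")

# Quoted strings stay whole; parentheses are their own tokens.
_TOKEN = re.compile(r"'[^']*'|\(|\)|[^\s()]+")


def _body(description):
    """Tokens between the outer parentheses of a schema description."""
    tokens = _TOKEN.findall(description)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("description must be enclosed in parentheses")
    return tokens[1:-1]


def _value_at(body, i):
    """Value starting at body[i]: one token, or a ( 'a' 'b' ) list.
    Returns (value, index of the next token)."""
    if i >= len(body):
        raise ValueError("keyword at end of description has no value")
    if body[i] != "(":
        return body[i].strip("'"), i + 1
    values, j = [], i + 1
    while body[j] != ")":
        values.append(body[j].strip("'"))
        j += 1
    return values, j + 1


def parse_description(description, flag_keywords):
    """Parser for both forms: the first token is the OID, bare keywords from
    flag_keywords go into 'flags', everything else is keyword then value."""
    body = _body(description)
    info = {"oid": body[0], "flags": set()}
    i = 1
    while i < len(body):
        key = body[i]
        if key in flag_keywords:
            info["flags"].add(key)
            i += 1
        else:
            info[key], i = _value_at(body, i + 1)
    return info


def check_definition(attr_desc, ibm_desc):
    """Consistency checks worth running before loading the schema."""
    attr = parse_description(attr_desc, RFC_FLAGS)
    ibm = parse_description(ibm_desc, IBM_INDEX_KEYWORDS)
    issues = []
    if attr["oid"] != ibm["oid"]:
        issues.append(f"OID mismatch: {attr['oid']} vs {ibm['oid']}")
    if not ibm.get("DBNAME"):
        issues.append("no DBNAME table declared")
    if "EQUALITY" in ibm["flags"] and "EQUALITY" not in attr:
        issues.append("EQUALITY index requested but no EQUALITY matching rule")
    return issues


def upgrade_ldif(ldif_text):
    """For an 8.0 to 8.1 upgrade, step 3 says to change 'add: attributetypes'
    to 'replace: attributetypes' in entries copied from ibm_v81_schema.ldif."""
    lines = [("replace: attributetypes" if line.strip().lower() == "add: attributetypes"
              else line) for line in ldif_text.splitlines()]
    return "\n".join(lines) + ("\n" if ldif_text.endswith("\n") else "")


if __name__ == "__main__":
    print(parse_description(ATTRIBUTE_TYPE, RFC_FLAGS))
    print(parse_description(IBM_ATTRIBUTE_TYPE, IBM_INDEX_KEYWORDS))
    print("issues:", check_definition(ATTRIBUTE_TYPE, IBM_ATTRIBUTE_TYPE))
```

Because ldapmodify -c reports existing attributes as errors and continues, a typo in one definition is easy to lose in the output; running check_definition over each attribute pair copied from ibm_v81_schema.ldif catches an OID mismatch or a forgotten DBNAME before the load rather than after.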

Creating a user to store policies


Once you complete the automatic or manual configuration for a new installation, you
must create a directory user, which Entrust IdentityGuard will use to store policies.
Create this entry under the same base DN as the default search base used by Entrust
IdentityGuard. Give the user a recognizable name, such as IG Policy.
Create the user with the same kind of object class you used for existing users in the
directory. A typical IBM Tivoli Directory object class in this case is
organizationalPerson; though any entry derived from the person object class
will do.

Note: Later, during Entrust IdentityGuard installation, you will be asked to
supply the LDAP policy RDN. This is the name of the user you just created,
relative to the base DN. For example, if all the users exist under the base DN
dc=Remote,dc=CompanyOne,dc=com and the DN of the policy user is cn=IG
Policy,dc=Remote,dc=CompanyOne,dc=com, then provide cn=IG Policy as
the LDAP policy RDN during installation.

Your LDAP directory is now configured to work with Entrust IdentityGuard.

Chapter 4

Configuring Novell® eDirectory™

This chapter provides instructions on how to configure Entrust IdentityGuard 8.1 to
operate with Novell® eDirectory™.
The Novell eDirectory administrator must be involved in planning and carrying out
specific tasks.

Preparing the Novell eDirectory
This chapter includes the following sections:
• “Choosing your configuration method” on page 48
• “Configuring the Novell eDirectory with LDIF files” on page 48
• “Configuring the Novell eDirectory manually” on page 50
• “Creating a user to store policies” on page 51

Choosing your configuration method

Before you install Entrust IdentityGuard, you must prepare your LDAP directory for
use with Entrust IdentityGuard.
Choose one of the following configuration methods:
• Use the LDIF files supplied with Entrust IdentityGuard to prepare the LDAP
directory automatically. See “Configuring the Novell eDirectory with LDIF
files”.
• Alternatively, you can prepare the LDAP directory manually. See
“Configuring the Novell eDirectory manually” on page 50.
For a new installation, also see “Creating a user to store policies” on page 51.

Attention: Back up your repository before you load or update the Entrust
IdentityGuard schema.

Note: Complete the procedures in this guide before you install Entrust
IdentityGuard.

Attention: Once you install or upgrade Entrust IdentityGuard, ensure that you
set the identityguard.ldap.GeneralizedTimeWithSubSecs property in
the identityguard.properties file to false. Your Novell eDirectory will
not function properly unless you make this setting.

Configuring the Novell eDirectory with LDIF files

Entrust IdentityGuard uses several directory attributes to store information specific to
Entrust IdentityGuard; so, you need to modify your LDAP directory schema to define
these attributes.

The recommended method is to use one of the LDIF files included with the Entrust
IdentityGuard installation package. The LDIF files set up the required attributes
automatically.

To access the LDIF files

1 Extract the applicable archive file for your operating system. Refer to the Entrust
IdentityGuard Installation Guide for details.
LDIF files are available under the /IG_81/ldif directory included with the
Entrust IdentityGuard installation package. You can access them without having
to install Entrust IdentityGuard.
• If you are installing a new version of Entrust IdentityGuard, use the file
edirectory_v81_schema.ldif.
• If you are upgrading from version 8.0 of Entrust IdentityGuard, use the file
edirectory_v80_to_v81_upgrade.ldif.
• If you are upgrading from version 7.2 of Entrust IdentityGuard, use the file
edirectory_v7x_to_v81_upgrade.ldif.

Loading the LDIF files

To load the directory schema changes, run ldapmodify on the Novell eDirectory
server as described below. The ldapmodify command opens a connection to an
LDAP server, and modifies or adds entries.

To load the LDIF files

1 Open a command window.
2 Navigate to the directory where Novell’s ldapmodify tool is located. The
location varies depending on the operating system. In Windows, look in the
folder C:\novell\consoleone\1.2\bin.
3 Import the applicable LDIF file like this:
ldapmodify -h localhost -D "cn=Directory Manager" -p 389 -w ldappass -f <ldif-file>
Where:
• -h specifies the LDAP host name. In the above examples, the directory is
running on localhost.
• -D specifies a directory administrator DN, such as cn=admin,o=novell,
who has authority to update the schema.
• -p specifies the LDAP port number. The default port is 389 for a non-SSL
connection and 636 for an SSL connection.
• -f specifies the name of the LDIF file. It can be a fully-qualified path name.

• -w specifies the password used for simple authentication.
• ldif-file is the name of the new or upgrade LDIF file.
Once you successfully load the LDIF file for a new installation, follow the instructions
under “Creating a user to store policies” on page 51.

Configuring the Novell eDirectory manually

All procedures in this section apply only if you did not import an Entrust IdentityGuard
LDIF file, as described above in “Configuring the Novell eDirectory with LDIF files”
on page 48.
Entrust IdentityGuard uses several directory attributes to store information. If you do
not use an LDIF file to modify your directory, you must manually modify your LDAP
directory schema to define these attributes following the steps in this section.

To configure the LDAP directory manually

1 Use your schema configuration tool to add attributes with the names and types
listed in Table 2 on page 11.

Note: There are five new attributes related to tokens – numbers IG.2.30 to 34
in Table 2 on page 11. For an upgrade to 8.1, add these attributes.

2 Configure those attributes for ordering and matching as shown in Table 4 on
page 15.
3 Typically, Entrust IdentityGuard does not require indexing with eDirectory and
the LDIF files do not set up indexing. Indexes can improve search performance;
though additional indexes can increase the time spent updating the directory. As
a general rule, create new indexes only if you suspect there are performance
issues with a particular directory lookup. Refer to your eDirectory documentation
for advice on indexing. If you use indexing, configure the attributes as listed
below.

Table 8: LDAP indexing

Attribute              Indexing rules
entrustIGUserNumber    Index for value.
entrustIGUserInfoMac   Index for presence.
entrustIGAdminData     Index for presence.
entrustIGGroup         Index for value.
entrustIGAliases       Index for value.

4 Manually add the object classes and their attributes listed in Table 3 on page 14.
Specify all attributes as optional (that is, use the MAY CONTAIN option).

Note: There are five new attributes related to tokens – numbers IG.2.30 to 34
in Table 2 on page 11. For an upgrade to 8.1, add these to the entrustIGUser
object as optional items.

5 Create an LDAP user DN that has read, write, and modify access to your directory
entries using simple LDAP authentication. Entrust IdentityGuard uses this
account to modify Entrust IdentityGuard user information.

Creating a user to store policies

Once you complete the automatic or manual configuration for a new installation, you
must create a directory user, which Entrust IdentityGuard will use to store policies.
Create this entry under the same base DN as the default search base used by Entrust
IdentityGuard. Give the user a recognizable name, such as IG Policy.
Create the user with the same kind of object class you used for existing users in the
directory. A typical Novell eDirectory object class in this case is inetOrgPerson;
though any entry derived from the Person object class will do.

Note: Later, during Entrust IdentityGuard installation, you will be asked to
supply the LDAP policy RDN. This is the name of the user you just created,
relative to the base DN. For example, if all the users exist under the base DN
dc=Remote,dc=CompanyOne,dc=com and the DN of the policy user is cn=IG
Policy,dc=Remote,dc=CompanyOne,dc=com, then provide cn=IG Policy as
the LDAP policy RDN during installation.

Your LDAP directory is now configured to work with Entrust IdentityGuard.

Chapter 5

Configuring Sun™ ONE Directory

This chapter provides instructions on how to configure Entrust IdentityGuard 8.1 to
operate with Sun™ ONE Directory.
The Sun ONE Directory administrator must be involved in planning and carrying out
specific tasks.

Preparing the Sun ONE Directory
This chapter includes the following sections:
• “Choosing your configuration method” on page 54
• “Configuring the Sun ONE Directory with LDIF files” on page 54
• “Configuring the Sun ONE Directory manually” on page 56
• “Creating a user to store policies” on page 57

Choosing your configuration method

Before you install Entrust IdentityGuard, you must prepare your LDAP directory for
use with Entrust IdentityGuard.
Choose one of the following configuration methods:
• Use the LDIF files supplied with Entrust IdentityGuard to prepare the LDAP
directory automatically. See “Configuring the Sun ONE Directory with LDIF
files”.
• Alternatively, you can prepare the LDAP directory manually. See
“Configuring the Sun ONE Directory manually” on page 56.
For a new installation, also see “Creating a user to store policies” on page 57.

Attention: Back up your repository before you load or update the Entrust
IdentityGuard schema. Restoring your directory from backup files enables you to
undo changes made by any errors, as well as recover from system failures.

Note: Complete the procedures in this guide before you install Entrust
IdentityGuard.

Configuring the Sun ONE Directory with LDIF files

Entrust IdentityGuard uses several directory attributes to store information specific to
Entrust IdentityGuard. Modify your LDAP directory schema to define these attributes.
The recommended method is to use one of the LDIF files included with the Entrust
IdentityGuard installation package. The LDIF files set up the required attributes
automatically.

To access the LDIF files
1 Extract the applicable archive file for your operating system. Refer to the Entrust
IdentityGuard Installation Guide for details.
LDIF files are available under the /IG_81/ldif directory included with the
Entrust IdentityGuard installation package. You can access them without having
to install Entrust IdentityGuard.
• If you are installing a new version of Entrust IdentityGuard, use the file
sunone_v81_schema.ldif.
• If you are upgrading from version 8.0 of Entrust IdentityGuard, use the file
sunone_v80_to_v81_upgrade.ldif.
• If you are upgrading from version 7.2 of Entrust IdentityGuard, use the file
sunone_v7x_to_v81_upgrade.ldif.

Loading the LDIF files

To load the directory schema changes, run ldapmodify on the Sun ONE Directory
server as described below. The ldapmodify command opens a connection to an
LDAP server, and modifies or adds entries.

Note: Do not use the Sun ONE GUI tool to import the LDIF files. Use Sun’s
ldapmodify tool instead.

To load the LDIF files

1 Open a command window.
2 Navigate to the directory where Sun’s ldapmodify tool is located. The location
varies depending on the operating system. In Windows, look for it in the
directory C:\Program Files\Sun\MPS\shared\bin.
3 Import the applicable LDIF file like this:
ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w ldappass -f <ldif-file>
Where:
• -h specifies the LDAP host name. In the above examples, the directory is
running on localhost.
• -p specifies the LDAP port number. The default port is 389 for a non-SSL
connection and 636 for an SSL connection.
• -D specifies a directory administrator who has authority to update the
schema.
• -w specifies the password used for simple authentication.

• -f specifies the name of the LDIF file. It can be a fully-qualified path name.
• ldif-file is the name of the new or upgrade LDIF file.
Once you successfully load the LDIF file for a new installation, follow the instructions
under “Creating a user to store policies” on page 57.

Configuring the Sun ONE Directory manually

All procedures in this section apply only if you did not import an Entrust IdentityGuard
LDIF file, as described above in “Configuring the Sun ONE Directory with LDIF files”
on page 54.
Entrust IdentityGuard uses several directory attributes to store information. If you do
not use an LDIF file to modify your directory, you must manually modify your LDAP
directory schema to define these attributes following the steps in this section.

To configure the LDAP directory manually

1 Use your schema configuration tool to add attributes with the names and types
listed in Table 2 on page 11.

Note: There are five new attributes related to tokens – numbers IG.2.30 to 34
in Table 2 on page 11. For an upgrade to 8.1, add these attributes.

2 Configure those attributes for ordering and matching as shown in Table 4 on
page 15.
3 The following attributes require indexing so that Entrust IdentityGuard can look
them up in the directory. Make sure you configure them as listed below.

Table 9: LDAP indexing

Attribute              Indexing rules
entrustIGUserNumber    Index for equality, ordering.
entrustIGUserInfoMac   Index for presence.
entrustIGAdminData     Index for presence.
entrustIGGroup         Index for equality.
entrustIGAliases       Index for equality.

4 Manually add the object classes and their attributes listed in Table 3 on page 14.
Specify all attributes as optional (that is, use the MAY CONTAIN option).

Note: There are five new attributes related to tokens – numbers IG.2.30 to 34
in Table 2 on page 11. For an upgrade to 8.1, add these to the entrustIGUser
object as optional items.

5 Create an LDAP user DN that has read, write, and modify access to your directory
entries using simple LDAP authentication. Entrust IdentityGuard uses this
account to modify Entrust IdentityGuard user information.

Creating a user to store policies

Once you complete the automatic or manual configuration for a new installation, you
must create a directory user, which Entrust IdentityGuard will use to store policies.
Create this entry under the same base DN as the default search base used by Entrust
IdentityGuard. Give the user a recognizable name, such as IG Policy.
Create the user with the same kind of object class you used for existing users in the
directory. A typical Sun ONE object class in this case is organizationalPerson;
though any entry derived from the Person object class will do.

Note: Later, during Entrust IdentityGuard installation, you will be asked to
supply the LDAP policy RDN. This is the name of the user you just created,
relative to the base DN. For example, if all the users exist under the base DN
dc=Remote,dc=CompanyOne,dc=com and the DN of the policy user is cn=IG
Policy,dc=Remote,dc=CompanyOne,dc=com, then provide cn=IG Policy as
the LDAP policy RDN during installation.

Your LDAP directory is now configured to work with Entrust IdentityGuard.
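The policy-user step is the same for IBM Tivoli Directory Server, Novell eDirectory and Sun ONE Directory (only the typical object class differs), so one added example covers all three "Creating a user to store policies" sections. It is not code from this guide or from Entrust: it writes the LDIF add record for the policy entry under the base DN and derives the LDAP policy RDN the installer prompts for, refusing a DN that is not directly under the search base. The DNs come from the guide's example; the entry's attribute values are constructed.

```python
"""Create the policy user entry the guide asks for and derive the LDAP policy RDN
the installer prompts for. Added example, not Entrust's code; the DNs and the
entry's attribute values are constructed."""

# Object class chains for the classes the guide names; the installer accepts any
# class derived from person, so the full superclass chain is listed explicitly.
CLASS_CHAINS = {
    "person": ["top", "person"],
    "organizationalperson": ["top", "person", "organizationalPerson"],
    "inetorgperson": ["top", "person", "organizationalPerson", "inetOrgPerson"],
}

def split_dn(dn):
    """Split a DN into its RDNs at commas that are not backslash-escaped."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        escaped = (ch == "\\") and not escaped
    parts.append("".join(buf).strip())
    return parts

def policy_rdn(policy_dn, base_dn):
    """Name of the policy user relative to base_dn (e.g. 'cn=IG Policy').
    Rejects a DN that is not an immediate child of the search base, since the
    installer expects a single RDN, not a partial DN."""
    rdns, base = split_dn(policy_dn), split_dn(base_dn)
    if len(rdns) != len(base) + 1 or \
            [r.lower() for r in rdns[1:]] != [b.lower() for b in base]:
        raise ValueError(f"{policy_dn!r} is not directly under {base_dn!r}")
    return rdns[0]

def policy_user_ldif(base_dn, name="IG Policy", object_class="organizationalPerson"):
    """LDIF 'add' record for the policy user. sn is mandatory for person and
    its subclasses, so it is filled with the same value as cn."""
    if any(c in name for c in ',+"\\<>;'):
        raise ValueError("name contains DN special characters; escape it first")
    chain = CLASS_CHAINS[object_class.lower()]
    lines = [f"dn: cn={name},{base_dn}", "changetype: add"]
    lines += [f"objectClass: {oc}" for oc in chain]
    lines += [f"cn: {name}", f"sn: {name}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    base = "dc=Remote,dc=CompanyOne,dc=com"          # base DN from the guide's example
    ldif = policy_user_ldif(base, object_class="inetOrgPerson")   # eDirectory case
    print(ldif)
    print("LDAP policy RDN:", policy_rdn(f"cn=IG Policy,{base}", base))
```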
