
LDAP/Active Directory Guide

Release 4.0
Publication date: October 2004

Copyright © 2004 Xerox Corporation. All Rights Reserved. Xerox ®, The Document
Company®, the digital X and DocuShare® are trademarks of Xerox Corporation. All other
signs or marks are the properties of their respective companies, and recognized as such.
Specifications accurate at time of publication. Specifications subject to change without
notice.
Table of Contents
Chapter 1 Understanding the LDAP structure
LDAP overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–2
LDAP structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–3
Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–3
Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–3
Relative Distinguished Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–3
Distinguished Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–4
Directory Information Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–5
DIT organization based on geographical domains . . . . . . . . . . . . . . . . . . . . . . 1–5
DIT organization based on DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–5

Chapter 2 LDAP/DocuShare configuration


DocuShare Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–8
LDAP and SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–12
Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–12
Import the Certificate to DocuShare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–12
Export the Certificate and Save as a CER File . . . . . . . . . . . . . . . . . . . . . . . . 2–13
Placing the Certificate into DSTrustStore . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–13
The Active Directory Administration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–16
Using the Active Directory Administration tool. . . . . . . . . . . . . . . . . . . . . . . . . 2–17
The Active Directory LDIFDE command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–20
LDIFDE command syntax and usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–21
LDIFDE command example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–22
Analyzing the adexport.txt file contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–25

DocuShare LDAP/Active Directory Guide iii



iv Release 4.0
Understanding the LDAP structure


LDAP overview
While some background information is provided for understanding basic concepts, this
guide does not provide instructions for implementing either LDAP or Windows Active
Directory. The information in this guide assumes the Active Directory server is already in
place and is being managed by either an Active Directory administrator or by an LDAP
administrator. Examples shown in this guide use Microsoft Windows 2000 Server with
Microsoft Internet Explorer (IE) V.6.X.

LDAP, or Lightweight Directory Access Protocol, is a lightweight alternative to the X.500
Directory Access Protocol (DAP). LDAP uses the TCP/IP protocol stack instead of the OSI
protocol stack that is required by X.500. As a lightweight alternative, LDAP simplifies
some operations, but lacks support for some of the features of X.500 DAP.

LDAP is the protocol that is used between a directory client and a server. LDAP defines
the content of messages exchanged between an LDAP client and an LDAP server. The
LDAP client, in this case the DocuShare server, communicates with the LDAP server. The
LDAP server, acting as a gateway, accesses the LDAP directory. The LDAP directory may
be implemented either as a stand-alone directory on the LDAP server or as a directory on
an X.500 server.

DocuShare submits directory content queries to the LDAP server. The LDAP server
accesses the directory, either LDAP or X.500, and returns the results to DocuShare. The
LDAP protocol allows for read and for update client operations on the directory data.

NOTE: DocuShare does not update LDAP directory data. DocuShare only reads the
results of the queries that it sends to the LDAP server.


LDAP structure
Entries within an LDAP directory are organized in a specific hierarchical structure.

Directories
A directory is a special type of database. Directories are optimized to support a high
volume of read requests along with write access that is generally limited to system
administrators. Similar to the white pages of a telephone book, an LDAP directory is read
more times than it is updated.

Just as a telephone book lists individuals, companies, and organizations, an LDAP
directory lists objects such as users, servers, and printers. In the same way that a
telephone book contains information about each listing, such as name, number, and
address, the entries in the LDAP directory contain pertinent information about each object.
This object information is referred to as attributes.

Attributes
Each object entry within an LDAP directory contains one or more attributes. Each attribute
consists of a type and a value. A telephone book entry has attributes such as the
name of a person and a corresponding telephone number. LDAP attributes are written in
the form type=value, for example commonName=Jane Smith and
telephoneNumber=555-555-5555. Table 1–1 lists some common LDAP attributes, along
with the alias associated with each attribute.

Table 1–1: Common LDAP attributes

LDAP Attribute          Attribute Alias  Description of Attribute        Example
commonName              cn               Common name of an entry         Jane Doe
surname                 sn               Last name of the person         Doe
userid                  uid              User ID or login name           jdoe
telephoneNumber         -                Telephone number                555-123-4567
organizationalUnitName  ou               Name of organizational unit     my department
organizationName        o                Name of organization            my company
domainComponent         dc               One component of a DNS name     xyz (from xyz.com)

Relative Distinguished Name
The Relative Distinguished Name, or RDN, is the part of a name that identifies an entry
within its parent. It is written as an attribute pair (type and value), such as:

cn=Jane Doe

uid=smith

ou=marketing

dc=Xerox


Distinguished Name
Entries in the directory are identified by a Distinguished Name (DN). A Distinguished
Name is similar to the absolute path to a file in the Windows file system: the DN of an
object is made up of the name of the entry and its location within the directory.

A DN is made up of RDN attribute pairs, separated by commas, such as:

cn=John Smith,ou=marketing,dc=Xerox,dc=com

cn=John Smith,ou=engineering,dc=Xerox,dc=com

A DN is written from the most specific component (the entry's own RDN) on the left to
the root of the tree on the right. This is the reverse of the order used in a Windows file
system path. Just as the Windows file system allows numerous files to have the same
name if each file is in a different directory, numerous entries can have the same RDN as
long as each DN is unique. As the DN examples above show, a John Smith can be listed
in the marketing department and a John Smith can be listed in the engineering
department.


Directory Information Tree

The directory arranges entries in a hierarchical tree-like structure called the Directory
Information Tree or DIT. A DIT is based on the Distinguished Name of the entries, with the
Distinguished Names organized into branches that generally represent a geographical or
organizational structure. Microsoft Active Directory is often organized either by
geographical domains or by DNS.

DIT organization based on geographical domains

As an example, the administrator at a seafood importing corporation, Acme, might
organize the LDAP directory hierarchy according to geography. To host a DocuShare
server for the Acme company in the US, the administrator would define the DIT Root as
o=Acme, c=us.

To define an external domain for the importing department at Acme, the administrator
would define the Relative Authentication Locator and the Relative Directory Service
Locator as ou=import.

DIT organization based on DNS

As a second example, the administrator at a corporation might organize the LDAP
directory hierarchy according to DNS. The company uses Windows domain servers
for the marketing, engineering, and finance divisions. By defining the DIT root as
dc=mycompany, dc=com, the administrator can create a DocuShare external domain for
each department within a division.

To define an external domain for the Accounts Receivable department in the Finance
division, the administrator would define the Relative Authentication Locator and the
Relative Directory Service Locator as ou=accts recv, dc=finance.



LDAP/DocuShare configuration




DocuShare Configuration
To configure your DocuShare site to use LDAP/Active Directory, log in as admin to your
DocuShare site, then follow procedures A through H. To configure DocuShare correctly,
use either the Active Directory Administration Tool or the Active Directory LDIFDE
command to gather the necessary information. Both information gathering processes are
described in this chapter.

A- LDAP Configuration
Use the DocuShare administration LDAP Configuration page to establish a connection
between your DocuShare server and your LDAP server, and to define the Directory
Information Tree that is used to create DocuShare external domains.

1. Open the LDAP Configuration page of the Administration UI.
2. In the Host(s) field, enter the host name, the IP address, or the DNS name of the
LDAP/Active Directory server (a fully qualified DNS name is preferred; use the IP
address only if no FQDN is available). Use a space to separate multiple LDAP server
address entries.
3. In the Port field, enter the port number used by your LDAP server if it is other
than the default port number 389.
4. Optional: In the SSL field, enter the port number used for Secure Sockets Layer
(636 by default). Without SSL, the simple-bind credentials that DocuShare sends (the
agent account password and the password of every user who logs in through an
external domain) cross the network in clear text, so enter the SSL port whenever the
LDAP server supports it. See LDAP and SSL later in this chapter.
5. In the DIT Root field, enter the base Distinguished Name that you obtained using
the Active Directory Administration Tool search for namingContexts. For example,
this information would be in the format dc=adoc,dc=Xerox,dc=com.
6. In the User RDN Key field, enter the attribute cn. This is the alias for the attribute
commonName. The attribute may be different, depending on the type of LDAP
server used (an iPlanet server, for example, may use uid).
7. Select Agent in the System Agent field.
Most Active Directory servers do not accept anonymous queries and require either
an Agent or a Service account login. Because DocuShare only reads the directory,
this account needs read permission on the branches you intend to expose and
nothing more; do not use a domain administrator account.
8. In the DN field, enter the Distinguished Name of the agent account.
For example, cn=john,cn=users,dc=adoc,dc=xerox,dc=com.
9. In the Password field, enter the password for the Agent account.
10. Go to the Test LDAP section at the bottom of the LDAP Configuration page.
Use Test LDAP to check for a valid connection and a successful login to the LDAP
server.
11. Select Agent in the Connection DN field.
12. In the Name field, enter the Distinguished Name that you entered in the DN field
in step 8.
13. In the Password field, enter the password that you entered in the Password field
in step 9.


14. Click Apply and Test.
You will see a "Success" message if you have correctly established a connection
to the LDAP server.
15. Repeat steps 11 through 14, but select User in the Connection DN field.

NOTE: This test does not check the validity of the DIT Root nor the Relative
Authentication Locator of any external domains. The test checks only whether
DocuShare received a positive response from the LDAP server.

B- Advanced Configuration
Use LDAP Advanced configuration to set how specific object classes are defined on your
LDAP server.

1. Click Advanced located at the bottom of the LDAP Configuration page.


The LDAP Advanced Configuration page appears.
2. At the bottom of the LDAP Advanced Configuration page, locate the section titled
Object Classes.
3. In the User field, replace the default entry person, with the word user (all
lowercase).
4. In the Static Group field, replace the default entry groupOfUniqueNames, with
the word group (all lowercase).
5. Click Apply.

C- Enable LDAP Providers


Use the DocuShare administration Security Services and Directory Service pages to
enable both the Security and Directory Provider Services for LDAP. This allows users to
select the LDAP External Domains from the Domains drop down list at the Login prompts.

1. Open the Security Services page of the Administration UI.


2. On the Security Services page, check the LDAP box to enable LDAP as the
authentication provider for all external domains, then click Apply.
3. Open the Directory Service page of the Administration UI.
4. On the Directory Service page, check the LDAP box to enable LDAP as the
directory service provider for all external domains, then click Apply.


D- Bind User
Use the DocuShare administration Bind User page to establish an association between
DocuShare account properties and LDAP account attributes.

1. Open the Bind User page of the Administration UI.


2. In the First Name field, enter the attribute that LDAP uses for the first name of a
user. This is generally givenName.
3. In the Last Name field, enter the attribute that LDAP uses for the last name of a
user. This is generally surname or sn. This is a required field.
4. In the Username field, enter the attribute that LDAP uses for the login name of a
user. On Active Directory this is generally sAMAccountName. This is a required field.
5. If the LDAP directory contains additional attributes, such as email
address, mail stop, telephone number, or home page, enter those attributes in the
appropriate fields on the Bind User page.
6. Click Apply to save this information.

E- Bind Group
Use the DocuShare administration Bind Group page to establish an association between
DocuShare group properties and LDAP group attributes.

1. Use the information you obtained using the LDIFDE command and enter those
attributes in the appropriate fields on the Bind Group page.
For more information, refer to the section of this chapter titled The Active
Directory LDIFDE command, under Analyzing the adexport.txt file contents, E. Bind
Group Properties.
2. Click Apply to save this information.

F- Create Domain
Use the DocuShare administration Domains page to create external domains on your
local DocuShare site. Each DocuShare external domain represents a branch in the LDAP
directory tree, and each branch contains a collection of DocuShare user and group
accounts.

1. Open the Domains page of the Administration UI.
2. In the Add field, enter the name of the external domain that you want to add to
your local site.
This may be simply a descriptive name, such as Engineering.
3. Select LDAP/LDAP in the Providers/Security Services and Providers/Directory
Services pages of the Admin UI.
4. In the Relative Authentication Locator field, enter one or more attribute pairs to
define the path to the directory branch that contains the user and group accounts.
Use the attribute components of the DN that are to the left of the DIT root and to
the right of the user RDN.


For example, the DN for a user account in a domain is
cn=<user name>,ou=engineering,ou=docushare,dc=adoc,dc=xerox,dc=com. The
Engineering domain is in the ou=engineering,ou=docushare branch, and the DIT root is
dc=adoc,dc=xerox,dc=com, so the Relative Authentication Locator for the Engineering
domain is ou=engineering,ou=docushare.
5. In the Relative Directory Service Locator field, enter one or more attribute pairs.
Use the same attribute pairs that you entered in the Relative Authentication
Locator field.
DocuShare supports only LDAP for Authentication and Directory services, so
the values for Relative Authentication Locator and Relative Directory Service
Locator are identical.
6. Click Add to add this external domain to your local login menu.
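The rule in step 4 (take the RDNs between the user RDN and the DIT root) is easy to get wrong by hand on a long DN, and a value that contains an escaped comma splits in the wrong place if you split on every comma. The following Python script is an added example, not DocuShare code: it splits a DN into RDNs while honouring backslash escapes, checks that the DN really lies below the DIT root (comparing attribute types and values case-insensitively, as Active Directory does), and returns the value to enter in the Relative Authentication Locator field. The DNs it uses are made up for the example.

```python
"""Derive the Relative Authentication Locator from a user DN and the DIT root.

Added example; not DocuShare code. The DNs used here are made up.
"""


def split_dn(dn):
    """Split a DN into its RDN strings on commas that are not escaped with '\\'.

    A value such as cn=Smith\\, John contains an escaped comma and must not
    be split there (RFC 4514 escaping).
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def _normalized(rdns):
    """(type, value) pairs, lower-cased: attribute types and AD values are case-insensitive."""
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().lower(), value.strip().lower()))
    return pairs


def is_under(dn, dit_root):
    """True if dn lies strictly below dit_root (the root's RDNs are dn's rightmost RDNs)."""
    dn_rdns, root_rdns = split_dn(dn), split_dn(dit_root)
    if not root_rdns or len(dn_rdns) <= len(root_rdns):
        return False
    return _normalized(dn_rdns[-len(root_rdns):]) == _normalized(root_rdns)


def relative_locator(user_dn, dit_root, user_rdn_key="cn"):
    """Return the RDNs between the user RDN and the DIT root, joined with commas.

    This is the value for the Relative Authentication Locator (and the identical
    Relative Directory Service Locator) of the domain that contains the user.
    """
    user_rdns = split_dn(user_dn)
    if not user_rdns or user_rdns[0].partition("=")[0].strip().lower() != user_rdn_key.lower():
        raise ValueError("leftmost RDN of %r is not %s=" % (user_dn, user_rdn_key))
    if not is_under(user_dn, dit_root):
        raise ValueError("%r is not below DIT root %r" % (user_dn, dit_root))
    middle = user_rdns[1:len(user_rdns) - len(split_dn(dit_root))]
    if not middle:
        raise ValueError("entry sits directly under the DIT root; no locator to enter")
    return ",".join(middle)


if __name__ == "__main__":
    dn = "cn=user name,ou=engineering,ou=docushare,dc=adoc,dc=xerox,dc=com"
    print(relative_locator(dn, "dc=adoc, dc=Xerox, dc=com"))  # ou=engineering,ou=docushare
```

Run it with the DN of any account that the Active Directory Administration Tool or LDIFDE reports for the branch you are exposing, together with the DIT Root you entered on the LDAP Configuration page; a ValueError means the DN is not inside that root, which is exactly the mismatch that the Test LDAP button (procedure A, note after step 15) does not detect.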

G- Add
After you have completed the LDAP Configuration, Providers, Bind User, and Domains
pages, you are ready to add user and group accounts to the external domain on your
DocuShare site. If you were to List Users or List Groups in the new external domain, the
domain would be empty. What you must do now is open the domain on the LDAP server,
and select those user and group accounts that you want as members of your local
external domain.

1. Open the Add page of the Administration UI.


This is not the same page as Add User.
2. Select a domain from the By User domain menu.
3. Select one or more accounts from the User or Group list.
Accounts not selected will not be able to login nor access the DocuShare site.
4. Click Add.
The accounts selected now are part of the external domain as it appears on the
DocuShare site.
5. Open the List Users page of the Administration UI, and select the newly added
domain from the Domain menu.
The List Users page displays all of the accounts that you just added to the
external domain.

H- View Login
1. Return to the DocuShare home page.
2. In the Login section of the home page, the new external domain should appear in
the Login Domain menu.
3. A user of an external domain must select the correct domain for login, or
DocuShare displays a login error message and a request to retry.


LDAP and SSL

Secure Sockets Layer, or SSL, is a protocol that was originally developed by Netscape
for protecting data in transit over the Internet. An SSL client and server use public-key
cryptography, together with the server's certificate, to authenticate the server and agree
on a session key; the data exchanged over the connection is then encrypted with that
session key. Both Netscape Navigator and Internet Explorer support SSL. Many Web sites
use SSL to collect confidential user information, such as credit card numbers and
account passwords. In a browser, an SSL session is initiated by using a URL that begins
with https instead of http; for LDAP, the equivalent is an LDAP-over-SSL (LDAPS)
connection, normally on port 636.

Certificates
When using SSL, servers (and optionally clients) present certificates to prove their
identity before a secure connection is established. A certificate contains the holder's
public key, signed by its issuer; the matching private key stays with the holder and is
never part of the certificate. Public-key operations during the handshake produce a
session key, and the server and client then use that session key to encrypt and decrypt
data.

Certificates may be self-signed or they can be issued by a certificate authority (CA) such
as Entrust, Equifax, Valicert, or Verisign. Certificates issued by a CA are considered to be
from a trusted third-party authority. Basically, the third-party authority vouches for the
identity of the certificate holder. Most client browsers are configured to recognize and
trust certificates issued by well-known CAs.

When a certificate is self-signed, the administrator is acting as the certificate authority.
A self-signed certificate is not recognized as coming from a trusted third party, so it must
be installed explicitly in the client's trusted-authorities store.

Certificates are issued as either client or server certificates. DocuShare does not support
client-side certificates. DocuShare keeps a copy of the LDAP server's certificate in its own
trust store (DSTrustStore) and uses it to verify the identity of the LDAP server when it
establishes the SSL session.

Import the Certificate to DocuShare

Depending on the CA that issued the certificate, the administrator may need to import the
certificate from the LDAP server to the web browser certificate store on the DocuShare
server. If the certificate is self-signed, the administrator must import it.

To import the certificate from a specific LDAP server:

1. Open a web browser at the DocuShare server.
2. Connect to the LDAP server using the address https://<your.ldap.server>:636.
Port 636 is the standard port for LDAP over SSL (LDAPS). The LDAP server does not
serve web pages; the browser is used here only because it completes the SSL
handshake, which is enough to obtain the server certificate, before it reports an error.
3. If the certificate has not been installed on the DocuShare server's browser, a
Security Alert window appears prompting you to install the certificate.
4. To install the certificate, click View Certificate at the bottom of the Security Alert
window.
A Certificate window appears. Check that the name shown in the Issued to field is
the host name you entered in the Host(s) field on the LDAP Configuration page; that
is the name DocuShare will connect to.
5. Click the Details tab, then click the Copy to File button.
The Certificate Export Wizard starts.


Export the Certificate and Save as a CER File

After you have imported the certificate from the LDAP server, you need to export the
certificate to a directory on the DocuShare server and save it as a certificate file.

To export the certificate and save it as a certificate file:

1. Click Next at the bottom of the Wizard window.


If the certificate contained a private key, the Export Private Key window appears.
2. In the Export Private Key window, select No, do not export the private key.
DocuShare will not need a private key to establish an SSL session with the LDAP
server.
3. Click Next.
The Export File Format window appears.
4. Select Base-64 encoded X.509 (.CER) in the Export File Format window.
5. Click Next.
The File to Export prompt window appears.
6. Enter in the File name field, the directory path to a location on your drive where
you want to export the certificate. For example D:\.
7. Enter in the File name field, behind the directory path, a file name for the
certificate with the extension .cer. For example D:\SSL_Cert4LDAP.cer.
8. Click Next to complete the certificate export.
The Completing Certificate Export Wizard window appears.
9. Click Finish to close the Wizard.
The LDAP certificate is saved as a .cer file on your DocuShare site.
10. Follow the instructions on the next page, Placing the certificate into
DSTrustStore.

Placing the Certificate into DSTrustStore

Now that you have saved the certificate as a certificate file, you must place it in the
DSTrustStore file.

To place the certificate .cer file into the DSTrustStore file:

1. Locate the .cer file you exported using the Certificate Export Wizard.
2. Copy the .cer file to the directory containing the DSTrustStore file,
<ds3_install-dir>\jdk1.3.1\jre\lib\security.


3. Open a command prompt window and navigate to the directory containing
dstruststore.

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>cd \Xerox\DocuShare\jdk1.3.1\jre\lib\security
C:\Xerox\DocuShare\jdk1.3.1\jre\lib\security>dir
 Volume in drive C is Local Disk
 Volume Serial Number is 508B-0D2F

 Directory of C:\Xerox\DocuShare\jdk1.3.1\jre\lib\security

18-11-02  15:55       <DIR>          .
18-11-02  15:55       <DIR>          ..
02-10-02  12:25               7,365 cacerts
02-10-02  12:26                 589 dstruststore
02-10-02  12:26               2,271 java.policy
02-10-02  12:26               4,115 java.security
10-11-02  15:43                 844 SSL_Cert4LDAP.cer
               5 File(s)         15,184 bytes
               2 Dir(s)   1,486,024,704 bytes free

C:\Xerox\DocuShare\jdk1.3.1\jre\lib\security>

4. At the command prompt, add the JDK bin directory to the PATH environment
variable so that keytool can be found: set PATH=%PATH%;<ds3_install-dir>\jdk1.3.1\bin

C:\Xerox\DocuShare\jdk1.3.1\jre\lib\security>set PATH=%PATH%;C:\Xerox\DocuShare\jdk1.3.1\bin

5. After you have set the PATH variable, at the command prompt, enter keytool
without arguments.
The Keytool utility help appears, which confirms that keytool is on the PATH. Keytool is
the utility that places the SSL certificate in the DSTrustStore.
6. At the command prompt, enter the keytool command keytool -import -alias
<alias_name> -file <cert_file> -keystore dstruststore
Replace <alias_name> with a unique name for the certificate (without spaces).
Replace <cert_file> with the name of the certificate file (.cer) that you exported
and copied to the directory containing the dstruststore file.


7. Press Enter to start the command.
A request for the keystore password appears.
8. Enter the DSTrustStore password and press Enter.
Keytool prints the certificate's owner, issuer, validity period, and fingerprints, and
asks whether to trust it.

C:\Xerox\DocuShare\jdk1.3.1\jre\lib\security>keytool -import -alias TestLDAPssl -file SSL_Cert4LDAP.cer -keystore dstruststore
Enter keystore password:
Owner: OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
Issuer: OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
Serial number: 5ee8abd44c2cd2b14ffbee159f03d354
Valid from: Tue Feb 19 10:57:21 PST 2002 until: Thu Jan 26 10:57:21 PST 2102
Certificate fingerprints:
MD5: 78:C7:A3:04:32:69:EB:97:76:FE:F4:8A:11:A2:65:26
SHA1: 02:DD:9A:BE:BE:DE:3C:AA:22:AE:14:9A:F2:F2:5B:11:61:6D:5A:5F
Trust this certificate? [no]: yes
Certificate was added to keystore

C:\Xerox\DocuShare\jdk1.3.1\jre\lib\security>

Before answering yes, compare the Owner line and the fingerprints with the values the
LDAP administrator gives you through a separate channel (for example, the fingerprints
shown in the certificate console on the server itself). Answering yes makes DocuShare
trust whatever certificate is in the file for every SSL session with the LDAP server. The
Owner should identify the LDAP server, normally with CN set to its host name. The
certificate in the transcript above, whose Owner and Issuer are an EFS File Encryption
Certificate for Administrator, is an EFS file-encryption certificate rather than a server
certificate for an LDAP host; it illustrates the keytool dialog only.

9. Examine the screen output to ensure that Keytool successfully added the
certificate to the keystore ("Certificate was added to keystore"). If Keytool completed
the operation, your DocuShare server is now ready to use the certificate to establish an
SSL session with your LDAP server.
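Step 8 is the only point at which you decide whether the certificate in the .cer file is genuine, and keytool gives you nothing to compare against except the fingerprints it prints. The following Python script is an added example, not DocuShare or keytool code: it reads a Base-64 .cer file, refuses one that also carries a private key (the wizard step "No, do not export the private key" exists for a reason), computes the MD5 and SHA1 fingerprints in the same colon-separated form keytool prints, and compares the SHA1 fingerprint against a value obtained out of band from the LDAP administrator. SAMPLE_CER is a constructed placeholder whose body decodes to the bytes abc, not a real certificate, so the fingerprints it yields are those of abc; pass the path of your real SSL_Cert4LDAP.cer on the command line instead.

```python
"""Check a Base-64 .cer file before importing it into DSTrustStore.

Added example; not DocuShare or keytool code. SAMPLE_CER is a constructed
placeholder whose body is the bytes b"abc", not a real certificate; it only
exercises the PEM handling and the fingerprint arithmetic.
"""
import base64
import hashlib
import hmac
import sys

SAMPLE_CER = """\
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def has_private_key(pem_text):
    """True if the file carries a PRIVATE KEY block as well as (or instead of) a certificate."""
    return "PRIVATE KEY-----" in pem_text


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a Base-64 (.cer) file.

    Refuses files that also carry a private key: the trust store only needs the
    public certificate, and a private key copied around with it would let anyone
    who obtains the file impersonate the LDAP server.
    """
    if has_private_key(pem_text):
        raise ValueError("file contains a private key; export the certificate only")
    body, inside = [], False
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside = True
        elif line == "-----END CERTIFICATE-----":
            break
        elif inside and line:
            body.append(line)
    if not inside or not body:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(body), validate=True)


def fingerprint(der, algorithm="sha1"):
    """Fingerprint in the colon-separated upper-case form that keytool prints."""
    digest = hashlib.new(algorithm, der).digest()
    return ":".join("%02X" % b for b in digest)


def fingerprint_matches(der, expected, algorithm="sha1"):
    """Compare against a fingerprint obtained out of band, ignoring colons, spaces and case."""
    got = fingerprint(der, algorithm).replace(":", "").lower()
    want = expected.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(got, want)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CER
    der = pem_to_der(text)
    print("MD5: ", fingerprint(der, "md5"))
    print("SHA1:", fingerprint(der, "sha1"))
    if len(sys.argv) > 2:
        print("matches expected SHA1:", fingerprint_matches(der, sys.argv[2]))
```

The values printed must equal the MD5 and SHA1 lines keytool shows at the Trust this certificate? prompt; if they do not, the file on disk is not the one keytool is reading. Pass the administrator-supplied SHA1 as a second argument to get a yes/no answer without comparing forty hex digits by eye.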


The Active Directory Administration Tool

You can use the Active Directory Administration Tool (ldp.exe) to perform various
operations on an Active Directory and to query an LDAP directory server.

To install and use the Active Directory Administration Tool to help configure your
DocuShare site:

1. Open the Windows 2000 server software CD, and locate and read the
sreadme.doc file.
2. Locate the file setup.exe in the Support\Tools directory.
3. Click the setup.exe file to begin the installation of the ldp.exe file.
4. Follow the on screen instructions to install the ldp.exe.
5. After installation has completed, open the Windows Start menu and click the
Active Directory Administration Tool.
This launches ldp.exe and the Active Directory Administration Tool appears. The
Tool has a navigation bar with commands, and a left and right frame where it
displays information.


Using the Active Directory Administration tool

You can use the Active Directory Administration Tool to collect information about your
LDAP server that you need to configure your DocuShare site to use the server for external
domains. Follow procedures A through F.

NOTE: This procedure is based on using the tool to collect information from a typical
LDAP server setup. Variations may occur, depending on how the server was
configured.

A- Connect
1. Select Connection from the Active Directory Administration Tool navigation bar,
and then select Connect from the Connection menu.
The Connect dialog box appears.
2. Enter in the Server field either the IP address or the DNS name of the LDAP
Active Directory server.
3. Enter in the Port field the port number used, if other than the displayed default.
4. Click OK.
You have now set the LDAP server address and port number.

B- Bind
After setting up the connection to the LDAP server, you must bind to the server with an
account that has permission to search the directory. Read permission is sufficient for the
information gathered here; you do not need to bind as a domain administrator.

1. Select Connection from the Active Directory Administration Tool navigation bar,
and then select Bind from the Connection menu.
The Bind dialog box appears.
2. Enter the user account name in the User field, the password in the Password field,
and the domain in the Domain field.
3. Click OK.
If you have successfully connected to and bound to the LDAP server, the server
displays response text in the right frame of the Active Directory Administration Tool.


C- Locate the base Distinguished Name

The base DN is the starting point for our examination of the directory tree.

1. Search the response text in the right frame of the Active Directory Administration
Tool (the rootDSE attributes returned when you connected) for namingContexts; on
Active Directory, the defaultNamingContext attribute gives the domain partition
directly.
The format of the naming context will vary depending on the LDAP server that you
are using.
2. The value shown is the base Distinguished Name for the DIT.
For example, the base DN might be dc=adoc,dc=Xerox,dc=com.
Your actual Base DN may differ according to the unique structure of your LDAP
directory tree. Write down this information for later use.

D- View the Directory Information Tree

1. Select View from the Active Directory Administration Tool navigation bar, and
then select Tree from the View menu.
The Tree View dialog box appears.
2. In the BaseDN field, enter the base Distinguished Name that you found in your
naming context search above.
3. Click OK.
The DIT for your LDAP server is displayed in the left frame of the Active Directory
Administration Tool window.
4. Examine the Tree to determine where your DIT root will be for any DocuShare
external domains that you want to create.
The root should be high enough in the hierarchy to include all of the branches
(such as organizationalUnit and domainComponent entries) that will have access to
the DocuShare server, and no higher than necessary.
For our example, we are going to use dc=adoc,dc=xerox,dc=com as our DIT root
because we want to include only the users in the ADOC domain and not everyone
at Xerox.com.

E- Find the Agent Account

In most cases an Active Directory does not accept anonymous queries to the
directory. This requires the use of either an Agent or a Service account to query the
server. Use the Search command to find the DN of the Agent account.

1. Select Browse from the Active Directory Administration Tool navigation bar, and
then select Search from the Browse menu.
The Search dialog box appears.
2. Enter a Base DN in the Base DN field.
Depending on the Base DN value used and the location in the hierarchy of the
Agent account, you may need to select Subtree to expand the search scope.
3. Enter a filter in the Filter field.
We used the sAMAccountName attribute for our filter, for example
(sAMAccountName=TestUser1), since we knew the login name of the Agent account.
This attribute is unique to Active Directory and is a carryover from Windows NT. If we
knew the commonName (cn) of the account we could have used (cn=Peter Pan)
instead. An iPlanet server may use the uid or commonName (cn) attribute.
4. Select the Scope of the search.
Select Subtree if One Level is not wide enough.
5. Click Run.
The results of your search appear as text in the right frame of the Active
Directory Administration Tool window. For example, a search might show that the
distinguishedName for the Agent account is
cn=TestUser1,cn=users,dc=adoc,dc=xerox,dc=com.

F- Next step
After following procedures A through E, you should be able to use the Active Directory
Administration Tool to gather the information you need to configure your DocuShare site
to use LDAP for user account authentication:

• The IP address or the DNS name of the LDAP server
• The DIT Root
• The Agent account for DocuShare


The Active Directory LDIFDE command

If you are running your LDAP server under Windows 2000 or Windows Server 2003 you
can use the LDIFDE command to write the contents of the entire LDAP directory, or of a
specific branch within the LDAP directory, to a text file. This text file contains most of the
information you need to configure DocuShare for use with LDAP.

The text file generated by LDIFDE is the primary file that is used by DocuShare Support to
troubleshoot LDAP configuration issues. Treat it as confidential: it lists every account,
group, and group membership in the part of the directory you exported, so limit the
export to the branch DocuShare needs (the -d and -r options) and delete the file when
Support no longer needs it.

RESOURCES: For more information on using the LDIFDE command, go to
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q237/6/77.ASP&NoWebContent=1


LDIFDE command syntax and usage

To use the LDIFDE command, open a command prompt window on your LDAP server,
enter ldifde -? at the prompt (for example, C:\Windows\system32>ldifde -?) and press Enter.

LDIFDE returns the following:

LDIF Directory Exchange

General Parameters
==================
-i Turn on Import Mode (The default is Export)
-f filename Input or Output filename
-s servername The server to bind to (Default to DC of logged in Domain)
-c FromDN ToDN Replace occurences of FromDN to ToDN
-v Turn on Verbose Mode
-j Log File Location
-t Port Number (default = 389)
-u Use Unicode format
-? Help

Export Specific
===============
-d RootDN The root of the LDAP search (Default to Naming Context)
-r Filter LDAP search filter (Default to "(objectClass=*)")
-p SearchScope Search Scope (Base/OneLevel/Subtree)
-l list List of attributes (comma separated) to look for in an LDAP search
-o list List of attributes (comma separated) to omit from input.
-g Disable Paged Search.
-m Enable the SAM logic on export.
-n Do not export binary values

Import
======
-k The import will go on ignoring 'Constraint Violation' and 'Object
Already Exists' errors
-y The import will use lazy commit for better performance

Credentials Establishment
=========================
Note that if no credentials is specified, LDIFDE will bind as the currently
logged on user, using SSPI.

-a UserDN [Password | *] Simple authentication
-b UserName Domain [Password | *] SSPI bind method

Example: Simple import of current domain
ldifde -i -f INPUT.LDF

Example: Simple export of current domain
ldifde -f OUTPUT.LDF

Example: Export of specific domain with credentials
ldifde -m -f OUTPUT.LDF
-b USERNAME DOMAINNAME *
-s SERVERNAME
-d "cn=users,DC=DOMAINNAME,DC=Microsoft,DC=Com"
-r "(objectClass=user)"


LDIFDE command example

The following is an example of an LDIFDE command that writes the content of the Active
Directory on a server named Corvette to a text file named adexport.txt.

Run the LDIFDE command: enter C:\Windows\system32\LDIFDE.exe -f adexport.txt -s corvette
and press Enter.

The command runs and displays its progress:

C:\Documents and Settings\Administrator>LDIFDE -f adexport.txt -s corvette
Connecting to "corvette"
Logging in as current user using SSPI
Exporting directory to file adexport.txt
Searching for entries...
Writing out entries.............................................................
.......................................................................
132 entries exported

The command has completed successfully


The generated adexport.txt file

Below are the contents of the adexport.txt file that the LDIFDE command generated in our
example. This example shows only a portion of the total file content. Pay close attention to
the bolded items; these are the items you need to configure DocuShare to use this specific
LDAP server.

dn: DC=infodev,DC=dsbu,DC=xerox,DC=com
changetype: add
masteredBy:CN=NTDS Settings, CN=CORVETTE, CN=Servers, CN=infodev-dsbu-site, CN=Sites,CN=Configuration, DC=infodev, DC=dsbu, DC=xerox, DC=com
auditingPolicy:: AAE=
creationTime: 127199619543431088
dc: infodev
forceLogoff: -9223372036854775808
fSMORoleOwner:CN=NTDS Settings, CN=CORVETTE, CN=Servers,CN=infodev-dsbu-site, CN=Sites, CN=Configuration, DC=infodev, DC=dsbu, DC=xerox, DC=com
...
[Sample Directory Record for a single User]
dn: CN=Duncan Donkey, OU=Digital, OU=Actors, DC=infodev, DC=dsbu,
DC=xerox, DC=com
changetype: add
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
cn: Duncan Donkey
countryCode: 0
displayName: Duncan Donkey
mail: ddonkey@infodev.xerox.com
givenName: Duncan
instanceType: 4
lastLogoff: 0
lastLogon: 0
logonCount: 0
distinguishedName: CN=Duncan Donkey, OU=Digital, OU=Actors, DC=infodev, DC=dsbu, DC=xerox, DC=com
objectCategory:CN=Person, CN=Schema, CN=Configuration, DC=infodev, DC=dsbu, DC=xerox,DC=com
objectClass: user
objectGUID:: xmi02W78lEmpYca7AtiupQ==
objectSid:: AQUAAAAAAAUVAAAAqDfWZRUlr0f4n7R0bgQAAA==
primaryGroupID: 513
pwdLastSet: 127293917905389760
name: Duncan Donkey
sAMAccountName: duncan
sAMAccountType: 805306368
sn: Donkey
userAccountControl: 512
userPrincipalName: duncan@infodev.dsbu.xerox.com
uSNChanged: 7353
uSNCreated: 7349
whenChanged: 20040518220950.0Z
whenCreated: 20040518220933.0Z
...


Text file continued...

[Sample Directory Record for a Group]
dn: CN=labusers,CN=Users,DC=infodev,DC=dsbu,DC=xerox,DC=com
changetype: add
member: CN=Greg Wong,CN=Users,DC=infodev,DC=dsbu,DC=xerox,DC=com
member: CN=Janet Gilmore,CN=Users,DC=infodev,DC=dsbu,DC=xerox,DC=com
member: CN=Jennings\, Ferris,CN=Users,DC=infodev,DC=dsbu,DC=xerox,DC=com
member: CN=Cua\, Kiam T,CN=Users,DC=infodev,DC=dsbu,DC=xerox,DC=com
info: Authorized Login User to the InforDev Lab
cn: labusers
description: InfoDev Lab Users
groupType: -2147483644
instanceType: 4
distinguishedName:CN=labusers, CN=Users, DC=infodev, DC=dsbu, DC=xerox, DC=com
objectCategory: CN=Group, CN=Schema, CN=Configuration, DC=infodev, DC=dsbu, DC=xerox, DC=com
objectClass: group
objectGUID:: Cm9phZkOn0ig4iEWMRPWsg==
objectSid:: AQUAAAAAAAUVAAAAqDfWZRUlr0f4n7R0VgQAAA==
name: labusers
sAMAccountName: labusers
sAMAccountType: 536870912
uSNChanged: 3975
uSNCreated: 2540
whenChanged: 20040302161513.0Z
whenCreated: 20040130190128.0Z
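Reading an export like the one above by hand works for a handful of records, but a 132-entry file is easier to check programmatically. The following Python code is an added example, not part of the DocuShare guide or of the LDIFDE tool: a small LDIF parser that unfolds continuation lines, decodes the base64 values that LDIFDE marks with a double colon, and collects multi-valued attributes such as member, then renders the binary objectSid in the familiar S-1-5-21 form and names the userAccountControl bits that a reviewer usually wants to see (a disabled account, or one with no password required). The LDIF excerpt is constructed for this example and modelled on the adexport.txt sample; the objectSid and DNs are the ones the sample shows, and the function names are this example's own.

```python
import base64
import struct

# Constructed excerpt in real LDIF syntax, modelled on the adexport.txt sample
# above. The second line of the first dn is a continuation line: it starts
# with a single space, which LDIF strips before appending it to the line before.
SAMPLE_LDIF = """\
dn: CN=Duncan Donkey, OU=Digital, OU=Actors, DC=infodev, DC=dsbu,
  DC=xerox, DC=com
changetype: add
cn: Duncan Donkey
objectClass: user
objectSid:: AQUAAAAAAAUVAAAAqDfWZRUlr0f4n7R0bgQAAA==
sAMAccountName: duncan
userAccountControl: 512
mail: ddonkey@infodev.xerox.com

dn: CN=labusers,CN=Users,DC=infodev,DC=dsbu,DC=xerox,DC=com
changetype: add
member: CN=Greg Wong,CN=Users,DC=infodev,DC=dsbu,DC=xerox,DC=com
member: CN=Jennings\\, Ferris,CN=Users,DC=infodev,DC=dsbu,DC=xerox,DC=com
objectClass: group
sAMAccountName: labusers
"""

# userAccountControl bits as defined by the Active Directory schema
# (only the ones an account review normally looks at).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}


def parse_ldif(text):
    """Return a list of records, each a dict {attribute: [value, ...]}.

    Folded lines (leading space) are joined to the line before them, values
    introduced by '::' are base64-decoded to bytes, and a repeated attribute
    such as member accumulates every value it is given.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records, current = [], {}
    for line in unfolded + [""]:  # trailing blank line flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not name or not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    return records


def sid_to_string(sid):
    """Render a binary objectSid as S-<revision>-<authority>-<sub>-...-<RID>."""
    revision, sub_count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, sid[8:8 + 4 * sub_count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def uac_flags(value):
    """Names of the set userAccountControl bits listed in UAC_FLAGS."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def summarize(records):
    """Map each sAMAccountName to the fields DocuShare configuration needs."""
    out = {}
    for rec in records:
        entry = {"objectClass": rec["objectClass"][0], "dn": rec["dn"][0]}
        if "objectSid" in rec:
            entry["sid"] = sid_to_string(rec["objectSid"][0])
        if "userAccountControl" in rec:
            entry["flags"] = uac_flags(int(rec["userAccountControl"][0]))
        if "member" in rec:
            entry["members"] = rec["member"]
        out[rec["sAMAccountName"][0]] = entry
    return out


if __name__ == "__main__":
    for name, info in summarize(parse_ldif(SAMPLE_LDIF)).items():
        print(name, info)
```

To run it over a real export, read adexport.txt (LDIFDE writes it with the -u option in Unicode, otherwise in the local code page) and pass the text to parse_ldif; the objectSid values shared by the user and the group records confirm they belong to the same domain, differing only in the final RID.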


Analyzing the adexport.txt file contents


Our example adexport.txt file uses the Distinguished Name (DN) for Duncan Donkey, a
member of the Digital Actors team in the InfoDev department of DSBU at Xerox
Corporation.

In our example, the DN for Duncan Donkey is defined as: CN=Duncan Donkey,
OU=Digital, OU=Actors, DC=infodev, DC=dsbu, DC=xerox, DC=com

By examining a user's Distinguished Name you can find the information necessary to
identify:

a. The Directory Information Tree (DIT) Root
b. The User RDN Key
c. The Relative Authentication and Directory Service Locators
d. Bind User Attributes
e. Bind Group Attributes

A. The Directory Information Tree (DIT) Root

Set the DIT root at the level of the directory tree that will include all branches of the
directory that contain users who need access to the DocuShare server. In our example,
only members of the DSBU organization at Xerox will have access to our sample
DocuShare server.

The DSBU organization includes several departments and teams within each department.
These departments and teams are organized in the LDAP Directory by Domain
Components (DC) and Organizational Units (OU). For our example we will set up an
External Domain in DocuShare to authenticate users who are members of the Digital
Actors Team in the InfoDev department at DSBU within Xerox Corporation.

In our example, the DIT root of the DN for Duncan Donkey is the trailing part
DC=dsbu, DC=xerox, DC=com, shown here in context:
CN=Duncan Donkey, OU=Digital, OU=Actors, DC=infodev, DC=dsbu, DC=xerox,
DC=com

By defining the DIT root at this level in the hierarchy, external domains can be created for
each department/team within DSBU.

B. The User RDN Key

The User RDN Key is the attribute alias used to identify the User.

In our example, the User RDN key of the DN for Duncan Donkey is CN, the attribute of
the first RDN (CN=Duncan Donkey), shown here in context:
CN=Duncan Donkey, OU=Digital, OU=Actors, DC=infodev, DC=dsbu, DC=xerox,
DC=com

C. The Relative Authentication and Directory Service Locators

The Relative Authentication and Directory Service Locators are the pointers to the
directory branch of the external domain that contains a specific user, users, or group.


In our example, the Relative Authentication and Directory Service Locator is the part
OU=Digital, OU=Actors, DC=infodev that lies between the user RDN and the DIT root,
shown here in context: CN=Duncan Donkey, OU=Digital, OU=Actors, DC=infodev,
DC=dsbu, DC=xerox, DC=com.

D. Bind User Attributes

The text file generated by the LDIFDE command contains the attribute aliases that are
used to identify the last name, user name, and Email address of each user listed. You will
use these attribute aliases to configure the DocuShare LDAP Bind User properties.

In the LDIFDE command text file, users within the LDAP directory are identified with the
entry objectClass: user.

In our example, you will find the LDAP attribute aliases for the following properties:

Last Name = sn

User Name = sAMAccountName

Email Address = mail

In our example, the values given to these LDAP attribute aliases are:

sn: Donkey

sAMAccountName: duncan

mail: ddonkey@infodev.xerox.com

E. Bind Group Attributes

The text file generated by the LDIFDE command contains the attribute aliases that are
used to identify the title, description, and summary information of each group listed. You
will use these attribute aliases to configure the DocuShare LDAP Bind Group properties.

In the LDIFDE command text file, groups within the LDAP directory are identified with the
entry objectClass: group.

In our example, you will find the LDAP attribute aliases for the following properties:

Title = cn

Description = description

Summary = info

In our example, the values given to these LDAP attribute aliases are:

cn: labusers

description: InfoDev Lab Users

info: Authorized Login User to the InfoDev Lab
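Steps A through C above read the DIT root, the User RDN key and the locator off the DN by eye. The following Python code is an added example, not part of the DocuShare guide or product: it splits a DN into its RDNs (honouring the backslash-escaped commas seen in the group record's member values) and, given the DIT root chosen in step A, returns the three parts by position. The sample DN is the page's Duncan Donkey entry; the DIT root DC=dsbu, DC=xerox, DC=com passed in is an assumption matching the DSBU scope described in step A, and the function names are this example's own.

```python
# Added example (not from the DocuShare guide): decompose a user's DN into the
# DIT root, the User RDN key and the locator that steps A to C describe.
# The DIT root used below is an assumption chosen to match the DSBU scope in
# step A; the DN is the guide's own sample entry.


def split_dn(dn):
    """Split a DN into [(attribute, value), ...] RDN pairs.

    Handles the optional space after each comma that LDIFDE writes and the
    '\\,' escape used for commas inside a value (e.g. CN=Jennings\\, Ferris),
    which is returned as a literal comma in the value.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character, kept literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    pairs = []
    for rdn in rdns:
        key, _, value = rdn.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def join_dn(pairs):
    """Re-assemble RDN pairs into a compact DN string."""
    return ",".join("%s=%s" % (k, v) for k, v in pairs)


def analyze_dn(dn, dit_root):
    """Return the DIT root, User RDN key/value and locator of a user's DN.

    The DN must end with the configured DIT root (compared case-insensitively,
    as LDAP does); a DN from another part of the forest is rejected so that
    a user outside the intended scope is not silently accepted.
    """
    parts = split_dn(dn)
    root = split_dn(dit_root)
    n = len(root)

    def norm(p):
        return (p[0].lower(), p[1].lower())

    if n == 0 or [norm(p) for p in parts[-n:]] != [norm(p) for p in root]:
        raise ValueError("DN %r is not under DIT root %r" % (dn, dit_root))
    rdn_key, rdn_value = parts[0]
    return {
        "rdn_key": rdn_key,
        "rdn_value": rdn_value,
        "locator": join_dn(parts[1:len(parts) - n]),
        "dit_root": join_dn(root),
    }


if __name__ == "__main__":
    sample_dn = ("CN=Duncan Donkey, OU=Digital, OU=Actors, DC=infodev, "
                 "DC=dsbu, DC=xerox, DC=com")
    # DIT root assumed for the example (the DSBU organization, per step A).
    for k, v in analyze_dn(sample_dn, "DC=dsbu, DC=xerox, DC=com").items():
        print("%-10s %s" % (k, v))
```

Moving the DIT root one level down (DC=infodev, DC=dsbu, DC=xerox, DC=com) shortens the locator to OU=Digital,OU=Actors, which is exactly the trade-off step A describes: a higher root lets one DocuShare site define an external domain per department, a lower root confines it to one.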
