Professional Documents
Culture Documents
LDAP/Active Directory Guide: Release 4.0
LDAP/Active Directory Guide: Release 4.0
Release 4.0
Publication date: October 2004
Copyright © 2004 Xerox Corporation. All Rights Reserved. Xerox ®, The Document
Company®, the digital X and DocuShare® are trademarks of Xerox Corporation. All other
signs or marks are the properties of their respective companies, and recognized as such.
Specifications accurate at time of publication. Specifications subject to change without
notice.
Table of Contents
Chapter 1 Understanding the LDAP structure
LDAP overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–2
LDAP structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–3
Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–3
Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–3
Relative Distinguished Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–3
Distinguished Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–4
Directory Information Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–5
DIT organization based on geographical domains . . . . . . . . . . . . . . . . . . . . . . 1–5
DIT organization based on DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–5
iv Release 4.0
Understanding the LDAP structure
LDAP overview
While some background information is provided for understanding basic concepts, this
guide does not provide instructions for implementing either LDAP or Windows Active
Directory. The information in this guide assumes the Active Directory server is already in
place and is being managed by either an Active Directory administrator or by an LDAP
administrator. Examples shown in this appendix use Microsoft Windows 2000 Server with
Microsoft Internet Explorer (IE) V.6.X.
LDAP is the protocol that is used between a directory client and a server. LDAP defines
the content of messages exchanged between an LDAP client and an LDAP server. The
LDAP client, in this case the DocuShare server, communicates to the LDAP server. The
LDAP server, acting as a gateway, accesses the LDAP directory. The LDAP directory may
be implemented either as a stand-alone on the LDAP server or as a directory on an X.500
server.
DocuShare submits directory content queries to the LDAP server. The LDAP server
accesses the directory, either LDAP or X.500, and returns the results to DocuShare. The
LDAP protocol allows for read and for update client operations on the directory data.
NOTE: DocuShare does not update LDAP directory data. DocuShare only reads the
results of the queries that it sends to the LDAP server.
LDAP structure
Entries within an LDAP directory are organized in a specific hierarchical structure.
Directories
A directory is a special type of database. Directories are optimized to support a high
volume of read requests along with write access that is generally limited to system
administrators. Similar to the white pages of a telephone book, an LDAP directory is read
more times than it is updated.
Attributes
Each object entry within an LDAP directory contains one or more attributes. Each attribute
is comprised of a type and a value. A telephone book entry has attributes such as the
name of a person and a corresponding telephone number. LDAP attributes appear in the
format of commonName=Jane Smith telephoneNumber=555-555-5555. Table 1–1 lists
some common LDAP attributes, along with the alias associated with the attribute.
Table 1–1:
Attribute
LDAP Attribute Description of Attribute Example
Alias
cn=Jane Doe
uid=smith
ou=marketing
dc=Xerox
Distinguished Name
Entries in the directory are organized by a Distinguished Name (DN). Distinguished Name
is similar to the absolute path to a file in the Windows file system. The DN of an object is
made up of the name and the location of the entry within the directory.
cn=John Smith,ou=marketing,dc=Xerox,dc=com
cn=John Smith,ou=engineering,dc=Xerox,dc=com
The path for a DN is from the lowest order to highest order. This is the reverse of the order
that is used in the Windows file system. Just as the Windows file system allows numerous
files to have the same name, if each file is in a different file directory, numerous users can
have the same RDN as long as each DN is unique. As the DN example above shows, a
John Smith can be listed in the marketing department and a John Smith can be listed in
the engineering department.
To define an external domain for the importing department at Acme, the administrator
would define the Relative Authentication and the Directory Service Locator as ou=import.
for the marketing, engineering, and finance divisions. By defining the DIT root as
dc=mycompany, dc=com, the administrator can create a DocuShare external domain for
each department within a division.
To define an external domain for the Accounts Receivable department in the Finance
division, the administrator would define the Relative Authentication and the Directory
Service Locator as ou=accts recv, dc=finance.
DocuShare Configuration
To configure your DocuShare site to use LDAP/Active Directory, login as admin to your
DocuShare site, then follow procedures A through F. To configure DocuShare correctly,
use either the Active Directory Administration Tool or the Active Directory LDIFDE
command to gather the necessary information. Both information gathering processes are
described in this chapter.
A- LDAP Configuration
Use the DocuShare administration LDAP Configuration page to establish a connection
between your DocuShare server and your LDAP server, and to define the Directory
Information Tree that is used to create DocuShare external domains.
NOTE: This test does not check the validity of the DIT Root nor the Relative
Authentication Locator of any external domains.The test checks only whether
DocuShare received a positive response from the LDAP server.
B- Advanced Configuration
Use LDAP Advanced configuration to set how specific object classes are defined on your
LDAP server.
D- Bind User
Use the DocuShare administration Bind User page to establish an association between
DocuShare account properties and LDAP account attributes.
E- Bind Group
Use the DocuShare administration Bind Group page to establish an association between
DocuShare account properties and LDAP account attributes.
1. Use the information you obtained using the LDIFDE command and enter those
attributes in the appropriate fields on the Bind Group page.
For more information, refer to the section of this chapter titled The Active
Directory LDIFDE command/Analyzing the adexport.text file contents/E.
Bind Group Properties.
2. Click Apply the save this information.
F- Create Domain
Use the DocuShare administration Domains page to create external domains on your
local DocuShare site. Each DocuShare external domain represents a branch in the LDAP
directory tree. And each branch contains a collection of DocuShare user and group
accounts.
G- Add
After you have completed the LDAP Configuration, Providers, Bind User, and Domains
pages, you are ready to add user and group accounts to the external domain on your
DocuShare site. If you were to List Users or List Groups in the new external domain, the
domain would be empty. What you must do now is open the domain on the LDAP server,
and select those user and group account that you want as members of your local external
domain.
H- View Login
1. Return to the DocuShare home page.
2. In the Login section of the home page, the new external domain should appear in
the Login Domain menu.
3. A user of an external domain must select the correct domain for login, or
DocuShare displays a login error message and a request to retry.
Certificates
When using SSL, servers and clients use certificates to provide proof of identity prior to
establishing a secure connection. A certificate also contains public and private keys that
are used to establish a session. Servers and clients use session keys to encrypt and
decrypt data.
Certificates may be self-signed or they can be issued by a certificate authority (CA) such
as Entrust, Equifax, Valicert, or Verisign. Certificates issued by a CA are considered to be
from a trusted third-party authority. Basically, third-party authority vouches for the
identity of a user. Most client browsers are configured to recognize and trust certificates
issued by CAs.
When certificates are self-signed the user is acting as a certificate authority. A self-signed
certificate must be installed in the browsers authorities' store and the certificate is not
recognized as a trusted third-party authority.
Certificates are issued as either client or server certificates. DocuShare does not support
client-side certificates. DocuShare uses a copy of the LDAP server's certificate to
establish the SSL session with the LDAP server.
1. Locate the .cer file you exported using the Certificate Export Wizard.
2. Copy the .cer file to the directory containing the DSTrustStore file <ds3_install-
dir>\jdk1.3.1\jre\lib\security.
C:\Xerox\DocuShare\jdk1.3.1\jre\lib\security
4. At the command prompt, enter the set PATH command to set the PATH
environment variable. Use set PATH=%PATH%;<ds3_install-dir>\jdk1.3.1\bin.
C:\Xerox\Docushare\jkd1.3.1\jre\lib\security>set
PATH=%PATH%;C:\XEROX\DocuShare\jdk1.3.1\jre\bin
5. After you have set the PATH variable, at the command prompt, enter keytool,
without arguments.
The Keytool Utility help appears. The Keytool Utility places the SSL certificate in
the DSTrustStore.
6. At the command prompt, enter the keytool utility command keytool -import -alias
<alias_name> -file <cert_file> -keystore dstruststore
Replace <alias_name> with a unique name for the certificate file.
Replace <cert_file> with the name of the certificate file (.cer) that you exported
and copied to the directory containing the dstruststore file.
C:\Xerox\DocuShare\jdk1.3.1\jre\lib\security>
9. Examine the screen output to ensure that Keytool successfully added the
certificate to the keystore. If Keytool completed the operation, your DocuShare
server is now ready to use the certificate to establish and SSL session with your
LDAP server.
To install and use the Active Directory Administration Tool to help configure your
DocuShare site:
1. Open the Windows 2000 server software CD, and locate and read the
sreadme.doc file.
2. Locate the file setup.exe in the Support\Tools directory.
3. Click the setup.exe file to begin the installation of the ldp.exe file.
4. Follow the on screen instructions to install the ldp.exe.
5. After installation has completed, open the Windows Start menu and click the
Active Directory Administration Tool.
This launches ldp.exe and the Active Directory Administration Tool appears. The
Tool has a navigation bar with commands, and a left and right frame where it
displays information.
NOTE: This procedure is based on using the tool to collect information from a typical
LDAP server setup. Variations may occur, depending on how the server was
configured.
A- Connect
1. Select Connection from the Active Directory Administration Tool navigation bar,
and then select Connect from the Connection menu.
The Connect dialog box appears.
2. Enter in the Server field either the IP address or the DNS name of the LDAP
Active Directory server.
3. Enter in the Port field the port number used, if other than the displayed default.
4. Click OK.
You have now set the LDAP server address and port number.
B- Bind
After setting up the connection to the LDAP server, you must now bind the server to an
administrator account that has access permission to search the directory.
1. Select Connection from the Active Directory Administration Tool navigation bar,
and then select Bind from the Connection menu.
The Bind dialog box appears.
2. Enter the user account name in the User field, password in the Password field,
and domain in the Domain field.
3. Click OK.
If you have successfully connected to and created a bind to the LDAP server, the
server displays response text in the right frame of the Active Directory
Administration Tool.
1. Search the response text of the right frame of the Active Directory Administration
Tool for a reference to namingContext.
The format of the namingContext will vary depending on the LDAP server that you
are using.
2. The highlighted text is the base Distinguished Name for the DIT.
For an example, the highlighted base DN might be dc=adoc,dc=Xerox,dc=com.
Your actual Base DN may differ according to the unique structure of your LDAP
directory tree. Write down this information for later use.
1. Select Browse from the Active Directory Administration Tool navigation bar, and
then select Search from the Browse menu.
The Search dialog box appears.
2. Enter a Base DN in the Base DN field.
Depending on the Base DN value used and the location in the hierarchy of the
Agent account, you may need to select Subtree to expand the search scope.
3. Enter a filer in the Filter field.
We used the sAMAccoutName attribute for our filter since we knew the login
name of the Agent account. This attribute is unique to Active Directory and is a
carryover from Windows NT. If we knew the commonName (cn) of the account we
could have used commonName=Peter Pan for example. An iPlanet server may
use the uid or commonName (cn) attribute.
4. Select the Scope of the search.
Select Subtree is One Level is not wide enough.
5. Click Run.
The results of your search appears as text in the right frame of the Active
Directory Administration Tool window. For example, a search might show that the
distinguishedName for the Agent account is
cn=TestUser1,cn=users,dc=adoc,dc=xerox,dc=com.
F- Next step
After following procedures A through E, you should be able to use Active Directory
Administration Tool to gather the information you need to configure your DocuShare site
to use LDAP for user account authentication.
The text file generated by LDIFDE is the primary file that is used by DocuShare Support to
troubleshoot LDAP configuration issues.
General Parameters
==================
-i Turn on Import Mode (The default is Export)
-f filename Input or Output filename
-s servername The server to bind to (Default to DC of logged in Domain)
-c FromDN ToDN Replace occurences of FromDN to ToDN
-v Turn on Verbose Mode
-j Log File Location
-t Port Number (default = 389)
-u Use Unicode format
-? Help
Export Specific
===============
-d RootDN The root of the LDAP search (Default to Naming Context)
-r Filter LDAP search filter (Default to "(objectClass=*)")
-p SearchScope Search Scope (Base/OneLevel/Subtree)
-l list List of attributes (comma separated) to look for in an LDAP search
-o list List of attributes (comma separated) to omit from input.
-g Disable Paged Search.
-m Enable the SAM logic on export.
-n Do not export binary values
Import
======
-k The import will go on ignoring 'Constraint Violation' and 'Object
Already Exists' errors
-y The import will use lazy commit for better performance
Credentials Establishment
=========================
Note that if no credentials is specified, LDIFDE will bind as the currently
logged on user, using SSPI.
Connecting to "corvette"
Logging in as current user using SSPI
Exporting directory to file adexport.txt
Searching for entries...
Writing out entries.............................................................
.......................................................................
132 entries exported
dn: DC=infodev,DC=dsbu,DC=xerox,DC=com
changetype: add
masteredBy:CN=NTDS Settings, CN=CORVETTE, CN=Servers, CN=infodev-dsbu-
site, CN=Sites,CN=Configuration, DC=infodev, DC=dsbu, DC=xerox, DC=com
auditingPolicy:: AAE=
creationTime: 127199619543431088
dc: infodev
forceLogoff: -9223372036854775808
fSMORoleOwner:CN=NTDS Settings, CN=CORVETTE, CN=Servers,CN=infodev-
dsbu-site, CN=Sites, CN=Configuration, DC=infodev, DC=dsbu, DC=xerox, DC=com
z
z
z
[Sample Directory Record for a single User]
dn: CN=Duncan Donkey, OU=Digital, OU=Actors, DC=infodev, DC=dsbu,
DC=xerox, DC=com
changetype: add
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
cn: Duncan Donkey
countryCode: 0
displayName: Duncan Donkey
mail: ddonkey@infodev.xerox.com
givenName: Duncan
instanceType: 4
lastLogoff: 0
lastLogon: 0
logonCount: 0
distinguishedName: CN=Duncan Donkey, OU=Digital, OU=Actors, DC=infodev,
DC=dsbu, DC=xerox, DC=com
objectCategory:CN=Person, CN=Schema, CN=Configuration, DC=infodev, DC=dsbu,
DC=xerox,DC=com
objectClass: user
objectGUID:: xmi02W78lEmpYca7AtiupQ==
objectSid:: AQUAAAAAAAUVAAAAqDfWZRUlr0f4n7R0bgQAAA==
primaryGroupID: 513
pwdLastSet: 127293917905389760
name: Duncan Donkey
sAMAccountName: duncan
sAMAccountType: 805306368
sn: Donkey
userAccountControl: 512
userPrincipalName: duncan@infodev.dsbu.xerox.com
uSNChanged: 7353
uSNCreated: 7349
whenChanged: 20040518220950.0Z
whenCreated: 20040518220933.0Z
z
z
z
In our example, the DN for Duncan Donkey is defined as: CN=Duncan Donkey,
OU=Digital, OU=Actors, DC=infodev, DC=dsbu, DC=xerox, DC=com
By examining a users Distinguished Name you can find the information necessary to
identify the:
Set the DIT root at the level of the directory tree that will include all branches of the
directory that contain users who need access to the DocuShare server. In our example,
only members of the DSBU organization at Xerox will have access to our sample
DocuShare server.
The DSBU organization includes several departments and teams within each department.
These departments and teams are organized in the LDAP Directory by Domain
Components (DC) and Organizational Units (OU). For our example we will setup an
External Domain in DocuShare to authenticate users who are members of the Digital
Actors Team in the InfoDev department at DSBU within Xerox Corporation.
In our example, the DIT root of the DN for Duncan Donkey is shown here bolded:
CN=Duncan Donkey, OU=Digital, OU=Actors, DC=infodev, DC=dsbu, DC=xerox,
DC=com
By defining the DIT root at this level in the hierarchy, external domains can be created for
each department/team within DSBU.
The User RDN Key is the attribute alias used to identify the User.
In our example, the User RDN key of the DN for Duncan Donkey is shown here bolded:
CN=Duncan Donkey, OU=Digital, OU=Actors, DC=infodev, DC=dsbu, DC=xerox,
DC=com
The Relative Authentication and Directory Service Locators are the pointers to the
directory branch of the external domain that contains a specific user, users, or group.
In our example, the Relative Authentication and Directory Service Locator is shown here
bolded: CN=Duncan Donkey, OU=Digital, OU=Actors, DC=infodev, DC=dsbu,
DC=xerox, DC=com.
The text file generated by the FDIFDE command contains the attributes alias that are
used to identify the last name, user name, and Email address of each user listed. You will
use these attributes aliases to configure the DocuShare LDAP Bind User properties.
In the FDIFDE command text file, users within the LDAP directory are identified with the
entry objectClass: user.
In our example, you will find the LDAP attribute aliases for the following properties:
Last Name = sn
In our example, the values given to these LDAP attribute aliases are:
sn: Donkey
sAMAccountName: duncan
mail: ddonkey@infodev.xerox.com
The text file generated by the FDIFDE command contains the attributes alias that are
used to identify the title, description, and summary information of each group listed. You
will use these attributes aliases to configure the DocuShare LDAP Bind Group properties.
In the FDIFDE command text file, groups within the LDAP directory are identified with the
entry objectClass: group.
In our example, you will find the LDAP attribute aliases for the following properties:
Title = cn
Description = description
Summary = info
In our example, the values given to these LDAP attribute aliases are:
cn: labusers