Unless you are planning a very small Novell Teaming site, the most efficient way to create Teaming users is to synchronize initial user information from your network directory service (Novell eDirectory, Microsoft Active Directory, or other LDAP directory service) after you have installed the Teaming software. Over time, you can continue to synchronize user information from the LDAP directory to your Teaming site.
IMPORTANT: Teaming performs one-way synchronization from the LDAP directory to your Teaming site. If you change user information on the Teaming site, the changes are not synchronized back to your LDAP directory.
You can synchronize initial Novell Teaming user information from any LDAP directory. This guide provides instructions for synchronizing user information from eDirectory and Active Directory. If you are using another LDAP directory, the instructions provide guidelines for the tasks you need to perform.
You can configure one or more LDAP connections. Each connection requires the following configuration information:
In order to synchronize initial user information, Novell Teaming needs to access an LDAP server where your directory service is running. You need to provide the hostname of the server using a URL of the following format:
ldap://hostname
If the LDAP server requires a secure SSL connection, use the following format:
ldaps://hostname
If the LDAP server is configured with a default port number (389 for non-secure connections or 636 for secure SSL connections), you do not need to include the port number in the URL. If the LDAP server uses a different port number, use the following format for the LDAP URL:
ldap://hostname:port_number
ldaps://hostname:port_number
In addition, Teaming needs the username and password of a user on the LDAP server who has sufficient rights to access the user information stored there. You need to provide the username, along with its context in your LDAP directory tree, in the format expected by your directory service.
| Directory Service | Format for Username |
|---|---|
| eDirectory | cn=username,ou=organizational_unit,o=organization |
| Active Directory | cn=username,ou=organizational_unit,dc=domain_component |
| BASIC TEAMING INSTALLATION SUMMARY SHEET |
|---|
| Under , specify the LDAP URL of the server, a fully qualified username with sufficient rights to read the user information, and the password for that user. |
If the LDAP server requires a secure SSL connection, additional setup is required. You need to complete the steps in Securing LDAP Synchronization in Site Security in the Novell Teaming 2.0 Administration Guide to create a public-key certificate for the Teaming server.
LDAP directories differ in the LDAP attribute used to identify a User object. eDirectory and Active Directory both use the cn (common name) attribute. Other LDAP directories might use the uid (unique ID) attribute. Novell Teaming needs to know which attribute to look for in order to find User objects.
| BASIC TEAMING INSTALLATION SUMMARY SHEET |
|---|
| Under , mark cn or uid, based on the convention used by your LDAP directory service for User objects. |
Teaming calls the User object attribute screenName, so when you configure LDAP synchronization, you map screenName to either cn or uid.
As needed, other LDAP attributes can be used for logging in to the Teaming site, as long as the attribute is unique for each User object. For example, the mail LDAP attribute on User objects could be used to enable Teaming users to log in to the Teaming site using their e-mail addresses.
Novell Teaming can find and synchronize initial user information from User objects located in one or more containers in the LDAP directory tree. A container under which User objects are located is called a base DN (distinguished name). The format you use to specify a base DN depends on your directory service.
| Directory Service | Format for the User Container |
|---|---|
| eDirectory | ou=organizational_unit,o=organization |
| Active Directory | ou=organizational_unit,dc=domain_component |
To identify potential Teaming users, Teaming by default filters on the following LDAP directory object attributes:
Person
orgPerson
inetOrgPerson
If you want to create Teaming groups based on information in your LDAP directory, Teaming filters on the following LDAP directory object attributes:
group
groupOfNames
groupOfUniqueNames
You can add attributes to the user or group filter list if necessary. You can use the following operators in the filter:
| OR (the default)
& AND
! NOT
You can choose whether you want Teaming to search for users (and optionally, groups) in containers underneath the base DN (that is, in subtrees).
You might find it convenient to create a group that consists of all the users that you want to set up in Teaming, regardless of where they are located in your LDAP directory. After you create the group, you can use the following filter to search for User objects that have the specified group membership attribute:
(groupMembership=cn=group_name,ou=organizational_unit,o=organization)
IMPORTANT: Be sure to include the parentheses in your filter.
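The filter syntax above (parenthesised clauses joined with |, & and !, plus the groupMembership clause) is easy to get wrong by hand, and a group DN or attribute value that contains filter metacharacters can change what the search matches. The following Python helper is an added example, not Novell's code: it builds the default user filter from the object classes the guide lists (treated here as objectClass values, an assumption), optionally narrows it to one group's members, escapes values per RFC 4515, and checks that the result is fully parenthesised. The function names and the sample DN are constructed for illustration.

```python
"""Build and check LDAP search filters of the kind used for Teaming
user/group synchronization. Added example; helper names and sample values
are constructed, not taken from the Teaming product."""
from typing import Iterable, Optional

# RFC 4515: these characters must be escaped inside an assertion value so they
# are matched literally instead of being parsed as filter syntax.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Object classes the guide names for users and groups (assumed to be objectClass values).
DEFAULT_USER_CLASSES = ("Person", "orgPerson", "inetOrgPerson")
DEFAULT_GROUP_CLASSES = ("group", "groupOfNames", "groupOfUniqueNames")


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def combine(operator: str, *clauses: str) -> str:
    """Join parenthesised clauses with | (OR), & (AND) or ! (NOT)."""
    if operator not in ("|", "&", "!"):
        raise ValueError(f"unsupported operator {operator!r}")
    if operator == "!" and len(clauses) != 1:
        raise ValueError("NOT takes exactly one clause")
    if not clauses:
        raise ValueError("at least one clause is required")
    for clause in clauses:
        if not (clause.startswith("(") and clause.endswith(")")):
            raise ValueError(f"clause must be parenthesised: {clause!r}")
    return f"({operator}{''.join(clauses)})"


def object_class_filter(classes: Iterable[str]) -> str:
    """OR together one objectClass test per class name."""
    return combine("|", *(f"(objectClass={escape_filter_value(c)})" for c in classes))


def group_membership_filter(group_dn: str) -> str:
    """The guide's (groupMembership=<group DN>) clause, with the DN escaped."""
    return f"(groupMembership={escape_filter_value(group_dn)})"


def teaming_user_filter(group_dn: Optional[str] = None) -> str:
    """Default user filter, optionally restricted to members of one group."""
    base = object_class_filter(DEFAULT_USER_CLASSES)
    if group_dn is None:
        return base
    return combine("&", base, group_membership_filter(group_dn))


def is_well_formed(filter_text: str) -> bool:
    """True when parentheses balance and the whole filter sits inside one outer pair,
    which is the mistake the IMPORTANT note above warns about."""
    depth = 0
    for index, ch in enumerate(filter_text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            # Depth returning to zero before the end means two top-level filters.
            if depth == 0 and index != len(filter_text) - 1:
                return False
    return depth == 0 and filter_text.startswith("(")


if __name__ == "__main__":
    # Constructed sample group DN in eDirectory form.
    sample = teaming_user_filter("cn=teaming-users,ou=eng,o=example")
    print(sample, is_well_formed(sample))
```

A DN contains commas and equals signs, which RFC 4515 does not require escaping, so a normal group DN passes through unchanged; only a value containing `*`, parentheses, a backslash or a NUL byte is rewritten. Running `is_well_formed` on a filter typed without its outer parentheses returns False, which is exactly the case the note above warns about.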
The following synchronization options apply to all LDAP configurations within the same Novell Teaming zone:
NOTE: Because the synchronization options apply to all LDAP configurations within the same zone, you cannot have customized synchronization settings for each LDAP configuration. A Novell Teaming site can have multiple zones. For more information about zones, see Setting Up Zones (Virtual Teaming Sites) in Site Setup in the Novell Teaming 2.0 Administration Guide.
When you enable LDAP synchronization, you can set up a schedule for when it is convenient for synchronization to occur. In planning the schedule, take into account how often your LDAP directory user (and, optionally, group) information changes and the server resources required to perform the synchronization for the number of users (and, optionally, groups) that you have.
You can choose to have LDAP synchronization performed every day (for example, on Saturday), or you can select specific days of the week when you want it performed (for example, on Monday, Wednesday, and Friday). You can choose to have it performed once a day at a specified time (for example, at 2:00 a.m.), or you can set a time interval, so that it is performed multiple times each day (for example, every four hours). The smallest time interval you can set is .25 hours (every 15 minutes).
The following options are available for enabling and configuring user synchronization from your LDAP directory to your Novell Teaming site:
Synchronize User Profiles: Select this option to synchronize the following user information from the LDAP directory into Teaming and to continue to synchronize it whenever the LDAP directory information changes:
First name
Last name
Phone number
E-mail address
Description
If you do not select this option, you must create Teaming users manually, as described in Section 5.2, Creating a User.
Register LDAP User Profiles Automatically: Select this option to automatically add LDAP users to the Teaming site. However, workspaces are not created until users log into the Teaming site for the first time.
Delete Users That Are Not in LDAP: Select this option to delete users that exist on the Teaming site but do not exist in your LDAP directory. Use this option under the following conditions:
You have deleted users from your LDAP directory and you want the LDAP synchronization process to delete them from Teaming as well.
In addition to the users synchronized from LDAP, you create some Teaming users manually, as described in Section 5.2, Creating a User, and you want the LDAP synchronization process to delete the manually created users.
In addition to the users synchronized from LDAP, you allow Guest users to self-register, as described in Allowing Guest Access to Your Teaming Site in Site Setup in the Novell Teaming 2.0 Administration Guide, and you want the LDAP synchronization process to delete the self-registered users.
When Deleting Users, Delete Associated User Workspaces and Content: Select this option to remove obsolete information along with the user accounts.
Time Zone for New Users: Select this option to set the time zone for user accounts that are synchronized from the LDAP directory into your Teaming site. The time zone list is grouped first by continent or region, optionally by country or state, and lastly by city. Some common selections for United States time zones are:
The following options are available for enabling and configuring user and group synchronization from your LDAP directory to your Novell Teaming site:
Synchronize Group Profiles: Select this option to synchronize group information, such as the group description, to the Teaming site whenever this information changes in LDAP.
Register LDAP Group Profiles Automatically: Select this option to automatically add LDAP groups to the Teaming site.
Synchronize Group Membership: Select this option so that the Teaming group includes the same users (and possibly groups) as the group in your LDAP directory. If you do not select this option, when you make changes to group membership in the LDAP directory, the changes are not reflected on your Teaming site.
Delete Local Groups That Are Not in LDAP: Select this option to delete groups that exist on the Teaming site but do not exist in your LDAP directory. Use this option under the following conditions:
You have deleted groups from your LDAP directory and you want the LDAP synchronization process to delete them from Teaming as well.
In addition to the groups synchronized from LDAP, you create some Teaming groups manually, as described in Creating Groups of Users in Site Setup in the Novell Teaming 2.0 Administration Guide, and you want the LDAP synchronization process to delete the manually created groups.