Unless you are planning a very small Novell Vibe site, the most efficient way to create Vibe users is to synchronize initial user information from your network directory service (Novell eDirectory, Microsoft Active Directory, or other LDAP directory service) after you have installed the Vibe software. Over time, you can continue to synchronize user information from the LDAP directory to your Vibe site.
IMPORTANT: Vibe performs one-way synchronization from the LDAP directory to your Vibe site. If you change user information on the Vibe site, the changes are not synchronized back to your LDAP directory.
You can synchronize initial Vibe user information from any LDAP directory. This guide provides instructions for synchronizing user information from eDirectory and Active Directory. If you are using another LDAP directory, use the instructions as guidelines for the tasks you need to perform.
You can configure one or more LDAP connections. Each connection requires the following configuration information:
In order to synchronize initial user information, Vibe needs to access an LDAP server where your directory service is running. You need to provide the hostname of the server, using a URL with the following format:
ldap://hostname
If the LDAP server requires a secure SSL connection, use the following format:
ldaps://hostname
If the LDAP server is configured with a default port number (389 for non-secure connections or 636 for secure SSL connections), you do not need to include the port number in the URL. If the LDAP server uses a different port number, use the following format for the LDAP URL:
ldap://hostname:port_number
ldaps://hostname:port_number
In addition, Vibe needs the username and password of a user on the LDAP server who has sufficient rights to access the user information stored there. You need to provide the username, along with its context in your LDAP directory tree, in the format expected by your directory service.
| Directory Service | Format for the Username |
|---|---|
| eDirectory | cn=username,ou=organizational_unit,o=organization |
| Active Directory | cn=username,ou=organizational_unit,dc=domain_component |
| BASIC VIBE INSTALLATION SUMMARY SHEET |
|---|
| Under , specify the LDAP URL of the server, a fully qualified username with sufficient rights to read the user information, and the password for that user. |
If the LDAP server requires a secure SSL connection, additional setup is required. You must complete the steps in Securing LDAP Synchronization in Site Security in the Novell Vibe OnPrem 3 Administration Guide to import the root certificate for your LDAP directory into the Java keystore on the Vibe server before you configure Vibe for LDAP synchronization.
The LDAP attribute that uniquely identifies a user helps facilitate renaming and moving Vibe users and groups in the LDAP directory. If this attribute is not set, and you rename or move a user in the LDAP directory, Vibe assumes that the new name (or the new location of the same name) represents a new user, not a modified user, and creates a new Vibe user.
For example, suppose you have a Vibe user with a given name of William Jones. If William changes his name to Bill, and you make that change in the LDAP directory, Vibe creates a new user named Bill Jones.
To ensure that Vibe modifies the existing user instead of creating a new user when the user is renamed or moved in the LDAP directory, map each user to a binary attribute, such as the GUID or objectGUID attribute in the LDAP directory. This attribute always has a unique value that does not change when you rename or move a user in the LDAP directory. If you want to map users to a different attribute, you must ensure that the attribute that you use is a binary attribute. For example, the cn attribute cannot be used because it is not a binary attribute.
LDAP directories differ in the LDAP attribute used to identify a User object. eDirectory and Active Directory both use the cn (common name) attribute. Other LDAP directories might use the uid (unique ID) attribute. Vibe needs to know which attribute to look for in order to find User objects.
Vibe calls the User object attribute screenName, so when you configure LDAP synchronization, you map screenName to either cn or uid.
As needed, other LDAP attributes can be used for logging in to the Vibe site, as long as the attribute is unique for each User object. For example, the mail LDAP attribute on User objects could be used to enable Vibe users to log in to the Vibe site by using their e-mail addresses.
NOTE: Because the login name becomes part of the user’s workspace URL, and @ is not a valid character in a URL, the at sign (@) in the e-mail address is replaced with an underscore (_) in the workspace URL.
Vibe can find and synchronize initial user information from User objects located in one or more containers in the LDAP directory tree. A container under which User objects are located is called a base DN (distinguished name). The format you use to specify a base DN depends on your directory service.
| Directory Service | Format for the User Container |
|---|---|
| eDirectory | ou=organizational_unit,o=organization |
| Active Directory | ou=organizational_unit,dc=domain_component |
To identify potential Vibe users, Vibe by default filters on the following LDAP directory object attributes:
Person
orgPerson
inetOrgPerson
If you want to create Vibe groups based on information in your LDAP directory, Vibe filters on the following LDAP directory object attributes:
group
groupOfNames
groupOfUniqueNames
You can add attributes to the user or group filter list if necessary. You can use the following operators in the filter:
| OR (the default)
& AND
! NOT
You can choose whether you want Vibe to search for users (and optionally, groups) in containers underneath the base DN (that is, in subtrees).
You might find it convenient to create a group that consists of all the users that you want to set up in Vibe, regardless of where they are located in your LDAP directory. After you create the group, you can use the following filter to search for User objects that have the specified group membership attribute:
(groupMembership=cn=group_name,ou=organizational_unit,o=organization)
IMPORTANT: Be sure to include the parentheses in your filter.
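The following is an added example, not code from the Novell Vibe product or documentation: a small evaluator for the filter syntax described above (the | OR, & AND and ! NOT operators around attribute=value items), run over constructed directory entries with base-DN scoping that can be limited to direct children or extended to subtrees. The default user and group filters are written here in the form assumed from the object classes listed above; the sample entries, DNs and group name are constructed for illustration.

```python
# Added example (not Novell's code): evaluator for the LDAP filter syntax the
# text describes, with base-DN / subtree scoping over constructed entries.
from dataclasses import dataclass


@dataclass
class Entry:
    dn: str
    attrs: dict  # lowercase attribute name -> list of string values


def parse_filter(text):
    """Parse a parenthesised filter into ('&'|'|'|'!', children) and
    ('=', (attribute, value)) nodes. Raises ValueError when the outer
    parentheses are missing, which is the mistake the IMPORTANT note warns about."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos} in {text!r}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos} in {text!r}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children)
        # Simple item: attribute=value. The value may itself contain '=' and ','
        # (a DN, as in the group-membership filter) but not ')' in this grammar.
        end = text.find(")", pos)
        if end < 0 or "=" not in text[pos:end]:
            raise ValueError(f"malformed item at offset {pos} in {text!r}")
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", (attr.strip().lower(), value.strip()))

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    op, payload = node
    if op == "&":
        return all(matches(c, entry) for c in payload)
    if op == "|":
        return any(matches(c, entry) for c in payload)
    if op == "!":
        return not matches(payload[0], entry)
    attr, value = payload
    present = entry.attrs.get(attr, [])
    if value == "*":  # presence test
        return bool(present)
    return any(v.lower() == value.lower() for v in present)  # case-insensitive


def in_scope(dn, base_dn, subtree):
    """True if dn lies under base_dn: any depth when subtree is True,
    otherwise only direct children of the base DN."""
    parts = [p.strip().lower() for p in dn.split(",")]
    base = [p.strip().lower() for p in base_dn.split(",")]
    if len(parts) <= len(base) or parts[-len(base):] != base:
        return False
    return subtree or len(parts) == len(base) + 1


def search(entries, base_dn, filter_text, subtree=True):
    node = parse_filter(filter_text)
    return sorted(e.dn for e in entries
                  if in_scope(e.dn, base_dn, subtree) and matches(node, e))


# Assumed form of the default filters built from the object classes listed above.
USER_FILTER = "(|(objectClass=Person)(objectClass=orgPerson)(objectClass=inetOrgPerson))"
GROUP_FILTER = "(|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))"

# Constructed sample directory with eDirectory-style DNs.
ENTRIES = [
    Entry("cn=wjones,ou=users,o=acme",
          {"objectclass": ["inetOrgPerson", "Person"], "mail": ["wjones@example.com"],
           "groupmembership": ["cn=vibe-users,ou=groups,o=acme"]}),
    Entry("cn=svc-sync,ou=services,ou=users,o=acme", {"objectclass": ["inetOrgPerson"]}),
    Entry("cn=printer1,ou=users,o=acme", {"objectclass": ["device"]}),
    Entry("cn=vibe-users,ou=groups,o=acme",
          {"objectclass": ["groupOfNames"], "member": ["cn=wjones,ou=users,o=acme"]}),
]

if __name__ == "__main__":
    print(search(ENTRIES, "ou=users,o=acme", USER_FILTER))                 # both users
    print(search(ENTRIES, "ou=users,o=acme", USER_FILTER, subtree=False))  # wjones only
    print(search(ENTRIES, "o=acme", GROUP_FILTER))
    print(search(ENTRIES, "o=acme", "(groupMembership=cn=vibe-users,ou=groups,o=acme)"))
```

Running the script shows why the subtree choice matters: with subtree searching enabled, the service account under ou=services is picked up as a Vibe user by the default filter, whereas a filter that AND-combines the object class with the group-membership test limits the result to the intended group regardless of where the objects sit in the tree.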
The following synchronization options apply to all LDAP configurations within the same Vibe zone:
NOTE: Because the synchronization options apply to all LDAP configurations within the same zone, you cannot have customized synchronization settings for each LDAP configuration. However, a Novell Vibe site can have multiple zones. For more information about zones, see Setting Up Zones (Virtual Vibe Sites) in Site Setup in the Novell Vibe OnPrem 3 Administration Guide.
When you enable LDAP synchronization, you can set up a schedule for when it is convenient for synchronization to occur. In planning the schedule, take into account how often your LDAP directory user (and, optionally, group) information changes and the server resources required to perform the synchronization for the number of users (and, optionally, groups) that you have.
You can choose to have LDAP synchronization performed every day (for example, on Saturday), or you can select specific days of the week when you want it performed (for example, on Monday, Wednesday, and Friday). You can choose to have it performed once a day at a specified time (for example, at 2:00 a.m.), or you can set a time interval, so that it is performed multiple times each day (for example, every four hours). The smallest time interval you can set is .25 hours (every 15 minutes).
The following options are available for enabling and configuring user synchronization from your LDAP directory to your Vibe site:
Synchronize User Profiles: Select this option to synchronize user information whenever the LDAP directory information changes after initial Vibe site setup. The attributes that are synchronized are the attributes that are found in the map box in the section on the Configure LDAP Synchronization page. By default, Vibe synchronizes the following attributes from the LDAP directory:
First name
Last name
Phone number
E-mail address
Description
For information about how to add additional attributes to be automatically synchronized, see Synchronizing Additional LDAP Attributes in the Novell Vibe OnPrem 3 Administration Guide.
Register LDAP User Profiles Automatically: Select this option to automatically add LDAP users to the Vibe site. However, workspaces are not created until users log into the Vibe site for the first time.
Delete Users That Are Not in LDAP: Select this option to delete users that exist on the Vibe site but do not exist in your LDAP directory. Use this option under the following conditions:
You have deleted users from your LDAP directory and you want the LDAP synchronization process to delete them from Vibe as well.
In addition to the users synchronized from LDAP, you create some Vibe users manually, as described in Section 5.2, Creating a User, and you want the LDAP synchronization process to delete the manually created users.
When Deleting Users, Delete Associated User Workspaces and Content: Select this option to remove obsolete information along with the user accounts.
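The following is an added example, not Vibe's own code, that simulates two behaviours described on this page: the earlier passage on mapping users to a binary attribute such as GUID or objectGUID (so a rename in LDAP updates the existing Vibe user instead of creating a new one), and the Delete Users That Are Not in LDAP and When Deleting Users, Delete Associated User Workspaces and Content options (which also remove users that were created manually in Vibe). The data model, the sync function, the GUID values and the user names are assumptions made for illustration and say nothing about Vibe's internal implementation.

```python
# Added example (not Novell's code): simulation of a one-way LDAP-to-Vibe user
# sync, identifying users by GUID versus cn, with the delete-missing options.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VibeUser:
    screen_name: str
    first_name: str
    ldap_guid: Optional[bytes]  # None for a user created manually in Vibe


@dataclass
class VibeSite:
    users: dict = field(default_factory=dict)       # screen_name -> VibeUser
    workspaces: dict = field(default_factory=dict)  # screen_name -> workspace content


def sync_users(ldap_entries, site, key_attr="guid", delete_missing=False, delete_workspaces=False):
    """One sync pass. ldap_entries are dicts with 'cn', 'givenName' and 'guid' (bytes).
    key_attr selects how an LDAP entry is matched to an existing Vibe user:
    'guid' (a stable binary attribute) or 'cn' (which changes when a user is renamed)."""
    matched, created, updated, deleted = set(), [], [], []
    for entry in ldap_entries:
        if key_attr == "guid":
            existing = next((u for u in site.users.values() if u.ldap_guid == entry["guid"]), None)
        else:
            existing = site.users.get(entry["cn"])
        if existing is None:
            # No match: the entry is treated as a brand-new user
            user = VibeUser(entry["cn"], entry["givenName"], entry["guid"])
            site.users[user.screen_name] = user
            created.append(user.screen_name)
        else:
            if existing.screen_name != entry["cn"]:
                # Rename detected through the stable key: re-key the account and its
                # workspace under the new name (simplifying assumption of this model)
                old = existing.screen_name
                del site.users[old]
                existing.screen_name = entry["cn"]
                site.users[entry["cn"]] = existing
                if old in site.workspaces:
                    site.workspaces[entry["cn"]] = site.workspaces.pop(old)
            existing.first_name = entry["givenName"]  # profile attribute sync
            user = existing
            updated.append(user.screen_name)
        matched.add(user.screen_name)
    if delete_missing:
        # Every Vibe user not seen in this pass is removed, including users
        # that were created manually and never came from LDAP
        for name in [n for n in site.users if n not in matched]:
            del site.users[name]
            deleted.append(name)
            if delete_workspaces:
                site.workspaces.pop(name, None)  # otherwise the workspace is left behind
    return {"created": created, "updated": updated, "deleted": deleted}


# Constructed GUID values standing in for objectGUID / GUID attribute bytes
GUID_WJ = bytes.fromhex("00112233445566778899aabbccddeeff")
GUID_AS = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def rename_scenario(key_attr):
    """Create wjones, let him log in once (workspace), then rename him to bjones in LDAP."""
    site = VibeSite()
    sync_users([{"cn": "wjones", "givenName": "William", "guid": GUID_WJ}], site, key_attr)
    site.workspaces["wjones"] = "William's workspace"  # created on first login
    result = sync_users([{"cn": "bjones", "givenName": "Bill", "guid": GUID_WJ}], site, key_attr)
    return sorted(site.users), sorted(site.workspaces), result


def deletion_scenario(delete_workspaces):
    """Two LDAP users plus one manually created user; then asmith leaves LDAP."""
    site = VibeSite()
    sync_users([{"cn": "wjones", "givenName": "William", "guid": GUID_WJ},
                {"cn": "asmith", "givenName": "Alice", "guid": GUID_AS}], site)
    for name in ("wjones", "asmith"):
        site.workspaces[name] = f"{name} workspace"
    site.users["localadmin"] = VibeUser("localadmin", "Local", None)  # created manually in Vibe
    site.workspaces["localadmin"] = "localadmin workspace"
    result = sync_users([{"cn": "wjones", "givenName": "William", "guid": GUID_WJ}], site,
                        delete_missing=True, delete_workspaces=delete_workspaces)
    return sorted(site.users), sorted(site.workspaces), result


if __name__ == "__main__":
    print("rename, keyed by GUID:", rename_scenario("guid"))
    print("rename, keyed by cn:  ", rename_scenario("cn"))
    print("delete, keep workspaces:", deletion_scenario(False))
    print("delete, drop workspaces:", deletion_scenario(True))
```

Keyed by GUID, the rename leaves one account whose workspace follows it; keyed by cn, a second account appears and the original workspace stays attached to the orphaned one. In the deletion scenario the manually created localadmin account is removed alongside asmith, which is the condition the text asks you to check before enabling that option.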
Time Zone for New Users: Select this option to set the time zone for user accounts that are synchronized from the LDAP directory into your Vibe site. The time zone list is grouped first by continent or region, optionally by country or state, and lastly by city. Some common selections for United States time zones are:
The following options are available for enabling and configuring user and group synchronization from your LDAP directory to your Vibe site:
Synchronize Group Profiles: Select this option to synchronize group information, such as the group description, to the Vibe site whenever this information changes in LDAP.
Register LDAP Group Profiles Automatically: Select this option to automatically add LDAP groups to the Vibe site.
Synchronize Group Membership: Select this option so that the Vibe group includes the same users (and possibly groups) as the group in your LDAP directory. If you do not select this option, and you make changes to group membership in the LDAP directory, the changes are not reflected on your Vibe site.
Delete Local Groups That Are Not in LDAP: Select this option to delete groups that exist on the Vibe site but do not exist in your LDAP directory. Use this option under the following conditions:
You have deleted groups from your LDAP directory and you want the LDAP synchronization process to delete them from Vibe as well.
In addition to the groups synchronized from LDAP, you create some Vibe groups manually, as described in Creating Groups of Users in Site Setup in the Novell Vibe OnPrem 3 Administration Guide, and you want the LDAP synchronization process to delete the manually created groups.