Jun 5, 2007 - DSML, Directory Services Markup Language, a component to translate LDAP information to standard XML.
Configuration Guide for Postini Directory Sync
Postini, Inc. 959 Skyway Road, Suite 200 San Carlos, CA 94070 www.postini.com Part number: DSCON_6.10_08 5 June 2007
© Copyright 2007 Postini, Inc. All rights reserved. Postini, the Postini Logo, Perimeter Manager, Security Manager, Network Edition, AirPostini, and Postini Message Platform are either registered trademarks or trademarks of Postini Inc. Postini is a registered trademark of Postini, Inc. All other trademarks are the property of their respective holders. Use of any Postini solution is governed by the license agreement included in your original contract. Any source code is a confidential trade secret of Postini Corporation. You may not attempt to decipher, decompile, or develop source code for any Postini product or service offering, or knowingly allow others to do so. Postini documentation may not be sublicensed and may not be transferred without the prior written consent of Postini Corporation. Your right to copy this manual is limited by copyright law. Making copies, adaptations, or compilation works, without prior written authorization of Postini Corporation is prohibited by law and constitutes a punishable violation of the law. No part of this manual may be reproduced in whole or in part without the express written consent of Postini Inc. Postini Corporation provides this publication “as is” without warranty of any either express or implied, including but not limited to the implied warranties of merchantability or fitness for a particular purpose. Postini Corporation may revise this publication from time to time without notice. Some states or jurisdictions do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.
Configuration Guide for Directory Sync
Contents
Chapter 1: Introduction to Directory Sync 5
About Directory Synchronization 5
Installation Introduction 5
System Requirements 6
Chapter 2: Architecture 7
About Directory Sync Architecture 7
Technologies Used 7
Directory Servers 7
DSML 8
SSL with Basic Authentication 8

xmlns:SOAP-ENV="http://www.ibm.com/websphere/appserver/schemas/5.0/soap-env.xmi"
This should be the second-to-last entry, immediately before the following line:
xmlns:pmiservice="http://www.ibm.com/websphere/appserver/schemas/5.0/pmiservice.xmi" >
6. Create a new directory: C:\IBM\LDAP\V6.0\appsrv\lib\app
Search for the following files and copy them into the directory you created:
activation.jar (Modified 3/30/2005 11:33 AM, 54,368 bytes)
auibase.jar (Modified 1/31/2005 05:56 AM, 346,819 bytes)
dsml.jar (Modified 04/05/2005 01:28 PM, 197,952 bytes)
ibmjsseprovider.jar (Modified 03/30/2005 12:33 AM, 320,513 bytes)
IBMLDAPJavaBer.jar (Modified 04/05/2005 01:05 PM, 41,398 bytes)
mail.jar (Modified 03/30/2005 11:33 AM, 280,984 bytes)
regex4j.jar (Modified 04/05/2005 12:42 PM, 79,466 bytes)
soap.jar (Modified 06/10/2002 03:00 AM, 232,498 bytes)
xerces.jar (Modified 11/15/2001 03:51 PM, 1,812,019 bytes)
xercesImpl.jar (Modified 07/26/2005 05:10 PM, 1,203,860 bytes)
xmlParserAPIs.jar (Modified 7/26/2005 05:10 PM, 194,205 bytes)
7. Restart WebSphere Application Server (WAS) by using the following commands from a command prompt:
stopserver server1
startserver server1
If you are using a server other than server1, enter that server name instead.
Install SOAP into WebSphere Application Server
Using DSML on WebSphere Application Server requires that SOAP is installed and enabled. Copy the appropriate .jar and .war files, then run a batch command to install SOAP.
1. Copy the file soap.jar from the Apache SOAP v2.3.1 package into C:\IBM\LDAP\V6.0\appsrv\lib\soap.jar.
2. Copy the file soap.war from the Apache SOAP v2.3.1 package into C:\IBM\LDAP\V6.0\appsrv\installableApps\soap.war.
3. To install SOAP into WebSphere, enter the following on a command line in the appsrv\bin directory:
C:\IBM\LDAP\V6.0\appsrv\bin\wsadmin.bat -conntype NONE -c "$AdminApp install {C:\IBM\LDAP\V6.0\appsrv\installableApps\soap.war} {-configroot \"C:\IBM\LDAP\V6.0\appsrv\config\" -node DefaultNode usedefaultbindings -nodeployejb -appname soap.war -contextroot \"soap\"}"
Note: Because this is a long command, and exact syntax is important, you may wish to copy it into a batch file and run that batch file.
4. Restart WebSphere Application Server (WAS) by using the following commands from a command prompt:
stopserver server1
startserver server1
If you are using a server other than server1, enter that server name instead.
Confirm WebSphere and SOAP installation
Confirm that your installation of WebSphere Application Server and SOAP was successful.
Read the SystemOut.log file
The SystemOut.log file contains information about your WebSphere installation. You can find it in the C:\IBM\LDAP\V6.0\appsrv\lib\app directory. Search the log for the word SOAP. You should see a line with the following format:
[3/13/06 15:17:40:288 PST] 731e794c JMXSoapAdapte A ADMC0013I: SOAP connector available at port 12103
If you cannot find a line indicating that a SOAP connector is available, there is a problem with your SOAP installation. For troubleshooting steps, see “Troubleshooting” on page 55. Also, check the port number for HttpTransport. You should see a line with the following format:
[3/13/06 15:17:45:928 PST] 731e794c HttpTransport A SRVE0171I: Transport http is listening on port 12,100.
This indicates that the SOAP HTTP server is running at port 12100. You will use this port number for the browser verification page.
IBM Lotus Domino Directory Server
Use the browser verification page
You can also use a web browser to test the WebSphere application.
1. Find the port number of the SOAP connector in the SystemOut.log file.
2. In a web browser, navigate to: http://localhost:[port number]/soap/servlet/rpcrouter
where [port number] is the port number from the SystemOut.log file.
3. You should see a page titled “SOAP RPC Router.” This indicates a successful SOAP installation. Ignore the “Sorry, I don’t speak via HTTP GET” error message. If this page is not available, check your SOAP and WebSphere settings.
If there is a problem with SOAP which requires you to uninstall and start over, or if you need to uninstall the SOAP component, use the following command from a command prompt:
C:\IBM\LDAP\V6.0\appsrv\bin\wsadmin.bat -conntype NONE -c "$AdminApp uninstall soap.war"
Install DSML
To install DSML, unpack DSML.zip, modify the deployment descriptor, configure your CLASSPATH, install IBM DSML into SOAP, and verify the installation. Details are found below.
Unpack DSML.zip
1. Find the DSML.zip file in C:\IBM\LDAP\V6.0\idstools.
2. Unzip DSML.zip into C:\DSML.
Modify IBM DSML Deployment Descriptor
1. Modify the file C:\DSML\deployDSMLSoap.xml. The original deployDSMLSoap.xml file in C:\DSML looks like this:
org.apache.soap.server.DOMFaultListener
2. Cut and paste the following text into the file to replace the existing content:
org.apache.soap.server.DOMFaultListener
3. Save your changes.
Configure CLASSPATH
WARNING: These Java name spaces need to come before other Java instances in the CLASSPATH, or the wrong version will be used. CLASSPATH is used by many Java programs, and problems with an incorrect CLASSPATH can be very difficult to debug. The exact settings for your CLASSPATH will depend on what other Java programs you are using.
Be sure your CLASSPATH includes the following files, in the order given:
1. Current directory
2. xerces.jar (Apache Xerces 1.4.4)
3. Jar files for IBM DSML
4. activation.jar and mail.jar (found in C:\IBM\LDAP\V6.0\appsrv\java\jre\lib\ext)
5. XercesImpl.jar and XMLParserAPIs.jar (Apache Xerces 2.7.1)
6. soap.jar (Apache SOAP v2.3.1)
7. ibmjsseprovider.jar (in C:\IBM\LDAP\V6.0\appsrv\java\jre\lib)
For example, here is a sample CLASSPATH for a Windows environment:
CLASSPATH=.;C:\Xerces-J-bin.1.4.4\xerces1_4_4\xerces.jar;C:\DSML\jars\auibase.jar;C:\DSML\jars\dsml.jar;C:\DSML\jars\regex4j.jar;C:\DSML\jars\IBMLDAPJavaBer.jar;C:\DSML;C:\IBM\LDAP\V6.0\appsrv\lib\j2ee.jar;C:\IBM\LDAP\V6.0\appsrv\lib\activation.jar;C:\IBM\LDAP\V6.0\appsrv\lib\mail.jar;C:\IBM\LDAP\V6.0\appsrv\lib\XercesImpl.jar;C:\IBM\LDAP\V6.0\appsrv\lib\XMLParserAPIs.jar;C:\IBM\LDAP\V6.0\config\csa_runtime\swing11spinner_Runtime.jar;C:\IBM\LDAP\V6.0\appsrv\lib\soap.jar;C:\IBM\LDAP\V6.0\appsrv\installedApps\DefaultNode\soap.war.ear\soap.war\WEB-INF\classes;C:\IBM\LDAP\V6.0\jre\lib\ibmjsseprovider.jar
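Because a CLASSPATH in the wrong order fails only at run time (the InvalidRegex error in the Troubleshooting section is one symptom), it is worth checking the order mechanically before running DsmlSoapClient. The following script is an added example, not Postini's or IBM's code: it walks the seven groups listed above and reports any group that is missing or that appears ahead of one that must precede it. The membership of "Jar files for IBM DSML" is taken from the sample CLASSPATH; the second, incorrect CLASSPATH is constructed for illustration.

```python
"""Check a CLASSPATH against the seven-group order required for IBM DSML
(added example; group membership taken from the sample CLASSPATH above)."""
import re
from itertools import combinations

# Required order, by jar basename (compared case-insensitively).
REQUIRED_ORDER = [
    ("current directory", {"."}),
    ("Apache Xerces 1.4.4", {"xerces.jar"}),
    ("IBM DSML jars", {"auibase.jar", "dsml.jar", "regex4j.jar", "ibmldapjavaber.jar"}),
    ("activation/mail", {"activation.jar", "mail.jar"}),
    ("Apache Xerces 2.7.1", {"xercesimpl.jar", "xmlparserapis.jar"}),
    ("Apache SOAP 2.3.1", {"soap.jar"}),
    ("IBM JSSE provider", {"ibmjsseprovider.jar"}),
]


def _basenames(classpath, sep):
    """Split the CLASSPATH and reduce each entry to its lower-cased file name."""
    entries = [e.strip() for e in classpath.split(sep) if e.strip()]
    return [re.split(r"[\\/]", e)[-1].lower() for e in entries]


def check_classpath(classpath, sep=";"):
    """Return a list of problems; an empty list means every required jar is
    present and the groups appear in the documented order. Entries that
    belong to no group (j2ee.jar, plain directories) are ignored."""
    names = _basenames(classpath, sep)
    problems = []
    positions = []  # (group label, first index, last index)
    for label, wanted in REQUIRED_ORDER:
        idx = [i for i, n in enumerate(names) if n in wanted]
        missing = wanted - {names[i] for i in idx}
        if missing:
            problems.append(f"{label}: missing {sorted(missing)}")
        if idx:
            positions.append((label, min(idx), max(idx)))
    # Every earlier group must end before any later group begins.
    for (label_a, _, last_a), (label_b, first_b, _) in combinations(positions, 2):
        if last_a > first_b:
            problems.append(f"{label_a} must come before {label_b}")
    return problems


# The sample CLASSPATH from this section, one entry per element.
SAMPLE_CLASSPATH = ";".join([
    ".",
    r"C:\Xerces-J-bin.1.4.4\xerces1_4_4\xerces.jar",
    r"C:\DSML\jars\auibase.jar",
    r"C:\DSML\jars\dsml.jar",
    r"C:\DSML\jars\regex4j.jar",
    r"C:\DSML\jars\IBMLDAPJavaBer.jar",
    r"C:\DSML",
    r"C:\IBM\LDAP\V6.0\appsrv\lib\j2ee.jar",
    r"C:\IBM\LDAP\V6.0\appsrv\lib\activation.jar",
    r"C:\IBM\LDAP\V6.0\appsrv\lib\mail.jar",
    r"C:\IBM\LDAP\V6.0\appsrv\lib\XercesImpl.jar",
    r"C:\IBM\LDAP\V6.0\appsrv\lib\XMLParserAPIs.jar",
    r"C:\IBM\LDAP\V6.0\config\csa_runtime\swing11spinner_Runtime.jar",
    r"C:\IBM\LDAP\V6.0\appsrv\lib\soap.jar",
    r"C:\IBM\LDAP\V6.0\appsrv\installedApps\DefaultNode\soap.war.ear\soap.war\WEB-INF\classes",
    r"C:\IBM\LDAP\V6.0\jre\lib\ibmjsseprovider.jar",
])

# Constructed: Xerces 2.7.1 placed ahead of Xerces 1.4.4, and soap.jar missing.
BAD_CLASSPATH = ";".join([
    ".",
    r"C:\IBM\LDAP\V6.0\appsrv\lib\XercesImpl.jar",
    r"C:\IBM\LDAP\V6.0\appsrv\lib\XMLParserAPIs.jar",
    r"C:\Xerces-J-bin.1.4.4\xerces1_4_4\xerces.jar",
    r"C:\DSML\jars\auibase.jar",
    r"C:\DSML\jars\dsml.jar",
    r"C:\DSML\jars\regex4j.jar",
    r"C:\DSML\jars\IBMLDAPJavaBer.jar",
    r"C:\IBM\LDAP\V6.0\appsrv\lib\activation.jar",
    r"C:\IBM\LDAP\V6.0\appsrv\lib\mail.jar",
    r"C:\IBM\LDAP\V6.0\jre\lib\ibmjsseprovider.jar",
])

if __name__ == "__main__":
    print("sample:", check_classpath(SAMPLE_CLASSPATH) or "OK")
    print("bad:", check_classpath(BAD_CLASSPATH))
```

On a Unix host pass sep=":"; the check looks only at file names, so the drive letters and directories in the sample are irrelevant to it.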
Install IBM DSML into SOAP
In a command line in the C:\DSML directory, run the following command:
install.bat C:\IBM\LDAP\V6.0\appsrv\installedApps\DefaultNode\soap.war.ear\soap.war http://localhost:12100/soap/servlet/rpcrouter
Note: If you are using a different URL for the SOAP server, specify the correct URL for the SOAP server. The URL can be found in the file C:\IBM\LDAP\V6.0\appsrv\lib\app\SystemOut.log. For information about reading this file, see “Confirm WebSphere and SOAP installation” on page 47.
Verify DSML installation
Run the following command from the C:\DSML directory to verify the DSML installation:
java com.ibm.ldap.dsmlClient.DsmlSoapClient "cn=Bob Level" "rulost2" -i "batchrequest.dsml" -o "result.xml" -l "log.out" -S http://localhost:12100/soap/servlet/messagerouter
Note: If you are using a different URL for the SOAP server, specify the correct URL for the SOAP server. The URL can be found in the file C:\IBM\LDAP\V6.0\appsrv\lib\app\SystemOut.log. For information about reading this file, see “Confirm WebSphere and SOAP installation” on page 47.
Collect information for Directory Sync setup
After you have set up SOAP and DSML, collect DSML information for Directory Sync. This information is used in the DSML files and in the Directory Sync configuration. You will also use this information to create the batchrequest.dsml file, which is detailed in the next section.
Verify LDAP Information
You will need an LDAP browser to verify the parameters to be used with DSML. One such browser you can use is Softerra LDAP Administrator. You can download Softerra LDAP Administrator from the following URL: http://www.ldapbrowser.com
Use the LDAP browser to collect the following information:
• User name and password to connect to your LDAP server
• The proper spelling of the base DN from which to start the query
You will also need to collect the following information for Directory Sync configuration:
• Authorized user (name only)
• Password (case-sensitive)
• Host Name (no http://)
• Path (including leading forward slash)
• Port (no colon, just the number)
• Server Type (IBM Lotus Notes)
• Base DN (distinguished name)
Create batchrequest.dsml file
To complete setup, create a batchrequest.dsml file. The batchrequest.dsml file is used to connect to the LDAP server.
1. Using an LDAP browser, find the Base DN you will use for your LDAP server.
2. With a text editor, create a file with the following content, name it “batchrequest.dsml”, and save it in your C:\DSML directory. Substitute the base DN you found in the LDAP browser.
person
3. Run the following command from the C:\DSML directory, substituting “cn=Domino Admin” and “secret” with the user name and password you were able to connect with in the LDAP browser. Use double quotes around the user name and password. Make sure you specify the correct URL for the SOAP server (see the steps to verify the SOAP installation).
C:\DSML>java com.ibm.ldap.dsmlClient.DsmlSoapClient "cn=Domino Admin" "secret" -i "batchrequest.dsml" -o "result.xml" -l "log.out" -S http://localhost:12100/soap/servlet/messagerouter
If the test was successful, the query result will be written to the “result.xml” file. The file should have the following format:
[email protected] [email protected] [email protected]
If you do not see these results, check your DSML and LDAP settings.
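The page's own batchrequest.dsml content did not survive extraction, so the following added example (not Postini's or IBM's code) shows the shape of the exchange: a DSMLv2 batchRequest searching a base DN for person entries and asking only for the mail attribute, the SOAP envelope the message router expects around it, and a parser for the searchResponse that ends up in result.xml. The base DN, the entries in the sample response and the error response are all constructed; the DSML namespace and element names are those of the DSMLv2 standard that the troubleshooting section also quotes (urn:oasis:names:tc:DSML:2:0:core).

```python
"""Build a DSMLv2 search request like batchrequest.dsml, wrap it for SOAP,
and extract mail values from the searchResponse (added example; sample
response data is constructed)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def build_batch_request(base_dn, attrs=("mail",), scope="wholeSubtree"):
    """Return a DSMLv2 batchRequest that searches base_dn for person entries
    and asks only for the listed attributes. quoteattr() escapes the DN so
    characters such as '<' or '"' cannot alter the XML structure."""
    attr_xml = "".join(f"<attribute name={quoteattr(a)}/>" for a in attrs)
    return (
        f'<batchRequest xmlns="{DSML_NS}">'
        f'<searchRequest dn={quoteattr(base_dn)} scope="{scope}" '
        'derefAliases="neverDerefAliases" sizeLimit="0">'
        '<filter><equalityMatch name="objectClass">'
        "<value>person</value></equalityMatch></filter>"
        f"<attributes>{attr_xml}</attributes>"
        "</searchRequest></batchRequest>"
    )


def wrap_soap(body_xml):
    """Place a DSML document in a SOAP 1.1 envelope for the message router."""
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}"><SOAP-ENV:Body>'
        f"{body_xml}</SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


def search_status(result_xml):
    """Return (code, descr) from searchResultDone, or ("0", "") if absent."""
    root = ET.fromstring(result_xml)
    done = root.find(f".//{{{DSML_NS}}}searchResultDone")
    code = done.find(f"{{{DSML_NS}}}resultCode") if done is not None else None
    if code is None:
        return ("0", "")
    return (code.get("code", "0"), code.get("descr", ""))


def extract_mail(result_xml):
    """Return every mail value in the search response, in document order.
    A non-zero LDAP result code raises instead of yielding an empty list,
    so a failed query is not mistaken for an empty directory."""
    code, descr = search_status(result_xml)
    if code != "0":
        raise RuntimeError(f"LDAP result code {code} {descr}".strip())
    root = ET.fromstring(result_xml)
    mails = []
    for entry in root.iter(f"{{{DSML_NS}}}searchResultEntry"):
        for attr in entry.findall(f"{{{DSML_NS}}}attr"):
            if attr.get("name", "").lower() != "mail":
                continue
            for value in attr.findall(f"{{{DSML_NS}}}value"):
                if value.text and value.text.strip():
                    mails.append(value.text.strip())
    return mails


# Constructed sample of a successful result.xml (three person entries).
SAMPLE_RESULT = wrap_soap(
    f'<batchResponse xmlns="{DSML_NS}"><searchResponse>'
    '<searchResultEntry dn="cn=Alice Example,ou=people,dc=example,dc=com">'
    '<attr name="mail"><value>alice@example.com</value></attr></searchResultEntry>'
    '<searchResultEntry dn="cn=Bob Example,ou=people,dc=example,dc=com">'
    '<attr name="cn"><value>Bob Example</value></attr>'
    '<attr name="mail"><value>bob@example.com</value></attr></searchResultEntry>'
    '<searchResultEntry dn="cn=Carol Example,ou=people,dc=example,dc=com">'
    '<attr name="mail"><value>carol@example.com</value></attr></searchResultEntry>'
    '<searchResultDone><resultCode code="0" descr="success"/></searchResultDone>'
    "</searchResponse></batchResponse>"
)

# Constructed sample of a failed search (for example, a mistyped base DN).
SAMPLE_ERROR_RESULT = wrap_soap(
    f'<batchResponse xmlns="{DSML_NS}"><searchResponse>'
    '<searchResultDone><resultCode code="32" descr="noSuchObject"/>'
    "<errorMessage>No such object</errorMessage></searchResultDone>"
    "</searchResponse></batchResponse>"
)

if __name__ == "__main__":
    print(wrap_soap(build_batch_request("ou=people,dc=example,dc=com")))
    print(extract_mail(SAMPLE_RESULT))
```

Checking the result code before reading entries is the point of the parser: a wrong base DN or a bind failure produces a well-formed response with no entries, which a naive extractor would report as "no users found" rather than as an error.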
Configure Directory Sync in the Administration Console
After you have successfully verified the DSML installation, use the parameters that you entered in the verification step to configure Directory Sync in the Administration Console. Be sure to use the fully qualified DNS name for the host name. For more information about setting up Directory Sync in the Administration Console, see the Email Protection Service Administration Guide.
Setup Checklist
To confirm your configuration for compatibility with IBM Lotus Domino servers, be sure you have completed the following steps:
• Load LDAP and add LDAP to server tasks
• Create a server configuration document
• Download Apache Xerces v1.4.4, Apache SOAP v2.3.1, Java J2SE SDK v1.4.2 Update 10
• Install these libraries on your DSML Server
• Download Apache Xerces v2.7.1 and rename xml-apis.jar to XMLParserAPIs.jar
• Install this library on your DSML Server
• Install WebSphere Application Server on your DSML Server
• Copy soap.jar and soap.war files into your installation
• Create DSMLv2.xsd and place the file in your schemas directory
• Create soap-env.xsd and place the file in your schemas directory
• Edit the server.xml file
• Place .jar files in your app directory
• Install SOAP into WebSphere Application Server
• Stop and restart WebSphere Application Server
• Unpack DSML.zip
• Modify deployDSMLSoap.xml
• Install DSML into SOAP on WebSphere server
• Configure CLASSPATH on your DSML Server
• Collect LDAP information from your directory server
• Create batchrequest.dsml file
Troubleshooting
If an error occurs when you attempt to verify the installation, check the error message against the error messages below to find the source of the problem.
Exception in thread “main” java.lang.NoClassDefFoundError: com/ibm/ldap/dsmlClient/DsmlSoapClient
Cause: The .jar files for IBM DSML are not in your CLASSPATH. Refer to section 2.9 for information about setting your CLASSPATH.
[SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: java.net.ConnectException: Connection refused: connect; targetException=java.lang.IllegalArgumentException: Error opening socket: java.net.ConnectException: Connection refused: connect]
Cause: WebSphere Express is not running. Refer to section 2.4 and section 2.7 to verify that WebSphere is running and SOAP is installed.
[SOAPException: faultCode=SOAP-ENV:Server; msg=Exception while handling service request: org/apache/soap/Envelope]
Cause: The WebSphere Class Loader cannot find the SOAP libraries. Refer to section 2.6 for information about the WebSphere Class Loader.
[SOAPException: faultCode=SOAP-ENV:Server; msg=service 'urn:oasis:names:tc:DSML:2:0:core' unknown]
Cause: IBM DSML was not installed properly. Refer to section 2.10 for information about installing IBM DSML.
Error Msg: InvalidRegex: Pattern value '((([0-2](\.[0-9]+)+)|([a-zA-Z]+([a-zA-Z09]|[-])*))(;([a-zA-Z0-9]|[-])+)*)' is not a valid regular expression. The reported error was: ''-' is an invalid character range. Write '\-'.'.
Cause: xerces.jar (Apache Xerces 1.4.4) is not in your CLASSPATH, or the reference to xerces.jar in your CLASSPATH is incorrect. Refer to section 2.9 for information about configuring CLASSPATH.
Chapter 5: Directory Sync with Sun ONE DS
The Sun ONE Directory Server 5.2 product includes a Directory Server, an Administration Server to manage multiple directories, and Sun ONE Server Console to manage both servers through a graphical interface.
Because Directory Sync extracts company information over the Internet, it is vital that all connections are secure. Directory Sync always connects to your directory server using SSL. DSML (Directory Services Markup Language) allows an HTTP session to use SOAP to access the directory server. Although it is not enabled by default, Sun ONE Directory Server 5.2 includes support for the DSML interface. The Directory Sync tool acts as a client, sending DSML requests to the directory server to query for user information.
You can perform most Directory Server administrative tasks from the Directory Server console. Some require command-line utilities or manual editing of configuration files. You must restart your directory server for new settings to take effect. Most commands are run through the directory server console. To start the console, locate where your Sun ONE server is installed and run the following command with root privileges:
# ./startconsole &
To set up a Sun ONE Directory Server to work with Directory Sync, you’ll need to complete four steps:
• Enable SSL
• Install DSML
• Configure DSML Identity Mapping
• Collect information for Directory Sync setup
Enable SSL
Secure Sockets Layer (SSL) provides encrypted communications between a client and server. Directory Sync uses SSL encryption and basic authentication to guarantee confidentiality and data integrity. Basic authentication requires a user name and password to connect to a directory server. SSL makes sure that transmitted data is encrypted and protected.
To enable SSL in the Sun ONE Directory Server, you will need to obtain and install a certificate, then activate and configure SSL on your directory server. You can obtain a server certificate from a Certificate Authority such as Verisign or Entrust. Sun provides a tool (certutil) to manage certificates in the Sun ONE Directory Server Resource Kit (DSRK). You can download the DSRK at: http://www.sun.com/download/products.xml?id=3f74a0db
To set your Sun ONE Directory Server up to accept connections from Directory Sync, use SSL with simple authentication. This uses a bind DN and password to authenticate a user, and SSL to ensure confidential data transmission. Enabling SSL in the Sun ONE Directory Server consists of two parts: obtaining and installing the certificate, and activating SSL. These steps are summarized here, and detailed in later sections.
Obtain and install a certificate
1. Create a certificate database.
2. Generate a certificate request.
3. Send the certificate request.
4. Install your new certificate.
5. Set your directory server to trust your Certificate Authority.
Activate SSL
1. Activate SSL in your directory server.
2. Configure SSL, including the secure ports for LDAP and DSML operations.
Obtain and Install Server Certificates
This section describes the process of creating a certificate database, obtaining and installing a certificate for use with your Directory Server, and configuring Directory Server to trust the Certificate Authority's (CA) certificate. Directory Server will accept any SSL-compliant Certificate Authority, including self-signed certificates.
The first time you configure SSL on your server, you must set the password for your security device. Be sure to keep this password, as you will need it later. If you are not using an external hardware security device, the internal security device is a certificate and key database stored in the following files:
ServerRoot/alias/slapd-serverID-cert7.db
ServerRoot/alias/slapd-serverID-key3.db
ServerRoot is the root directory of your directory server. serverID is the ID number of your server.
Create a certificate database
If you do not already have a certificate database set up, you will need to create one. The directory server creates the certificate database files automatically the first time you invoke the certificate manager dialog. You can also create the certificate database manually; this step uses the command-line interface.
1. On the server host machine, create a certificate database with the following command:
certutil -N -d ServerRoot/alias -P slapd-LCserverID-
LCserverID is your server name in all lower-case letters. ServerRoot is your server root.
2. The tool will prompt you for a password to protect the keys of the certificates. Keep track of this password. You will use it in later steps.
Generate a certificate request
Generate a PKCS #10 certificate request in PEM format. PEM (Privacy Enhanced Mail) is the format used to represent a base64-encoded certificate request in US-ASCII characters.
1. Log into the directory server console. Start the console from the directory where your Sun ONE Directory Server is installed. You will need root privileges.
# ./startconsole &
2. On the top-level Tasks tab of the Directory Server console, click Manage Certificates. The Manage Certificates dialog is displayed.
3. Go to the Server Certs tab. Click Request. The Certificate Request Wizard is displayed.
4. Click Next to continue.
5. Enter the following Requestor Information in the blank text fields:
Server Name: Enter the fully qualified hostname of the Directory Server as it is used in DNS lookups, for example, east.example.com.
Organization: Enter the legal name of your company or institution. Most CAs require you to verify this information with legal documents such as a copy of a business license.
Organizational Unit: (Optional) Enter a descriptive name for your division or business unit within your company.
Locality: (Optional) Enter your company's city name.
State or Province: Enter the full name of your company's state or province, with no abbreviations.
Country: Select the two-character abbreviation for your country's name in ISO format. The country code for the United States is US.
6. Click Next to continue.
7. Enter the password of your security device, then click Next. This is the password you set when you created the database.
8. Select Save to File to save the certificate request information. You will send this information to the Certificate Authority.
9. Click Done to dismiss the Certificate Request Wizard.
Send the certificate request
Contact a Certificate Authority (CA) to process your certificate request and generate a certificate. Because there are many different Certificate Authorities, you’ll need to contact your CA for instructions on how to do this. Transmit the request from the previous section to your Certificate Authority, according to the CA's procedures. You may be asked to send the certificate request in an email, or you may be able to enter the request through the CA's website.
Once you have sent your request, you must wait for the CA to respond with your certificate. Response time varies. For example, if your CA is internal to your company, it may take only a day or two to respond. If your selected CA is external to your company, it could take several weeks.
When the CA sends a response, save the information in a text file. Back up the certificate data in a safe location, so you can reinstall the certificate from your backup file if needed.
Install your new certificate
When you receive your server certificate from the CA, you are ready to install it in your server's certificate database.
1. Log into the directory server console. Start the console from the directory where your Sun ONE Directory Server is installed. You will need root privileges.
# ./startconsole &
2. On the top-level Tasks tab of the Directory Server console, click the Manage Certificates button. Alternatively, with the Tasks tab showing, select the Manage Certificates item from the Console->Security menu. The Manage Certificates window is displayed.
3. Select the Server Certs tab, and click Install. The Certificate Install Wizard is displayed.
4. Choose one of the following options for the certificate location:
In this file. Enter the absolute path to the certificate in this field.
In the following encoded text block. Copy the text from the Certificate Authority or from the text file you created and paste it in this field.
5. Click Next to continue.
6. Verify that the certificate information displayed is correct, then click Next.
7. Specify a name for the certificate, then click Next. This is the name that will appear in the table of certificates.
8. Verify the certificate by providing the password you set when creating the certificate database.
Your new certificate appears in the list on the Server Certs tab. Your server is now ready for SSL activation.
Set your Directory Server to trust the Certificate Authority
Once you have the CA certificate, you can use the Certificate Install Wizard to configure the Directory Server to trust the Certificate Authority.
1. Log into the directory server console. Start the console from the directory where your Sun ONE Directory Server is installed. You will need root privileges.
# ./startconsole &
2. On the top-level Tasks tab of the Directory Server console, click the Manage Certificates button. The Manage Certificates window is displayed.
3. Select the CA Certs tab, and click Install. The Certificate Install Wizard is displayed.
4. If you saved the CA's certificate to a file, enter the path in the field provided. If you received the CA's certificate via email, copy and paste the certificate, including the headers, into the text field provided. Click Next.
5. Verify that the certificate information displayed is correct for your Certificate Authority, then click Next.
6. Specify a name for the certificate, then click Next.
7. Set the purpose of trusting this CA to Accepting connections from clients (Client Authentication).
8. Click Done to exit the wizard.
Activate SSL
Once you have installed your server certificate and trusted the CA's certificate, you are ready to activate SSL.
1. Log into the directory server console. Start the console from the directory where your Sun ONE Directory Server is installed. You will need root privileges.
# ./startconsole &
2. On the top-level Configuration tab of the Directory Server console, select the root node with the server name, and then select the Encryption tab in the right-hand panel. The tab displays the current server encryption settings.
3. Check Enable SSL for this Server.
4. Check Use this Cipher Family.
5. Select your certificate from the drop-down menu.
6. Click Cipher Settings and select the RC4 128-bit cipher.
7. Allow client authentication. This is the default setting.
8. Click Save.
9. Restart the Directory Server.
Install DSML
Enable DSML through the Directory Server console.
1. Log into the directory server console. Start the console from the directory where your Sun ONE Directory Server is installed. You will need root privileges.
# ./startconsole
2. On the top-level Configuration tab of the Directory Server console, select the root node in the configuration tree, and select the Network tab in the right-hand panel.
3. Check Enable DSML.
4. Select Only secure port. If this option is not available, you need to activate and enable SSL.
5. Enter the port number for SSL. The default SSL port is 443. If you decide to use a port other than 443, write the port number down so you can refer to it later. Note that unlike LDAP queries, DSML queries use port 443 and an HTTP connection.
6. Enter the full relative URL. Set the path name to “/dsml”. The full relative URL includes the path name, combined with the host and the port number.
7. Click Save.
8. Restart the directory server.
Configuring Basic Authentication
1. Log into the directory server console. Start the console from the directory where your Sun ONE Directory Server is installed. You will need root privileges.
# ./startconsole
2. On the top-level Configuration tab of the Directory Server console, select the root node in the configuration tree, and select the Encryption tab in the right-hand panel.
3. Near the bottom of the right-hand panel, in the DSML Client Authentication drop-down menu, select HTTP Basic (use authentication in HTTP header).
4. Click Save.
5. Restart the directory server.
Configure DSML Identity Mapping
After you’ve installed DSML, set up Identity Mapping. In DSML, the directory server uses a mechanism called identity mapping to determine the bind DN from the HTTP Authentication header: you must tell the directory server how to map the user name in the Authentication header (such as “testuser”) to the bind DN (such as “cn=Directory Server”).
Note: You cannot use cn=Directory Server as the user name in the HTTP Authentication header.
To set up DSML Identity Mapping:
1. Stop the directory server.
2. Using a text editor, open the dse.ldif configuration file. This configuration file is found in the same directory as the directory server.
3. Change the following settings in the file:
dsSearchBaseDN: The base DN where the bind DN can be found. Normally, this base DN would be the suffix you defined when installing the directory. For example: ou=people,dc=company,dc=com
dsSearchFilter: (uid=${Authorization})
4. Enter the following new settings:
dsMatching-pattern: ${Authorization}
dsMatching-regexp: A regular expression for the basic authentication user name. For example: ^username$
dsMappedDN: The base DN for the username. For example: cn=Directory Manager
You will need to add this section to the configuration file. This tells the directory server that, for basic authorization, the username specified will map to the specified DN.
5. Save the configuration file.
6. Restart the directory server.
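To make the two halves of this configuration concrete, the following added example (not Sun's or Postini's code) models how the identity-mapping settings above turn an HTTP Basic user name into a bind DN: each dsMatching-pattern / dsMatching-regexp / dsMappedDN rule is tried first, and only when none matches is the user name substituted into dsSearchFilter and looked up under dsSearchBaseDN. The settings, the directory entries and the user names are constructed; it also assumes regular-expression search (not full-match) semantics for dsMatching-regexp, which is why the ^ and $ anchors in the example regexp matter: without them a name that merely contains "dsadmin" would also map to the privileged DN. The substituted user name is escaped as an LDAP filter value (RFC 4515) so that it is matched literally.

```python
"""Model of Sun ONE DSML identity mapping (added example; directory content
and settings are constructed; regexp search semantics are assumed)."""
import re


def ldap_filter_escape(value):
    """Escape an assertion value (RFC 4515) before substituting it into a
    filter, so a user name containing '*', '(' or ')' is matched literally."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def regexp_is_anchored(regexp):
    """A dsMatching-regexp should be anchored (^...$); an unanchored one also
    matches user names that merely contain the intended string."""
    return regexp.startswith("^") and regexp.endswith("$")


class IdentityMapping:
    """One dsMatching-pattern / dsMatching-regexp / dsMappedDN entry."""

    def __init__(self, matching_pattern, matching_regexp, mapped_dn):
        self.matching_pattern = matching_pattern
        self.matching_regexp = re.compile(matching_regexp)
        self.mapped_dn = mapped_dn

    def resolve(self, auth_user):
        # ${Authorization} is replaced by the HTTP Basic user name.
        subject = self.matching_pattern.replace("${Authorization}", auth_user)
        return self.mapped_dn if self.matching_regexp.search(subject) else None


def evaluate_equality_filter(ldap_filter, entry):
    """Evaluate a single '(attr=value)' filter against one entry's attributes.
    Escaping the entry's values before comparing is equivalent to unescaping
    the filter value, and avoids writing an unescaper."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only simple equality filters are modelled here")
    attr, wanted = m.group(1).lower(), m.group(2)
    return any(ldap_filter_escape(v) == wanted for v in entry.get(attr, []))


def resolve_bind_dn(auth_user, mappings, search_base_dn, search_filter, directory):
    """Return the bind DN for auth_user, or None if it cannot be mapped.
    An ambiguous search (more than one entry) is refused rather than guessed."""
    for mapping in mappings:
        dn = mapping.resolve(auth_user)
        if dn is not None:
            return dn
    ldap_filter = search_filter.replace(
        "${Authorization}", ldap_filter_escape(auth_user)
    )
    base = search_base_dn.lower()
    matches = [
        dn
        for dn, entry in directory.items()
        if (dn.lower() == base or dn.lower().endswith("," + base))
        and evaluate_equality_filter(ldap_filter, entry)
    ]
    return matches[0] if len(matches) == 1 else None


# Constructed stand-ins for the dse.ldif settings and the directory content.
SEARCH_BASE_DN = "ou=people,dc=example,dc=com"
SEARCH_FILTER = "(uid=${Authorization})"
MAPPINGS = [IdentityMapping("${Authorization}", "^dsadmin$", "cn=Directory Manager")]
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "mail": ["alice@example.com"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"], "mail": ["bob@example.com"]},
    "cn=Directory Manager": {"cn": ["Directory Manager"]},
}


def bind_dn_for(auth_user):
    """Resolve a user name against the constructed configuration above."""
    return resolve_bind_dn(auth_user, MAPPINGS, SEARCH_BASE_DN, SEARCH_FILTER, DIRECTORY)


if __name__ == "__main__":
    for user in ("dsadmin", "alice", "nobody", "a*"):
        print(f"{user!r} -> {bind_dn_for(user)}")
```

When reviewing a dse.ldif, run regexp_is_anchored over each dsMatching-regexp: the mapped DN is typically a privileged account, so the rule should match exactly one user name and nothing else.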
Collect Information for Directory Sync setup
Once you’ve enabled all components, collect information from your directory server. Directory Sync uses this information to contact your server and import settings. You’ll need to collect the following information:
• Authorized user (name only)
• Password (case-sensitive)
• Host Name (no http://)
• Path (including leading forward slash)
• Port (no colon, just the number)
• Server Type (Sun ONE Directory Server)
• Base DN (distinguished name)