
Comtarsia Logon Client 2006


Contents

1. ...vie. In this case the LDAP search query used to determine the Location Object looks as follows (the bracketed names stand for the configured values):

(&(objectclass=<LocationObjectClass>)(<LocationObjectCode>=vie))

Afterwards the attribute named by LocationObjectAttribute is read from the Location Object. If its value appears in one of the user's LocationAllowedAttributes, the logon is permitted. Additionally the LocationBasedEnvironment variables are exported as environment variables. To make this function as flexible as possible, a number of parameters have to be configured.

6.3.1 EnableLocation
KEY: HKEY_LOCAL_MACHINE\SOFTWARE\PCS\GINA\LDAP
EnableLocation (DWORD), default 0
With EnableLocation = 1 the Location Mode is activated.

6.3.2 LocationAllowedAttributes
KEY: HKEY_LOCAL_MACHINE\SOFTWARE\PCS\GINA\LDAP
LocationAllowedAttributes
Indicates which LDAP attributes of the user object define the locations at which the user may log on.
Example: LocationAllowedAttributes = ANPrimaer, ANAlternativ

[Screenshot: LDAP Browser/Editor 2.8.2, ldaps://lind.comtarsia.com, O=COMTARSIA: user cn=User1 with objectclass top, inetOrgPerson, organizationalPerson, person, ANPerson; anprimaer: Salzburg; analternativ: Wien; analternativ: Graz; physicaldeliveryofficename: 0401, 0402]
2. [Screenshot: CLCNetworkApplication object MSWORD/comtarsia: Object Class CLCNetworkApplication; Application Name: MSWORD/comtarsia; Command: msword.exe; Program Path: \\comtw2k1\apps; Description: Microsoft Word]

7.4.5 Configuration of the Logon Client (Domino LDAP Server)
A logon with the Comtarsia Logon Client to the Domino LDAP server can be done with a ShortName or with a FullName. An LDAP BaseDN can only be used if the users as well as the groups are created hierarchically. In this case the user name must be contained in fully hierarchical form in the field FullName, for example "Test User/Comtarsia" in addition to the flat name "Test User". For a sign-on with the Domino ShortName there are two options: UserDN = uid=SHORTNAME, or UserDN = SHORTNAME. For further information on configuring Lotus Domino to support the ShortName logon, see the reference list at the end of this manual. The password being used is the one defined in the "Internet password" field of the person document.

Logon Client configuration:
- The option AppendBaseDN is deactivated.
- The field UserDNPrefix is set to "uid=" for a ShortName logon and to "cn=" for a FullName logon.
- The LDAP Server type is Domino.
- LDAPEnableSSL is set according to the Domino configuration.
Now the Comtarsia Logon Client can authenticate against the Domino LDAP server.

7.5 Configuring an OpenLDAP Server under Linux (SuSE 8.0 Professional)
7.5.1 Required packages
The following rpm packages are required: openldap2-client-2.0.23-53,
3. [Screenshot: Comtarsia LDAP Browser/Editor, o=Company: ou=Departement_1 > ou=Office_1 with the users cn=JohnSmith, cn=BenWhite, cn=Peter Brown and the group cn=Office_1Group; cn=Shares with cn=DATA_1, cn=PRNT_App, cn=nwa_hu1, cn=nwa_fr1, cn=nwa_it1, cn=nwa_hu2; user JohnSmith with CLCNetworkApplicationName nwa_hu2 and nwa_it1, a home directory on \\comtw2k5\home6\johnsmith and a userPassword stored as {SSHA}]

Example: H: \\WOMBAT\test3 \\WOMBAT\profiles\test3
This refers to a user directory \\WOMBAT\test3 mapped to drive H:. The user profile directory is now \\WOMBAT\profiles\test3. If the user and profile directories are to reside on different shares, the two paths have to be separated in the field CLCProfilePath as in the example above.
Note: If you are using Samba as the resource server, separating the paths is strongly recommended.

5.4 LDAP Network Applications
5.4.1 What is a network application?
The Comtarsia Logon Client can make use of LDAP application definitions, i.e. it can automatically create shortcuts on the workstation for the required applications. This is also processed during logon. The function is supported by the Comtarsia Logon Client beginning with version 3.0.4.22.

5.4.2 Create a ...
4. [Screenshot: Logon Client Configurator, tab General: Logon Mode (LDAP, PKI, Windows ADS, SignOn Gate Support); Windows Logon Session (Local User, Domain User, Terminal Server Mode); Domain Name ADSDOM2; LDAP Password Mode; buttons Cancel / Apply]
Comtarsia Logon Client 2006 User Manual for LDAP, page 9/61

3.3 Second step: minimal LDAP global configuration
- LDAP Version: the default is LDAP version 3; for some years now most LDAP servers run version 3. Change it to 2 only if your server runs LDAP version 2.
- Enable "Append Base DN": mind the server-specific requirements at this point. Most LDAP servers work best with this option enabled.
- Set the LDAP server type.
- Configure the User DN, i.e. the path to the user in the LDAP hierarchy:
  - User DN Prefix: "cn=" as shown below, or "uid="
  - User DN Suffix: ",ou=Office_1,ou=Departement_1" (note: the entry begins with the separating comma)
  - Base DN of the LDAP tree, e.g. "o=Company" as shown below, or "dc=companyname,dc=com"
  The complete UserDN is composed as follows:
  UserDN = UserDN Prefix + Username + UserDN Suffix + BaseDN
  Example: cn=Testuser,ou=Office_1,ou=Departement_1,o=Company
- For testing purposes SSL may be disabled, according to the server configuration. Note that without SSL a simple bind sends the user's password to the LDAP server in cleartext, so this is acceptable for test setups only.
- Enable Advanced LDAP Logon (optional).

[Screenshot: Comtarsia Logon Client Configurator, tab Password Synchronisation ...]
5. ...a tab named "Comtarsia" is created. This tab contains the CLC-specific attributes; they can be added to the tab as shown below.

[Screenshot: IBM Directory Server Web Administration Tool, http://wombat.comtarsia.com:9080/IDSWebApp/IDSjsp/IDSConsoleFrameWork.jsp, Realms and templates > Manage user templates: tab "Comtarsia" with attributes selected from the list (departmentNumber, description, destinationIndicator, displayName, employeeNumber, ...)]

New realms will be created based on this new template, or, as mentioned before, previously created realms can be updated with it. In both cases the CLC attributes are immediately available on the tab "Comtarsia".

7.2.4 Creating Shares and Network Applications
Shares are created under Directory Management > Add an entry > Structural object class: select the CLCShare structural object class and fill in the Required and, optionally, the Other attributes.
Network Applications are created under Directory Management > Add an entry > Structural object class: select CLCNetworkAppli...
6. openldap2-2.0.23-53, openssl-0.9.6c-29 (only for SSL support).

You can check whether these packages are installed with the following commands:

ngc4321:/home/stefan # rpm -q -a | grep openldap
openldap2-client-2.0.23-53
openldap2-2.0.23-53
ngc4321:/home/stefan # rpm -q -a | grep openssl
openssl-0.9.6c-29
openssl-devel-0.9.6c-29
ngc4321:/home/stefan #

These packages can be installed with YaST or, if required, directly with rpm. The OpenLDAP configuration files are found under /etc/openldap. The LDAP client tools reside in /usr/bin. The LDAP server slapd lies in the directory /usr/lib/openldap.

7.5.2 Adapting the configuration
ldap.conf:

BASE dc=comtarsia,dc=com

slapd.conf:

# Access Control: each user may modify his own entry, read others,
# and read the userPassword anonymously for auth
access to *
        by self write
        by users read
        by anonymous auth

# ldbm database definitions
suffix          "dc=comtarsia,dc=com"
rootdn          "cn=Manager,dc=comtarsia,dc=com"

Note: with this ACL every authenticated user can read every attribute of every entry, including the userPassword hashes of other users, because "access to *" covers userPassword as well. Before production use, put a separate rule for attrs=userPassword in front of it that grants "by self write", "by anonymous auth" and "by * none".

SSL: To use SSL the following lines have to be appended at the end of the slapd.conf file:

# Certificates
TLSCertificateFile      /etc/openldap/server.pem
TLSCertificateKeyFile   /etc/openldap/server.pem
TLSCACertificateFile    /etc/openldap/server.pem

7.5.3 Creating an SSL key

openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365

In the following dialog the Common Name should be the name of ...
7. [Screenshot: Logon Client Configurator, tab Group Mapping: Administrator Group WSADMIN; Poweruser Group PUSER; Groupmapping table Domain Group -> Local Group, e.g. PROJECT_2 -> PROJECT_2, OS2GROUP1 -> LOCALGROUP1; buttons Add / Modify / Delete Groupmapping]

The maximum supported number of groups per user is 251.

4.2 A few words about getting the BaseDN
This is the right point to say more about how the Logon Client discovers the LDAP BaseDN and which settings have to be considered:
- If an LDAP BaseDN is set in the registry, it is used.
- If the LDAP server supports LDAP version 3 and the LDAP version is set to 3 in the registry, the Logon Client tries to discover the BaseDN via an LDAP query (typically the namingContexts attribute of the server's root DSE).
  Note: Most LDAP servers support more than one BaseDN. The administrator has to make sure that the BaseDN to be used by the Logon Client is returned as the first entry. This can easily be checked with an LDAP browser.
- If no BaseDN was found, it is constructed from the local computer's fully qualified hostname, e.g. domain.company.com -> BaseDN dc=company,dc=com.

5 Optional LDAP attributes
5.1 Introduction
The Comtarsia LDAP schema extension allows, beyond the essential user/password authentication and group memberships, the ...
8. Hierarchic objects
In order to organize the Domino objects hierarchically in the LDAP directory, the domain has to be stated in the fullname attribute. In user and group objects the hierarchic name as well as the flat name have to be stated in the fullname attribute.
IMPORTANT: The hierarchic name must be in first place in the fullname attribute.

[Screenshot of a user with DN cn=Dom User2,o=comtarsia: First name Dom; Last name User2; User name: Dom User2/Comtarsia, Dom User2; Short name/UserID: DUser2]

[Screenshot of a group with DN cn=dgroup2,o=comtarsia: Group name: dgroup2/comtarsia, dgroup2; Group type: Multi-purpose; fields Category, Description, Comments, Administration]

For share or network application objects it is only necessary to fill in the hierarchic name in the fullname attribute.

[Screenshot of a CLCShare object with DN cn=office,o=comtarsia: Object Class CLCShare; Share Name office/Comtarsia; Share Type Directory; Server zsvws1; Description "office share"]

[Screenshot of a CLCNetworkApplication object with DN cn=msword,o=comtarsia]
9. [Screenshot: IBM Directory Server Web Administration Tool, http://wombat.comtarsia.com:9080/IDSWebApp/IDSjsp/IDSConsoleFrameWork.jsp, editing a user entry]

Under "Other attributes" the CLC attributes are now available to be assigned. In case many users have to be updated, a reasonable option is to create a new user template with the CLC attributes included. In the realm the users belong to, the former template can then simply be replaced with the new one.

[Screenshot: IBM Directory Server Web Administration Tool, Realms and templates > Edit realm cn=new1_realm,o=company: Administrator group cn=new1_realm,o=company; User container cn=new1_realm,o=company; User template changed to cn=new2_template,ou=office,o=company (other templates listed: cn=a_template,o=area, cn=lin_template,o=level1, cn=demo_template,o=level1, ...)]
10. [Screenshot: Comtarsia LDAP Browser/Editor, printer share cn=PRNT_App,cn=Shares,o=Company: objectclass clcshare; CLCShareDescription: Apple Printer; CLCShareRemoteDevice: Apple Laserwriter 12/640 PS; CLCShareServer: comtw2k9. Other entries visible in the tree: cn=DATA_1, cn=nwa_hu1, cn=nwa_fr1, cn=nwa_it1, cn=nwa_hu2, cn=home6, cn=Marketing, cn=Logistics, cn=Leaders]

The printer driver only needs to be installed on the server.

5.2.2.2 Assign a network printer share to the user
In order to assign a network printer share to the user, the CLCShareName attribute has to be added to the user object, and the name of the printer share (but not the full DN of the share) has to be entered into it.

[Screenshot: Comtarsia LDAP Browser/Editor, user cn=JohnSmith,ou=Office_1,ou=Departement_1,o=Company: objectclass clcperson, inetorgperson, organizationalPerson, person, top; CLCNetworkApplicationName nwa_hu2, nwa_it1; home directory \\comtw2k5\home6\johnsmith]
11. ...has taken place. If the current user is valid for a logon at the current location, the variable contains the value 1. If no location check has taken place, for example because of a local logon, the variable is not set.

7 LDAP Server specific configurations
7.1 Netscape Directory Server schema extension
7.1.1 The Comtarsia schema
The Comtarsia LDAP schema extension is delivered with the Comtarsia Logon Client 2006 software package. It is intended to be included into the directory server's schema files (for instructions see below). After a successful server start with the extended LDAP schema, beyond simple user authentication the whole range of LDAP logon functionalities of the Logon Client becomes available: the possibility to assign directory and printer shares, network applications, home directory, profile path, etc. For this purpose the user needs the CLCPerson object class assigned, and CLCShare and CLCNetworkApplication objects with the corresponding CLC attributes also have to be available. With the extended schema these can be managed in the directory server, enabling all Comtarsia Logon Client 2006 functions (for instructions see below).

There are two versions of the Comtarsia schema file:
- One version is intended for a completely new server setup in which all users are created from this point on. The user object is created ...
12. ...has to be a member of the HwAdminGroup.
Example: hwadminattribute = workstations, hwadmingroup = hwadmin
If the user now logs on to a workstation whose name appears in that LDAP attribute of the user, and the user is a member of the LDAP group hwadmin, the user becomes local administrator.

6.2.2 HwAdminGroup
The registry key HKEY_LOCAL_MACHINE\SOFTWARE\PCS\GINA\hwadmingroup defines the LDAP group the user has to be a member of in order to become HwAdmin.
Example: hwadmingroup = hwadmin
When a user logs on to the workstation, it is checked whether the user is a member of the group hwadmin. If the workstation name additionally appears in the HwAdminAttribute, the user becomes local administrator. Both conditions have to be met.

6.3 Location dependent permission/prohibition of logons
The Location Mode allows the user to log on at specific locations only. An LDAP user object can contain primary as well as alternative locations at which a logon is permitted. Additionally, an LDAP attribute of the location object can be exported as an environment variable, which can be reused in logon scripts for many different purposes. From the sub-domain of the FQDN of the workstation a LocationCode is determined, which is used to find the Location Object in LDAP.
Example: ws1.vie.comtarsia.com -> ...
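The group-mapping rules of section 4.1 (Administrator/Poweruser groups, the explicit mapping table, allocation by equal name, the 251-group limit) and the two-condition HwAdmin decision of section 6.2 are easy to get subtly wrong in a logon path. The following Python script is an added example, not Comtarsia code and not part of the manual: it models those rules on constructed data. The function names, the dict/set data shapes, the precedence between the rules, the English local group names "Administrators" and "Power Users" and the reaction to exceeding the group limit are assumptions, marked as such in the comments.

```python
"""Group mapping (section 4.1) and the HwAdmin decision (section 6.2) as the manual
describes them. Added example, not Comtarsia code: the function names, the dict/set
data shapes, the rule precedence and the sample data below are assumptions."""
from dataclasses import dataclass, field


@dataclass
class GroupMappingConfig:
    admin_group: str = "WSADMIN"        # Configurator "Administrator Group"
    poweruser_group: str = "PUSER"      # Configurator "Poweruser Group"
    mapping: dict = field(default_factory=dict)  # "Domain Group" -> "Local Group" table
    hwadmin_group: str = "hwadmin"      # 6.2.2 hwadmingroup
    hwadmin_attribute: str = "workstations"  # 6.2.1 hwadminattribute
    max_groups: int = 251               # manual: maximum groups per user


def _fold(names):
    """Windows group and host names compare case-insensitively (assumed for LDAP CNs too)."""
    return {n.casefold() for n in names}


def map_groups(ldap_groups, local_groups, cfg):
    """Local groups the user is placed into. Precedence (assumed; the manual lists the
    rules, not their order): explicit mapping table, then Administrator/Poweruser group,
    then allocation by equal name (4.1.1).  Only groups that exist locally are used."""
    if len(ldap_groups) > cfg.max_groups:
        # The manual states the 251 limit but not the client's reaction; on a logon
        # path, refusing is the conservative choice.
        raise ValueError(f"{len(ldap_groups)} groups exceed the limit of {cfg.max_groups}")
    local_by_fold = {g.casefold(): g for g in local_groups}
    mapping_by_fold = {k.casefold(): v for k, v in cfg.mapping.items()}
    result = set()
    for group in ldap_groups:
        key = group.casefold()
        if key in mapping_by_fold:
            target = mapping_by_fold[key]
        elif key == cfg.admin_group.casefold():
            target = "Administrators"      # English local group names assumed
        elif key == cfg.poweruser_group.casefold():
            target = "Power Users"
        else:
            target = group                 # 4.1.1: allocation by equal name
        if target.casefold() in local_by_fold:
            result.add(local_by_fold[target.casefold()])
    return result


def is_hwadmin(ldap_groups, user_entry, workstation, cfg):
    """6.2: local administrator only if BOTH hold: member of hwadmin_group AND the
    workstation name is listed in the user's hwadmin_attribute."""
    attrs = {k.casefold(): v for k, v in user_entry.items()}
    listed = _fold(attrs.get(cfg.hwadmin_attribute.casefold(), []))
    return (cfg.hwadmin_group.casefold() in _fold(ldap_groups)
            and workstation.casefold() in listed)


if __name__ == "__main__":
    # constructed sample data, not taken from a real directory
    cfg = GroupMappingConfig(mapping={"OS2GROUP1": "LOCALGROUP1", "PROJECT_2": "PROJECT_2"})
    local = {"Administrators", "Power Users", "Users", "PROJECT_2", "LOCALGROUP1", "Marketing"}
    print(sorted(map_groups(["WSADMIN", "OS2GROUP1", "Marketing", "Unknown"], local, cfg)))
    user = {"cn": ["User1"], "workstations": ["WS1", "WS7"]}
    print(is_hwadmin(["hwadmin", "Marketing"], user, "ws1", cfg))
```

Two points worth checking against a real deployment: an LDAP group with no local counterpart is dropped here rather than creating a local group, and the HwAdmin decision requires both the group membership and the workstation entry, so a user who can edit only one of the two cannot grant himself local administrator rights.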
13. ...here with a structural object class named CLCPerson. In the current version this is derived from inetOrgPerson, but it can be changed if necessary to another, even user-defined, object class, as long as the object class top is inherited at the end. The CLC attributes can then be assigned to the CLCPerson object on the directory server.
- The other version is for LDAP servers with users already established and in production use; it enables them to additionally use the Comtarsia Logon Client functionalities. The users get assigned an auxiliary object class named CLCPerson; consequently the CLC attributes can be assigned to them.

7.1.2 Including the Comtarsia schema into the server
- The directory server has to be stopped.
- The schema extension file is stored in the server's respective config/schema folder.
- The server can be started again.

7.1.3 The CLCPerson user object
7.1.3.1 Creating a new CLCPerson user (schema extension with structural CLCPerson object class)
In order to create a new user, click on the required container (for example People), choose New > Other, select CLCPerson from the list and fill the fields with the user data. Click Advanced Properties > Add attribute, select the CLC attributes from the list, add them and fill the fields with the corresponding values.

7.1.3.2 Add CLCPerson to an existing user us...
14. ... -inkey client.key -keyex -CAfile ca.pem -name client -out client.pfx

7.6.5.5 Checking a certificate

openssl.exe x509 -text -noout -sha1 -fingerprint -in client.pem

7.6.5.6 Importing a certificate
You can import the client certificate, the matching private key and the CA certificate (if existing) into the client's key store with import_key:

USAGE: import_key -s<format_option> [-v] <options>
  -s<format_option>      Switch between PKCS7 and PKCS12 format
  -v                     Use verbose mode
PKCS7 format options (-sPKCS7):
  -f<pkcs7_file>         PKCS#7 certificate file
  -k<keyfile>            PEM format private key (not encrypted)
  -C                     Certificate only
  -A                     Add certificate to the CA store
PKCS12 format options (-sPKCS12):
  -f<pkcs12_file>        PKCS#12 certificate and key file
  -p<pkcs12_password>    PKCS#12 password

Examples:
to import a PKCS#12 certificate and key into the user store:
  import_key -sPKCS12 -v -fclient.pfx -psecret
to import a PKCS#7 certificate and a PEM encoded key into the user store:
  import_key -sPKCS7 -v -fclient.p7b -kclient.key
to import a PKCS#7 certificate without a key into the user store:
  import_key -sPKCS7 -v -C -fserver.p7b
to import a PKCS#7 certificate without a key into the system store (CA):
  import_key -sPKCS7 -v -A -fca.pem

Note that the PKCS#12 password given with -p is visible in the command history and in the process list while import_key runs, and that the -k key file is unencrypted; delete the .pfx and .key files from the workstation once they have been imported.

Supported formats: PKCS#12 for certificate and key, PKCS#7 for certificate, and PEM only for a key wi...
15. ...secret

and import the following LDIF file:

dn: dc=comtarsia,dc=com
dc: comtarsia
objectClass: organization
objectClass: dcObject
o: comtarsia

dn: cn=Manager,dc=comtarsia,dc=com
objectClass: person
sn: Manager
cn: Manager

dn: cn=user1,dc=comtarsia,dc=com
objectClass: person
sn: user1
cn: user1
userPassword: test

You can also import the LDIF file from the command prompt (see man ldapadd). To add additional users, import an LDIF file looking like this:

dn: cn=user1,dc=comtarsia,dc=com
objectClass: person
sn: user1
cn: user1
userPassword: test

Note: a userPassword given in cleartext like this is stored in cleartext, and the same applies to the rootpw line in slapd.conf. For anything beyond a test setup use hashed values; slappasswd generates {SSHA} hashes that can be pasted into both places.

Now a login with the user accounts is possible as well; the users should have permission to modify their own attributes (e.g. userPassword). If this is not the case, the ACL in slapd.conf is not set correctly. If the result is as expected, nothing prevents you from logging on with the Comtarsia Logon Client 2006 (for more information see "Optional LDAP attributes").

7.6 Cookbook: SSL Certificate Installation
7.6.1 Introduction
The Comtarsia Logon Client supports LDAP beginning with release 3.0. To ensure the confidentiality of the data transmitted between Logon Client and LDAP server (user passwords, user permission data, etc.), SSL encryption can be used. SSL (Secure Socket Layer) was originally developed by Netscape. In the meantime many notable software vendors have begun to supp...
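The LDIF above stores the test user's password in cleartext. The following Python script is an added example, not part of the manual and not Comtarsia code: it writes the same entries of section 7.5 (the suffix, the Manager entry and a user) but with userPassword in the salted {SSHA} form that slappasswd produces, together with a verifier for such values and the LDIF base64 rule for values that cannot be written literally. The function names and the helper layout are ours; the test data is constructed.

```python
"""Write the OpenLDAP test entries of section 7.5 as LDIF with {SSHA} password hashes.
Added example, not from the manual or Comtarsia: the manual's LDIF stores
"userPassword: test" in cleartext; this produces the salted SHA-1 form slappasswd
emits. Function names and the helper layout are ours."""
import base64
import hashlib
import hmac
import os
from typing import Optional

RDN_SPECIAL = ',+"\\<>;=#'


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} = base64(sha1(password + salt) + salt), 4 random salt bytes like slappasswd."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value; the salt is whatever follows the
    20 digest bytes."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def _needs_base64(value: str) -> bool:
    # LDIF (RFC 2849): a value starting with space, ':' or '<', or containing non-ASCII
    # or control characters, has to be written base64-encoded after a double colon.
    if value[:1] in (" ", ":", "<"):
        return True
    return any(ord(c) < 32 or ord(c) > 126 for c in value)


def ldif_entry(dn: str, attrs: dict) -> str:
    """Serialise one entry; attrs maps attribute name -> str or list of str (multi-valued)."""
    lines = [f"dn: {dn}"]
    for name, values in attrs.items():
        for value in ([values] if isinstance(values, str) else values):
            if _needs_base64(value):
                encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
                lines.append(f"{name}:: {encoded}")
            else:
                lines.append(f"{name}: {value}")
    return "\n".join(lines) + "\n"


def user_ldif(cn: str, base_dn: str, password: str, salt: Optional[bytes] = None) -> str:
    """A 'person' entry as in the manual, but with userPassword hashed.  The cn goes into
    the DN, so names containing RDN special characters are rejected instead of being
    concatenated unescaped (RFC 4514)."""
    if any(ch in RDN_SPECIAL for ch in cn):
        raise ValueError("cn contains RDN special characters; choose another name")
    return ldif_entry(f"cn={cn},{base_dn}",
                      {"objectClass": "person", "sn": cn, "cn": cn,
                       "userPassword": ssha_hash(password, salt)})


def base_ldif(base_dn: str = "dc=comtarsia,dc=com") -> str:
    """The suffix and Manager entries of section 7.5.  The Manager entry carries no
    password: slapd authenticates the rootdn against rootpw in slapd.conf."""
    dc = base_dn.split(",")[0].split("=", 1)[1]
    suffix = ldif_entry(base_dn, {"dc": dc, "objectClass": ["organization", "dcObject"], "o": dc})
    manager = ldif_entry(f"cn=Manager,{base_dn}",
                         {"objectClass": "person", "sn": "Manager", "cn": "Manager"})
    return suffix + "\n" + manager


if __name__ == "__main__":
    # constructed test data, following the manual's example tree
    print(base_ldif())
    print(user_ldif("user1", "dc=comtarsia,dc=com", "test"))
```

The output can be fed to ldapadd as described above; the same ssha_hash value also works as the argument of rootpw in slapd.conf. SHA-1 with a 4-byte salt is what OpenLDAP of that generation understands, not a modern password hash, so the ACL restricting who may read userPassword matters as much as the hashing.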
16. ...the user's object classes. To take into account that users may have been created before the Comtarsia schema was added to the LDAP server, or that new users will be created after setting up the additional schema, the solution differs:

EXISTING users can be edited directly under Manage Entries > Add auxiliary class.

[Screenshot: IBM Directory Server Web Administration Tool, Directory management > Manage entries, current location cn=old_realm,ou=office1,o=company: entries cn=franzi (groupOfNames), cn=marketing (groupOfNames), cn=olduser (top), ... with the "Add auxiliary class" action]

[Screenshot: IBM Directory Server Web Administration Tool, continued]
17. ...with stronger encryption to foreign countries. This restriction has since been lifted, and it is therefore recommended to update via Windows Update to the Microsoft Enhanced Cryptographic Provider or the Microsoft Strong Cryptographic Provider. The Logon Client supports all three providers, and if multiple CSPs are installed it always chooses the one allowing the maximum level of data security.

The following prerequisites are necessary to use SSL encryption:
- SSL must be activated and a server certificate installed on the respective LDAP server. This can be either a self-signed certificate or a CA-signed certificate (see Introduction, a or b).
- Additionally, a self-signed or CA-signed certificate may be installed on the client (see Introduction, c or d).
- Certificates and the matching private keys (for all but the CA certificate) must be loaded into the client's or server's so-called certificate store. On the client you can use the provided program import_key.exe, which is explained below. On the server the installation is done as documented by the vendor; an example HowTo for OpenLDAP is found in the supplied documentation.
A description of how to create a Certificate Authority follows below.

7.6.5 Creating a test environment
OpenSSL was chosen as the software to create a test Certificate Authority because it can be regarded as standard software, is released under a free open-source licence and is freely available on the Internet. Besides thi...
18. Comtarsia Logon Client 2006, LDAP / PKI / SSO
Comtarsia Logon Client 2006 LDAP manual
Installation, basic and extended configuration of the Comtarsia Logon Client 2006 for various LDAP directory servers
Version 4.1.13.4, 04 Jul 2006

1 Introduction ... 4
2 Logon Client installation with InstallShield ... 5
2.1 Start of installation ... 5
2.2 The Logon Client Configurator ... 5
2.2.1 Minimum configuration ... 5
2.2.2 Licensing ... 6
2.2.3 Restart ... 7
3 Quickstart for an LDAP Logon ... 8
3.1 Prerequisites ... 8
3.1.1 ... 8
3.1.2 ... 8
3.2 First step: General configuration ... 9
3.3 Second step: minimal LDAP global configuration ... 10
3.4 Third step: Set LDAP Server name ... 12
3.5 Fourth step: Logon on the LDAP server ... 13
4 LDAP is taking over ... 13
4.1 User Groups ... 14
4.1.1 Group allocation by equal name ... 14
4.1.2 Manual group mapping ... 14
4.1.2.1 Power User / Administrator ... 14
4.1.2.2 Freely configurable Group Mapping ... 14
4.2 A few words about gett...
19. ...5.1.1, ldap-serverd-5.1.1. Install the language-dependent messages or documents by typing the following at a command prompt:

rpm -ihv ldap-msg-xxx-5.1.1-1.i386.rpm
rpm -ihv ldap-html-xxx-5.1.1-1.i386.rpm

7.3.2 Start
To start the directory server: ibmslapd
To install the Web Administration Tool with SSL enabled, type the following at a command prompt:

rpm -ihv ldap-webadmind-5.1.1.i386.rpm

To start or stop the web server: appsrv/bin/startServer.sh server1 or appsrv/bin/stopServer.sh server1
The GUI for server administration is now available under http://ldapsrv.comtarsia.com:9080/IDSWebApp/IDSjsp/Login.jsp
For the SSL configurations in this manual GSKit 5.0 was used. Install gskbas-5.0.4.rpm; to start it: gsk5ikm

7.4 Lotus Domino Directory Server 6
Minimum requirements: Lotus Domino Release 5; Comtarsia Logon Client 2006, build 3.1.27.4 or later.

Installation and configuration of Lotus Domino 6 for use with the Comtarsia Logon Client 2006
This chapter describes the minimal configuration required for a Domino server to work with the Comtarsia Logon Client 2006. For further information regarding Lotus Domino please refer to the Notes client online help as well as the references given at the end of this document. SSL configuration is not required for a testing scenario with the Comtarsia Logon Client; for production use, however, it is strongly recommended.

7.4.1 Domino access/writing autho...
20. [Screenshot: IBM Directory Server Web Administration Tool, http://wombat.comtarsia.com:9080/IDSWebApp/IDSjsp/IDSConsoleFrameWork.jsp, Schema management > Manage object classes: the list (cimPrintQueue, cimProcessor, ..., country, cRLDistributionPoint, DB2Database, ...) now contains CLCNetworkApplication (Structural, derived from top; optional attributes CLCNetworkApplicationCommand, CLCNetworkApplicationCommandParameters, CLCNetworkApplicationName, description, ...), CLCPerson (Auxiliary, derived from top) and CLCShare (Structural, derived from top; optional attributes CLCShareDescription, CLCShareRemoteDevice, ...)]

7.2.2 Assigning CLC attributes to existing or new users
In order to be able to assign CLC attributes to users, the CLCPerson auxiliary object class has to be added to ...
21. [Screenshot: Comtarsia Logon Client Configurator, tab LDAP Global: Use DNS; Timeout 10; LDAP Version 2 / 3 (3 selected); Append Base DN; Enable Failover and Loadbalancing; Servertype "IBM Directory Server 5.x"; Base DN; User DN Prefix; User DN Suffix "cn=lin_realm,ou=level2"; Use SSL "No SSL"; OU Prefix, OU Suffix, OU Search List; Enable Advanced LDAP Logon; Kerberos: Enable Kerberos, Kerberos uses DNS, Kerberos Realm]

The UserDN is constructed out of multiple parts:
LDAPUserDNPrefix + USERNAME + LDAPUserDNSuffix + LDAPBaseDN
LDAPBaseDN is only appended to the UserDN if LDAPAppendBaseDN is activated. For a UserDN of cn=User1,ou=People,dc=comtarsia,dc=com you have to set the following:

LDAPUserDNPrefix   cn=
LDAPUserDNSuffix   ,ou=People
LDAPBaseDN         dc=comtarsia,dc=com

The next screenshot shows a user in its location under Directory Management > Manage entries, according to the previously configured location.

[Screenshot: IBM Directory Server Web Administration Tool, Directory management > Manage entries]
22. ...DAP directory server. The chapter "Optional LDAP attributes" gives a more detailed explanation and configuration proposals for the optimal use of the whole range of LDAP functionalities of the Comtarsia Logon Client, such as the possibility of assigning a home directory, a profile path and various resources to the user. The chapter "Server specific configuration" describes several setup options custom-tailored to each particular server type, with special attention to the LDAP server schema extension with the Comtarsia LDAP schema file. The successful integration of the Comtarsia schema file into the LDAP server is the most significant step to enable the LDAP functionalities. Here you also find a cookbook for the SSL configuration as well as certificate maintenance.

2 Logon Client installation with InstallShield
2.1 Start of installation
Run the Logon Client InstallShield setup file CLC_2006_4.1.x.x.exe.

[Screenshot: InstallShield Wizard: "Welcome to the InstallShield Wizard for Comtarsia Logon Client 2006. The InstallShield(R) Wizard will install Comtarsia Logon Client 2006 on your computer. To continue, click Next." with the copyright warning]

After the installation process with InstallShield, the Comtarsia Logon Cl...
23. ...\SOFTWARE\PCS\GINA\LDAP
LocationObjectAttribute (REG_SZ), default L
Indicates the LDAP attribute of the LocationObject in which the location name is stated, e.g. Wien.

[Screenshot: LDAP Browser/Editor 2.8.2, ldaps://lind.comtarsia.com, O=COMTARSIA: location object Wien with objectclass locality, top, ANSubsidiary; anpdcaddress 192.168.15.1; annetmask 255.255.255.0; annetwork 192.168.15.0; ancode vie]

6.3.6 LocationBasedEnvironment
KEY: HKEY_LOCAL_MACHINE\SOFTWARE\PCS\GINA\LDAP
LocationBasedEnvironment (REG_MULTI_SZ)
With this setting the values of attributes of the LocationObject can be exported as environment variables. For example, with LocationBasedEnvironment = L the Logon Client tries at logon to read the LDAP attribute L out of the location object and exports the content of the attribute as the environment variable L. If necessary a mapping can be carried out, e.g. LocationBasedEnvironment = L=Location: in this case the content of the LDAP attribute L is exported as the environment variable Location. See also AttributeBasedEnvironment.

6.3.7 The variable VALID_LOCATION
The variable VALID_LOCATION is always set when a location check ...
24. ...IBM Directory Server 5.1 to work with the Comtarsia Logon Client. For further information regarding the IBM Directory Server please refer to the IBM online help as well as the references given at the end of this document.

7.2.1 Including the Comtarsia schema file
With the tool /usr/bin/ldapxcfg, under the section "Manage schema files", the Comtarsia schema can be attached to the current schema files of the Directory Server. It is advisable to store this file in the server's schema file folder, e.g. when running the server on Linux: /etc/ldapschema/comtarsia.schema.ibmds. Next, the Directory Server has to be restarted so that it includes the Comtarsia schema file as described above. The following object classes and their relevant attributes will then appear in the Web Administration Tool GUI under Schema Management > Manage object classes:
- CLCNetworkApplication (Structural)
- CLCPerson (Auxiliary)
- CLCShare (Structural)

[Screenshot: IBM Directory Server Web Administration Tool, http://wombat.comtarsia.com:9080/IDSWebApp/..., Schema management: Add an object class, Manage object classes, Add an attribute, Manage attributes, View matching rules]
25. [Screenshot residue, continued from 6.3.2: a user entry with objectclass person, ANPerson; anprimaer Salzburg; analternativ Wien, Graz]

    6.3.3 LocationObjectClass

    KEY: HKEY_LOCAL_MACHINE\SOFTWARE\PCS\GINA\LDAP
    LocationObjectClass (REG_SZ)

    Indicates the object class of the LDAP Location object. Example: LocationObjectClass = ANSubsidiary

    [Screenshot: LDAP Browser/Editor 2.8.2, ldaps://lind.comtarsia.com, o=COMTARSIA: location object Wien with objectclass locality, top, ANSubsidiary; anpdcaddress 192.168.15.1; annetmask 255.255.255.0; annetwork 192.168.15.0; ancode vie]

    6.3.4 LocationObjectCode

    KEY: HKEY_LOCAL_MACHINE\SOFTWARE\PCS\GINA\LDAP
    LocationObjectCode (REG_SZ), e.g. ANCode

    Indicates the LDAP attribute of the LocationObject which contains the location code, e.g. vie.

    [Screenshot: the same location object in the LDAP Browser/Editor, showing ancode vie]

    6.3.5 LocationObjectAttribute

    KEY: HKEY_LOCAL_MACHIN
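Added example (not code from the Comtarsia manual or product) that puts the 6.3.x registry values together: it selects the LocationObject by LocationObjectClass and LocationObjectCode, decides the logon from LocationObjectAttribute against the user's LocationAllowedAttributes, and exports the LocationBasedEnvironment entries, with the directory entries from the screenshots rebuilt as constructed dicts. Assumptions: the allow rule (a location name of the LocationObject must appear in one of the user's allowed attributes), the "Attr=VARNAME" mapping syntax, denying the logon when no location object matches, and all entry names and values.

```python
"""Location-dependent logon check and LocationBasedEnvironment export.

Added example, not Comtarsia code. It models the registry values described in
section 6.3 on constructed LDAP entries (plain dicts: attribute type -> values).
Assumed: a logon is allowed when a value of LocationObjectAttribute on the
location object appears in one of the user's LocationAllowedAttributes, and an
entry of LocationBasedEnvironment is either "Attr" or "Attr=VARNAME".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]  # one LDAP entry: attribute type -> list of values


@dataclass(frozen=True)
class LocationConfig:
    """HKLM\\SOFTWARE\\PCS\\GINA\\LDAP values that control Location Mode (defaults from the manual's examples)."""
    enable_location: bool = True
    location_object_class: str = "ANSubsidiary"
    location_object_code: str = "ANCode"
    location_object_attribute: str = "L"
    location_allowed_attributes: Tuple[str, ...] = ("ANPrimaer", "ANAlternativ")
    location_based_environment: Tuple[str, ...] = ("L",)


def get_values(entry: Entry, attr: str) -> List[str]:
    """LDAP attribute types are case-insensitive; look the attribute up that way."""
    want = attr.lower()
    for name, values in entry.items():
        if name.lower() == want:
            return list(values)
    return []


def find_location_object(entries: List[Entry], cfg: LocationConfig, code: str) -> Optional[Entry]:
    """Select the entry with objectClass=<LocationObjectClass> and <LocationObjectCode>=code."""
    for entry in entries:
        classes = {c.lower() for c in get_values(entry, "objectClass")}
        codes = {c.lower() for c in get_values(entry, cfg.location_object_code)}
        if cfg.location_object_class.lower() in classes and code.lower() in codes:
            return entry
    return None


def location_allowed(user: Entry, location: Entry, cfg: LocationConfig) -> bool:
    """True when a location name of the LocationObject is listed in one of the user's allowed attributes."""
    names = {v.lower() for v in get_values(location, cfg.location_object_attribute)}
    for attr in cfg.location_allowed_attributes:
        if any(v.lower() in names for v in get_values(user, attr)):
            return True
    return False


def location_environment(location: Entry, cfg: LocationConfig) -> Dict[str, str]:
    """Export attribute values of the LocationObject as environment variables.

    "L" exports attribute L as variable L; "L=Location" exports it as Location.
    """
    env: Dict[str, str] = {}
    for spec in cfg.location_based_environment:
        attr, _, var = spec.partition("=")
        values = get_values(location, attr.strip())
        if values:  # multi-valued attributes are joined with ';' (assumed convention)
            env[(var or attr).strip()] = ";".join(values)
    return env


def check_logon(user: Entry, entries: List[Entry], cfg: LocationConfig, code: str):
    """Full decision: (allowed, environment). Without Location Mode nothing is checked."""
    if not cfg.enable_location:
        return True, {}
    location = find_location_object(entries, cfg, code)
    if location is None:
        return False, {}  # no matching location object: deny rather than fall open (assumed)
    if not location_allowed(user, location, cfg):
        return False, {}
    return True, location_environment(location, cfg)


# Constructed sample directory, modelled on the screenshots in section 6.3.
VIENNA: Entry = {"objectClass": ["top", "locality", "ANSubsidiary"], "L": ["Wien"],
                 "ANCode": ["vie"], "ANNetwork": ["192.168.15.0"],
                 "ANNetmask": ["255.255.255.0"], "ANPDCAddress": ["192.168.15.1"]}
USER1: Entry = {"cn": ["User1"], "objectClass": ["top", "inetOrgPerson", "ANPerson"],
                "ANPrimaer": ["Salzburg"], "ANAlternativ": ["Wien", "Graz"]}
USER2: Entry = {"cn": ["User2"], "objectClass": ["top", "inetOrgPerson", "ANPerson"],
                "ANPrimaer": ["Salzburg"]}

if __name__ == "__main__":
    cfg = LocationConfig(location_based_environment=("L=Location", "ANPDCAddress"))
    print(check_logon(USER1, [VIENNA], cfg, "vie"))  # (True, {'Location': 'Wien', 'ANPDCAddress': '192.168.15.1'})
    print(check_logon(USER2, [VIENNA], cfg, "vie"))  # (False, {})
```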
26. … 28
    6.3 Location dependent permission/prohibition of logons 28
    6.3.1 EnableLocation 29
    6.3.2 LocationAllowedAttributes 29
    6.3.3 LocationObjectClass 30
    6.3.4 LocationObjectCode 30
    6.3.5 LocationObjectAttribute 31
    6.3.6 LocationBasedEnvironment 31
    6.3.7 The variable VALID_LOCATION 32
    7 LDAP Server specific configurations 32
    7.1 Netscape Directory Server schema extension 32
    7.1.1 The Comtarsia schema 32
    7.1.2 Including the Comtarsia schema into the server 33
    7.1.3 The CLCPerson user object 33
    7.1.3.1 Creating a new CLCPerson user 33
    7.1.3.2 Add CLCPerson to an existing user 33
    7.1.3.3 Support of password expiration 34
    7.2 IBM Directory Server 5.1 34
    7.2.1 Including Comtarsia schema file 34
    7.2.2 Assigning CLC attributes to existing or new user 36
    7.2.3 Create new user template 39
    7.2.4 Creating Shares and Network Applications 41
    7.2.5 Password Policy
27. …ation home: http://www-3.ibm.com/software/network/directory/library/index.html#v51
    2. Installation: ftp://ftp.software.ibm.com/software/network/directory/library/v51/ldapinst.htm#HDRLINCLI
    3. Password Policy: ftp://ftp.software.ibm.com/software/network/directory/library/v51/admin_gd.htm#Header_116
    4. SSL configuration: ftp://ftp.software.ibm.com/software/network/directory/library/v51/admin_gd.htm#Header_84
    5. Adding an entry: ftp://ftp.software.ibm.com/software/network/directory/library/v51/admin_gd.htm#Header_260
    6. LDAP Password Policy RFC: http://www.ietf.org/internet-drafts/draft-behera-ldap-password-policy-06.txt

    8.3 OpenLDAP

    http://www.OpenLDAP.org/

    9 Glossary

    OID: Object identifiers, strings of numbers allocated in a hierarchical manner, used for a variety of protocols. All LDAP objects have a unique OID. The definition of OIDs comes from ITU-T recommendation X.208.

    RACF: Resource Access Control Facility is the IBM security management product for its mainframe operating systems OS/390 (MVS) and VM.

    RFC: Request for Comments is an Internet formal document or standard that is the result of committee drafting and subsequent review by interested parties. Some RFCs are informational in nature. Of those that are intended to become Internet standards, the final version of the RFC becomes the standard and no further commen
28. …ator will be automatically deleted. This function is only relevant in case the PC has not been shut down properly (normally not necessary). Shortcuts are then re-created according to the filter and the various CLC Configurator settings. Please see below.

    [Screenshot: Comtarsia Logon Client Configurator, Network Applications tab: Enable support for OS/2 and LDAP network applications; Foldernamepath %USERPROFILE%\desktop; Foldername Network Applications; Application Filter; Default icon path \\server2\data\icons; Default icon default.ico; Icon Path; Timeout (sec) 0]

    In this folder the shortcuts for network applications will be created. If this parameter is not set, all shortcuts will be created in the folder defined by NWAFolderNamePath. If a .lnk file is present on the resource server, just this .lnk file will be copied to the client workstation. Other present shortcuts stay untouched as long as their name does not collide with the filter. Directories defined in NWAFolderNamePath and NWAFolderName are created with administrator privileges and therefore can be located in places which are usually not writable for regular users, e.g. %ALLUSERSPROFILE%. The followin
29. …b as permanent storage for certificates and PKI keys in the file system (key and/or certificate store). For asymmetric encryption the RSA method is supported. Available tools: certutil, signtool.

    OpenSSL supports these formats: PKCS#7, PKCS#12, X.509. RSA as well as Diffie-Hellman (DH) are used as asymmetric methods. For signing, DSA (Digital Signature Algorithm) is supported. As encoding types for certificates, OpenSSL offers the DER format, the PEM format (base64-encoded version of DER) and the NET format. Available tools: openssl x509, openssl pkcs7, openssl crl2pkcs7, openssl pkcs12, openssl genrsa.

    Sun Java Secure Socket Extensions (JSSE) supports PKCS#7 (PEM encoded) for the import of signed certificates into the Java Key Store. Available tools: keytool, jarsigner (a program for signing Java Archives, .jar).

    Microsoft Cryptographic Service Provider does not support PKCS#11. It uses a proprietary method for accessing key and certificate stores. Creation of client certificates is done by Microsoft Certificate Services: a Certificate Request has to be submitted on a specific web page of the Internet Information Server (IIS) of the certification provider. This page also triggers the generation of the private/public key pair in the key store. The signed CSR can be loaded as PKCS#7. Microsoft also supports the PKCS#12 format for import/export of cl
30. …cation structural object class and fill in the Required and optionally the Other attributes.

    [Screenshot: IBM Directory Server Web Administration Tool (http://wombat.comtarsia.com:9080/IDSWebApp/IDSjsp/IDSConsoleFrameWork.jsp), Required attributes: CLCShareDescription = Data share for office; CLCShareServer = server.company.com; CLCShareType]

    IMPORTANT: To assign users the relevant Shares/Network Applications, the user's corresponding CLC attributes have to be filled in. For an existing user, select under Users and Groups > Manage users the intended user. At "Edit user", fill in the attributes on the recently created tab named "Comtarsia" (presuming that the new template with the tab "Comtarsia" is the assigned template at this particular realm). For a new user, assign the attributes directly when creating it. For more information please see [4].

    [Screenshot: IBM Directory Server Web Administration Tool, Edit user "tina", Realm newl1_realm, tab Comtarsia: CLCNetworkApplicationName nwa_hu1; CLCProfilePath; CLCShareNa
31. … 57
    7.6.5.1 Creating a root certificate authority 58
    7.6.5.2 Creating a server certificate/key pair 58
    7.6.5.3 Creating a client certificate/key pair 58
    7.6.5.4 Converting a certificate to format PKCS#12 58
    7.6.5.5 Checking a Certificate 58
    7.6.5.6 Importing a Certificate 58
    7.6.5.7 Supported security modes in Logon Client 59
    8 Reference lists 59
    8.1 Domino Directory Server Reference List 59
    8.2 IBM Directory Server 5.1 Reference List 60
    8.3 OpenLDAP 60
    9 Glossary 61

    1 Introduction

    This manual leads through the installation of the Comtarsia Logon Client 2006 and subsequently describes, in a few simple steps, a configuration for a basic LDAP implementation. An extended configuration guide for more optional LDAP functions is included in the second part of the manual; server specific configuration for server specific settings, a short glossary and finally a reference list follow. The Quickstart is intended to give the instructions for setting up the Comtarsia Logon Client 2006 for minimum LDAP functionality such as a user/password authentication against the user management of an L
32. directory share to a user.

    [Screenshot: Comtarsia LDAP Browser/Editor 0.3, user cn=JohnSmith under ou=Departement_1,o=Company: CLCNetworkApplicationName nwa_hu2 (and others); CLCShareName DATA1, PRNT_App; home directory \\comtw2k5\home6\johnsmith; objectclass clcperson, inetorgperson, organizationalPerson, person; userPassword {SSHA}...]

    5.2.2 Printer shares

    5.2.2.1 Create a Windows network printer share

    LDAP object class: CLCShare

    In order to create a network printer share, create a new object and assign the following attributes:

    • CLCShareName (or cn): the printer's share name, e.g. Printer13
    • CLCShareDescription: printer description
    • CLCShareType: 2 (stands for printer share)
    • CLCShareRemoteDevice: either the share name of the printer (Printer13) or the printer's complete object name (Apple LaserWriter 16/640 PS)

    [Screenshot: Comtarsia LDAP Browser/Editor 0.3, the printer share object
33. …evel1; cn=t1,o=test2; cn=comtarsia_users_template,o=comtarsia; cn=ibm_users_template,o=ibm]

    A CLCPerson auxiliary object class will in this case be added to the new template (see "Create new user template") and is then available for assignment to the existing users.

    NEW USER: When creating a new system, new realms will be created based on new templates. New users will be created immediately with CLC attributes in the new realm.

    7.2.3 Create new user template

    [Screenshot: IBM Directory Server Web Administration Tool (http://wombat.comtarsia.com:9080/IDSWebApp/IDSjsp/IDSConsoleFrameWork.jsp), template NEW2_template, ou=office1, o=company: Add CLCPerson auxiliary class to the template]

    [Screenshot: IBM Directory Server Web Administration Tool, auxiliary object class list: inetOrgPerson, certificationAuthority-v2, CLCPerson, corbaObjectReference, dcObject, deltaCRL]

    The next steps are the following:
    • the Naming attribute has to be changed to cn (to follow this example)
    • in the Required tab the userPassword has to be included
    • a new
34. …g figure shows a configured network application on the LDAP server.

    [Screenshot: Comtarsia LDAP Browser/Editor 0.3, cn=nwa_hu1,cn=Shares,o=Company: CLCNetworkApplicationCommand nwa_hu1.exe; CLCNetworkApplicationCommandParameters; CLCNetworkApplicationDescription nwa_hu1; CLCNetworkApplicationProgramPosition \\cpd31c00\shares\hungary\progs; CLCNetworkApplicationWorkingDirectory \\cpd31c00\shares\hungary\wdir; objectclass clcnetworkapplication, top]

    5.4.3 Assign icons to the network applications

    There are two basic solutions for storing the icons of the network applications:
    • either the program folder contains the application AND the icon named like the application itself (e.g. application.exe and applicationname.ico); then this icon will be used for the application shortcut,
    • or all icons share a common folder for all applications; this folder has to be defined by NWADefaultIconPath when configuring the Logon Client. The Logon Client will look for applicationname.ico here next if it was not found in the program folder.

    In case applicationname.ico does not exist, the icon defined by NWADefaultIcon w
35. …gurations the Comtarsia Logon Client is ready for a successful logon on an LDAP server.

    [Screenshot: Comtarsia Logon Client Configurator, LDAP Server tab: Select a server ldapserver1.company.com; Add Server, Modify Server, Delete Server; Use this server settings; Server settings: Priority, Weight, Base DN, User DN Prefix, User DN Suffix, Port 389, Secure Port 636, OU Prefix, OU Suffix, LDAP Version 3, Servertype, Timeout, Enable SSL, Append Base DN]

    SSL configuration: for the SSL configuration of IBM Directory Server 5.1 please see [6]. SSL configuration is not required for a testing scenario with Comtarsia Logon Client. However, for production it is highly recommended to make use of it.

    7.3 Installing IBM Directory Server 5.1 under Red Hat 7.3

    Installation of Linux Red Hat 7.3 is assumed to be completed.

    7.3.1 Installation

    Install all Directory Server relevant rpm's:
    1. Install the client: rpm -ihv ldap-clientd-5.1-1.i386.rpm
    2. Install the server: rpm -ihv ldap-serverd-5.1-1.i386.rpm

    If the product has been successfully installed, the following is displayed: ldap-clientd
36. …ical user interface which allows direct access to key and certificate stores of other vendors (e.g. Netscape's certX.db and keyX.db) in order to be able to exchange certificates and keys with the Microsoft Certificate Store and, for example, to make preparations for automatic software distribution easier.

    7.6.4 Technical Implementation

    The above documentation only mentions the usage of asymmetric keys. To keep things simple we did not mention that asymmetric encryption is only used for the exchange of symmetric keys (so-called session keys), which are the ones really used to encrypt the transmitted data. The reason asymmetric keys are used only for this purpose is that asymmetric encryption and decryption are much more processing intensive. As mentioned before, Logon Client uses the Microsoft SSL stack. Microsoft's architectural model implements this functionality by means of the so-called CryptAPI which, similar to PKCS#11, consists of an abstract definition of interfaces and functions. Function calls to the CryptAPI are forwarded to a Cryptographic Service Provider (CSP) which performs encrypting and decrypting as well as all SSL relevant functions. This is a module by itself. By default Windows 2000 comes with the Microsoft Base Cryptographic Provider installed. This only supports symmetric key lengths of 40 or 56 bits (DES), because US export restrictions forbade the sale of US products
37. …ient 2006 Configurator will be started.

    2.2 The Logon Client Configurator

    2.2.1 Minimum configuration

    The last step will be to make a minimum LDAP setup in the Configurator. Please see "Quickstart for an LDAP Logon".

    2.2.2 Licensing

    In case of a purchased copy of Comtarsia Logon Client 2006 for production purposes, the own specific License Key can be loaded in order to replace the demo key for testing purposes: under Licensing > Load other licensekey.

    [Screenshot: file dialog "Load other licensekey": Look in comtarsia\downloads; File name key031; Files of type Comtarsia Key File]

    [Screenshot: Comtarsia Logon Client Configurator, Licensing tab: Properties of your licensekey: Granted Mon Dec 01 10:04:58 2003; Comtarsia Logon Client Lic Key Version: Comtarsia Logon Client 2003; Clients 1; OS/2 Support; LDAP Support Enabled; SIGNONCLIENT Support Enabled; buttons Order a new licensekey, Load other licensekey]

    The Logon Client for testing purposes will be operative until the end of the demo License Key validity.

    2.2.3 Restart

    After completing the installation please restart your machi
38. …ient and server certificates from and to the Microsoft Key Store. RSA and Diffie-Hellman are both supported for use as PKI encryption method. The encoding type used by the MS CSP is the PKCS#7 DER format. Microsoft maintains a certificate store by the name of MY for each user in the user profile. Additionally there are system-wide certificate stores for each workstation and service. Certificates and keys are saved as files in the file system as well as in the registry. Available tools: certutil, certificate snap-in for the Management Console (mmc), certificate management in IE, MS Certificate Services for Windows 2000 Server.

    The list above does not claim to be complete.

    7.6.3 SSL and Comtarsia Logon Client

    For a maximum of conformity and compatibility with the target operating system of Comtarsia Logon Client (Windows), to enable potential synergy effects (reuse of client certificates of other applications) and to be able to employ smart cards, the decision was made to use the Microsoft Cryptographic Service Provider for the Comtarsia Logon Client. However, to reduce vendor dependence it is planned to provide automatic functions for importing, exporting and interchanging common certificate and key formats in the Logon Client. The goal is to use the formats PKCS#7 and PKCS#11, which are supported by RSA, Netscape, OpenSSL, Sun JSSE as well as Microsoft, as mentioned above. Thought has been given to developing an add-on product with a graph
39. …ill be used instead, for example default.ico, which is to be stored in the folder defined by NWADefaultIconPath. All required icons are copied from the resource server into a directory on the local computer defined by NWAIconPath. If a shortcut by the name of applicationname.lnk is present in the program directory, it will be used and all other application specific parameters will be ignored.

    5.4.4 Assign the network application to the user

    In order to assign the network application to the user, the CLCNetworkApplication attribute has to be added to the user object and the name of the network application (but not the full DN of the network application) has to be entered into the field.

    [Screenshot: Comtarsia LDAP Browser/Editor 0.3, cn=nwa_hu1,cn=Shares,o=Company: CLCNetworkApplicationCommand nwa_hu1.exe; CLCNetworkApplicationCommandParameters; CLCNetworkApplicationDescription nwa_hu1; CLCNetworkApplicationProgramPosition \\cpd31c00\shares\hungary\progs; CLCNetworkApplicationWorkingDirectory \\cpd31c00\shares\hungary\wdir; objectclass clcnetworkapplication, top; tree with ou=Departement_1, ou=Departement_2, cn=Shares (DATA_1, PRNT_App, nwa_hu1, nwa_fr1, nwa_it1, nwa_hu2, home6, Marketing, Logistics, Leaders)]
40. … 44
    7.2.6 IBM DS specific settings on the Logon Client 44
    7.3 Installing IBM Directory Server 5.1 under Red Hat 7.3 48
    7.3.1 Installation 48
    7.3.2 … 48
    7.4 Lotus Domino Directory Server 49
    7.4.1 Domino access/writing authorisation via LDAP 49
    7.4.2 SSL configuration 49
    7.4.3 Installation of Comtarsia templates 49
    6.4.3.1 Signing of the Comtarsia templates 50
    6.4.3.2 Copying of the Comtarsia elements 50
    7.4.4 Hierarchical Objects 50
    7.4.5 Configuration of the Logon Client Domino LDAP Server 52
    7.5 Configuring an OpenLDAP Server under Linux SuSE 8.0 Professional 52
    7.5.1 The following rpm packages are required 52
    7.5.2 Adapting the configuration 53
    7.5.3 Creating an SSL key 53
    7.5.4 Starting the OpenLDAP server 54
    7.6 Cookbook SSL Certificate installation 55
    7.6.1 Introduction 55
    7.6.2 Vendor Standards for X.509 Certificates 55
    7.6.3 SSL and Comtarsia Logon Client 56
    7.6.4 Technical Implementation 57
    7.6.5 Creating a test environment
41. …ing the Base 15
    5 Optional LDAP attributes 17
    5.1 … 17
    5.2 LDAP Directory and Printer Shares 17
    5.2.1 Directory Shares 17
    5.2.1.1 Create directory share 17
    5.2.1.2 Assign directory share to the user 18
    5.2.2 Printer Shares 19
    5.2.2.1 Create a Windows network printer share 19
    5.2.2.2 Assign network printer share to the user 20
    5.2.2.3 Create a printer share assigned on LPT port 21
    5.2.2.4 Assign printer share on LPT port to the user 21
    5.3 Home Directory and Profile Path 22
    5.4 LDAP Network Applications 23
    5.4.1 What is a network application 23
    5.4.2 Create and configure network applications 23
    5.4.3 Assign icons to the network applications 26
    5.4.4 Assign the network application to the user 26
    5.5 Further Comtarsia Attributes 27
    6 Extended LDAP Functions 27
    6.1 … 27
    6.2 Assigning hardware specific administrator rights 27
    6.2.1 HWAdminAttribute 28
    6.2.2 HWAdminGroup
42. …ing the schema extension with the auxiliary CLCPerson object class. If there are users already in regular (production) use on the LDAP server, the schema extension offers the possibility to add an auxiliary object class to the user in order to be able to grant him CLC attributes.

    Auxiliary object class name: CLCPerson
    Attributes: CLCShareName, CLCProfilePath, CLCNetworkApplication

    Select the user > Advanced Properties in the Directory. Click on the Object class > Add value. Select CLCPerson from the list and add it. Now all attributes are enabled to be assigned to the user. Select Add Attribute, add CLCShareName, CLCProfilePath and CLCNetworkApplication, and fill the attribute fields with the corresponding values.

    Assuming that the CLC LDAP objects (directory and printer shares, network applications etc.) are already created, all users configured as described above are fully able to get those assigned and to use them after logon with Comtarsia Logon Client.

    7.1.3.3 Support of password expiration

    The warning from the Netscape directory server that the user password is expiring becomes available during logon. The Comtarsia Logon Client is able to act accordingly and prompts the user to change his password before it actually expires.

    7.2 IBM Directory Server 5.1

    This chapter describes the minimal configuration required for
43. …l Marketing group if it exists. No further configuration is necessary.

    4.1.2 Manual group mapping

    By enabling Group Mapping > Use manual Groupmapping in the CLC Configurator there are further options to transfer memberships from LDAP to local system groups. Please see them below.

    4.1.2.1 Power User / Administrators

    The LDAP groups WSADMIN and PUSERS are mapped, depending on the local operating system language, to the equivalent local groups (in the English version: Power Users / Administrators), see Individual Groupmapping. Example: if the LDAP user is a member of the group WSADMIN on the LDAP server, he becomes a member of the local Administrators group. NOTE: these groups can be freely named.

    4.1.2.2 Freely configurable Group Mapping

    Under Add Groupmapping it is possible to map any LDAP group to local groups; the membership of the respective user will be taken over from the LDAP server group to the local group. To keep the setup procedure simple, if the requested local group is not yet set up, the Logon Client will ask whether to create it.

    [Screenshot: Comtarsia Logon Client Configurator, Group Mapping tab: Use manual Groupmapping; Individual Groupmapping]
44. 7.2.5 Password policy

    Comtarsia Logon Client fully supports the password policy configuration of the IBM Directory Server. All relevant notifications from the LDAP server (user password has to be changed, password is expired, user account is locked etc.) become available during logon. Logon Client is able to analyse these and to act accordingly, e.g. it prompts the user to change his password. Password validation is also supported: the user is notified about a wrong password syntax at password change according to the server configuration. For additional information about LDAP Password Policy please see the IETF Internet draft at [5].

    7.2.6 IBM DS specific settings on the Logon Client

    The main specific settings on the Logon Client Configurator for IBM 5.1 Directory Server are as follows:

    LDAP Global
    • Enable Append BaseDN (for more information about BaseDN please see also chapter 4.2)
    • Server type: IBM Directory Server 5.1
    • The User DN has to be constructed by setting
      o Base DN to the correct organisation name, in this example o=level1
      o User DN Prefix to cn; User DN Suffix is the remaining path between the name and the top of the hierarchy, beginning with a ",", in this example ",cn=lin_realm,ou=level2"

    Hence this full User DN is created: cn=username,cn=lin_realm,ou=level2,o=level1
45. • CLCShareServer: the resource server name
    • CLCShareRemotePath: the path on the remote server
    • CLCShareType: 1 (stands for directory share)

    5.2.1.2 Assign directory share to the user

    In order to assign a directory share to the user, the CLCShareName attribute has to be added to the user object and the name of the directory share (but not the full DN of the share) has to be entered into the field.

    Drive letters: if the share, for example Datas1, should be assigned to the next available drive letter, only the name of the share has to be entered into the CLCShareName field (but not the full DN of the share object). If a certain drive letter is requested, append the drive letter to the share name: Datas1:G for the drive letter G.

    This screenshot shows the definition of a directory share on the LDAP server:

    [Screenshot: Comtarsia LDAP Browser/Editor 0.3, cn=DATA_1,cn=Shares,o=Company: CLCShareDescription Directory_share_1; CLCShareServer comtw2k9; CLCShareType 1; cn DATA_1; objectclass clcshare, top]

    Below the assignment of a
46. …nd configure network applications

    LDAP object class: CLCNetworkApplication

    In order to create a network application, create a new object and assign the following attributes:

    • CLCNetworkApplicationDescription: network application description
    • CLCNetworkApplicationCommand: the application command
    • CLCNetworkApplicationProgramPosition: program file location
    • CLCNetworkApplicationCommandParameters: optional parameters
    • CLCNetworkApplicationWorkingDirectory: working directory

    Please see below an overview of the used LDAP attributes and their relevance for building a shortcut on a Windows desktop (LDAP attribute: Windows shortcut field):

    Obligatory:
    • cn: only LDAP relevance
    • CLCNetworkApplicationDescription: Description of the shortcut, name of the shortcut (.lnk)
    • CLCNetworkApplicationCommand: Target, the executable file (application); may be an absolute path with drive letter or a UNC path
    • CLCNetworkApplicationProgramPosition: Location; may be an absolute path with drive letter or a UNC path

    Optional (can remain unassigned):
    • CLCNetworkApplicationCommandParameters: Target (parameters)
    • CLCNetworkApplicationWorkingDirectory: Start in

    This function is modelled after the OS/2 Workspace on Demand feature, but it is fully functional on other server types as well. During logon all available applications are queried from the server and previous shortcuts matching the filter defined in the CLC Configur
47. …ne. After the restart Logon Client will be available and ready for use.

    3 Quickstart for an LDAP Logon

    This chapter describes the Comtarsia Logon Client minimum configuration steps in order to successfully log onto an LDAP server and enable a simple user/password authentication. Also the minimum SSL configuration is described. For further configuration options of the above please see the respective chapter for the particular server type in the Server specific configuration.

    3.1 Prerequisites

    3.1.1 Client
    • Microsoft Windows 2000/XP workstation
    • Comtarsia Logon Client installed (for the installation guide please see under "Installation with InstallShield")

    3.1.2 Server
    The following servers (LDAP Version 2 and 3) are currently supported:
    • Sun One Directory Server (iPlanet, Netscape Directory Server)
    • OpenLDAP
    • IBM RACF Directory Server
    • Lotus Domino
    • Novell eDirectory
    • IBM Directory Server 3.x, 4.x
    • IBM Directory Server 5.1

    3.2 First step: General configuration

    Set the Logon Client run mode to LDAP.

    [Screenshot: Comtarsia Logon Client Configurator, General tab: run mode LDAP; Select language / Sprache wählen: English]
48. [Screenshot: Comtarsia Logon Client Configurator, LDAP Global tab: Use DNS; LDAP Version 2 / LDAP Version 3; Append Base DN; Enable Failover and Loadbalancing; Servertype Netscape; Base DN; User DN Prefix cn; User DN Suffix ou=Office_1,ou=Departement_1; Use SSL: No SSL; OU Prefix; OU Suffix; Kerberos: Enable Kerberos, Kerberos uses DNS, Kerberos Realm; Enable Advanced LDAP Logon]

    The UserDN gets constructed out of multiple parts:

    LDAPUserDNPrefix=USERNAME,LDAPUserDNSuffix,LDAPBaseDN

    LDAPBaseDN only gets added to the UserDN if LDAPAppendBaseDN is activated. You have to set the following for the UserDN cn=User1,ou=People,dc=comtarsia,dc=com:

    LDAPUserDNPrefix: cn
    LDAPUserDNSuffix: ou=People
    LDAPBaseDN: dc=comtarsia,dc=com

    3.4 Third step: Set LDAP server name

    [Screenshot: Comtarsia Logon Client Configurator, LDAP Server tab: Select a server ldapserver1.company.com; Add Server, Modify Server; Use this server settings; Server settings: Priority, Weight, Base DN, User DN Prefix, Port 389, U
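The UserDN assembly rule above, as an added example (not Comtarsia's code): it builds LDAPUserDNPrefix=USERNAME,LDAPUserDNSuffix[,LDAPBaseDN] honouring LDAPAppendBaseDN, covers both the Quickstart values and the IBM DS example of 7.2.6 (a suffix that starts with a comma), and escapes the typed user name per RFC 4514 so that a name containing ',' or '=' cannot alter the DN structure. The escaping step and the LdapServerSettings field names are assumptions of this example, not settings of the product.

```python
"""Construct a Comtarsia-style LDAP UserDN from its configured parts.

Added example, not code from the Comtarsia manual or product. It follows the
manual's rule  UserDN = LDAPUserDNPrefix=USERNAME,LDAPUserDNSuffix[,LDAPBaseDN]
and adds one thing the manual does not show: the user name entered at the
logon prompt is escaped per RFC 4514 before it is placed into the DN, so that
characters such as ',' or '=' in the input cannot change the DN structure.
"""
from dataclasses import dataclass

# RFC 4514, section 2.4: characters that must always be escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a distinguished name (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing spaces are not preserved unescaped
            out.append("\\ ")
        elif ch == "\0":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


@dataclass(frozen=True)
class LdapServerSettings:
    """The subset of the CLC Configurator LDAP settings that shapes the UserDN (names assumed)."""
    user_dn_prefix: str          # LDAPUserDNPrefix, e.g. "cn" or "uid"
    user_dn_suffix: str          # LDAPUserDNSuffix, e.g. "ou=People" (may be empty)
    base_dn: str                 # LDAPBaseDN, e.g. "dc=comtarsia,dc=com"
    append_base_dn: bool = True  # LDAPAppendBaseDN


def build_user_dn(settings: LdapServerSettings, username: str) -> str:
    """Return LDAPUserDNPrefix=USERNAME,LDAPUserDNSuffix[,LDAPBaseDN] for the given user name."""
    if not username:
        raise ValueError("user name must not be empty")
    parts = [f"{settings.user_dn_prefix}={escape_dn_value(username)}"]
    if settings.user_dn_suffix:
        # The manual writes the suffix with a leading "," (IBM DS example); tolerate both forms.
        parts.append(settings.user_dn_suffix.lstrip(","))
    if settings.append_base_dn and settings.base_dn:
        parts.append(settings.base_dn)
    return ",".join(parts)


if __name__ == "__main__":
    quickstart = LdapServerSettings("cn", "ou=People", "dc=comtarsia,dc=com")
    print(build_user_dn(quickstart, "User1"))          # cn=User1,ou=People,dc=comtarsia,dc=com
    ibm_ds = LdapServerSettings("cn", ",cn=lin_realm,ou=level2", "o=level1")
    print(build_user_dn(ibm_ds, "tina"))               # cn=tina,cn=lin_realm,ou=level2,o=level1
    print(build_user_dn(quickstart, "x,ou=Admins"))    # cn=x\,ou=Admins,ou=People,dc=comtarsia,dc=com
```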
49. [Screenshot: LDAP browser showing user entries with their attributes]

5.2.2.3 Create a printer share assigned on LPT port
In order to create a printer share assigned on the LPT port, create a new object and assign the following attributes:
- CLCShareName (or cn): the printer's share name, e.g. Printer13
- CLCShareDescription: printer description
- CLCShareType: 2 (stands for printer share)
- CLCShareRemoteDevice: the share name of the printer (Printer13)

5.2.2.4 Assign printer share on LPT port to the user
In order to assign a printer share on an LPT port to the user, the CLCShareName attribute has to be added to the user object (the printer share name, but not the full DN of the share, is entered), followed by a separator and the LPT port, e.g. Printer13 LPT3. The printer driver has to be installed on the client workstation. The basic difference between the two possibilities is the fact that for Windows applications the network printer will be necessary, whereas in case of DOS applications a printer on an LPT port has to be assigned.

5.3 Home Directory and Profile Path
As a further practical feature of the Comtarsia Logon Client 2006, home directory and profile path can be assigned to the user during logon, with or without specifying a drive letter for the home directo
50. o your current configuration, but these settings will not be saved and are only valid for a single logon.

4 LDAP is taking over
Already acquired a taste for LDAP? The following chapter describes a more advanced configuration and use of the Comtarsia Logon Client 2006 for LDAP logon. Please note that the following features are not mandatory for a simple LDAP logon, and they can be applied without having extended the LDAP server's schema file with the Comtarsia schema extension.

4.1 User Groups
Comtarsia Logon Client 2006 supports LDAP user group objects of type:
- objectClass groupOfNames (OID 2.5.6.9)
- objectClass groupOfUniqueNames (OID 2.5.6.17)
Future versions will allow you to freely select the object class in order to handle special cases. These classes have the multi-value attribute member or uniqueMember; these hold the UserDNs of each group member. The user has to be entered into the attribute field with his full User DN.

4.1.1 Group allocation by equal name
At an LDAP logon with Comtarsia Logon Client 2006 the LDAP server side group memberships are also scanned. A user identified as member of a particular LDAP group becomes member of the corresponding local system group, i.e. if LDAP group name = local system group name. Example: If the user is member of the group "Marketing" on the LDAP server, he will also become member of the loca
51. ort this protocol for data encryption and digital signatures. SSL is based on asymmetric encryption (private key/public key) and the usage of X.509 certificates on server and/or client. Hereby the following combinations are possible:
a) Server uses a so-called Self Signed Certificate. Clients do not use a certificate.
b) Server uses a CA (Certificate Authority) Signed Certificate. The client has to have at least the CA certificate to be able to validate the authenticity of the server certificate (Server Authentication).
c) Server uses a CA Signed Certificate. Clients use a Self Signed Certificate and additionally require the CA certificate for validating the server certificate.
d) Client as well as Server have CA Signed Certificates. In this case the Client also has to have the CA certificate, so that the Server can validate the authenticity of the Client certificate. This is called Client Authentication.

7.6.2 Vendor Standards for X.509 Certificates
The following vendors use proprietary standards and formats for creating and storing certificates and PKI (Public Key Infrastructure) keys:
- RSA (Rivest, Shamir, Adleman): supports the PKCS#n standards. They developed the asymmetric RSA encryption scheme which is named after them.
- Netscape: supports PKCS#11 (Cryptographic Token Interface Standard), PKCS#7 for saving of certificates and for certificate revocation lists, PKCS#12 for interchange of certificates and PKI keys (keyX.db and certX.d
52. plates. This step is optional and not essential if the Domino Server is only used for authentication, password change and group assignment.

Via the Comtarsia templates, attributes like network drive assignments and network applications can be easily administrated in the usual Domino manner for all workstations. Comtarsia specific design elements are available for web administration starting with Domino Release 6.

6.4.3.1 Signing of the Comtarsia templates
Open Domino administrator. Change to the "Files" view. Right mouse button on clcnames.ntf > Sign > Active Server's ID, sign all design documents. This creates an admin request which can be directly fulfilled with "tell adminp process new".

6.4.3.2 Copying of the Comtarsia elements
The template file clcnames.ntf contains the Comtarsia specific design elements.
- Open names.nsf and clcnames.ntf in Domino designer.
- Copy all design elements from clcnames.ntf to names.nsf (2 forms, 2 views, 1 shared code agent, 3 subforms).
- In names.nsf choose the subform PersonExtensibleSchema and set it to hidden in its properties.
- Create the roles CLCCreator and CLCModifier in the ACL of names.nsf and assign them to the Admin user and the Localdomainservers group.
- At the console execute the command "load updall -r names.nsf".

7.4.4
53. risation via LDAP. The following configuration steps are required for changing a Domino password via LDAP. ATTENTION: In Domino Release 6, password changes via LDAP need a few minutes before they get active; in Domino Release 6.5 password changes are immediately active.
- Open Domino Administrator.
- Configuration > Directory > LDAP > choose settings.
- Upon first access you will be asked whether you want to create a new document > choose yes.
- Now choose > LDAP.
- Allow LDAP User write access > yes, and save it.
- Then restart the Domino server.

7.4.2 SSL configuration
To be able to access Domino services via SSL, an SSL certificate has to be installed on the server. The simplest method is generating a Self Signed Certificate.
1. Open the Server Certificate Admin Database (certsrv.nsf) and choose the option "Create key ring with self signed certificate" to create a Self Signed Certificate.
2. Now open Domino Administrator.
3. Now you have to configure the key file name: Configuration > Server > Current Server Document > Ports > Internet Ports > SSL key file name.
4. In the document Server > Current Server Document > Ports > Internet Ports > Directory you have to set SSL Port Status to enabled and SSL Name and Password to yes.
Further information on Domino SSL configuration can be found in [3], [4].

7.4.3 Installation of Comtarsia tem
54. rs

5.5 Further Comtarsia Attributes
- CLCForcePasswordChange: If this attribute, included in the user's object, is set to 1, the user is forced to change his password at the next logon. Afterwards the attribute is reset to 0 by the Logon Client. A logon of the user without changing his password is not permitted. This action has priority over optional policy messages like a password expiry warning. The user needs write permission to this attribute in his LDAP object.

6 Extended LDAP Functions
6.1 Introduction
The Logon Client takes care of the extended LDAP functions. Importing the schema file is not necessary for these functions.

6.2 Assigning hardware specific administrator rights
If a user needs local administrator rights on one or more specific workstations, this can be configured via the options HwAdminGroup and HwAdminAttribute.

6.2.1 HwAdminAttribute
The registry key HKEY_LOCAL_MACHINE\SOFTWARE\PCS\GINA\hwadminattribute defines which LDAP attribute of the user object contains a list of workstation names on which the user can be local administrator. The LDAP attribute of the user object which is configured as HwAdminAttribute contains a list of workstation names on which the user needs local administrator rights, e.g. Developer > Developerworkstation. Additionally the user
55. ry or setting up the home directory and the profile path separately. The home directory string is to be entered into the CLCProfilePath attribute field of the CLCPerson object. This attribute will be read automatically at logon. The Comtarsia Logon Client 2006 supports the following interpretations of the home directory string:
- \\COMTW2K\HOME\USER1: The next available drive letter is assigned to the UNC path \\COMTW2K\HOME\USER1. The profile path is set to \\COMTW2K\HOME\USER1\PROFILE.
- H:\\COMTW2K\HOME\USER1: Drive letter H: is assigned to the UNC path \\COMTW2K\HOME\USER1. The profile path is set to H:\\COMTW2K\HOME\USER1\PROFILE.
[Screenshot: Comtarsia LDAP Browser/Editor showing the user object cn=BenWhite,ou=Office_1,ou=Departement_1,o=Company (objectClass clcperson, inetorgperson, organizationalPerson, person, top) with CLCProfilePath \\comtw2k5\home6\benwhite and CLCShareName values DATA1 and PRNT_App]
56. s there is lots of documentation available on the Internet, and OpenSSL is executable under Unix/Linux as well as under Windows by means of cygwin (see www.redhat.com/cygwin). After OpenSSL has been installed, the configuration file openssl.cnf is located in the subdirectory /usr/ssl. Well made documentation for OpenSSL Version 0.9.2b can be found at http://www.dfn-pca.de/certify/ssl/handbuch/ossl092/ossl092.html. The providers mentioned are RSA Full Providers, which are used by the LDAP Logon Client.

7.6.5.1 Creating a root certificate authority
openssl req -out ca.pem -new -x509
(creates the CA file ca.pem and the CA key privkey.pem)
openssl crl2pkcs7 -nocrl -certfile ca.pem -out ca.p7b -inform PEM -outform DER

7.6.5.2 Creating a server certificate/key pair
openssl genrsa -out server.key 1024
openssl req -key server.key -new -out server.req
openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.pem
(the file file.srl contains a 2 digit number, e.g. 00)

7.6.5.3 Creating a client certificate/key pair
openssl genrsa -out client.key 1024
openssl req -key client.key -new -out client.req
openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.pem
(the file file.srl contains a 2 digit number, e.g. 00)

7.6.5.4 Converting a certificate to format PKCS#12
openssl pkcs12 -export -in client.pem
57. [Screenshot continued: Server settings: User DN Suffix, Secure Port, OU Prefix, OU Suffix, LDAP Version 2 / LDAP Version 3, Servertype, Timeout, Enable SSL, Append Base DN; Cancel, Apply]

Enter the hostname or IP of your LDAP server and press "Add Server" in order to add the server to the list. IMPORTANT: only the SERVER NAME is to be set and added here. For the basic configuration it is NOT necessary to enable the "Use this server settings" checkbox, and it is not necessary to fill any fields below the server name.

3.5 Fourth step: Logon on the LDAP server
The computer must reboot after installation. If only configuration changes were made, a reboot is NOT required. The Logon Client dialog will appear. Enter user name and password, select LDAP LOGON as domain and press OK.
[Screenshot: Logon Client dialog "Login on Computer XPWS01": UserID, Password, Domain LDAP LOGON; buttons LDAP Mode, Product Info, Microsoft Logon, Advanced LDAP Logon, Password Change]

Option "Advanced LDAP Logon": Instead of pressing OK after entering user name, password and domain, you can also select "Advanced LDAP Logon". This opens another dialog which allows you to temporarily overwrite some of the values of the above mentioned LDAP configuration settings. It can make life easy if you would like to test a setup different t
58. the LDAP server.

ngc4321:/etc/openldap # openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365
Using configuration from /usr/share/ssl/openssl.cnf
Generating a 1024 bit RSA private key
writing new private key to 'privkey.pem'
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value.
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]: AT
State or Province Name (full name) [Some-State]: Vienna
Locality Name (eg, city) []: Vienna
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Comtarsia
Organizational Unit Name (eg, section) []: SD
Common Name (eg, YOUR name) []: ngc4321.comtarsia.com
Email Address []: stefan@comtarsia.com
ngc4321:/etc/openldap #

7.5.4 Starting the OpenLDAP server
- without SSL: /etc/init.d/ldap start
- with SSL: cd /usr/lib/openssl; slapd -h "ldap:/// ldaps:///" (or slapd -d 9 -h "ldap:/// ldaps:///" for debugging output)
Now the OpenLDAP server is configured completely and all that is left is to import LDAP data. We recommend using an LDAP GUI for administration, e.g. http://www.iit.edu/~gawojar/ldap/index.html (requires Java JRE 1.4). Log in as manager: cn=Manager,dc=comtarsia,dc=com, password
59. thout password encryption are supported for import, e.g.:
import_key -sPKCS12 -fMyClientCert.pfx -pSECRET
import_key -sPKCS7 -fMyClientCert.p7b -kMyPrivateKey.pem
You have to use PKCS#7 to import Certificate Authority certificates, e.g.:
import_key -sPKCS7 -fMyCACert.p7b -A

7.6.5.7 Supported security modes in Logon Client
The Logon Client has the following security options:
0: No SSL encryption
1: Self Signed Server certificate accepted, no client certificate present
2: CA Signed Server certificate required, no client certificate present
3: CA Signed Server certificate required, Self Signed or CA Signed client certificate present
The Logon Client uses the following algorithm to locate certificates in the certificate store: The client certificate is searched for in the respective user's "My" certificate store. First it tries to find a certificate whose Subject Name is the same as the current user's user name. If this fails, the first certificate in the user certificate store is used. The CA certificate (if used) has to be located in the "Root" User Certificate Store (only accessible by the current user) or in the "Root" System Certificate Store (accessible by all users on this machine). CA certificates which are imported with import_key.exe using option -A are stored in the Root System Certificate Store.

8 REFERENCE LISTS
8.1 Domino Directory Server Reference List
[1] Domino Short Names
60. ts or changes are permitted. Change can occur, however, through subsequent RFCs that supersede or elaborate on all or parts of previous RFCs. The University of Southern California maintains a searchable index of all Requests for Comments from the Internet Engineering Task Force (IETF).
LDAP: The Lightweight Directory Access Protocol is a proposed open standard for accessing global or local directory services over a network and/or the Internet. The word "Protocol" is the key word in the definition. LDAP is NOT hardware or software. It is a protocol that defines how a client and server will communicate with one another. The Lightweight Directory Access Protocol is defined in a series of Requests For Comments, better known as RFCs. A very good source for all of the LDAP RFCs can be found in the OpenLDAP (http://www.OpenLDAP.org) software bundle, which can be downloaded free of charge from the Internet. Some of the more important RFC numbers are RFC 1777 for LDAPv2 and RFC 2251 for LDAPv3.
SSL: Secure Sockets Layer is the standard security technology for creating an encrypted link between a client and a server. This link ensures that all data passed between the server and client remains private and integral. SSL is an industry standard. In order to be able to generate an SSL link, a server requires an SSL Certificate.
TLS: Transport Layer Security protocol. The TLS protocol provides communication privacy over the Internet. The protocol allows client/ser
61. http://www-12.lotus.com/ldd/doc/domino_notes/Rnext/help6_admin.nsf/f4b82fbb75e942a6852566ac0037f284/b6ebd85402ab04ea85256c1d0039955c?OpenDocument
http://www-12.lotus.com/ldd/doc/domino_notes/Rnext/help6_admin.nsf/f4b82fbb75e942a6852566ac0037f284/c2b8e9676cb9d73c85256c1d00393778?OpenDocument
[2] Default Domain Document
http://www-12.lotus.com/ldd/doc/domino_notes/Rnext/help6_admin.nsf/f4b82fbb75e942a6852566ac0037f284/62b8e37b261352b685256c1d003954b8?OpenDocument
[3] Setting up SSL on a Domino server
http://www-12.lotus.com/ldd/doc/domino_notes/Rnext/help6_admin.nsf/f4b82fbb75e942a6852566ac0037f284/0ef603569412411385256c1d00398e86?OpenDocument
[4] Setting up Notes and Internet clients for SSL authentication
http://www-12.lotus.com/ldd/doc/domino_notes/Rnext/help6_admin.nsf/f4b82fbb75e942a6852566ac0037f284/438e83bd82998bfe85256c1d00399165?OpenDocument
[5] Customizing the LDAP service configuration
http://www-12.lotus.com/ldd/doc/domino_notes/Rnext/help6_admin.nsf/f4b82fbb75e942a6852566ac0037f284/055defea478ecc6585256c1d003937eb?OpenDocument
[6] Domino Directory Services
http://www-12.lotus.com/ldd/doc/domino_notes/Rnext/help6_admin.nsf/b3266a3c17f9bb7085256b870069c0a9/a7be0edb2008082385256c1d0039335a?OpenDocument

8.2 IBM Directory Server 5.1 Reference List
[1] Product document
62. use of further LDAP features at an LDAP logon. For the basic configuration please see "Quickstart for an LDAP Logon". For the currently supported LDAP server types and the corresponding Comtarsia schema extension installation manuals please see under "Server specific configuration". After a successful schema file extension and completed Comtarsia Logon Client configuration, the following values are automatically queried from the LDAP server by the Comtarsia Logon Client 2006:
1. Directories and printer shares
2. Profile path and home directory
3. Network applications

5.2 LDAP Directory and Printer Shares
The object class CLCShare defines, in the Comtarsia schema extension, the directory and printer shares on the LDAP server. Both share types can be assigned to LDAP users (object type CLCPerson) by assigning the attribute CLCShareName and filling the name of the respective share into the field. Assignments are automatically queried by the Comtarsia Logon Client at LDAP logon time and are connected to the user's workstation according to the specifications. A maximum of 25 directory shares as well as 9 printer shares (LPT1 to LPT9) are supported.

5.2.1 Directory shares
5.2.1.1 Create directory share (LDAP object class CLCShare)
In order to create a directory share, create a new object and assign the following attributes:
- CLCShareName: the name of the directory share
- CLCShareDescription: share description
63. ver applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The protocol is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol.
CLC: Abbreviation of Comtarsia Logon Client 2006, mostly used in combination with the Configurator (as CLC Configurator) or with Comtarsia Logon Client 2006 specific LDAP object classes (e.g. CLCPerson).
64. [Screenshot: IBM Directory Server web administration, "Manage entries" view listing user entries (objectclass top) and group entries (objectclass groupOfNames) with their creation and modification dates]

The next step is to set the LDAP server name in the Logon Client Configurator as shown below. With these confi
