Secure Global Desktop 4.31 Administration Guide > Applications, documents and hosts > Using Directory Services Integration

Using Directory Services Integration

Overview

Secure Global Desktop Directory Services Integration (DSI) allows you to use an LDAP version 3 directory instead of ENS for holding user information. With DSI, you do not need any ENS person objects. You can still have ENS person objects if you want, for example for Secure Global Desktop Administrators, but using DSI means you don't need to mirror your LDAP organization in ENS.

When you use DSI, you configure application objects (or group objects) instead of person objects, so it is the application that defines which LDAP users see it on their webtop.

You can only use DSI for users who have their identity established by an LDAP directory server. In other words, the user must have been authenticated using either:

The login profile used depends on which of these methods was used to authenticate the user. However, if you don't mirror your LDAP organization in ENS, the default LDAP Profile object (o=Tarantella System Objects/cn=LDAP Profile) is used.

If you use DSI, webtop content is aggregated, that is, a user can receive applications based on:

Requirements

Currently DSI is only supported on:

Note It may work on other LDAP directory servers, but it isn't supported.

Enabling Directory Services Integration

To enable DSI:

  1. Enable one of the login authorities that gives users an LDAP identity and test that it works.
  2. Configure the login profiles in ENS. If you want more control over settings such as security and printing, you may want to configure person objects as well as the o=Tarantella System Objects/cn=LDAP Profile object.
  3. Configure the application/document objects and/or group objects to define which LDAP users see each application or group of applications on their webtop.

Configuring applications for Directory Services Integration

In Object Manager all application, document and group objects have a Directory Services Integration panel. You use the attributes on this panel to configure which LDAP users see an application or document. For group objects, the configuration applies to all applications and documents that are members of the group. The attributes on the Directory Services Integration panel are:

The LDAP Users attribute

The LDAP Users attribute is a list of Distinguished Names (DNs) of the individual users in the LDAP directory that should see the application on their webtop.

For example, to give Sid Cerise in the Finance department access to the Cust-o-dat application, you could:

  1. Edit the Cust-o-dat application object in Object Manager.
  2. Click the Directory Services Integration panel.
  3. In the LDAP Users box, type:
    uid=Sid Cerise,ou=Finance,o=indigo-insurance.com

Note If you assign several individual users to an application or group object, it is more efficient to use the LDAP Search attribute instead.

The LDAP Groups attribute

The LDAP Groups attribute is a list of DNs of the groups in the LDAP directory that should see the application on their webtop. All members of the LDAP group receive the application.

For example, to give a set of applications to managers in the Finance and Marketing departments, you could:

  1. Create a group object in Object Manager.
  2. Click the Links tab for the group.
  3. Drop application and document objects onto the Links tab.
  4. Click the Directory Services Integration panel.
  5. In the LDAP Groups box, type:
    cn=managers,ou=Finance,o=indigo-insurance.com cn=managers,ou=Marketing,o=indigo-insurance.com

Note If you assign several groups to an application or group object, it is more efficient to use the LDAP Search attribute instead.

The LDAP Searches attribute

The LDAP Searches attribute is a list of RFC 2254 search filters and/or RFC 1959 LDAP URLs that specify which users should see the application on their webtop.

For example, to give an application to all managers in the Sales department and anyone who has Violet Carson as their manager, you could:

  1. Edit the application object in Object Manager.
  2. Click the Directory Services Integration panel.
  3. In the LDAP Searches box, type:
    "(&(job=manager)(dept=Sales))" "(manager=Violet Carson)"

Note You can also use an LDAP search URL for the LDAP Search attribute, for example:
"ldap:///ou=Sales,dc=indigo-insurance,dc=com??sub?job=manager".
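The following is an added example, not part of the Administration Guide or of the Secure Global Desktop product: a small RFC 2254 filter evaluator and RFC 1959 URL splitter run against constructed user entries, so you can check which users a value typed into the LDAP Searches box would select before configuring it. The entries and their job, dept and manager attributes are assumed for illustration.

```python
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]   # one LDAP entry: attribute -> values
# Constructed user entries standing in for the LDAP directory (not real data).
USERS: Dict[str, Entry] = {
    "uid=Sid Cerise,ou=Finance,o=indigo-insurance.com": {"job": ["manager"], "dept": ["Finance"]},
    "uid=Emerald Green,ou=Sales,o=indigo-insurance.com": {"job": ["manager"], "dept": ["Sales"]},
    "uid=Indigo Jones,ou=Sales,o=indigo-insurance.com": {"job": ["rep"], "dept": ["Sales"], "manager": ["Violet Carson"]},
}

def parse_filter(s: str, i: int = 0) -> Tuple[object, int]:
    """Parse the parenthesised RFC 2254 filter at s[i]; return (ast, next index).
    Handles &, |, ! and attr=value ('*' = presence); no escape sequences."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|!":
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            sub, i = parse_filter(s, i)
            subs.append(sub)
        assert s[i] == ")", "unbalanced filter"
        return (op, subs), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.strip(), value), end + 1

def matches(ast, entry: Entry) -> bool:
    op = ast[0]
    if op == "&":
        return all(matches(a, entry) for a in ast[1])
    if op == "|":
        return any(matches(a, entry) for a in ast[1])
    if op == "!":
        return not matches(ast[1][0], entry)
    _, attr, value = ast
    vals = [v.lower() for v in entry.get(attr, [])]   # LDAP equality is case-insensitive
    return bool(vals) if value == "*" else value.lower() in vals

def select(filter_str: str, entries: Dict[str, Entry] = USERS) -> List[str]:
    """DNs of entries matched by a filter as typed into the LDAP Searches box."""
    f = filter_str.strip().strip('"')            # the guide quotes each filter
    ast, _ = parse_filter(f if f.startswith("(") else f"({f})")
    return sorted(dn for dn, e in entries.items() if matches(ast, e))

def parse_ldap_url(url: str) -> Dict[str, str]:
    """Split an RFC 1959 URL ldap:///base?attrs?scope?filter into its parts."""
    assert url.startswith("ldap://"), "not an LDAP URL"
    parts = url[len("ldap://"):].split("/", 1)[1].split("?") + [""] * 3
    base, attrs, scope, flt = parts[:4]
    return {"base": base, "attrs": attrs, "scope": scope or "base",
            "filter": f"({flt})" if flt and not flt.startswith("(") else flt or "(objectClass=*)"}
```

Running select('"(&(job=manager)(dept=Sales))"') on these entries returns only Emerald Green, and select('"(manager=Violet Carson)"') returns only Indigo Jones, matching the two values in the procedure above.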

Performance effects of using Directory Services Integration

Using Directory Services Integration requires many round-trips to an LDAP directory server. This can generate a lot of network traffic and degrade performance.

We recommend you use the LDAP Search attribute wherever possible as this is more efficient and flexible. Use the LDAP Users and LDAP Groups attributes very sparingly.

Refining LDAP Group searches

Group membership

When Secure Global Desktop searches for members of LDAP groups it searches for users in the uniquemember, member, and uniqueMember attributes on group objects.

If these attributes do not provide enough information to allow Secure Global Desktop to uniquely identify users, for example because the attribute contains only the user's relative distinguished name (RDN), then the group search will fail.

Secure Global Desktop allows you to specify one or more short name attributes which can be used to identify users. Secure Global Desktop considers a user to be a member of a group if the value of their short name attribute also appears in one of the group membership attributes (uniquemember, member, and uniqueMember) for the group. For short name attributes to work, they must contain unique values.

To specify one or more short name attributes:

  1. Stop the Secure Global Desktop server: tarantella stop.
  2. Run the following command:
    tarantella config edit \
    --com.sco.jndi.toolkit.utils.LDAPUserCollection.properties-userShortAttributes-append attribute

    You can list more than one attribute. Each attribute must be separated by a space.
  3. Start the Secure Global Desktop server: tarantella start.
  4. Repeat these steps on each member of the array.

To specify additional attributes as group membership attributes:

  1. Stop the Secure Global Desktop server: tarantella stop.
  2. Run the following command:
    tarantella config edit \
    --com.sco.jndi.toolkit.utils.LDAPUserCollection.properties-directAttributes-append attribute

    You can list more than one attribute. Each attribute must be separated by a space.
  3. Start the Secure Global Desktop server: tarantella start.
  4. Repeat these steps on each member of the array.

Nested groups (sub-groups)

By default the LDAP group search searches a single depth of LDAP groups. If your organization uses nested groups (sub-groups), you can increase the depth of the search. To do this:

  1. Stop the Secure Global Desktop server: tarantella stop.
  2. Run the following command:
    tarantella config edit \
    --com.sco.jndi.toolkit.utils.LDAPUserCollection.properties-maximumGroupDepth depth
  3. Start the Secure Global Desktop server: tarantella start.
  4. Repeat these steps on each member of the array.

The default depth is "0" and you should increase the value to match the depth of the nested groups. Increasing the depth will have a negative effect on performance.
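The following is an added example, not code from the Administration Guide or from Secure Global Desktop: it resolves the members of an LDAP group the way the two sections above describe, using the uniquemember, member and uniqueMember attributes, an optional short name attribute for members stored only by a short value, extra direct membership attributes, and a maximum nesting depth that defaults to 0. The directory entries, the short names and the roleOccupant attribute are constructed for illustration.

```python
from typing import Dict, List, Sequence, Set

# Constructed directory entries (DN -> attributes) standing in for the LDAP
# server; group membership is held in the attributes the guide names.
MEMBER_ATTRS = ["uniquemember", "member", "uniqueMember"]
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=managers,ou=Finance,o=indigo-insurance.com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=Sid Cerise,ou=Finance,o=indigo-insurance.com",
                         "cn=team-leads,ou=Finance,o=indigo-insurance.com",   # nested group
                         "vcarson"],                                          # short name, not a DN
        "roleOccupant": ["uid=Violet Carson,ou=Finance,o=indigo-insurance.com"]},
    "cn=team-leads,ou=Finance,o=indigo-insurance.com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=Indigo Jones,ou=Finance,o=indigo-insurance.com"]},
    "uid=Sid Cerise,ou=Finance,o=indigo-insurance.com": {"uid": ["scerise"]},
    "uid=Violet Carson,ou=Finance,o=indigo-insurance.com": {"uid": ["vcarson"]},
    "uid=Indigo Jones,ou=Finance,o=indigo-insurance.com": {"uid": ["ijones"]},
}

def is_group(dn: str) -> bool:
    return any(oc.lower().startswith("groupof")
               for oc in DIRECTORY.get(dn, {}).get("objectClass", []))

def group_members(group_dn: str, max_depth: int = 0, short_attrs: Sequence[str] = (),
                  direct_attrs: Sequence[str] = ()) -> Set[str]:
    """User DNs that DSI would treat as members of group_dn.
    max_depth mirrors maximumGroupDepth (0 = this group only, the default);
    short_attrs mirrors userShortAttributes; direct_attrs mirrors directAttributes."""
    users: Set[str] = set()
    for attr in MEMBER_ATTRS + list(direct_attrs):
        for value in DIRECTORY.get(group_dn, {}).get(attr, []):
            if value in DIRECTORY and is_group(value):
                if max_depth > 0:          # descend into a sub-group, one level less
                    users |= group_members(value, max_depth - 1, short_attrs, direct_attrs)
            elif value in DIRECTORY:
                users.add(value)           # full user DN: identified directly
            else:
                # Not a DN we hold: match it against the configured short name
                # attributes. With none configured, this member is simply not found.
                for dn, entry in DIRECTORY.items():
                    if any(value in entry.get(sa, []) for sa in short_attrs):
                        users.add(dn)
    return users
```

With the defaults only Sid Cerise is found; the nested member appears once max_depth is 1, and the short-name member once "uid" is a short name attribute.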

LDAP cache

Secure Global Desktop caches the data it collects from an LDAP directory server. If you find that Secure Global Desktop is not detecting changes, you can manually flush the cached data with the tarantella cache command.
