Unless you are planning a very small Novell Vibe site, the most efficient way to create Vibe users is to synchronize initial user information from your network directory service (Novell eDirectory, Microsoft Active Directory, or other LDAP directory service) after you have installed the Vibe software. Over time, you can continue to synchronize user information from the LDAP directory to your Vibe site.
IMPORTANT: The following limitations apply when synchronizing user information to Vibe from an LDAP directory service:
Vibe performs one-way synchronization from the LDAP directory to your Vibe site. If you change user information on the Vibe site, the changes are not synchronized back to your LDAP directory.
Vibe does not support multi-value attributes. If your LDAP directory contains multi-value attributes, Vibe recognizes only the first value of each attribute. For example, if your LDAP directory contains multiple e-mail addresses for a given user, only the first e-mail address is synchronized to Vibe.
You can synchronize initial Vibe user information from any LDAP directory. This guide provides instructions for synchronizing user information from eDirectory and Active Directory. If you are using another LDAP directory, use the instructions as guidelines for the tasks you need to perform.
| BASIC VIBE INSTALLATION SUMMARY SHEET |
|---|
| Under , mark the LDAP directory service from which you want to synchronize Vibe user information. |
You can configure one or more LDAP connections. Each connection requires the following configuration information:
In order to synchronize initial user information, Vibe needs to access an LDAP server where your directory service is running. You need to provide the hostname of the server, using a URL with the following format:
ldap://hostname
If the LDAP server requires a secure SSL connection, use the following format:
ldaps://hostname
If the LDAP server is configured with a default port number (389 for non-secure connections or 636 for secure SSL connections), you do not need to include the port number in the URL. If the LDAP server uses a different port number, use the following format for the LDAP URL:
ldap://hostname:port_number
ldaps://hostname:port_number
In addition, Vibe needs the username and password of a user on the LDAP server who has sufficient rights to access the user information stored there. You need to provide the username, along with its context in your LDAP directory tree, in the format expected by your directory service.
| Directory Service | Format for the Username |
|---|---|
| eDirectory | cn=username,ou=organizational_unit,o=organization |
| Active Directory | cn=username,ou=organizational_unit,dc=domain_component |
| BASIC VIBE INSTALLATION SUMMARY SHEET |
|---|
| Under , specify the LDAP URL of the server, a fully qualified username with sufficient rights to read the user information, and the password for that user. |
If the LDAP server requires a secure SSL connection, additional setup is required. You must complete the steps in Securing LDAP Synchronization in Site Security in the Novell Vibe 3.3 Administration Guide to import the root certificate for your LDAP directory into the Java keystore on the Vibe server before you configure Vibe for LDAP synchronization.
The LDAP attribute that uniquely identifies a user or group helps facilitate renaming and moving Vibe users and groups in the LDAP directory. If this attribute is not set, and you rename or move a user in the LDAP directory, Vibe assumes that the new name (or the new location of the same name) represents a new user, not a modified user, and creates a new Vibe user.
For example, suppose you have a Vibe user with a given name of William Jones. If William changes his name to Bill, and you make that change in the LDAP directory, Vibe creates a new user named Bill Jones.
To ensure that Vibe modifies the existing user instead of creating a new user when the user is renamed or moved in the LDAP directory, you must specify the name of the LDAP attribute that uniquely identifies the user. For eDirectory, this value is GUID. For Active Directory, this value is objectGUID. This attribute always has a unique value that does not change when you rename or move a user in the LDAP directory. If you want to map users to a different attribute, you must ensure that the attribute that you use is a binary attribute. For example, the cn attribute cannot be used because it is not a binary attribute.
| BASIC VIBE INSTALLATION SUMMARY SHEET |
|---|
| Under , mark GUID or objectGUID, depending on whether your LDAP directory is eDirectory or Active Directory. |
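To make the rename behaviour concrete, the following is an added Python model of the synchronization rules described above. It is illustrative code written for this page, not Vibe's implementation. It assumes a simplified account record, treats the mapped attribute (GUID for eDirectory, objectGUID for Active Directory) as the binary value the directory returns, keeps only the first value of a multi-value attribute as the limitations at the top of the page state, and disables rather than deletes accounts that have disappeared from LDAP (the recommended setting described further down). The sample entries and the GUID bytes are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VibeUser:
    """A provisioned Vibe account (simplified model). guid holds the hex form of
    the mapped binary LDAP attribute (GUID or objectGUID), or None when no
    unique attribute is mapped."""
    guid: Optional[str]
    name: str
    first_name: str = ""
    last_name: str = ""
    email: str = ""
    disabled: bool = False


def first_value(values: list):
    """Vibe reads only the first value of a multi-value attribute (see the
    limitations above); an absent attribute yields an empty string."""
    return values[0] if values else ""


def sync_users(ldap_entries: List[Dict[str, list]], vibe_users: List[VibeUser],
               unique_attr: Optional[str] = None) -> List[str]:
    """One one-way sync pass, LDAP -> Vibe. An existing account is matched by
    the binary unique attribute when one is mapped, otherwise by name alone.
    Accounts that disappeared from LDAP are disabled, not deleted (the
    recommended setting). Returns the names of accounts created in this pass."""
    by_guid = {u.guid: u for u in vibe_users if u.guid}
    by_name = {u.name: u for u in vibe_users}
    seen, created = set(), []
    for entry in ldap_entries:
        name = first_value(entry.get("cn", []))
        raw = first_value(entry.get(unique_attr, [])) if unique_attr else None
        # Only a binary attribute is accepted as the identity key; anything
        # else falls back to name matching, which cannot survive a rename.
        guid = raw.hex() if isinstance(raw, bytes) else None
        user = by_guid.get(guid) if guid else by_name.get(name)
        if user is None:
            user = VibeUser(guid=guid, name=name)
            vibe_users.append(user)
            created.append(name)
            if guid:
                by_guid[guid] = user
            by_name[name] = user
        # LDAP is authoritative: its values overwrite what Vibe holds.
        user.name = name
        user.first_name = first_value(entry.get("givenName", []))
        user.last_name = first_value(entry.get("sn", []))
        user.email = first_value(entry.get("mail", []))
        user.disabled = False
        seen.add(id(user))
    for user in vibe_users:
        if id(user) not in seen:
            user.disabled = True
    return created


# Constructed sample data (not from a real directory): a 16-byte GUID as
# eDirectory returns it, and the William -> Bill rename from the text above.
_GUID = bytes(range(16))
_BEFORE_RENAME = [{"cn": ["wjones"], "givenName": ["William"], "sn": ["Jones"],
                   "mail": ["wjones@example.com", "william.jones@example.com"],
                   "GUID": [_GUID]}]
_AFTER_RENAME = [{"cn": ["bjones"], "givenName": ["Bill"], "sn": ["Jones"],
                  "mail": ["bjones@example.com"], "GUID": [_GUID]}]


def rename_scenario(unique_attr: Optional[str]) -> List[tuple]:
    """Run a sync pass before and after the rename and report the resulting
    Vibe accounts as (name, disabled) pairs."""
    users: List[VibeUser] = []
    sync_users(_BEFORE_RENAME, users, unique_attr)
    sync_users(_AFTER_RENAME, users, unique_attr)
    return [(u.name, u.disabled) for u in users]


if __name__ == "__main__":
    print("no unique attribute mapped:", rename_scenario(None))
    print("GUID mapped:               ", rename_scenario("GUID"))
```

With no unique attribute mapped, the second pass leaves two accounts: the old wjones, now disabled because nothing in LDAP matched it, and a new bjones. With GUID mapped, the same GUID bytes identify the renamed entry and the single account is simply renamed. The second e-mail address in the sample entry is dropped, as the multi-value limitation describes.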
The setting LDAP Attribute Used for Vibe Name is used for two purposes:
The value is used as the Vibe username when the user is first provisioned from LDAP. The value of this attribute must be unique.
During Vibe login, Vibe uses this attribute to locate the user in the LDAP directory, then tries to authenticate as that user.
LDAP directories differ in the LDAP attribute used to identify a User object. Both eDirectory and Active Directory might use the cn (common name) attribute. A more reliable alternative for Active Directory is the sAMAccountName attribute. Other LDAP directories might use the uid (unique ID) attribute, depending on the structure and configuration of the directory tree.
You might need to consult with your directory administrator in order to determine which attribute is best to use.
As needed, other LDAP attributes can be used, as long as the attribute is unique for each User object. For example, the mail LDAP attribute on User objects could be used to enable Vibe users to log in to the Vibe site by using their e-mail addresses.
NOTE: Because the login name becomes part of the user's workspace URL, and @ is not a valid character in a URL, the at sign (@) in the e-mail address is replaced with an underscore (_) in the workspace URL.
| BASIC VIBE INSTALLATION SUMMARY SHEET |
|---|
| Under LDAP attribute used for Vibe name, mark the attribute that you are going to use (for example, cn, sAMAccountName, or uid), based on the convention used by your LDAP directory service for User objects. Ensure that users have a value for the attribute that you mark. |
Vibe can find and synchronize initial user information from User objects located in one or more containers in the LDAP directory tree. A container under which User objects are located is called a base DN (distinguished name). The format you use to specify a base DN depends on your directory service.
| Directory Service | Format for the User Container |
|---|---|
| eDirectory | ou=organizational_unit,o=organization |
| Active Directory | ou=organizational_unit,dc=domain_component |
To identify potential Vibe users, Vibe by default filters on the following LDAP directory object attributes:
Person
orgPerson
inetOrgPerson
If you want to create Vibe groups based on information in your LDAP directory, Vibe filters on the following LDAP directory object attributes:
group
groupOfNames
groupOfUniqueNames
You can add attributes to the user or group filter list if necessary. You can use the following operators in the filter:
| OR (the default)
& AND
! NOT
You can choose whether you want Vibe to search for users (and optionally, groups) in containers underneath the base DN (that is, in subtrees).
| BASIC VIBE INSTALLATION SUMMARY SHEET |
|---|
| Under , specify a base DN, along with object attributes if any, and mark whether you want subtrees searched for Vibe users. |
| Under , specify a base DN, along with object attributes if any, and mark whether you want subtrees searched for Vibe groups. |
You might find it convenient to create a group that consists of all the users that you want to set up in Vibe, regardless of where they are located in your LDAP directory. After you create the group, you can use the following filter to search for User objects that have the specified group membership attribute:
(groupMembership=cn=group_name,ou=organizational_unit,o=organization)
IMPORTANT: Be sure to include the parentheses in your filter.
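The following added Python example, illustrative code for this page rather than anything from Vibe, builds filters from the object lists above using the three operators, adds the group-membership filter, and evaluates the results against a constructed eDirectory-style directory, honouring a base DN and the subtree option. It also shows the login-time lookup described under the LDAP attribute used for the Vibe name: the typed login value is escaped per RFC 4515 before it is placed in the filter, and exactly one match is required before any authentication attempt. Writing the page's default user and group lists as objectClass equality terms is an assumption about how such a filter is normally expressed; the sample DNs and entries are constructed.

```python
import re
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]  # attribute name (lower case) -> values

# Constructed sample directory in eDirectory style (not real data).
DIRECTORY: List[Entry] = [
    {"dn": ["cn=wjones,ou=staff,o=example"], "cn": ["wjones"],
     "objectclass": ["inetOrgPerson", "orgPerson", "Person"],
     "mail": ["wjones@example.com"],
     "groupmembership": ["cn=vibe-users,ou=groups,o=example"]},
    {"dn": ["cn=asmith,ou=staff,o=example"], "cn": ["asmith"],
     "objectclass": ["inetOrgPerson", "orgPerson", "Person"],
     "mail": ["asmith@example.com"], "groupmembership": []},
    {"dn": ["cn=lobby-printer,ou=devices,o=example"], "cn": ["lobby-printer"],
     "objectclass": ["device"]},
    {"dn": ["cn=vibe-users,ou=groups,o=example"], "cn": ["vibe-users"],
     "objectclass": ["groupOfNames"], "member": ["cn=wjones,ou=staff,o=example"]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value inside a filter assertion, so that a typed
    login name cannot alter the structure of the filter it is placed in."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def equality(attr: str, value: str) -> str:
    return "(%s=%s)" % (attr, escape_filter_value(value))

def any_of(*parts: str) -> str:   # the | operator (the default)
    return "(|" + "".join(parts) + ")"

def all_of(*parts: str) -> str:   # the & operator
    return "(&" + "".join(parts) + ")"

def none_of(part: str) -> str:    # the ! operator
    return "(!" + part + ")"

# The default user and group object lists from the text, as objectClass terms.
DEFAULT_USER_FILTER = any_of(*(equality("objectClass", c)
                               for c in ("Person", "orgPerson", "inetOrgPerson")))
DEFAULT_GROUP_FILTER = any_of(*(equality("objectClass", c)
                                for c in ("group", "groupOfNames", "groupOfUniqueNames")))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _evaluate(filt: str, entry: Entry, pos: int = 0):
    """Recursive-descent evaluation of one filter against one entry.
    Supports &, |, ! and equality; returns (result, position after the term)."""
    if filt[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = filt[pos]
    if op in "&|!":
        pos += 1
        results = []
        while filt[pos] == "(":
            result, pos = _evaluate(filt, entry, pos)
            results.append(result)
        if filt[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        if op == "&":
            return all(results), pos + 1
        if op == "|":
            return any(results), pos + 1
        return not results[0], pos + 1
    end = filt.index(")", pos)  # a literal ')' inside a value arrives escaped as \29
    attr, _, raw = filt[pos:end].partition("=")
    present = [v.lower() for v in entry.get(attr.lower(), [])]
    return _unescape(raw).lower() in present, end + 1

def matches(filt: str, entry: Entry) -> bool:
    result, end = _evaluate(filt, entry)
    if end != len(filt):
        raise ValueError("unbalanced filter: %r" % filt)
    return result


def search(filt: str, base_dn: str, subtree: bool = True,
           entries: List[Entry] = DIRECTORY) -> List[str]:
    """DNs under base_dn that match filt; subtree=False keeps direct children only."""
    hits = []
    for e in entries:
        dn = e["dn"][0]
        if not dn.lower().endswith("," + base_dn.lower()):
            continue
        if not subtree and "," in dn[: -len(base_dn) - 1]:
            continue
        if matches(filt, e):
            hits.append(dn)
    return hits

def locate_login_user(login_attr: str, login: str, base_dn: str) -> Optional[str]:
    """Login-time lookup as described above: exactly one user entry must carry
    the typed value in the login attribute; zero or several hits means the
    attribute is not usable as a unique Vibe name, and no bind is attempted."""
    hits = search(all_of(DEFAULT_USER_FILTER, equality(login_attr, login)), base_dn)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    group = equality("groupMembership", "cn=vibe-users,ou=groups,o=example")
    print(search(DEFAULT_USER_FILTER, "o=example"))
    print(search(all_of(DEFAULT_USER_FILTER, group), "o=example"))
    print(search(DEFAULT_GROUP_FILTER, "o=example"))
    print(locate_login_user("mail", "wjones@example.com", "o=example"))
```

The `subtree` flag of `search` corresponds to the option to search containers underneath the base DN: with `subtree=False` and a base DN of o=example, no users are returned because they all sit one level down in ou=staff. Combining the default user filter with the groupMembership term restricts provisioning to members of the chosen group, as the text describes, and wrapping that term in the ! operator selects the remaining users instead.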
The following synchronization options apply to all LDAP configurations within the same Vibe zone:
NOTE: Because the synchronization options apply to all LDAP configurations within the same zone, you cannot have customized synchronization settings for each LDAP configuration. However, the Novell Vibe site can have multiple zones. For more information about zones, see Setting Up Zones (Virtual Vibe Sites) in Site Setup in the Novell Vibe 3.3 Administration Guide.
When you enable LDAP synchronization, you can set up a schedule for when it is convenient for synchronization to occur. In planning the schedule, take into account how often your LDAP directory user (and, optionally, group) information changes and the server resources required to perform the synchronization for the number of users (and, optionally, groups) that you have.
You can choose to have LDAP synchronization performed every day, or you can select specific days of the week when you want it performed (for example, on Monday, Wednesday, and Friday). You can choose to have it performed once a day at a specified time (for example, at 2:00 a.m.), or you can set a time interval, so that it is performed multiple times each day (for example, every four hours). The smallest time interval you can set is .25 hours (every 15 minutes).
| BASIC VIBE INSTALLATION SUMMARY SHEET |
|---|
| Under , record the schedule for when you want LDAP synchronization to take place. |
The following options are available for enabling and configuring user synchronization from your LDAP directory to your Vibe site:
Synchronize User Profiles: Select this option to synchronize user information whenever the LDAP directory information changes after initial Vibe site setup. The attributes that are synchronized are the attributes that are found in the map box in the section on the Configure LDAP Synchronization page. By default, Vibe synchronizes the following attributes from the LDAP directory:
First name
Last name
Phone number
E-mail address
Description
For information about how to add additional attributes to be automatically synchronized, see Synchronizing Additional LDAP Attributes in the Novell Vibe 3.3 Administration Guide.
Register LDAP User Profiles Automatically: Select this option to automatically add LDAP users to the Vibe site. However, workspaces are not created until users log in to the Vibe site for the first time.
Delete Users That Are Not in LDAP: Select this option to delete users that exist on the Vibe site but do not exist in your LDAP directory.
IMPORTANT: A deleted user cannot be undeleted; deleting a user is permanent and is not reversible.
Novell recommends that you leave this option unselected. Leaving this option unselected automatically disables any users in Vibe who have been deleted in your LDAP directory.
For more information about disabled users in Vibe, see Disabling Vibe User Accounts in the Novell Vibe 3.3 Administration Guide.
If you are sure that you want to automatically delete users that are not in LDAP, this option is designed to be used under the following conditions:
You have deleted users from your LDAP directory and you want the LDAP synchronization process to delete them from Vibe as well.
In addition to the users synchronized from LDAP, you create some Vibe users manually, as described in Section 5.2, Creating a User, and you want the LDAP synchronization process to delete the manually created users.
When Deleting Users, Delete Associated User Workspaces and Content: Select this option to remove obsolete information along with the user accounts.
Time Zone for New Users: Select this option to set the time zone for user accounts that are synchronized from the LDAP directory into your Vibe site. The time zone list is grouped first by continent or region, optionally by country or state, and lastly by city. Some common selections for United States time zones are:
| Time Zone | Continent/City |
|---|---|
| Pacific Time | America/Los Angeles |
| Mountain Time | America/Denver |
| Central Time | America/Chicago |
| Eastern Time | America/New York |
Locale for New Users: Select this option to set the locale for user accounts that are synchronized from the LDAP directory into your Vibe site. The locale list is sorted alphabetically by language.
| BASIC VIBE INSTALLATION SUMMARY SHEET |
|---|
| Under , mark the synchronization options you want to use. |
The following options are available for enabling and configuring user and group synchronization from your LDAP directory to your Vibe site:
Synchronize Group Profiles: Select this option to synchronize group information, such as the group description, to the Vibe site whenever this information changes in LDAP.
Register LDAP Group Profiles Automatically: Select this option to automatically add LDAP groups to the Vibe site.
Synchronize Group Membership: Select this option so that the Vibe group includes the same users (and possibly groups) as the group in your LDAP directory. If you do not select this option, and you make changes to group membership in the LDAP directory, the changes are not reflected on your Vibe site.
Delete Local Groups That Are Not in LDAP: Select this option to delete groups that exist on the Vibe site but do not exist in your LDAP directory. Use this option under the following conditions:
You have deleted groups from your LDAP directory and you want the LDAP synchronization process to delete them from Vibe as well.
In addition to the groups synchronized from LDAP, you create some Vibe groups manually, as described in Creating Groups of Users in Site Setup in the Novell Vibe 3.3 Administration Guide, and you want the LDAP synchronization process to delete the manually created groups.
| BASIC VIBE INSTALLATION SUMMARY SHEET |
|---|
| Under , mark the synchronization options you want to use. |