Chapter 5 - Using LDAP for StreetTalk with LDAP Applications
This chapter explains how to configure and use LDAP for StreetTalk with selected LDAP applications. It includes details about two new features in LDAP for StreetTalk, n-level names and directory synchronization, that let LDAP for StreetTalk and other LDAP directory servers share directory data and keep their directory entries consistent.
When you add LDAP for StreetTalk to your StreetTalk for Windows NT servers, selected LDAP directory servers can access the entries in your StreetTalk database. To give LDAP directory servers greater and more flexible access to your StreetTalk database, LDAP for StreetTalk includes two new features: n-level names and directory synchronization. This chapter describes how to configure and use n-level names so that LDAP applications can read your StreetTalk directory entries and add entries to your LDAP for StreetTalk directory. It also discusses configuring directory synchronization to maintain consistent data between an LDAP directory server's directory and the LDAP for StreetTalk directory.
This chapter discusses:
Supporting LDAP Applications
N-Level Names
Directory Synchronization
LDAP for StreetTalk lets you use your StreetTalk directory with a variety of LDAP-enabled applications, such as Web browsers from Netscape and Microsoft, or enterprise management tools that use LDAP directories.
To support a range of LDAP-based applications, Banyan provides two features in LDAP for StreetTalk that enable operations with LDAP applications:
N-level names
Directory Synchronization
N-level names in LDAP for StreetTalk let LDAP applications access your existing LDAP for StreetTalk directory. By enabling n-level names on an LDAP for StreetTalk service, applications that use LDAP directories can search and retrieve StreetTalk information, such as users, nicknames, or lists, in the StreetTalk directory on the LDAP for StreetTalk server, as well as add LDAP formatted entries to the LDAP for StreetTalk directory.
You can choose to synchronize your LDAP for StreetTalk directory with the LDAP directory provided on another LDAP server, such as Netscape Directory Server. By using directory synchronization, you ensure that the entries in your LDAP for StreetTalk directory match the entries in the LDAP directory on your LDAP enabled application.
StreetTalk names have three levels: item@group@organization. LDAP directories work with names that can comprise many more than three levels. To let LDAP applications and directories work with your StreetTalk directory, LDAP for StreetTalk includes the ability to create n-level names from StreetTalk names.
Unlike electronic mail software and its address books, many LDAP applications need to read and write data in the LDAP directory on an LDAP for StreetTalk server. Without n-level names configured on the service, such applications cannot write data to the LDAP directory in the format or directory structure they require, and so cannot be used with LDAP for StreetTalk.
Note
Contact your Banyan sales representative for information about LDAP applications that work effectively with LDAP for StreetTalk.
To create and use an n-level name from a StreetTalk name, complete the following tasks:
1. Create a table, called a map file, that maps StreetTalk group@organization names to the corresponding LDAP distinguished names. Refer to "To Create the N-Level Name Mapping File" later in this chapter.
2. Store the table in attribute <5:36> of the STDA service on the StreetTalk for Windows NT server. Refer to "To Set STDA Attribute <5:36> On the LDAP for StreetTalk Server" later in this chapter for directions to create the attribute, or refer to Managing Users and StreetTalk in your Banyan documentation, or refer to the StreetTalk Explorer online help for information about creating and storing attributes.
3. Rebuild the STDA databases from scratch.
Creating n-level names by adding the n-level name attribute and mapping file on an LDAP for StreetTalk service has no effect on the function of StreetTalk or STDA on the host server. N-level names are accessed and used only by LDAP applications that rely on LDAP for StreetTalk.
Banyan's n-level naming structure uses mapping entries to convert three-part StreetTalk names to multi-part LDAP for StreetTalk names, without relying solely on the suffix for the LDAP for StreetTalk service. You store the mapping entries as text strings in STDA attribute <5:36> for the STDA service on a StreetTalk for Windows NT server.
Without n-level names, LDAP for StreetTalk derives the distinguished name of a StreetTalk object by adding the LDAP service suffix to an RDN built from the item@group@organization StreetTalk name. For example, the StreetTalk object adminlist@sales@wctus becomes the RDN cn=adminlist, ou=sales, o=wctus. The DN is that RDN plus the suffix (c=us) for the service.
After adding the mapping table for n-level names, StreetTalk objects whose groups are mapped to LDAP relative distinguished names no longer use the default cn=item, ou=group, o=organization structure of LDAP for StreetTalk. Instead, StreetTalk objects whose group@organization portion is mapped to an n-level name, use the DN structure cn=item, n-level name mapping, LDAP service suffix. Notice that the difference in the DN without and with n-level naming is that the default LDAP for StreetTalk mapping ou=StreetTalk group, o= StreetTalk organization is replaced by the n-level name mapping, which can have many more than the two levels provided by StreetTalk.
The following examples present a few of the possible ways to create n-level mapping entries in the mapping table. In all examples, the LDAP for StreetTalk server suffix is part of the resulting n-level name. Assume the server suffix is c=us. The item name remains unchanged during n-level name mapping. Figure 5-1 presents the examples in the StreetTalk directory tree before you use the n-level name mappings in the examples.
This set of four examples uses n-level naming to create a sales organization (ou=Sales) that has separate locations to represent sales regions (l=westboro, l=california). Mapping StreetTalk group@organization names to n-level names lets users search for sales-related LDAP entries by region.
Example 1
StreetTalk group@org name - nesales@WCTUS
Corresponding mapping - l=westboro, ou=sales, o=WCTUS
Resulting n-level name - cn=item, l=westboro, ou=sales, o=WCTUS, c=us
Example 2
StreetTalk group@org name - corporate sales@WCTUS
Corresponding mapping - ou=sales, o=WCTUS
Resulting n-level name - cn=item, ou=sales, o=WCTUS, c=us
Example 3
StreetTalk group@org name - doc@WCTUS
Corresponding mapping - l=westboro, ou=doc, o=WCTUS
Resulting n-level name - cn=item, l=westboro, ou=doc, o=WCTUS, c=us
Example 4
StreetTalk group@org name - sales@California
Corresponding mapping - l=california, ou=sales, o=WCTUS
Resulting n-level name - cn=item, l=california, ou=sales, o=WCTUS, c=us
Map File Using Examples 1-4
nesales@WCTUS
l=westboro, ou=sales, o=WCTUS
corporate sales@WCTUS
ou=sales, o=WCTUS
doc@WCTUS
l=westboro, ou=doc, o=WCTUS
sales@California
l=california, ou=sales, o=WCTUS
If you create a map file from examples 1-4 above, and import the file into attribute <5:36> on an LDAP for StreetTalk server, you end up with an LDAP Directory Information Tree (DIT) similar to the tree in Figure 5-2.
By using n-level names, the new LDAP DIT lets users search for sales staff for the California region or the New England region (represented by Westboro). With Sales@WCTUS as a group, StreetTalk cannot distinguish between the sales information from California and the information from New England.
Set STDA Attribute <5:36> to Support N-Level Names
You must set STDA attribute <5:36> to provide the LDAP-specific n-level names support.
Attribute <5:36>
Attribute <5:36> has these characteristics:
Vendor No. = 5
Attribute No. = 36
AVD Name = LDAP Mapping Table
Type = String
If you do not set attribute <5:36> on the STDA service, the STDA service does not provide the new n-level names support.
Guidelines for Configuring N-Level Names
When you define the n-level name mappings for your LDAP for StreetTalk directory, remember the following guidelines:
N-level names exist only on the LDAP for StreetTalk server to which you added the map table attribute. N-level names do not appear in StreetTalk, STDA, or on other LDAP for StreetTalk servers. N-level names are not distributed across the network the way StreetTalk names are; StreetTalk directories on other Banyan servers will not contain the n-level name entries. To take advantage of n-level names, LDAP applications must access the server on which the n-level names are stored.
Take care to create n-level name mappings that result in a coherent LDAP directory structure, both within the existing StreetTalk portion of the DIT and in the n-level name portion of the tree. LDAP for StreetTalk does not check that the n-level name mappings result in a coherent directory structure. You must ensure that your n-level names create branches and leaf nodes that connect together. Each entry created from an n-level name mapping must have a parent entry. Each entry must be unique as well.
Your n-level names should not violate the LDAP rules for the order of attributes in a distinguished name, such as common name (cn) being subordinate to all other attributes, or location (l=) being subordinate to organizational unit (ou=). LDAP for StreetTalk does not enforce attribute order rules, but other LDAP applications may. Refer to Appendix B for more information about attribute order in LDAP.
Map only the StreetTalk group@organizations that users are likely to want to find or use. You can map as many groups as you wish, but the mapping file becomes unwieldy as it grows very large. The suggested size limit is 8 MB.
You can map and use n-level names for StreetTalk users, nicknames, and lists. You cannot map services or other StreetTalk objects such as print services or organizations.
Restrictions
Certain restrictions apply to StreetTalk names when you use n-level names. The following restrictions affect the n-level names and the mapping file you use to create them.
StreetTalk item names are limited to the Latin 1 character set.
StreetTalk item names are limited to no more than 32 characters.
To add a StreetTalk group to an LDAP database that uses n-level names, the n-level name mapping for the group must exist before you add the group. You cannot add new StreetTalk groups dynamically.
You cannot rename groups or organizations.
LDAP for StreetTalk does not check the consistency of the LDAP directory that you create when you use n-level name mappings. You must ensure that the directory structure is consistent.
The complete n-level name, including the item, mapping, and suffix portions, cannot exceed 512 bytes.
N-level names must be configured on each LDAP for StreetTalk service that requires the feature.
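The following is an added example, not Banyan code, covering both the DN derivation described under "How N-Level Names Work" and the coherence checks the guidelines and restrictions above say LDAP for StreetTalk does not perform. It parses a map file built from Examples 1-4 (constructed here in the alternating group/mapping line form), builds the DN for a StreetTalk name with and without a mapping, and reports mappings that contain cn, violate the cn < l < ou < o order, or make two groups share one container so that same-named items would collide. The list of groups, the case-insensitive matching, and the alternating-line file layout are assumptions.

```python
# Added example (not Banyan code): build LDAP for StreetTalk DNs from StreetTalk
# names using an attribute <5:36> map file, and run the coherence checks that the
# chapter says LDAP for StreetTalk itself does not perform.
# Assumptions: the map file alternates lines (group@organization, then its
# mapping); matching is case-insensitive; the attribute order checked is the
# one the chapter states (cn below everything, l below ou, ou below o).

SUFFIX = "c=us"  # LDAP for StreetTalk service suffix used in the chapter's examples

# Constructed map file text reproducing Examples 1-4 from the chapter.
MAP_FILE = """\
nesales@WCTUS
l=westboro, ou=sales, o=WCTUS
corporate sales@WCTUS
ou=sales, o=WCTUS
doc@WCTUS
l=westboro, ou=doc, o=WCTUS
sales@California
l=california, ou=sales, o=WCTUS
"""

# Constructed list of the server's StreetTalk groups; Sales@WCTUS is the unmapped
# group the chapter mentions after Figure 5-2.
ALL_GROUPS = ["nesales@WCTUS", "corporate sales@WCTUS", "doc@WCTUS",
              "sales@California", "Sales@WCTUS"]

ATTR_RANK = {"cn": 0, "l": 1, "ou": 2, "o": 3, "c": 4}  # lower = more subordinate


def split_dn(dn):
    """Split 'l=westboro, ou=sales' into its RDN strings, whitespace trimmed."""
    return [p.strip() for p in dn.split(",") if p.strip()]


def attr_types(rdns):
    return [r.split("=", 1)[0].lower() for r in rdns]


def norm(rdns):
    """Comparison key: attribute types and values matched case-insensitively."""
    return tuple(r.lower() for r in rdns)


def parse_map_file(text):
    """Return {group@organization (lowercased): [rdn, ...]} from map file text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("every group@organization line needs a mapping line after it")
    mapping = {}
    for name, target in zip(lines[0::2], lines[1::2]):
        if name.lower() in mapping:
            raise ValueError(f"duplicate mapping for {name}")
        mapping[name.lower()] = split_dn(target)
    return mapping


def container_for(group_org, mapping):
    """RDNs (below cn, above the suffix) that items of group@organization sit under."""
    if group_org.lower() in mapping:
        return list(mapping[group_org.lower()])
    group, org = group_org.split("@")
    return [f"ou={group}", f"o={org}"]  # default LDAP for StreetTalk structure


def streettalk_dn(name, mapping, suffix=SUFFIX):
    """DN for item@group@organization, with or without an n-level mapping."""
    item, group, org = name.split("@")
    return ", ".join([f"cn={item}", *container_for(f"{group}@{org}", mapping), suffix])


def check_mapping(mapping, all_groups, suffix=SUFFIX):
    """Problems LDAP for StreetTalk will not flag: cn inside a mapping, attribute
    order violations, and two groups sharing one container."""
    problems = []
    for key, rdns in mapping.items():
        if "cn" in attr_types(rdns):
            problems.append(f"{key}: mapping must not contain cn; cn is the item level")
        ranks = [ATTR_RANK[t] for t in attr_types(rdns + split_dn(suffix)) if t in ATTR_RANK]
        if ranks != sorted(ranks):
            problems.append(f"{key}: attribute order violates cn < l < ou < o < c")
    seen = {}
    for g in all_groups:
        c = norm(container_for(g, mapping))
        if c in seen:  # same-named items from both groups would land on one DN
            problems.append(f"{g} and {seen[c]} share container "
                            f"{', '.join(container_for(g, mapping))}")
        else:
            seen[c] = g
    return problems


def check_item(name, mapping, suffix=SUFFIX):
    """Restrictions from the chapter: item <= 32 chars, Latin-1 only, DN <= 512 bytes."""
    problems = []
    item = name.split("@")[0]
    if len(item) > 32:
        problems.append("item name longer than 32 characters")
    try:
        item.encode("latin-1")
    except UnicodeEncodeError:
        problems.append("item name uses characters outside Latin-1")
    if len(streettalk_dn(name, mapping, suffix).encode("latin-1", "replace")) > 512:
        problems.append("complete n-level name exceeds 512 bytes")
    return problems


if __name__ == "__main__":
    m = parse_map_file(MAP_FILE)
    print(streettalk_dn("adminlist@sales@wctus", m))   # unmapped group: default structure
    print(streettalk_dn("jsmith@nesales@WCTUS", m))    # mapped group: n-level name
    for p in check_mapping(m, ALL_GROUPS):
        print("WARNING:", p)
```

Run against the chapter's own examples, the checker reports one problem: the mapping for corporate sales@WCTUS (ou=sales, o=WCTUS) is the same container that the unmapped group Sales@WCTUS receives by default, so a user named alike in both groups would resolve to one DN. That is the kind of inconsistency the restrictions say you must catch yourself before importing the file.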
To Set STDA Attribute <5:36> On the LDAP for StreetTalk Server
To configure LDAP for StreetTalk to use n-level names, add the attribute <5:36> to the STDA service on the StreetTalk for Windows NT server that hosts the LDAP for StreetTalk service.
1. Open StreetTalk Explorer.
2. Locate and Select the StreetTalk for Windows NT server that runs LDAP for StreetTalk software.
3. Right-click the STDA service in the right pane and select Attributes.
4. Under Vendor/Attribute, type 5 in the Vendor field and 36 in the Attribute field.
5. In Open Attribute As, select String Attribute from the list.
6. Click Open. The attribute editor opens with the attribute ready for text entry.
7. Do one of the following:
If you plan to use only a few mapping entries, type the mapping entries into the attribute editor and continue to step 8. Enter your n-level name mappings as described in the section "How N-Level Names Work."
If your mapping entries list is quite large, use a text file to add the entries to the attribute. Use the procedures in "To Create the N-Level Name Mapping File" and "To Import the Mapping File into Attribute <5:36>" to add the mapping file to the attribute.
8. Click OK to save the attribute.
To Create the N-Level Name Mapping File
After you create the n-level name attribute on the STDA service, you can create a text file that contains your mapping information, and import the file into the attribute.
1. Open a text editor, such as Notepad, or MultiEdit, or Vi. Do not use a word processing program such as Microsoft Word, WordPad, or Corel WordPerfect.
2. Enter your n-level name mappings as described in the section "How N-Level Names Work."
Enter as many mapping entries as you need. It is recommended that the mapping file not exceed 8 MB. Notepad has a limit of 32 KB.
3. Save the file and close the text editor.
To Import the Mapping File into Attribute <5:36>
Once you create the mapping file, use StreetTalk Explorer to import the file in to attribute <5:36>.
1. Open StreetTalk Explorer.
2. Locate and select the StreetTalk server that hosts the LDAP service that will use n-level names.
3. Right-click the STDA service in the right pane and select Attributes from the context menu.
4. Open attribute <5:36>.
5. From the Attribute menu, select Import.
6. Locate the mapping file you created and click Open. The contents of the mapping file are copied into the attribute.
To Disable N-Level Names on the LDAP for StreetTalk Server
1. Use StreetTalk Explorer to delete attribute <5:36> from the STDA service on the LDAP for StreetTalk server.
2. Rebuild STDA. After the rebuild, n-level names are no longer created, stored, or accessible on the server.
LDAP Directory Synchronization
You can choose to synchronize your LDAP for StreetTalk directory with the LDAP directory of another LDAP directory server, such as Netscape Directory Server. By using directory synchronization, you ensure that the entries in your LDAP for StreetTalk directory match the entries in the LDAP directory of your LDAP-enabled application.
The LDAP for StreetTalk directory is the master directory. Changes to the StreetTalk directory are written to the LDAP application's directory. Changes to the LDAP application's directory are redirected to LDAP for StreetTalk, which makes the changes to the StreetTalk directory. LDAP for StreetTalk then writes the changes to the LDAP application's directory. To use directory synchronization, your LDAP directory server must have the appropriate Banyan directory synchronization option installed. Banyan designs its directory synchronization option for each LDAP directory server. Be sure to install the option that matches your LDAP directory server.
How Directory Synchronization Works
To ensure that users see the same entries in their LDAP for StreetTalk directories and in the StreetTalk-based entries in the LDAP application's directory, configure your LDAP for StreetTalk server and the LDAP directory server to support directory synchronization.
With directory synchronization enabled, each time someone changes the STDA database on the LDAP for StreetTalk server, the LDAP for StreetTalk service writes the changes to the selected LDAP application's directory. Also, each time someone tries to change an entry in the LDAP application's directory, the Banyan directory synchronization software intercepts and reviews the requested change. If the request is to change an entry in the LDAP directory that is not also an LDAP for StreetTalk entry, the directory synchronization software passes the change to the LDAP application without acting on the request.
If the user is changing an entry in the LDAP for StreetTalk subtree of the LDAP directory server's database, the directory synchronization software redirects the request to the LDAP for StreetTalk server. LDAP for StreetTalk receives the request, changes the corresponding LDAP for StreetTalk directory entry, and returns the changed entry to the LDAP application, accompanied by the authorized DN and password. Once again, the directory synchronization software reviews the request and checks the authorized DN and password. If the DN and password match the configured entries, the new entry is passed to the LDAP application's directory to change the appropriate directory entry.
For information about configuring your LDAP application to support directory synchronization, refer to the documentation for the Banyan directory synchronization option for your LDAP application.
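The following is an added example, not Banyan software, that models the write path described above so the decision points are explicit: a write outside the LDAP for StreetTalk subtree passes through, a write inside it is redirected to LDAP for StreetTalk, and the master's write-back is accepted only when it carries the configured Authorized DN and password. The subtree root, the Authorized DN, the password, the in-memory directories and the sample entries are all assumptions constructed for the example.

```python
# Added example (not Banyan's software): a model of the directory synchronization
# write path the chapter describes. Assumptions: the synchronization option is a
# function in front of the Netscape Directory Server, both directories are
# in-memory dicts, and the Authorized DN and password values are invented.
import hmac

SUBTREE = "o=WCTUS, c=us"                   # root of the LDAP for StreetTalk subtree (assumed)
AUTHORIZED_DN = "cn=stsync, o=WCTUS, c=us"  # assumed Authorized DN
AUTHORIZED_PW = "Sync1234"                  # assumed password; obeys the chapter's character rules


def dn_parts(dn):
    """Normalized RDN tuple, so 'CN=x,O=WCTUS,C=US' and 'cn=x, o=WCTUS, c=us' compare equal."""
    return tuple(p.strip().lower() for p in dn.split(",") if p.strip())


def in_subtree(dn, root):
    """True if dn is root or lies beneath it, compared RDN by RDN, not as a string suffix."""
    d, r = dn_parts(dn), dn_parts(root)
    return len(d) >= len(r) and d[-len(r):] == r


class Directory:
    """In-memory stand-in for either directory's database."""
    def __init__(self):
        self.entries = {}

    def modify(self, dn, attrs):
        self.entries.setdefault(dn_parts(dn), {}).update(attrs)
        return dict(self.entries[dn_parts(dn)])


class LdapForStreetTalk(Directory):
    """The master. After changing its own entry it writes the result back to the
    LDAP directory server, presenting the Authorized DN and password."""
    def modify_and_return(self, dn, attrs):
        entry = self.modify(dn, attrs)
        return {"dn": dn, "attrs": entry, "bind_dn": AUTHORIZED_DN, "bind_pw": AUTHORIZED_PW}


class SyncOption:
    """Models the Banyan synchronization option sitting in front of the Netscape directory."""
    def __init__(self, master, directory, subtree, auth_dn, auth_pw):
        self.master, self.directory, self.subtree = master, directory, subtree
        self.auth_dn, self.auth_pw = auth_dn, auth_pw
        self.log = []  # (decision, dn) pairs, for inspection

    def handle_write(self, dn, attrs, bind_dn, bind_pw):
        if not in_subtree(dn, self.subtree):
            self.log.append(("pass-through", dn))          # not a StreetTalk entry
            return self.directory.modify(dn, attrs)
        authorized = (dn_parts(bind_dn) == dn_parts(self.auth_dn)
                      and hmac.compare_digest(bind_pw.encode(), self.auth_pw.encode()))
        if authorized:
            self.log.append(("applied-from-master", dn))   # write coming back from the master
            return self.directory.modify(dn, attrs)
        self.log.append(("redirected-to-master", dn))      # everyone else: the master decides
        resp = self.master.modify_and_return(dn, attrs)
        return self.handle_write(resp["dn"], resp["attrs"], resp["bind_dn"], resp["bind_pw"])


def build_pair():
    """Master, Netscape-side directory, and the sync option wired between them."""
    master, netscape = LdapForStreetTalk(), Directory()
    return master, netscape, SyncOption(master, netscape, SUBTREE, AUTHORIZED_DN, AUTHORIZED_PW)


if __name__ == "__main__":
    master, netscape, sync = build_pair()
    sync.handle_write("cn=app1, ou=apps, o=Other, c=us", {"mail": "app1@example.test"},
                      "cn=admin, o=Other, c=us", "adminpw")
    sync.handle_write("CN=jsmith,OU=sales,O=WCTUS,C=US", {"telephoneNumber": "555-0100"},
                      "cn=jsmith, ou=sales, o=WCTUS, c=us", "userpw")
    for action, dn in sync.log:
        print(f"{action:22} {dn}")
```

Two points the model makes visible. First, the Authorized DN and password are the only thing that distinguishes the master's write-back from any other write into the subtree, so whoever holds them can write StreetTalk entries directly into the Netscape side without the master ever seeing the change; treat them as a service credential. Second, the subtree test compares normalized RDNs rather than raw strings, because the same DN arrives from different clients with different spacing and case; a plain string-suffix check would let such a write slip past the redirect.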
Guidelines for Configuring Directory Synchronization
When you are deciding whether to use directory synchronization between your LDAP for StreetTalk directory and an LDAP directory for another application or server, consider the following guidelines:
Directory synchronization works only with LDAP applications for which Banyan directory synchronization options are available.
You can synchronize directories between one LDAP for StreetTalk service and one LDAP directory residing on one server. To use directory synchronization between a second LDAP for StreetTalk service and another LDAP directory, configure directory synchronization on the second LDAP for StreetTalk service and the second LDAP application as a pair.
LDAP for StreetTalk and the LDAP directory server do not share data about services on the LDAP for StreetTalk server. Only user names, lists, and nicknames are shared between the directories.
LDAP for StreetTalk does not support Secure Sockets Layer (SSL). Synchronization traffic, including the Authorized DN and password that accompany every write to the LDAP for StreetTalk subtree, therefore crosses the network unencrypted. Restrict the network path between the two servers to the hosts that need it.
Configuring Directory Synchronization
You must configure both the LDAP for StreetTalk server and the LDAP directory server to support directory synchronization. You can complete the configurations in any order.
To Install the Banyan Directory Synchronization Option on an LDAP Directory Server
Contact your Banyan sales representative for information about getting the Banyan synchronization option for your LDAP directory server. Banyan designs its directory synchronization option for each LDAP directory server. Be sure to install the option that matches your LDAP application.
To Configure the Directory Synchronization Option on an LDAP Directory Server
You must configure directory synchronization on the LDAP for StreetTalk service and on the LDAP directory server. To learn more about configuring directory synchronization on the LDAP directory server, refer to the documentation you received with the LDAP application and to the documentation you received with the Banyan directory synchronization option for the LDAP application.
To Configure the Directory Synchronization Option on an LDAP for StreetTalk Server
1. Open LDAP Configuration Manager on the server that will be using directory synchronization.
Use LDAP Configuration Manager on the StreetTalk for Windows NT server, that is, locally, to configure directory synchronization. You cannot use LDAP Configuration Manager across your network to configure directory synchronization.
2. Click the Directory Synchronization tab.
3. Click Netscape.
4. Select the Enable synchronization check box.
5. Enter the Netscape Directory Server configuration information under Netscape Server Configuration.
The Netscape Directory Server must include the Banyan directory synchronization option. Configure the Netscape Directory Server directory synchronization option to synchronize with this LDAP for StreetTalk service. Refer to the documentation you received with the LDAP directory server application, and to the documentation you received with the Banyan directory synchronization option for the Netscape Directory Server for more information about configuring your Netscape Directory Server. You must configure the Netscape Directory Server as well as the LDAP for StreetTalk server before you can use directory synchronization.
6. Enter the Netscape Directory Server IP address or DNS name to synchronize with the LDAP for StreetTalk directory on this server.
7. Enter the port number. The number you enter must match the port configured on the Netscape Directory Server. Generally, LDAP services use port number 389. Changing the port number may affect the operation of other LDAP applications such as Web browsers.
8. Enter the LDAP distinguished name for the root of the LDAP for StreetTalk directory subtree in the Netscape Directory Server LDAP directory. For more information about distinguished names and LDAP directories, refer to Appendix B, Directory Concepts.
9. Enter the distinguished name (the Authorized DN) that is authorized to make changes to the LDAP for StreetTalk directory portion of the Netscape Directory Server.
10. Enter a password to be used in combination with the Authorized DN to allow changes to the LDAP for StreetTalk portion of the LDAP directory on the Netscape Directory Server. Requests to add, modify, or delete entries in the LDAP for StreetTalk portion of the Netscape LDAP directory must be accompanied by the authorized DN and the password you enter.
The password can be 1 to 31 alphanumeric characters long. Do not use spaces in the password and do not use [ ] * : + | or ".
11. Re-enter the password to verify that you entered the password correctly.
12. Click OK.
13. Close LDAP Configuration Manager.
14. Reboot the Windows NT server.
Note
You must reboot the Windows NT server that hosts the LDAP for StreetTalk service for directory synchronization to take effect.
To Run Directory Synchronization
When you run directory synchronization, all changes that have been made to the LDAP for StreetTalk database are replicated to the LDAP for StreetTalk subtree of the Netscape Directory Server's database. There are two ways to synchronize the databases on demand:
1. Rebuild STDA on the LDAP for StreetTalk server. Rebuilding STDA writes all directory entries to the LDAP database, and replicates the LDAP database entries to the Netscape Directory Server database.
2. Run the STNSSync application (STNSSYNC.EXE) in the Support\Tools directory on the LDAP for StreetTalk server. STNSSync searches the LDAP for StreetTalk directory for new entries and writes the new entries and their attributes to the Netscape Directory Server database. For more information, refer to Banyan Directory Synchronization for Netscape Guide.
Subsequent changes to the LDAP for StreetTalk directory, made through STDA builds or LDAP for StreetTalk database modifications, are replicated to the Netscape Directory Server automatically.
To Disable Directory Synchronization
1. Click the Directory Synchronization tab.
2. Click Netscape.
3. Clear the Enable synchronization check box. Your LDAP for StreetTalk and Netscape Directory Server databases will no longer be synchronized by the LDAP for StreetTalk service.
4. Reboot the Windows NT server.
Note
You must reboot the Windows NT server that hosts the LDAP for StreetTalk service to disable directory synchronization.
5. Disable directory synchronization on the Netscape Directory Server as well.