
Chapter 2 - Configuring Banyan LDAP for StreetTalk Service

Configuring Directory Synchronization

You must configure both the LDAP for StreetTalk service and the NSDS to support directory synchronization. You can complete the configurations in any order. To learn more about configuring directory synchronization on the Netscape directory server, refer to the section "Overview of Banyan Directory Synchronization" in this guide.

To Configure Directory Synchronization on Banyan LDAP for StreetTalk Services

1. Open LDAP Configuration Manager on the server that will be using directory synchronization.

2. Click the Directory Synchronization tab.

3. Click Netscape.

4. Select the Enable synchronization check box.

5. Enter the Netscape Directory Server configuration information under Netscape Server Configuration.

The Netscape Directory Server must include the Banyan directory synchronization option. Configure the Netscape Directory Server directory synchronization option to synchronize with this LDAP for StreetTalk service. You must configure the Netscape Directory Server as well as the LDAP for StreetTalk server before you can use directory synchronization.

6. Enter the Netscape Directory Server IP address or DNS name to synchronize with the LDAP for StreetTalk directory on this server.

7. Enter the port number. The number you enter must match the port configured on the Netscape Directory Server. LDAP services generally use port 389. Note that port 389 carries LDAP without encryption: the Authorized DN and password you enter in steps 9 and 10 are sent to the Netscape server as a simple bind in cleartext, so keep the two servers on a network segment you trust.

8. Enter the LDAP distinguished name for the root of the LDAP for StreetTalk directory subtree in the Netscape Directory Server directory (the Subtree DN you enter when you configure the NSDS). For more information about distinguished names and LDAP directories, refer to Appendix B, Directory Concepts, in LDAP for StreetTalk Administrator's Guide in your Banyan documentation.

9. Enter the distinguished name (the Authorized DN on NSDS) that is authorized to make changes to the LDAP for StreetTalk portion of the Netscape Directory Server directory. Use a DN created for synchronization whose write access is limited to the StreetTalk subtree rather than the Netscape Directory Manager account; if the password is exposed, only that subtree is at risk.

10. Enter a password to be used in combination with the Authorized DN to allow changes to the LDAP for StreetTalk portion of the LDAP directory on the Netscape Directory Server. Requests to add, modify, or delete entries in the LDAP for StreetTalk portion of the Netscape directory server directory must be accompanied by the authorized DN and the password you enter.

The password can be 1 to 31 lower-case alphanumeric characters. Do not use spaces, and do not use the characters [ ] * : + | or ". Because the allowed character set is small, use the full 31 characters and do not reuse a password from another account.

11. Re-enter the password to verify that you entered the password correctly.

12. Click OK.

13. Close LDAP Configuration Manager.

14. Use StreetTalk Explorer to stop and restart the LDAP for StreetTalk service for the configuration changes to take effect.
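Before enabling synchronization, it is worth confirming from the LDAP for StreetTalk server that the host, port, Authorized DN and password from steps 6 to 10 actually bind to the Netscape server. The following Python probe is an added example, not a Banyan or Netscape tool: it hand-encodes an LDAPv3 simple BindRequest in BER (RFC 2251), sends it over plain TCP, and decodes the BindResponse result code with names taken from Table 4 of this page. The host name, DN and password in the block are placeholders to replace. It also makes visible that a simple bind on port 389 carries the password verbatim on the wire.

```python
"""LDAPv3 simple-bind probe for a Netscape Directory Server (added example, not product code).

Encodes the BindRequest by hand in BER (RFC 2251) so no LDAP library is needed,
and decodes the BindResponse result code using names from Table 4 of this page.
Host, port, DN and password in __main__ are placeholders.
"""
import socket

# Subset of Table 4 that a bind can return (server-side result codes).
RESULT_NAMES = {
    0: "LDAP_SUCCESS", 2: "LDAP_PROTOCOL_ERROR", 7: "LDAP_AUTH_METHOD_NOT_SUPPORTED",
    8: "LDAP_STRONG_AUTH_REQUIRED", 13: "LDAP_CONFIDENTIALITY_REQUIRED",
    32: "LDAP_NO_SUCH_OBJECT", 34: "LDAP_INVALID_DN_SYNTAX", 48: "LDAP_INAPPROPRIATE_AUTH",
    49: "LDAP_INVALID_CREDENTIALS", 50: "LDAP_INSUFFICIENT_ACCESS", 53: "LDAP_UNWILLING_TO_PERFORM",
}


def ber_len(n):
    """BER length octets: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(n):
    """INTEGER, two's complement, minimal length."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    The password is a plain OCTET STRING: without TLS it crosses the wire exactly as typed."""
    op = tlv(0x60,                                  # [APPLICATION 0] BindRequest
             ber_int(3)                             # version
             + tlv(0x04, dn.encode())               # name (LDAPDN)
             + tlv(0x80, password.encode()))        # authentication: simple [0]
    return tlv(0x30, ber_int(msg_id) + op)          # LDAPMessage SEQUENCE


def read_tlv(buf, pos):
    """Decode one element at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:                                   # long-form length
        count = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + ln], pos + ln


def parse_bind_response(buf):
    """Return (messageID, resultCode, errorMessage) from an LDAPMessage holding a BindResponse."""
    tag, msg, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, mid, p = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, p)
    if tag != 0x61:                                 # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, rc, p = read_tlv(op, 0)                      # resultCode ENUMERATED
    _, _matched_dn, p = read_tlv(op, p)             # matchedDN
    _, err, _ = read_tlv(op, p)                     # errorMessage
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(rc, "big"),
            err.decode("utf-8", errors="replace"))


def probe(host, port, dn, password, timeout=5.0):
    """Send one simple bind over plain TCP; return (code, Table 4 name, server message)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, dn, password))
        reply = s.recv(4096)
    _, code, message = parse_bind_response(reply)
    return code, RESULT_NAMES.get(code, "0x%02x" % code), message


if __name__ == "__main__":
    # Placeholders: Netscape host/port (steps 6-7) and Authorized DN/password (steps 9-10).
    print(probe("nsds.example.com", 389, "cn=stsync,o=example", "changeme"))
```

A result of 49 (LDAP_INVALID_CREDENTIALS) means the DN or password is wrong. A result of 0 only proves that the bind works; write access to the subtree is first exercised by the initial synchronization run, where an LDAP_INSUFFICIENT_ACCESS (0x32) in the STNSSync Ret column points at the Authorized DN's access rights on the Netscape server.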

To Run Directory Synchronization

When you run directory synchronization, all changes that have been made to the LDAP for StreetTalk database are replicated to the LDAP for StreetTalk subtree of the Netscape Directory Server's database. There are two ways to synchronize the databases on demand:

1. Rebuild STDA on the LDAP for StreetTalk server. Rebuilding STDA writes all directory entries to the LDAP database, and replicates the LDAP database entries to the Netscape Directory Server database.

2. Run the STNSSync application (STNSSYNC.EXE) in the Support\Tools directory on the LDAP for StreetTalk server. STNSSync.exe uses LDAP to read the entries from an LDAP for StreetTalk server, reformats the entries for Netscape Directory Server and writes the entries to the Netscape server.

Subsequent changes to the LDAP for StreetTalk directory, made through STDA builds or LDAP for StreetTalk database modifications, are replicated to the Netscape Directory Server automatically.

To Disable Directory Synchronization

1. Click the Directory Synchronization tab.

2. Click Netscape.

3. Clear the Enable synchronization check box. Your LDAP for StreetTalk and Netscape Directory Server databases will no longer be synchronized by the LDAP for StreetTalk service.

4. Use StreetTalk Explorer to stop and restart the LDAP for StreetTalk service for the configuration change to take effect.

5. Disable directory synchronization on the Netscape Directory Server as well.

Registry Key Configuration Options

There are several optional registry keys you can add on the LDAP for StreetTalk server to control how Banyan Directory Synchronization operates:

HKLM\SOFTWARE\Banyan Applications\LDAP\Administration\NSSyncUserObjectclass
Determines which object class attributes are allowed in user synchronization requests.
 
HKLM\SOFTWARE\Banyan Applications\LDAP\Administration\NSSyncListObjectclass
Determines which object class attributes are allowed in list synchronization requests.
  
HKLM\SOFTWARE\Banyan Applications\LDAP\Administration\NSSyncTypes
Determines whether directory synchronization sends StreetTalk users, lists, or both to the Netscape server for synchronization.
  
HKLM\SOFTWARE\Banyan Applications\LDAP\Administration\NSSyncDebugFile
Enables logging of synchronization activity on the LDAP for StreetTalk server.

Schema Checking and Registry Keys NSSyncUserObjectclass and NSSyncListObjectclass

StreetTalk user entries that you add to Banyan LDAP for StreetTalk are synchronized to Netscape Directory Server as object class inetOrgPerson; new StreetTalk list entries are synchronized as object class groupOfNames. With schema checking enabled on the Netscape server, a synchronization request that carries an attribute outside these object classes is rejected as an object class violation (LDAP_OBJECT_CLASS_VIOLATION, 0x41 in Table 4). You can limit STDA attribute collection to the allowed attributes so that synchronization requests are not rejected.

The StreetTalk vendor/attribute pairs for allowed attributes in object class inetOrgPerson are listed in Table 1.

The vendor/attribute pairs for allowed attributes in object class groupOfNames are listed in Table 2.

Some attributes are collected regardless of STDA configuration; these attributes are listed in Table 3.

If you cannot change the STDA attribute collection settings, assign object classes as values to the registry keys NSSyncUserObjectclass and NSSyncListObjectclass. On startup, Banyan Directory Synchronization reads the attribute definitions of the assigned object classes from the Netscape Directory Server and sends only modifications whose attributes belong to those object classes. For example, if NSSyncUserObjectclass is set to "inetOrgPerson", collected attributes are checked against the attributes allowed in inetOrgPerson before being added to a modification request; attributes outside that set are left out rather than causing the whole request to fail.

Table 1: Allowed Attributes for Object Class inetOrgPerson (V:A is the StreetTalk vendor:attribute number)

Attribute                    V:A
audio                        0:4097
businessCategory             0:4007
carLicense                   0:4216
cn                           0:4001
departmentNumber             0:4217
description                  0:1
destinationIndicator         0:4013
employeeNumber               0:4218
employeeType                 0:4219
facsimileTelephoneNumber     0:113
givenName                    0:4109
homePhone                    0:4075
homePostalAddress            0:4082
initials                     0:4110
internationaliSDNNumber      0:4011
jpegPhoto                    0:4099
l                            0:4003
labeledURI                   0:4220
mail                         0:4062
manager                      0:4069
mobile                       0:4084
objectClass                  0:4000
ou                           0:4005
pager                        0:4085
photo                        0:4066
physicalDeliveryOfficeName   0:4009
postalAddress                0:4008
postalCode                   0:110
postOfficeBox                0:105
preferredDeliveryMethod      0:4014
preferredLanguage            0:4231
registeredAddress            0:4012
roomNumber                   0:4065
secretary                    0:4076
seeAlso                      0:4019
sn                           0:4002
st                           0:108
street                       0:106
telephoneNumber              0:111
telexNumber                  0:115
telexTerminalIdentifier      0:116
title                        0:101
uid                          0:4060
userCertificate              0:4104
userMimeCertificate          0:4232
userPassword                 0:4103
userPKCS12                   0:4272
x121Address                  0:4010
x500uniqueIdentifier         0:4112

Table 2: Allowed Attributes for Object Class groupOfNames

Attribute V:A #
businessCategory 0:4007
cn 0:4001
description 0:1
objectClass 0:4000
ou 0:4005
seeAlso 0:4019

Table 3: Attributes Collected for Banyan LDAP for StreetTalk Classes (givenName, mail and sn apply to users only; they are not groupOfNames attributes, see Table 2)

LDAP Attribute    StreetTalk Class
cn                User, List
description       User, List
givenName         User
mail              User
objectClass       User, List
sn                User

Banyan Directory Synchronization adds user entries as objectClass = {top,person,organizationalPerson,inetOrgPerson}. Banyan Directory Synchronization ensures that each user entry contains the object class inetOrgPerson, a cn attribute, and an sn attribute. If the user entry does not have a cn attribute, the cn from the entry's DN is added to the modification request. If the user entry does not have an sn attribute, Banyan Directory Synchronization creates one from the cn of the entry's DN. If the cn includes one or more spaces, the sn is the string that follows the first space. Otherwise the sn and cn are the same.

Banyan Directory Synchronization adds list entries as objectClass = {top,groupOfNames}. Banyan Directory Synchronization ensures that each entry contains the object class groupOfNames and a cn attribute. If the list does not have a cn attribute, the cn from the entry's DN is added to the modification request.

Limiting Synchronization Types and Registry Key NSSyncTypes

By default, synchronization sends both StreetTalk user and list entries to Netscape. To customize the types sent, create the registry key NSSyncTypes with a string value containing u to synchronize users, l to synchronize lists, or both letters to synchronize users and lists. If the key exists but contains neither u nor l, no entries are synchronized.
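To make the schema filtering, the cn/sn defaulting and the NSSyncTypes selection concrete, the following Python model is an added example (not Banyan's code) of how one StreetTalk entry is shaped into a Netscape add or modify request. The allowed-attribute sets are those of Tables 1 and 2, the objectClass values and the cn/sn rules follow the text above, and the DNs and attribute dictionaries are constructed samples; the product's own internal function names are not known and the names here are the example's own.

```python
"""Model of Banyan Directory Synchronization's entry shaping (added example, not product code).

Allowed-attribute sets are those of Tables 1 and 2; the objectClass values, the
cn/sn defaulting rules and the NSSyncTypes semantics follow the text above.
Function and variable names are the example's own.
"""
import re

INETORGPERSON_ATTRS = frozenset(a.lower() for a in """
    audio businessCategory carLicense cn departmentNumber description
    destinationIndicator employeeNumber employeeType facsimileTelephoneNumber
    givenName homePhone homePostalAddress initials internationaliSDNNumber
    jpegPhoto l labeledURI mail manager mobile objectClass ou pager photo
    physicalDeliveryOfficeName postalAddress postalCode postOfficeBox
    preferredDeliveryMethod preferredLanguage registeredAddress roomNumber
    secretary seeAlso sn st street telephoneNumber telexNumber
    telexTerminalIdentifier title uid userCertificate userMimeCertificate
    userPassword userPKCS12 x121Address x500uniqueIdentifier""".split())

GROUPOFNAMES_ATTRS = frozenset(
    a.lower() for a in "businessCategory cn description objectClass ou seeAlso".split())

USER_CLASSES = ["top", "person", "organizationalPerson", "inetOrgPerson"]
LIST_CLASSES = ["top", "groupOfNames"]


def parse_sync_types(value):
    """NSSyncTypes: key absent (None) means users and lists; present but without
    'u' or 'l' means nothing is synchronized."""
    if value is None:
        return {"user", "list"}
    v = value.lower()
    return ({"user"} if "u" in v else set()) | ({"list"} if "l" in v else set())


def rdn_cn(dn):
    """Value of the leading cn= RDN of a DN, or None if the RDN is not cn."""
    m = re.match(r"\s*cn=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).strip() if m else None


def sn_from_cn(cn):
    """sn is the text after the first space in cn; with no space, sn equals cn."""
    return cn.split(" ", 1)[1] if " " in cn else cn


def _get(attrs, name):
    """Case-insensitive attribute lookup, since LDAP attribute names are."""
    for k, v in attrs.items():
        if k.lower() == name.lower():
            return v
    return None


def build_request(dn, kind, attrs, sync_types=None):
    """Shape one StreetTalk entry ('user' or 'list') for Netscape.

    attrs maps attribute name -> list of values as collected by STDA.
    Returns (dn, attrs_to_send), or None when NSSyncTypes excludes this kind.
    """
    if kind not in ("user", "list"):
        raise ValueError("kind must be 'user' or 'list'")
    if kind not in parse_sync_types(sync_types):
        return None
    allowed = INETORGPERSON_ATTRS if kind == "user" else GROUPOFNAMES_ATTRS
    # Client-side schema check: anything outside the target object class would
    # be refused by the server with LDAP_OBJECT_CLASS_VIOLATION (0x41).
    out = {k: list(v) for k, v in attrs.items()
           if k.lower() in allowed and k.lower() != "objectclass"}
    out["objectClass"] = list(USER_CLASSES if kind == "user" else LIST_CLASSES)
    cn = rdn_cn(dn)
    if not _get(out, "cn"):
        if cn is None:
            raise ValueError("entry has no cn attribute and its RDN is not cn=: " + dn)
        out["cn"] = [cn]
    if kind == "user" and not _get(out, "sn"):
        if cn is None:
            raise ValueError("cannot derive sn because the RDN is not cn=: " + dn)
        out["sn"] = [sn_from_cn(cn)]
    return dn, out


if __name__ == "__main__":
    # Constructed sample: stRouting stands in for a StreetTalk attribute outside inetOrgPerson.
    print(build_request("cn=Jane Doe,ou=Sales,o=Banyan", "user",
                        {"mail": ["jdoe@example.com"], "stRouting": ["x"]}))
```

The check is deliberately case-insensitive on attribute names and drops the non-schema attribute instead of failing the request, which is the behaviour the registry keys are there to achieve when STDA collection cannot be narrowed.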

Logging Activity and Registry Key NSSyncDebugFile

Simple logging of synchronization activity is available by entering a full path and file name in the registry key NSSyncDebugFile. Debug output is turned on whenever the key contains a valid path and file name; the file is created if it does not exist, and as a precaution logging stops if the file grows to 10 MB. Use the debug file only when you need to monitor Banyan Directory Synchronization closely on the Banyan LDAP for StreetTalk server, and remove the key afterwards; because the file records the directory entries being synchronized, place it on a path that only administrators can read. Information is also available in the STDA and Banyan LDAP for StreetTalk log files, and in the Netscape Directory Server access and error logs.

Initial Synchronization of the Databases

Once Banyan Directory Synchronization is enabled on the Banyan LDAP and Netscape servers, subsequent database modifications are synchronized automatically. The initial synchronization of the entire Banyan LDAP database is performed either by rebuilding the STDA database or by running the STNSSync.exe application. When you rebuild STDA, StreetTalk entries are written to the Banyan LDAP for StreetTalk database, and the entries are replicated to the Netscape Directory Server.

To synchronize the directories immediately without rebuilding STDA, run STNSSync.exe (in the Support\Tools directory, see "To Run Directory Synchronization") on the LDAP for StreetTalk server. STNSSync.exe uses LDAP to read the entries from the LDAP for StreetTalk server, reformats them for Netscape Directory Server, and writes them to the Netscape server. STNSSync.exe reads the local configuration of the Banyan LDAP for StreetTalk server.

To change the configuration, click "Setup". When ready, click "Synchronize". Each entry read by STNSSync.exe and written to Netscape (successfully or unsuccessfully) appears in the list box. Entries that could not be written to Netscape appear in red in the list. The "Entry" column displays the Netscape DN of each entry. If STNSSync.exe cannot write an entry to NSDS, the "Ret" column in the list displays an LDAP error code in hexadecimal format for the entry.

Synchronization errors are also written to the log files. You can cancel synchronization at any time; entries synchronized before cancellation remain on the Netscape Directory Server. When STNSSync finishes, a message box reports the number of entries read from LDAP for StreetTalk and the number written to Netscape Directory Server. For each entry that was read but not written to NSDS, review the log files to find the LDAP error code and the cause of the write error, correct the condition, and rerun STNSSync.exe. Table 4 lists the LDAP error codes. Codes up to 0x50 are result codes returned by the Netscape server (defined in RFC 1777 for LDAPv2 and RFC 2251 for LDAPv3). Codes from 0x51 upward are generated by the LDAP client library on the LDAP for StreetTalk server rather than returned by Netscape; LDAP_SERVER_DOWN (0x51), LDAP_TIMEOUT (0x55) and LDAP_CONNECT_ERROR (0x5b) in particular point at connectivity or the port setting rather than at the entry.

Table 4. Error Codes for LDAP Directory Operations

Description Error Code (Hexadecimal) Error Code (Decimal)
LDAP_SUCCESS 0x00 0
LDAP_OPERATIONS_ERROR 0x01 1
LDAP_PROTOCOL_ERROR 0x02 2
LDAP_TIMELIMIT_EXCEEDED 0x03 3
LDAP_SIZELIMIT_EXCEEDED 0x04 4
LDAP_COMPARE_FALSE 0x05 5
LDAP_COMPARE_TRUE 0x06 6
LDAP_AUTH_METHOD_NOT_SUPPORTED 0x07 7
LDAP_STRONG_AUTH_NOT_SUPPORTED 0x07 7
LDAP_STRONG_AUTH_REQUIRED 0x08 8
LDAP_PARTIAL_RESULTS 0x09 9
LDAP_REFERRAL 0x0a 10
LDAP_ADMINLIMIT_EXCEEDED 0x0b 11
LDAP_UNAVAILABLE_CRITICAL_EXTENSION 0x0c 12
LDAP_CONFIDENTIALITY_REQUIRED 0x0d 13
LDAP_SASL_BIND_IN_PROGRESS 0x0e 14
LDAP_NO_SUCH_ATTRIBUTE 0x10 16
LDAP_UNDEFINED_TYPE 0x11 17
LDAP_INAPPROPRIATE_MATCHING 0x12 18
LDAP_CONSTRAINT_VIOLATION 0x13 19
LDAP_TYPE_OR_VALUE_EXISTS 0x14 20
LDAP_INVALID_SYNTAX 0x15 21
LDAP_NO_SUCH_OBJECT 0x20 32
LDAP_ALIAS_PROBLEM 0x21 33
LDAP_INVALID_DN_SYNTAX 0x22 34
LDAP_IS_LEAF 0x23 35
LDAP_ALIAS_DEREF_PROBLEM 0x24 36
LDAP_INAPPROPRIATE_AUTH 0x30 48
LDAP_INVALID_CREDENTIALS 0x31 49
LDAP_INSUFFICIENT_ACCESS 0x32 50
LDAP_BUSY 0x33 51
LDAP_UNAVAILABLE 0x34 52
LDAP_UNWILLING_TO_PERFORM 0x35 53
LDAP_LOOP_DETECT 0x36 54
LDAP_SORT_CONTROL_MISSING 0x3c 60
LDAP_INDEX_RANGE_ERROR 0x3d 61
LDAP_NAMING_VIOLATION 0x40 64
LDAP_OBJECT_CLASS_VIOLATION 0x41 65
LDAP_NOT_ALLOWED_ON_NONLEAF 0x42 66
LDAP_NOT_ALLOWED_ON_RDN 0x43 67
LDAP_ALREADY_EXISTS 0x44 68
LDAP_NO_OBJECT_CLASS_MODS 0x45 69
LDAP_RESULTS_TOO_LARGE 0x46 70
LDAP_AFFECTS_MULTIPLE_DSAS 0x47 71
LDAP_OTHER 0x50 80
LDAP_SERVER_DOWN 0x51 81
LDAP_LOCAL_ERROR 0x52 82
LDAP_ENCODING_ERROR 0x53 83
LDAP_DECODING_ERROR 0x54 84
LDAP_TIMEOUT 0x55 85
LDAP_AUTH_UNKNOWN 0x56 86
LDAP_FILTER_ERROR 0x57 87
LDAP_USER_CANCELLED 0x58 88
LDAP_PARAM_ERROR 0x59 89
LDAP_NO_MEMORY 0x5a 90
LDAP_CONNECT_ERROR 0x5b 91
LDAP_NOT_SUPPORTED 0x5c 92
LDAP_CONTROL_NOT_FOUND 0x5d 93
LDAP_NO_RESULTS_RETURNED 0x5e 94
LDAP_MORE_RESULTS_TO_RETURN 0x5f 95
LDAP_CLIENT_LOOP 0x60 96
LDAP_REFERRAL_LIMIT_EXCEEDED 0x61 97
