
Chapter 2 - Configuring LDAP for StreetTalk Services

This chapter describes how to configure the LDAP for StreetTalk service. To configure LDAP, you:

Use LDAP Configuration Manager to select appropriate configuration settings for your service: service settings, Access Control List (ACL) configuration, logging options, and referrals
Use StreetTalk Explorer to configure and rebuild STDA
Use StreetTalk Explorer to restart the LDAP for StreetTalk service on the host server
Use LDAP command line tools to manage entries in the LDAP database

You install LDAP Configuration Manager when you install the LDAP for StreetTalk software.

Configuration Roadmap

Configuring LDAP for StreetTalk software involves using LDAP Configuration Manager to:

Load the LDAP configuration files.
Specify a suffix, so you can access the StreetTalk for Windows NT LDAP database through LDAP.
Specify additional LDAP options to meet the needs of your site.
Configure the Access Control List.

Use StreetTalk Explorer to configure STDA to support LDAP. Refer to "STDA Configuration Guidelines" in Chapter 1 for more information about configuring STDA to support LDAP for StreetTalk.

Before You Begin

LDAP for StreetTalk Installation Guide details the requirements and prerequisites for installing the LDAP for StreetTalk software. Read the installation guide before you use LDAP Configuration Manager to configure and manage your LDAP for StreetTalk service.

You must have an STDA service installed on the StreetTalk for NT server where you install LDAP for StreetTalk.

You install, create, and start the LDAP for StreetTalk service after you install StreetTalk for Windows NT. Refer to your StreetTalk for Windows NT documentation for information about installing StreetTalk for Windows NT software.

If STDA is running, the installation stops the StreetTalk Name Collector and StreetTalk Directory Assistance services before installing LDAP for StreetTalk software.

LDAP Configuration Manager

LDAP Configuration Manager is a management tool you use to modify LDAP schema. This section describes how to use the LDAP Configuration Manager to configure your LDAP for StreetTalk service. You can create a shortcut for the LDAP Configuration Manager on your desktop.

After you install LDAP for StreetTalk software, you use LDAP Configuration Manager to set the path to your configuration files and select the directory suffix for the service.

Other configuration options are already set to reasonable default values. Modify only those items that define site-specific information. Add additional options only if you need them.

Using LDAP Configuration Manager

This section provides an overview of using LDAP Configuration Manager to configure your LDAP service. Refer to the LDAP Configuration Manager online help files for details about how to perform a particular operation. To access online help, click Help on the menu bar and select Help Topics to start the online help system or right-click the item of interest in the dialog box and select What's This? to get help about the option.

Configuring the Service

When you start LDAP Configuration Manager, the Open LDAP Configuration File dialog box, shown in Figure 2-1, asks you to select the type of configuration you want to do: local or remote.

Figure 2-1. Open LDAP Configuration Files Dialog Box

You first select the configuration type. The Open LDAP Configuration dialog box provides two configuration options:

Local File - Loads LDAP configuration files for the local LDAP for StreetTalk server.

When you load the configuration files for an LDAP for StreetTalk system, you set the path to the local configuration files. LDAP configuration files reside in the DATA\LDAP\CONFIG subdirectory of the StreetTalk for Windows NT installation root directory.

Remote file - Loads LDAP configuration files for a remote LDAP for StreetTalk server on your network.

Remote file, or Network Configuration, lets you configure other LDAP servers on the network by modifying their LDAP configuration files. You must enter your StreetTalk username and password, and be a member of the StreetTalk AdminList for the other server, to access that server's configuration files and make changes.

To Load the Local Configuration Files

1. Select the Local file radio button and click OK.

2. Set the path to the file ldap.cnf. Click the Browse button if needed to locate the file.

3. Select the file ldap.cnf and click Open.

To Load Configuration Files From a Remote LDAP Server

1. Select the Remote file radio button and click OK.

2. From the Servers Providing LDAP Server List, select a server name or IP address.

3. Click Server List.

4. In the LDAP Server List on the Select LDAP Server dialog box shown in Figure 2-2, select an LDAP server to manage and click Select.

If LDAP Configuration Manager is already running, select Network Services from the Configure menu, and continue from step 2 above.

Figure 2-2. Select LDAP Server Dialog Box

The first time you select Network configuration, you must select a default server that can provide a list of available LDAP servers. You see a message telling you to select a default server and then the dialog box in Figure 2-2.

To designate a server to provide a list of LDAP servers on your network, click Edit and you see Figure 2-3.

Figure 2-3. LDAP Server Providing List of Known LDAP Servers Dialog Box

Note: By default, LDAP uses port number 389. Banyan does not recommend changing the port number. Most LDAP clients expect the service to listen on port number 389 and cannot connect if you change the port.

Enter the Windows NT Server DNS name or IP address, and the LDAP suffix of the LDAP service that can provide a list of known LDAP servers. You can enter your current server or any LDAP server on the network whose STDA collects the labeledURI information. Click Add and the server information appears in the lower window. Click OK to close the dialog box, or repeat the preceding steps to add more servers.

The buttons on the LDAP Server Providing List of Known LDAP Servers dialog box (Figure 2-3) do the following:

Add - Adds information from the LDAP Server text windows to the lower window for selection.
Modify - Lets you change selected information in the lower window by editing the information in LDAP Server options. You click Modify after making the edits.
Delete - Deletes a selected server from the lower window. You cannot delete the last server but you can modify the server's information.
Clear - Clears the information from the LDAP Server options: the DNS name or IP address, port number, and LDAP suffix.

Setting Service Control Options

Use entries on the Service Control page, Figure 2-4, to configure LDAP service access parameters.

Figure 2-4. Service Control Page

The Service Control page includes the following configuration options:

Suffix - Configures the LDAP for StreetTalk directory suffix string. The suffix string defines the location of this server's LDAP service within the global LDAP directory information tree. The suffix string is a comma-separated list of values beginning with the lowest LDAP entry and ending with the highest.

Set the suffix to suit the needs of your organization. In general, your organization name should appear subordinate to the country (c=) level, for example, o=yourOrg, c=yourCountry. Refer to "LDAP for StreetTalk and StreetTalk Directory Tree Structure" in Chapter 1 for additional information about how the LDAP hierarchy maps to StreetTalk for Windows NT.

Default Database Access - configures user access to the database. LDAP uses the default access setting when the Access Control List does not contain an entry that applies to the request. Access can be:

None - Allows no access.

Compare - Allows the client to perform the LDAP compare operation to determine whether an entry has a certain attribute value or values. The operation returns True if the value is found and False if it is not.

Read - Allows compare and search operations.

Write - Allows modify operations on entries and attributes in the LDAP directory, including adding and deleting entries.

Higher levels of access, for example, Read, include lower levels, such as Compare.

Search Time Limit - Specifies the maximum time, in seconds, that the LDAP for StreetTalk service spends responding to a search request. The range is 0 to 3600 seconds (1 hour). By default, the field is left blank, meaning searches are unrestricted and have no time limit. A value of 0 is equivalent to a blank: no time limit.

Maximum Search Entries - Specifies the maximum number of entries returned from an LDAP for StreetTalk search operation. The range is from 0 to 32000 entries. The default number of entries is 90, meaning a maximum of 90 entries is returned by a search. You can enter a value of 0, which is equivalent to a blank, meaning no limit to the number of entries returned.

Maximum Connections - Specifies the maximum number of connections that can be made to an LDAP server at the same time. The range is from 1 to 1000 simultaneous connections. The default is 100 connections.

Note: Clients open a new connection each time they request an LDAP operation such as search or compare. A client that issues three LDAP search requests opens three connections.

Alternate LDAP server - Specifies an LDAP server name that clients save and use when the current server is not available.

Default group server - Specifies a Banyan server to host new groups. LDAP does not include the concept of associating groups with servers, but StreetTalk does. If Default group server is not specified, new groups are created on the server hosting the LDAP service.

To override the default group server setting when you create a new group, specify the attribute destinationIndicator with value StreetTalk server name.

Setting Access Controls

As shown in Figure 2-4, the Service Control page includes a button for performing Access Control List (ACL) configuration tasks.

Figure 2-5. Access Control List Dialog Box

The Access Control List dialog box includes the following options for setting access rights:

Access To - Lists LDAP entries to which access is being granted for the new ACL entry. Three radio buttons govern the entries that appear in the Access To list: DN (used with the text box to enter a DN), Attribute (used with the Attributes List), and All.

Attributes List - Lists all the attributes configured for the LDAP service. Used in conjunction with the Attribute radio button to grant access to selected attributes.

Access By - Lists the users that are being granted access to the LDAP entries in the Access To list for the new ACL entry. Three radio buttons determine the contents of the list: DN (used with the text box to enter a DN to grant access by), Self, and All. You must also select the database access level from the Database Access list to assign the access setting for each entry in the Access By list.

Database Access - Shows the access type options for the database: None, Compare, Read, and Write. You must select a database access level for each Access By entry before you can add it to the ACL.

Access Control List - Lists the existing entries on the access control list. Entries are listed in the order in which they are searched by LDAP when a client requests an LDAP operation. Any number of entries can appear on the list. If the Access By column is empty, the default database access setting is applied for all users. By default, all users have Write access to the directory as specified by the default database access setting on the Service Control dialog box. Use the Service Control dialog box to change the default database access setting for the service.

Use the => and <= buttons to reorder the ACL by moving entries as desired. Clicking Delete removes the selected entry from the ACL. Clicking Modify replaces the selected entry on the ACL with the access entry specified in the Access To and Access By fields.

Note: Modify overwrites the selected entry; it does not add to it or change parts of it.

Insert Before Selected Item - Selecting this check box results in new ACL entries being inserted before the item selected on the ACL window when you click Insert.

Insert - Inserts the new access control entry defined by the Access To and Access By list entries into the ACL.

1. Click the Service Control tab.

2. Click ACL Configuration.

3. Choose one of the following options to set Access To controls:

To Allow Access to   | Select Radio Button | Enter
DN                   | DN                  | Distinguished Name
Selected Attribute   | Attribute           | Select Attributes from list
All Attributes       | All                 | Not Applicable

4. Click the <= button to add your selection to the Access To list.

Clicking the <= button adds your selection to the list by replacing the current list entry. It does not append your selection to the existing entry.

5. Choose one of the following options to set Access By controls:

To Allow Access by   | Select Radio Button | Enter | Select Database Access
DN                   | DN                  | DN    | None/compare/read/write
Self                 | Self                |       | None/compare/read/write
All Users            | All                 |       | None/compare/read/write

6. Click the <= button to add your selection to the Access By list.

Clicking the <= button adds your selection to the list by replacing the current list entry. It does not append your selection to the existing entry.

7. Click Insert to add the specified access to the Access Control List.
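The ACL semantics described above (entries checked in list order, first match decides, the Service Control default applying only when no entry matches, and higher levels including lower ones) as an added Python model. This is example code, not part of LDAP Configuration Manager; the exact-DN matching for Access To, the case- and whitespace-insensitive DN comparison, and the sample DNs and attribute names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Access levels in ascending order. A higher level includes the lower ones,
# as the Service Control page says ("Read" includes "Compare").
LEVELS = {"none": 0, "compare": 1, "read": 2, "write": 3}

def norm_dn(dn: str) -> str:
    """Comparison key for a DN: case- and whitespace-insensitive (assumption)."""
    return ",".join(p.strip().lower() for p in dn.split(","))

@dataclass
class AclEntry:
    to_kind: str              # Access To radio button: "dn", "attr" or "all"
    to_value: Optional[str]   # the DN or attribute name, None for "all"
    by_kind: str              # Access By radio button: "dn", "self" or "all"
    by_value: Optional[str]   # the DN for "dn", otherwise None
    level: str                # Database Access: none / compare / read / write

    def covers_target(self, entry_dn: str, attribute: Optional[str]) -> bool:
        if self.to_kind == "all":
            return True
        if self.to_kind == "dn":   # assumption: names exactly that entry
            return norm_dn(self.to_value) == norm_dn(entry_dn)
        return attribute is not None and self.to_value.lower() == attribute.lower()

    def covers_client(self, bind_dn: Optional[str], entry_dn: str) -> bool:
        if self.by_kind == "all":
            return True
        if bind_dn is None:        # anonymous client has no DN to match
            return False
        if self.by_kind == "self":
            return norm_dn(bind_dn) == norm_dn(entry_dn)
        return norm_dn(self.by_value) == norm_dn(bind_dn)

def effective_access(acl: List[AclEntry], default_access: str, bind_dn: Optional[str],
                     entry_dn: str, attribute: Optional[str] = None) -> str:
    """First matching entry, in list order, decides; the Service Control
    default applies only when no entry matches the request."""
    for entry in acl:
        if entry.covers_target(entry_dn, attribute) and entry.covers_client(bind_dn, entry_dn):
            return entry.level
    return default_access

def permits(acl, default_access, bind_dn, entry_dn, op, attribute=None) -> bool:
    """True if the granted level allows the operation (write > read > compare > none)."""
    return LEVELS[effective_access(acl, default_access, bind_dn, entry_dn, attribute)] >= LEVELS[op]

# Constructed sample ACL (hypothetical DNs). The userPassword entries must sit
# above the broad ones, because the first match wins.
SAMPLE_ACL = [
    AclEntry("attr", "userPassword", "self", None, "write"),  # owner may change it
    AclEntry("attr", "userPassword", "all", None, "none"),    # nobody else sees it
    AclEntry("all", None, "self", None, "write"),              # users edit own entry
    AclEntry("all", None, "all", None, "read"),                # everyone else reads
]
```

Running `permits([], "write", None, "cn=x,o=yourOrg,c=US", "write")` returns True, which is the shipped situation: with an empty ACL and the default database access left at Write, an anonymous client can modify the directory, so the default should be lowered on the Service Control page unless the ACL covers every entry.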

Setting Logging Options

The Logging dialog box, Figure 2-6, lets you specify the kinds of events and messages recorded in the log files. LDAP logging options work in combination with the StreetTalk for Windows NT log levels. For each log option, LDAP records different amounts of information based on the StreetTalk for Windows NT log level setting. LDAP for StreetTalk provides two rolling log files, LDAP0.log and LDAP1.log. Log files reside in the DATA\LDAP subdirectory of the StreetTalk for Windows NT installation root directory. You can choose to record the following LDAP operation information in the LDAP log files:

LDAP Operations - Records the LDAP operation as well as any command arguments.

Configuration And Schema Parsing - Records information about the successful or unsuccessful parsing of LDAP configuration file information.

Search Filter Parsing - Records details about the filters used to conduct a search operation.

Client Connections - Records TCP socket information for all client activity on the server.

Attribute/Objectclass Information - Records information about mapping between StreetTalk for Windows NT and LDAP attributes and object classes.

LDAP Operation Tracing - Records the start and finish of LDAP operations. LDAP operations include search, compare, add, and the like.

Client/Server Packet Encoding Parsing - Records detailed information about client connections, as well as lower layer protocol information.

Access Control List Operation - Records information about access control operations as users access the LDAP service.

DSA Error Messages - Records error messages returned by the Directory System Agent (DSA) during LDAP operations. The DSA is an application process defined by OSI that is part of the directory, whose role is to provide access to the DIT.

Select the check box next to a logging option to include the option's information in the logs. Clear the check box to exclude the associated information.

Installing LDAP Configuration Manager sets the first three options (LDAP operations, configuration and schema parsing, and search filter parsing) by default. You can change the default by clearing the check box adjacent to an item or by selecting other items.

Note: The above logging options set the types of messages logged by the LDAP for StreetTalk service. Use StreetTalk Explorer to set the LDAP service log message level to determine the detail included in LDAP log messages.

Figure 2-6. Logging Dialog Box

Setting Referrals

The Referrals dialog box, shown in Figure 2-12, lets you define and manage LDAP referrals. Referrals enable LDAP to handle a request for data that is not available in the local database, by returning an address to another LDAP service that has the requested data.

Figure 2-12. Referrals Dialog Box

The Referrals dialog box lets you:

Add the suffix and URL of a new referral server.
Delete a referral. The window displays added referral suffixes and URLs that you can select for deletion.
Specify a default referrals URL.

See "Referrals" in Chapter 1 for a discussion of how referrals work.

1. Click the Referrals tab.

2. To change the referrals for the server, do one of the following:

- To add a referral, enter the suffix and URL for the referral LDAP server in the Suffix and URL fields in the New referrals area and click Add.

- To delete a referral server, select the referral suffix you want to remove from the Referral Suffix list and click Delete.

3. To change the default referral server, type the URL for the desired LDAP server in the Default Referrals URL option.
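How the referral table configured above decides what a server returns for a DN it does not hold, as an added Python example (not part of LDAP for StreetTalk). The suffixes and ldap:// URLs are constructed, and the rules that the most specific matching suffix wins and that the Default Referrals URL is used only when no suffix matches are assumptions about the service's behaviour.

```python
# Constructed referral table; the suffixes and ldap:// URLs are hypothetical.
LOCAL_SUFFIX = "o=yourOrg, c=US"
REFERRALS = [
    ("c=US", "ldap://us-root.example/"),
    ("o=otherOrg, c=US", "ldap://other-org.example/"),
]
DEFAULT_REFERRAL_URL = "ldap://world.example/"

def dn_parts(dn):
    """Split a DN into its comma-separated components, normalised for comparison."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def lies_under(dn, suffix):
    """True if dn is the suffix entry itself or sits below it in the tree.
    Comparison is component-wise, so 'o=yourOrg, c=US' and 'o=yourorg,c=us'
    are the same suffix and 'ou=x,o=notyourOrg,c=US' is not under it."""
    d, s = dn_parts(dn), dn_parts(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s

def resolve(target_dn, local_suffix=LOCAL_SUFFIX, referrals=REFERRALS,
            default_url=DEFAULT_REFERRAL_URL):
    """Return ("local", None) when this server holds the data itself,
    ("referral", url) for the best referral, or ("noSuchObject", None)
    when nothing applies and no default URL is configured."""
    if lies_under(target_dn, local_suffix):
        return ("local", None)
    # Assumption: the most specific (longest) matching referral suffix wins.
    best = None
    for suffix, url in referrals:
        if lies_under(target_dn, suffix):
            if best is None or len(dn_parts(suffix)) > len(dn_parts(best[0])):
                best = (suffix, url)
    if best is not None:
        return ("referral", best[1])
    return ("referral", default_url) if default_url else ("noSuchObject", None)
```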

Saving LDAP Service Configurations

After you make changes to the configuration settings for an LDAP service, save the new settings to the current LDAP service and to other appropriate LDAP services in the network. By saving the modified LDAP configuration settings to services other than the current LDAP service, you assure that all LDAP services on the network maintain a consistent configuration, without logging in to and configuring each service in turn.

Note: You must be on the LDAP server's StreetTalk AdminList (AdminList@servername@servers) to save LDAP configuration settings to the LDAP service.

To Save LDAP Service Configuration to the Local LDAP Server

1. Select Save as from the Configure menu. The Save Files To A Local Directory dialog box appears.

2. Select the Local Files radio button and click OK to save the current configuration to the local LDAP service.

To Save LDAP Service Configuration to Remote LDAP Servers

1. Select Save As from the Configure menu. The Save Files To A Local Directory dialog box appears.

2. Select the Remote Server radio button.

3. On the Server List, select the address or name of the LDAP server where you want to update the LDAP service configuration.

4. Click OK to close the dialog box. The Login dialog box appears.

5. Enter your StreetTalk name and password in the name and password fields, and click OK. The LDAP configuration settings are saved to the selected server.

Restarting LDAP for StreetTalk Services

You must restart LDAP for StreetTalk service to activate your configuration options whenever you change the LDAP for StreetTalk service configuration.

1. Open StreetTalk Explorer.

2. Navigate to the desired LDAP server.

3. Select the LDAP for StreetTalk service you want to restart.

4. Select File, Properties.

5. From the Summary page, if the LDAP for StreetTalk service is currently running, click Stop.

6. Click Start to restart the LDAP for StreetTalk service.

Note: Do not use Windows NT Server Manager to stop or start the LDAP service. Use StreetTalk Explorer to stop and start the LDAP service. Using Windows NT Server Manager leaves the service in an inconsistent state.
