Define General Directory Service Properties
The General page in the Map Object window in a Blueprint includes options for general information, settings for Security, Configuration, and Searching, and a series of check boxes for mapping options.
To define General properties:
- Open the Map Object window.
- Select the General page.
- Define General properties.
- Define Security properties.
- Define Configuration properties.
- Define Use Paged Searching properties.
- Define the Miscellaneous properties.
General Properties
- Name: The name of the service.
- Directory Service: The type of directory service.
- Domain: The domain name of the network.
- Server: The host name of the LDAP directory server.
If you are using Secure LDAP (LDAPS), specify the host name of the SSL/TLS certificate used by your LDAP directory to establish a secure connection. If your certificate is self-signed or from a non-standard Root CA, you may need to install the certificate on the machines that are connecting directly to the LDAP directory. This may include your CSM Application Servers and machines running the CSM Administrator and CSM Trusted Agent Server if they directly connect to the LDAP directory.
Security Properties
- Authentication type: The type of authentication required to access LDAP.
- No Encryption: No login is required and all data is transferred in plain text.
- Basic: User ID and password are required, but no confidentiality is provided. Data is transferred in plain text.
- Secure: User ID and password are authenticated through NTLM or Kerberos, depending on the service selected. The data between LDAP and CSM is not encrypted.
- SSL: User ID and password are required and data between LDAP and CSM is encrypted. This changes the path to LDAP and the default port to 636.
- Search User ID: The User ID used for all LDAP searches. The User ID can be set in a variety of formats:
- Windows Only: domain\user, user@domain, cn=user,dc=company,dc=com
- Other: cn=user,ou=company,c=US
Select the question mark to see the list of valid formats. Ask an LDAP administrator which format is used at a specific organization.
- Search Password: The password assigned to the User ID.
Configuration Properties
- Port: The standard LDAP ports are 389 and 636 (secure LDAP). If unsure of the port number, try these two first.
- RootDSE Path: The RootDSE is the root of the LDAP directory server. Some examples are:
- LDAP://192.168.0.123/RootDSE
- LDAP://192.168.0.123:389/RootDSE (when port number is included)
- LDAP://ServerName/RootDSE
If you are using any port besides 389, type the port number in the RootDSE path (example: LDAP://www.mycompany.com:389/RootDSE).
- Schema Path: The schema contains a definition of all of the objects on the LDAP server (User, Group, etc.).
The easiest way to set up the schema path is to select the Locate button. Before doing this, go to the Security section on the General properties page and verify that the encryption type, User ID, and password are set up. When the RootDSE and security information is entered, CSM Administrator should be able to find the schema. If the schema is not found, Users should ask an LDAP administrator for assistance.
Some common schema paths include:
- LDAP://192.168.0.123/CN=Schema,CN=Configuration,DC=Cherwell,DC=com
- LDAP://ServerName/CN=Schema,CN=Configuration,DC=Cherwell,DC=com
(these are the formats used by Active Directory)
- LDAP://192.168.0.123/cn=schema
- LDAP://www.mycompany.com/cn=Subschema
- LDAP://www.openldap.com:389/cn=Subschema
- Search Start: This is the location where LDAP searches begin. Using only the server location can slow the data transfer. Enter a path more specific to the location of the data to increase data-transfer efficiency. For example, to search for only Users in Colorado Springs the path might be:
LDAP://Cherwell/DC=ColSpgs,DC=Cherwell,DC=Com
DC stands for domain context (used by Microsoft computers with domains). The LDAP standard also suggests some prefixes that are used by most vendors – OU (Organizational Unit), O (Organization), CN (Common Name), and C (Country). The prefixes are case insensitive.
More examples include:
- LDAP://Cherwell/OU=ColSpgs,DC=Cherwell,DC=com
- LDAP://192.168.0.123/ou=Administrators,ou=TopologyManagement,o=NewspapeRing
- LDAP://ServerName/O=Cherwell,c=US
- LDAP://www.mycompany.com/o=Cherwell
- LDAP://www.mycompany.com/dc=site
- Follow Server Referrals: Data can be stored on multiple LDAP servers. Selecting this check box allows the initial-contact server to continue searching for data beyond the initial server to secondary servers for information. Users should consult an LDAP administrator or IT staff member to verify if this should be selected.
Allowing referral services can cause delays during data transfer.
Page Searching Properties
The Use Paged Searching option is recommended because it allows you to set the maximum page size and server time limit. Using paged searching increases the speed of searching by grouping search results into pages set by the Max page size limit. The time limit is set so that the server stops searching after the entered time if there are no results to the search.
Recommended settings: Max page size - 100; Server Time Limit - 120 seconds.
Some vendors do not support this functionality. Select Test Paged Search to see if the feature is supported.
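The Security, Configuration, and Paged Searching settings above interact: the authentication type decides whether credentials cross the network in plain text, the SSL option expects port 636, any non-389 port has to appear in the LDAP paths, and the page-size and time-limit values have recommended ceilings. The following Python script is an added example, not Cherwell code and not part of this page; it parses the LDAP://host[:port]/DN path format and the User ID formats described above and reviews a constructed configuration for those mismatches. The function names, the configuration keys, and the sample values (host ldap.example.test, the service account) are assumptions made for the example.

```python
"""Review CSM-style LDAP directory-service settings (added example, not Cherwell code)."""
import re

# LDAP://host[:port]/DN, as used for RootDSE, schema and search-start paths on this page.
_PATH_RE = re.compile(
    r"^ldap://\s*(?P<host>[^/:\s]+)\s*(?::(?P<port>\d+))?\s*/(?P<dn>.*)$", re.IGNORECASE
)


def parse_ldap_path(path):
    """Split 'LDAP://host[:port]/DN' into (host, port or None, DN string)."""
    m = _PATH_RE.match(path.strip())
    if not m:
        raise ValueError(f"not an LDAP path: {path!r}")
    port = int(m.group("port")) if m.group("port") else None
    return m.group("host"), port, m.group("dn").strip()


def parse_dn(dn):
    """Split a DN into (ATTR, value) pairs; prefixes (DC, OU, O, CN, C) are case-insensitive.

    Assumption: the simple comma split does not handle commas escaped inside values.
    """
    parts = []
    for rdn in filter(None, (p.strip() for p in dn.split(","))):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"bad RDN: {rdn!r}")
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def user_id_format(user_id):
    """Classify a Search User ID as domain\\user, user@domain, a DN, or unknown."""
    if re.fullmatch(r"[^\\@=,]+\\[^\\@=,]+", user_id):
        return "domain\\user"
    if re.fullmatch(r"[^\\@=,]+@[^\\@=,]+", user_id):
        return "user@domain"
    try:
        parse_dn(user_id)
        return "distinguished name"
    except ValueError:
        return "unknown"


def review_settings(cfg):
    """Return a list of findings (strings) for a directory-service configuration dict."""
    findings = []
    auth, port = cfg["authentication_type"], cfg["port"]
    if auth in ("No Encryption", "Basic"):
        findings.append(f"{auth}: credentials and directory data cross the network in plain text")
    elif auth == "Secure":
        findings.append("Secure: login uses NTLM/Kerberos but directory data is not encrypted")
    if auth == "SSL" and port != 636:
        findings.append(f"SSL selected but port is {port}, expected 636")
    if auth != "SSL" and port == 636:
        findings.append("port 636 (LDAPS) configured without the SSL authentication type")
    if user_id_format(cfg["search_user_id"]) == "unknown":
        findings.append("search_user_id is not in a recognised format")
    for key in ("rootdse_path", "schema_path", "search_start"):
        _host, path_port, dn = parse_ldap_path(cfg[key])
        if path_port is None and port != 389:
            findings.append(f"{key}: port {port} is not 389 but is missing from the path")
        elif path_port is not None and path_port != port:
            findings.append(f"{key}: path port {path_port} differs from the Port setting {port}")
        if key == "rootdse_path" and dn.upper() != "ROOTDSE":
            findings.append("rootdse_path does not end in /RootDSE")
        if key == "search_start" and not dn:
            findings.append("search_start has no DN; searching from the server root is slow")
    if cfg["use_paged_search"]:
        if cfg["max_page_size"] > 100:
            findings.append(f"max_page_size {cfg['max_page_size']} exceeds the recommended 100")
        if cfg["server_time_limit"] > 120:
            findings.append(f"server_time_limit {cfg['server_time_limit']}s exceeds the recommended 120")
    return findings


# Constructed sample configuration; the host and account are not real.
SAMPLE = {
    "authentication_type": "Basic",
    "search_user_id": "CORP\\svc-ldap-reader",
    "port": 389,
    "rootdse_path": "LDAP://ldap.example.test/RootDSE",
    "schema_path": "LDAP://ldap.example.test/CN=Schema,CN=Configuration,DC=example,DC=test",
    "search_start": "LDAP://ldap.example.test/OU=ColSpgs,DC=example,DC=test",
    "use_paged_search": True,
    "max_page_size": 500,
    "server_time_limit": 120,
}

if __name__ == "__main__":
    for finding in review_settings(SAMPLE):
        print("-", finding)
```

Run against the constructed sample it reports two findings: Basic authentication sends credentials and data in plain text, and the page size of 500 is above the recommended 100. Switching the sample to the SSL authentication type without changing the port from 389 produces the port mismatch finding instead, which is the check to run before pointing the Application Servers at a production directory.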
Miscellaneous Options
- Allow Business Objects to be mapped to objects: Select the check box to map CSM Business Objects to Active Directory Objects.
- Allow Business Objects to be imported from data: Select the check box to import Active Directory data into CSM.
- Client-Side LDAP (for SaaS): When using an application server and a 3-tier connection, select the check box to allow data to be shared from CSM to LDAP without going through the Cherwell Application Server. Do not select this check box unless specifically directed.