GroupWise 7 Administration Guide (11 December 2007)

When you understand these LDAP capabilities, you are ready to set up LDAP authentication for your GroupWise users. See Section 36.3.4, “Providing LDAP Authentication for GroupWise Users,” on page 501.

72.3.1 Access Method

On a server-by-server basis (ConsoleOne > GroupWise System Operations > LDAP Servers), you can specify whether you want each LDAP server to respond to authentication requests using a bind or a compare.

Bind: With a bind, the POA essentially logs in to the LDAP server. When responding to a bind request, most LDAP servers enforce password policies such as grace logins and intruder lockout, if such policies have been implemented by the LDAP directory.
Compare: With a compare, the POA provides the user password to the LDAP server. When responding to a compare request, the LDAP server compares the password provided by the POA with the user’s password in the LDAP directory, and returns the results of the comparison. Using a compare connection can provide faster access because there is typically less overhead involved because password policies are not being enforced.

Regardless of whether the POA is submitting bind requests or compare requests to authenticate GroupWise users, the POA can stay connected to the LDAP server as long as authentication requests continue to occur before the connection times out. This provides quick response as users are accessing their mailboxes.

72.3.2 LDAP Username

On a post office-by-post office basis (ConsoleOne > Post Office object > GroupWise > Security), you can decide what username you want the POA to use when accessing the LDAP server.

LDAP Username Login: If you want the POA to access the LDAP server with specific rights to the LDAP directory, you can provide a username for the POA to use when logging in. The rights of the user determine what information in the LDAP directory will be available during the authentication process.
Public or Anonymous Login: If you do not provide a specific LDAP username as part of the post office LDAP configuration information, then the POA accesses the LDAP directory with a public or anonymous connection. Only public information is available when using such a login.

72.4 Accessing S/MIME Certificates in an LDAP Directory

Just as the POA can access user password information in an LDAP directory, the GroupWise Windows client can access recipients’ digital certificates in an LDAP directory. See “Searching for Recipient Encryption Certificates Using LDAP” in “Sending S/MIME Secure Message” in the GroupWise 7 Windows Client User Guide.

When a certificate is stored on an LDAP server, the GroupWise Windows client searches the LDAP server every time the certificate is used. Certificates from LDAP servers are not downloaded into the local certificate store on the user’s workstation. To facilitate this process, the user must select a default LDAP directory in the LDAP address book (Windows client > LDAP Address Book > Directories > Set as Default) and enable searching (Windows client > Tools > Options Security > Send > Advanced Options > Search for Recipient Encryption Certificates in the Default LDAP
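The bind and compare access methods described in Section 72.3.1, modelled as an added example (not code from the guide or from GroupWise): a toy in-memory directory applies an intruder-lockout policy to bind requests and none to compare requests. The class names, the DN, the password and the lockout threshold of 3 are all assumptions made for the illustration.

```python
# Toy model (constructed for illustration) of a directory that applies an
# intruder-lockout policy to bind requests but not to compare requests.
from dataclasses import dataclass
import hmac

LOCKOUT_THRESHOLD = 3  # assumed policy value, not a product default


@dataclass
class Entry:
    password: str          # stored in clear only because this is a model
    failed_binds: int = 0
    locked: bool = False


class ModelDirectory:
    def __init__(self, entries):
        self.entries = entries

    def bind(self, dn, password):
        """Log in as dn; the lockout policy is evaluated on every attempt."""
        e = self.entries[dn]
        if e.locked:
            return "locked"
        if hmac.compare_digest(e.password.encode(), password.encode()):
            e.failed_binds = 0
            return "success"
        e.failed_binds += 1
        e.locked = e.failed_binds >= LOCKOUT_THRESHOLD
        return "invalidCredentials"

    def compare(self, dn, password):
        """Report only whether the value matches; no policy state is touched."""
        e = self.entries[dn]
        return hmac.compare_digest(e.password.encode(), password.encode())


def replay(method, attempts):
    """Send the same password sequence through one access method."""
    d = ModelDirectory({"cn=jdoe,o=example": Entry("correct-horse")})
    op = getattr(d, method)
    return [op("cn=jdoe,o=example", p) for p in attempts]


# Constructed sample: three wrong passwords followed by the right one.
ATTEMPTS = ["a", "b", "c", "correct-horse"]

if __name__ == "__main__":
    print("bind   :", replay("bind", ATTEMPTS))
    print("compare:", replay("compare", ATTEMPTS))
```

In the model, the bind path refuses the correct password once the account is locked, while the compare path never records the failures, which is the trade-off the text describes for the faster method.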