ZHM 7 and eDirectory Objects, Attributes and Rights

  • 3326601
  • 18-Apr-2007
  • 16-Mar-2012

Environment

Novell ZENworks 7 Handheld Management - ZHM7

Situation

How does ZHM7 interact with eDirectory?

Resolution

Handheld devices never connect directly to eDirectory.

The following components connect to eDirectory:

  • ZHM Server back-end: Connects to eDirectory by logging in as a user whose ID was supplied during installation. The server uses secure LDAP (by default, port 636) to connect to eDirectory.
  • ZHM Access Point: Connects to eDirectory to verify users when user-based ZHM management is turned on. The Access Point service uses secure LDAP to connect to eDirectory. The Access Point service acts on behalf of the handheld device, and tries to log in as the user whose ID is entered on the handheld device in the eDirectory Authentication screen.
  • ConsoleOne: Used for administration.

The ZHM7 server uses the credentials of the user that was specified during installation. The following types of objects are read or modified by this user:

  • Containers: O, OU, Country, Locality etc.
  • Objects with objectclass name: zen*
  • Objects with objectclass name: zfh*
  • User
  • User Group

The following rights are required by the user that was specified during ZHM7 installation:

  • Browse rights to all types of objects listed above.
  • Create, Rename, Delete rights to all containers where the ZHM7 Service object is created, and in the containers where the handheld devices will be automatically imported.
  • Supervisor, Compare, Read, Write, "Add Self" rights to the following attributes: zen*, zfh*, ObjectClass, Member.
  • Compare and Read rights to the following attributes: GUID, Revision, GroupMembership, NetworkAddress.

To verify that the proper rights have been given to the user, log in to ConsoleOne using admin rights and do the following:

  • Right-click an object, for example: a user. Select "Trustees of this object", NDS Rights, Effective Rights.
  • Change "For Trustee" to match the user specified during ZHM7 installation.
  • Verify the rights for [Entry Rights] and for the required attributes, for example: objectclass.
  • Do this for a number of objects in the tree, in different containers etc.

Check the overall health of eDirectory.
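
The check above can be recorded and compared against the required-rights list in a repeatable way. The following is an added example, not Novell code: it assumes the effective rights read from the ConsoleOne dialog have been transcribed by hand into the record layout shown, and the DNs and the attribute names zfhExampleAttr and exampleOtherAttr are constructed. It reports rights that are missing and rights that go beyond what this article lists, so the installation user can be reviewed for least privilege.

```python
from fnmatch import fnmatchcase

# Required rights, transcribed from the list in this article.
ENTRY_ANY = {"Browse"}
ENTRY_ZHM_CONTAINER = {"Browse", "Create", "Rename", "Delete"}
ATTR_RULES = [
    (("zen*", "zfh*", "objectclass", "member"),
     {"Supervisor", "Compare", "Read", "Write", "Add Self"}),
    (("guid", "revision", "groupmembership", "networkaddress"),
     {"Compare", "Read"}),
]

def required_attr_rights(attr):
    """Return the rights the article requires on attr, or None if unlisted."""
    name = attr.lower()
    for patterns, rights in ATTR_RULES:
        if any(fnmatchcase(name, p) for p in patterns):
            return rights
    return None

def compare(dn, target, have, need):
    """Yield (dn, target, kind, rights) for missing and surplus rights."""
    if need - have:
        yield (dn, target, "missing", sorted(need - have))
    if have - need:
        yield (dn, target, "beyond-required", sorted(have - need))

def audit(record):
    """Check one transcribed Effective Rights record against the article."""
    need = ENTRY_ZHM_CONTAINER if record["zhm_container"] else ENTRY_ANY
    findings = list(compare(record["dn"], "[Entry Rights]", record["entry"], need))
    for attr, have in record["attrs"].items():
        need = required_attr_rights(attr)
        # Attributes the article does not list need no rights at all.
        findings += compare(record["dn"], attr, have, need or set())
    return findings

# Constructed sample data (hypothetical DNs and attribute names).
SAMPLE = [
    {"dn": "ou=Handhelds,o=Example", "zhm_container": True,
     "entry": {"Browse", "Create", "Rename"},
     "attrs": {"ObjectClass": {"Supervisor", "Compare", "Read", "Write", "Add Self"}}},
    {"dn": "cn=jdoe,ou=Users,o=Example", "zhm_container": False,
     "entry": {"Browse"},
     "attrs": {"GUID": {"Compare", "Read", "Write"},
               "zfhExampleAttr": {"Compare", "Read"},
               "exampleOtherAttr": {"Read"}}},
]
```

Set zhm_container to True only for containers that hold the ZHM7 Service object or receive automatically imported handheld devices; every other object needs Browse alone as its entry right.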