Using an AD / LDAP authentication source to dynamically control access to a GMS server.

  • 7000966
  • 18-Jul-2008
  • 10-Dec-2013

Environment

Novell GroupWise 7
GroupWise Mobile Server 2.x
MS Active Directory

Situation

There is a need to control access to a GMS server whilst still using the auto-discovery option for creating GMS accounts connected to GroupWise mailboxes. Here we describe an example based upon Microsoft AD accessed via LDAP. If you need to use Novell eDirectory or another directory that can be accessed via LDAP, you will need to change the syntax of the LDAP configuration.

Resolution

If you enable user auto-discovery, there is no way to control access to the GMS server by itself. In this example we use a group on the AD side and its membership to decide who may access the GMS server:

1. Let us have an AD domain called my-ad.com. Under the Users container there are user accounts without any mailbox. For simplicity, those user account names are equal to the GroupWise mailbox IDs. Apart from the user accounts, there is a group called GMS.

2. On the GMS server, start AdminConsole.

3. Open the Properties of Intellisync Mobile Suite.

4. Click on the Authentication tab (this is where user auto-discovery is enabled) and then on Authentication Sources.

5. If you want to use the auto-discovery option, you can have only one authentication source, so delete any existing sources listed. After that, click on Create AD / LDAP. Name it and select a directory server type, here MS Active Directory.

6. In the Server field, type the IP address of the AD server with LDAP running.

7. In Search base, type dc=my-ad,dc=com. Use DC and CN components here if you want to limit the search base to a "lower" container.

8. Leave User name format at its default.

9. You can use anonymous access or a specific account, for instance the Administrator account in the Users container. The syntax is then cn=Administrator,cn=Users,dc=my-ad,dc=com.
In this case, also specify the user's password.

10. Make sure that both options, "Delete users if they are no longer part of the synchronized groups" and "Synchronize groups from this source during unattended user/group synchronization", are selected.

11. Click on the Edit Configuration tab to match the LDAP properties to AD.

12. Here you can use all values as suggested in the examples alongside, except "All Users Filter", where we specify a filter based upon group membership that decides who can authenticate. In our example the group is GMS in the Users container, so the corresponding syntax is:
(&(objectClass=user)(objectCategory=person)(memberOf=cn=GMS,cn=Users,dc=my-ad,dc=com))
It is essential to find out the proper syntax for the type of directory you use: AD has memberOf, eDirectory uses groupMembership, and so on.

13. Now you need to specify the GroupWise backend connection point. You might have it configured already, but if not, click on Profile Settings in AdminConsole -> Email Accelerator -> Novell GroupWise and edit the Default profile. Here specify the IP address of a PO with the SOAP protocol enabled. Since your users will authenticate against AD and then also against GroupWise, it is handy to have Access settings configured with the Trusted Application option. A small application shipped with GMS, GWTrustedApp.exe, located in the PIM directory, is straightforward to use for this. If you have problems, please consult the online documentation.

14. Now you can test access to GMS via the WebPIM interface. Place any AD user in the GMS group on the AD side and, when authenticating to the GMS web site, use the user name and password from AD. If you have configured everything correctly, you get to the configuration page where you verify the time zone, fill in the City and so on (the familiar page). Once finished, you are in the GMS mailbox and should see all mails from the corresponding GroupWise mailbox.

15. A few more steps complete the automation, so that adding or removing users in the AD GMS group is also reflected on the GMS side. In AdminConsole, right-click on the Groups container and select Import/Synchronize Groups -> AD / LDAP groups. This starts a small wizard in which you select your AD/LDAP authentication source and, from the listed AD groups, pick the GMS one. Along with the group import, all member users are imported too. This is the first, manual way of synchronizing AD and GMS.

16. Under the BIN directory there is an application called UserGroupSync. You can run it from a DOS command line. Now add or remove users in the AD GMS group and then run this utility from the command line. You will notice that in the Users container users have been added or removed accordingly. Using the native Windows scheduler you can configure how many times per day you want this application to run. Each time this utility runs, it synchronizes users on the GMS side based upon the membership of the AD GMS group.
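As an added illustration (not part of this TID and not GMS code): a small Python evaluator for the filter syntax used in step 12, run against a constructed sample directory, so you can check offline which accounts the "All Users Filter" admits and confirm that a membership change in the AD GMS group (the change UserGroupSync picks up in step 16) changes the result. The sample entries, the function names and the simplified objectCategory values are assumptions.

```python
GMS_GROUP = "cn=GMS,cn=Users,dc=my-ad,dc=com"
GMS_FILTER = f"(&(objectClass=user)(objectCategory=person)(memberOf={GMS_GROUP}))"
# Constructed sample directory keyed by DN (not real data): attribute names lower-cased,
# every value a list, objectCategory simplified to the short class name AD matches on.
PERSON = ["top", "person", "user"]
DIRECTORY = {
    "cn=alice,cn=Users,dc=my-ad,dc=com":       # user in the GMS group: admitted
        {"objectclass": PERSON, "objectcategory": ["person"], "memberof": [GMS_GROUP]},
    "cn=bob,cn=Users,dc=my-ad,dc=com":         # valid user outside the group: refused
        {"objectclass": PERSON, "objectcategory": ["person"], "memberof": []},
    "cn=WKS01,cn=Computers,dc=my-ad,dc=com":   # computer object added to the group: refused
        {"objectclass": ["top", "user", "computer"], "objectcategory": ["computer"],
         "memberof": [GMS_GROUP]},
}

def parse_filter(text):
    """Parse the RFC 4515 subset (&, |, !, attr=value) into nested tuples."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":                                  # compound: list of sub-filters
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            pos += 1                                     # closing ')' of the compound
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")    # split at first '=' only: DN values contain '='
        pos = end + 1
        return ("=", attr.lower(), value.lower())
    return node()

def matches(tree, entry):
    """Evaluate a parsed filter against one entry (case-insensitive, as AD does)."""
    op = tree[0]
    if op == "=":
        return any(v.lower() == tree[2] for v in entry.get(tree[1], []))
    if op == "!":
        return not matches(tree[1][0], entry)
    return (all if op == "&" else any)(matches(c, entry) for c in tree[1])

def allowed_users(directory=DIRECTORY, filter_text=GMS_FILTER):
    """DNs the filter admits: the accounts GMS lets log on and UserGroupSync keeps."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, entry in directory.items() if matches(tree, entry))
```

Against a live directory, the same filter string can be given to an LDAP search tool to compare its result with the users GMS imports.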