How to filter eDirectory search results for Teaming LDAP Authentication and Synchronization.

  • 7003082
  • 22-Apr-2009
  • 27-Apr-2012

Environment

 Products:
Novell Teaming 1.0
Novell Teaming 1.0 Support Pack 1
Novell Teaming 1.0 Support Pack 2
Novell Teaming 1.0 Support Pack 3

Configuration:
Novell Teaming is installed correctly.
Novell Teaming is working on both HTTP and HTTPS ports.
Novell Teaming LDAP Authentication and Synchronization is configured and working correctly.

Situation

 Purpose:
The purpose of this document is to provide a method by which to limit the search results when using LDAP authentication and synchronization with Teaming against eDirectory. This is a common request when users are scattered throughout the eDirectory tree but Teaming access should be limited to a specific subset of those users. The same method is used to remove unwanted Teaming groups that are synchronized from eDirectory Organizations (O) and Organizational Units (OU).
 
Symptoms:
Search shows all users in the eDirectory tree.
Not all users should have access to Teaming.
Extra objects found on search for users.
Extra objects found on search for groups.
eDirectory Organizations and Organizational Units are being defined as groups.

Resolution

1.  Teaming LDAP authentication and synchronization needs to be configured correctly, and it is recommended to have it searching from the top Organization down. Teaming cannot search above the Organization level (the Tree level), so it can only work against one Organization (example: o=iranet).
 
2.  Create an eDirectory group object and add only those users who will be allowed to authenticate to, and be synchronized into, Teaming (example: cn=Teaming,o=iranet).
 
3.  On the Teaming server create the zone-ext.cfg.xml file in the “<portal directory>/webapps/ssf/WEB-INF/classes/config” directory.
The <portal directory> on linux is the /opt/icecore/liferay-portal-tomcat-5.5-jdk5-4.3.0 directory.
The <portal directory> on windows is the c:\icecore\liferay-portal-tomcat-5.5-jdk5-4.3.0 directory.
 
4.  Insert the following text into the “zone-ext.cfg.xml” file:
 
<?xml version="1.0" encoding="UTF-8" ?>
<zoneConfiguration>
     <ldapConfiguration>
          <!-- This "property name" definition adds an LDAP filter for
               eDirectory groups and excludes eDirectory Organizations (O)
               and Organizational Units (OU) from being created as groups
               in Teaming.
               -->
          <property name="com.sitescape.ldap.group.search">(|(objectClass=group)(objectClass=groupOfUniqueNames)(objectClass=groupOfNames))
          </property>
 
          <!-- This "property name" definition adds an LDAP filter for
               eDirectory users who have an objectClass of inetOrgPerson
               and who belong to a specific eDirectory group.
               In this example, the group is named "Teaming" and is located
               in the "iranet" Organization (O).
               This value must be changed for each Teaming system.
               The "&" of the AND filter is written as "&amp;" so that the
               file remains well-formed XML.
               -->
          <property name="com.sitescape.ldap.user.search">(&amp;(objectClass=inetOrgPerson)(groupMembership=cn=Teaming,o=iranet))
          </property>
     </ldapConfiguration>
</zoneConfiguration>
 
5.  Modify the file to restrict the search results as desired.
To remove unwanted eDirectory O and OU groups, leave the first property as is. If the O and OU groups are desired, then remove the lines that read:
<property name="com.sitescape.ldap.group.search">(|(objectClass=group)(objectClass=groupOfUniqueNames)(objectClass=groupOfNames))
</property>
To filter the user search results for synchronization, modify the lines that read:
<property name="com.sitescape.ldap.user.search">(&amp;(objectClass=inetOrgPerson)(groupMembership=cn=Teaming,o=iranet))
</property>
Change (groupMembership=cn=Teaming,o=iranet) to the eDirectory group and context created previously. Keep the parentheses balanced; an unbalanced filter is rejected by the LDAP server and no users are synchronized.
 
NOTE:  The ampersand that starts the AND filter must be written as "&amp;" rather than a bare "&", because zone-ext.cfg.xml is parsed as XML and a bare "&" makes the file not well-formed; Teaming will then fail to read the file and the filter will not take effect.
 
6.  Restart the Teaming server or service.
 
7.  In the Liferay Enterprise Admin portlet, under the Settings | Authentication | LDAP tabs, the authentication search filter needs to be changed from:
(uid=@screen_name@)
to a filter that additionally requires membership in the group, for example:
(&(uid=@screen_name@)(groupMembership=<group>))
Replace <group> with the full context name of the eDirectory group created previously. Without this change, a user who is outside the group is no longer synchronized but can still authenticate if an account for that user already exists in Teaming.
NOTE: "cn" may be used rather than "uid".
 
8.  Resynchronize the Teaming users and groups under the Novell Teaming Administration portlet in the Configure LDAP section. Just check the Run immediately box and click the Apply button.
However, if the system has been previously synchronized, creating unwanted users and groups, then checking the “Delete users that are not in LDAP” and “Delete local groups that are not in LDAP” will be required to remove the unwanted users and groups.
BEWARE: this will also delete any manually created users or groups from Teaming, but not the admin user.
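The following is an added example, not Novell's code or part of the original TID. It checks what the two filters from steps 4 and 5 and the login filter from step 7 select, using a small constructed slice of an eDirectory tree (the entries, the user names and the cn=Teaming,o=iranet group are constructed sample data), and shows why the bare "&" in step 5's note is rejected by an XML parser. The filter parser covers only the RFC 4515 subset the TID uses (AND, OR and equality); the function and constant names are this example's own.

```python
"""Check the Teaming LDAP filters against a constructed slice of an
eDirectory tree and show why the '&' must be escaped in zone-ext.cfg.xml.

Added example, not Novell's code. ENTRIES is constructed sample data; the
attribute names (objectClass, groupMembership, uid) are those that
eDirectory's LDAP interface exposes.
"""
import xml.etree.ElementTree as ET

GROUP_FILTER = ("(|(objectClass=group)(objectClass=groupOfUniqueNames)"
                "(objectClass=groupOfNames))")
USER_FILTER = "(&(objectClass=inetOrgPerson)(groupMembership=cn=Teaming,o=iranet))"

# Constructed sample of what a search from o=iranet would return (not real data).
ENTRIES = {
    "o=iranet": {"objectClass": ["organization"]},
    "ou=sales,o=iranet": {"objectClass": ["organizationalUnit"]},
    "cn=Teaming,o=iranet": {"objectClass": ["groupOfNames"],
                            "member": ["cn=alice,ou=sales,o=iranet"]},
    "cn=alice,ou=sales,o=iranet": {"objectClass": ["inetOrgPerson"], "uid": ["alice"],
                                   "groupMembership": ["cn=Teaming,o=iranet"]},
    "cn=bob,ou=sales,o=iranet": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
}


def parse_filter(text):
    """Parse the RFC 4515 subset used in this TID: (&...), (|...) and (attr=value)."""
    tree, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def _parse(text, i):
    if text[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if text[i] in "&|":
        op, i, children = text[i], i + 1, []
        while text[i] == "(":
            child, i = _parse(text, i)
            children.append(child)
        if text[i] != ")":
            raise ValueError("unbalanced parentheses in filter")
        return (op, children), i + 1
    # Equality item. The value may itself be a DN containing '=', so split on
    # the first '=' only and stop at the closing parenthesis.
    close = text.index(")", i)
    attr, _, value = text[i:close].partition("=")
    return ("=", attr.strip(), value.strip()), close + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of multi-valued attrs).
    Comparison is case-insensitive, as it is for DN-syntax attributes in LDAP."""
    if node[0] == "=":
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    results = (matches(child, entry) for child in node[1])
    return all(results) if node[0] == "&" else any(results)


def search(filter_text, entries=ENTRIES):
    """Return the sorted DNs that the filter would select."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if matches(tree, attrs))


def escape_value(value):
    """RFC 4515 escaping for a value substituted into a filter (prevents a
    login name such as 'x)(uid=*' from rewriting the filter)."""
    for ch in "\\*()\0":
        value = value.replace(ch, "\\%02x" % ord(ch))
    return value


def login_filter(screen_name, group="cn=Teaming,o=iranet"):
    """The Liferay authentication filter of step 7 with its placeholders
    filled in (Liferay substitutes @screen_name@ itself; done by hand here)."""
    return "(&(uid=%s)(groupMembership=%s))" % (escape_value(screen_name), group)


def zone_ext_xml():
    """Build zone-ext.cfg.xml with ElementTree, which escapes '&' as '&amp;'."""
    root = ET.Element("zoneConfiguration")
    ldap = ET.SubElement(root, "ldapConfiguration")
    for name, value in (("com.sitescape.ldap.group.search", GROUP_FILTER),
                        ("com.sitescape.ldap.user.search", USER_FILTER)):
        ET.SubElement(ldap, "property", name=name).text = value
    return ET.tostring(root, encoding="unicode")


def bare_ampersand_is_rejected():
    """A hand-written file containing a raw '&' is not well-formed XML."""
    try:
        ET.fromstring('<property name="x">%s</property>' % USER_FILTER)
        return False
    except ET.ParseError:
        return True


if __name__ == "__main__":
    print("groups :", search(GROUP_FILTER))
    print("users  :", search(USER_FILTER))
    print("bob    :", search(login_filter("bob")))
    print(zone_ext_xml())
```

Run stand-alone, the script shows that the group filter returns only cn=Teaming,o=iranet (the O and OU objects drop out), the user filter returns only alice, and bob, who exists in the tree with a valid uid but is not a member of the group, matches neither the synchronization filter nor the login filter. The serialized XML contains "&amp;" exactly as step 5's note requires, while the same text with a bare "&" fails to parse. Against a live server the equivalent check is an ldapsearch with each filter before restarting Teaming.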