How to use LDAP Groups Plugin functionality in iFolder

  • 7009563
  • 13-Oct-2011
  • 26-Apr-2012

Environment

Novell iFolder 3.8
Novell iFolder 3.9

Situation

FOREWORD

This TID aims to explain and walk through how to enable and use the LDAP Groups Plugin functionality in iFolder. It is intended as a guide only, and should be used as such. The steps outlined in this article are not to be used on an existing production server unless a proper back-up of the iFolder server exists, and the administrator accepts any and all risks/responsibility involved with reconfiguring the server.

By deploying the plugin, you will increase the iFolder server's performance (as well as overall LDAP performance).

Resolution

SECTION 1 Prerequisites

You must have the LDAP Groups Plugin enabled. This option is chosen during the manual install of iFolder:

https://www.novell.com/documentation/ifolder3/ifolder38_admin/data/bk60n10.html

If the Groups Plugin was initially installed, proceed to section 3 "How to use the LDAP Groups Plugin".

If the iFolder server was installed at the same time as the OES product add on, then by default the plugin is not enabled and you should proceed to section 2 to enable it.

If you are unsure of how iFolder was initially installed, do the following to see if the plugin is enabled or not:
1. Go to the iFolder administration console and look at what search context(s) you currently have defined. (Click the server tab and select your server; the LDAP contexts the server is searching are shown in the middle right side of the screen.)
2. In iManager or ConsoleOne, look to see if there are any groups that reside within the context(s) iFolder is searching. (If there are none, create one, then on the same page in the administration console, under the LDAP Details section, click Sync Now.)
3. In the iFolder administration console, go to the users tab and search for a group name that is in the search context(s) or that you created.
4. If the group shows up in the Users list, the LDAP Groups Plugin is enabled and you can proceed to section 3. If no group shows up in the list, proceed to section 2.

SECTION 2 Enabling the LDAP Groups Plugin

If the LDAP Groups Plugin was not enabled during the initial install of iFolder, it will be necessary to reconfigure the iFolder server via YaST to enable it:
**** *NOTE* If this is a new server install, proceed with the following steps. If it is a server that is already in production, run through section 3 first, but skip step 4, as the same configuration will be done in the steps in this section. ****
1.  Open a terminal
2.  Type the following command: yast2 novell-ifolder3
3.  Select continue on the LDAP Configuration for Open Enterprise Services Already configured popup.
4.  Check the box that says: iFolder server and click Next.
5.  Click Next.
6.  Check the box at the bottom of the page for Configure LDAP Groups Plugin and click Next.
7.  Click Next.
8.  Enter eDir admin password.
9.  Click Next.
10. Enter the LDAP proxy user password in the fields provided. (This password was set during initial install of iFolder. If it was a manual install of iFolder, or an older install prior to SP3, the proxy user password is changeable, so if you do not know it you will need to change it before proceeding. Post SP3 installs of iFolder will have the proxy user defined as the OESCommonProxy user, and the password should automatically be filled.)
11. Verify the LDAP search contexts are correct.
12. Click Next.
13. Restart Apache (rcapache2 restart)
You have now enabled the LDAP Groups Plugin.

SECTION 3 How to use the LDAP Groups Plugin

To use the LDAP Groups Plugin in iFolder, you need to do the following:

1. Create a container in your tree, example: ou=iFolder
2. Create a group within that container, example: cn=iFolderAccess
**** *NOTE* It is very important that this group be the only object to reside in the container you created. No other objects should ever be added to the container.****
3. Add the users who will be (or already are if this is an existing production server) iFolder users as members of the group.
4. Configure the iFolder server to point to the group as the search context.
   a. In the iFolder administration interface, click the servers tab, and select your server.
   b. In the middle right side of the screen is the LDAP contexts the server is searching. Click Edit.
   c. Enter the LDAP admin's full DN, example: cn=admin,o=novell
   d. Enter LDAP admin password
   e. Enter the proxy user's password in the fields provided. (**NOTE** The OESCommonProxy user password by default is the LDAP administrator's original password when the server was installed.)
   f. In the LDAP Contexts field, replace all search contexts with the path to the group. Example: cn=iFolderAccess,ou=iFolder,o=novell#
   g. Click OK
5. Restart Apache (rcapache2 restart)
6. In time, approx 5 days by default, you will see that the iFolder server will "weed out" the users who are not a member of the iFolder group. To speed this process up, do the following:
   a. In iFolder administration console, go to servers tab and select the server.
   b. Under the LDAP Details section, change the Identity Sync and Delete Member Grace Interval settings to 5 min each, save, then click Sync Now.
   c. Wait 20-30 min, then check your Users tab. You should start to see only users who are members of the group in the list.
   d. Set the sync intervals back to their defaults: 1440 and 5500 or 7200 depending on the version of iFolder you are running.
  
  
You should now have an iFolder server running the LDAP Groups Plugin. You can manage user access to the iFolder server by adding/removing membership to the LDAP group.
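
Because group membership now decides who has iFolder access, it is worth checking the NOTE in section 3 (the group must be the only object in its container) and reviewing the member list. The following script is an added example, not part of the original TID. It audits LDIF output from a one-level ldapsearch of the container. The LDAP host name, the sample entries, and the assumption that the group exposes its members through the `member` attribute are illustrative; the DNs are the examples used above.

```shell
#!/bin/sh
# Added example: audit the container and group created in SECTION 3.
# Live input (host is an assumption; DNs are the page's examples):
#   ldapsearch -x -LLL -H ldaps://ldap.example.com -D cn=admin,o=novell -W \
#     -b ou=iFolder,o=novell -s one '(objectClass=*)' member
GROUP_DN="cn=iFolderAccess,ou=iFolder,o=novell"

# Join folded LDIF lines (a continuation line starts with a single space).
unfold_ldif() {
  awk '/^ / { buf = buf substr($0, 2); next }
       { if (NR > 1) print buf; buf = $0 }
       END { if (NR > 0) print buf }'
}

# Succeed only if the LDIF on stdin has exactly the expected group entry.
# A base64 "dn::" value never matches, so it is reported for manual review.
audit_container() {
  unfold_ldif | WANT="$1" awk '
    tolower($0) ~ /^dn:/ {
      dn = $0; sub(/^[^:]*::? */, "", dn); n++
      if (tolower(dn) != tolower(ENVIRON["WANT"])) { print "UNEXPECTED OBJECT: " dn; bad++ }
    }
    END {
      if (n == 0) { print "MISSING: " ENVIRON["WANT"]; exit 1 }
      if (bad > 0) exit 1
      print "OK: container holds only " ENVIRON["WANT"]
    }'
}

# Print one member DN per line: the accounts that keep iFolder access.
group_members() {
  unfold_ldif | awk 'tolower($0) ~ /^member: / { sub(/^[^:]*: */, ""); print }'
}

# Constructed sample data, including one folded line.
sample_ok() { cat <<'EOF'
dn: cn=iFolderAccess,ou=iFolder,o=novell
member: cn=alice,ou=users,o=novell
member: cn=a-user-with-a-very-long-common-name-that-ldapsearch-folds,ou=users,o=
 novell

EOF
}
sample_bad() { sample_ok; printf 'dn: cn=strayuser,ou=iFolder,o=novell\n\n'; }

sample_ok  | audit_container "$GROUP_DN"
sample_ok  | group_members
sample_bad | audit_container "$GROUP_DN" || echo "audit failed: clean up the container"
```

For a live check, pipe the ldapsearch command shown in the comment into `audit_container "$GROUP_DN"` and compare the `group_members` output against the list of people who should have iFolder access.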