How do I configure VPC to use Microsoft Exchange with LDAP as the User Repository? (NETIQKB37880)

  • 7737880
  • 02-Feb-2007
  • 02-Oct-2007

Resolution

goal

How do I configure VPC to use Microsoft Exchange with LDAP as the User Repository?



fact
VigilEnt Policy Center 2.1x

fact
VigilEnt Policy Center 3.x

fix

Before configuring Microsoft Exchange for the User Repository there are some things that you will need to know and take into consideration:

  • You will need to know what container object your users are located in so that the context can be specified for the search base. For example: 
     

    cn=Recipients,ou=Houston,o=GXA Corporation


    This will work fine if all of your users reside in the Recipients container. The disadvantage of setting the search base to one specific container is that you can enumerate or search for user accounts only in that one container.


    It is recommended that you set the search base to the Organization Level. For example:


    O=GXA Corporation  


    In this case, you are setting the search base to the root level and will have the ability to browse and enumerate user accounts from the whole directory structure.

  • You also need an account for binding to the directory structure, with sufficient privileges to browse the whole directory structure and enumerate Members of the Groups (Distribution Lists). This account should have Read Only Admin privileges on the Exchange side.

    From testing, these are the minimal permissions required for the account to browse the whole directory structure and enumerate members. (Since this is a directory structure, this may vary for different environments.)

  • There are two types of bindings that can be performed:

    • LDAP and Anonymous binding
    • Direct binding with a Bind DN

It is recommended that you use a Bind DN. Anonymous Binding is very limited: you may not be able to see all of the objects in the directory structure, and you will not be able to enumerate Members from the groups (Distribution Lists).

  • The enumeration for the UID is done by the Exchange Alias. For the mail notifications to flow correctly, the user's Mail Alias has to match the NT or AD account.


fix

    To set up VPC to point to Microsoft Exchange as the User Repository using LDAP, follow the instructions below:

    1. Log in to the VpcAdmin site as the Admin or an account that has privileges to make configuration changes using http://MachineName:TomcatPort/VpcAdmin.

    2. Go to Administration | Options | Repository.

    3. Select My users are in an LDAP server.

    4. Click Advanced.

    5. A window displays the Advanced LDAP Settings. These are the attribute mappings for LDAP. There are 3 templates available for the different directory structures. Choose the Exchange template and click Update. This prepopulates all of the attribute mappings for Exchange.

    6. For the LDAP URL, point it to your Exchange server in this format:


      LDAP://exchangeservername:389

      (389 is the default LDAP TCP port.)

    7. Search Base: This is where you will search for your users. We recommend pointing to the root level. This will allow you to see all of the objects in the directory structure rather than being limited to one container.

    8. Directory Base for New Users and Directory Base for New Groups (optional): You don't have to supply this information unless you have default containers for the creation of users and groups (DLs).

    9. Choose either Anonymous Binding by selecting the Anonymous Bind checkbox, or Direct Binding by unchecking the anonymous checkbox and supplying the Bind DN in Distinguished Name format. For example:

      cn=GXA

      cn=GXA, cn=recipients, ou=Houston, o=GXA Corporation

      With Exchange, the short name will work: supply cn=username and the password.

      We recommend Direct Binding to the directory structure because of the limitations of Anonymous Binding, which vary from one environment to another. In most environments, an anonymous bind will not be able to see the Users or Groups.

    10. Supply the NT or AD account.

    11. Once you have supplied the account and password, click Update. You should see a message that states the information has been updated.
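
The search base choice discussed above (container level versus Organization level, step 7) and the Bind DN format from step 9 can be checked offline before the values are entered in VpcAdmin. The following is an added example, not code from NetIQ or VPC: it assumes a subtree-scope search, models scope only (not directory permissions), and uses constructed sample entries.

```python
import re

def parse_dn(dn):
    """Split a DN into normalized (attribute, value) pairs, leaf first.

    Simplified RFC 4514 handling: a comma escaped with a backslash stays in
    the value; letter case and spaces around '=' and ',' are ignored.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        value = re.sub(r"\s+", " ", value.strip())
        rdns.append((attr.strip().lower(), value.lower()))
    return rdns

def in_search_base(entry_dn, base_dn):
    """True if entry_dn is the base itself or sits anywhere beneath it."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def reachable(entries, base_dn):
    """Return the entries a subtree search from base_dn could enumerate."""
    return [dn for dn in entries if in_search_base(dn, base_dn)]

# Constructed sample entries: only the GXA Corporation, Houston and Recipients
# names come from the article; users, the DL and the Austin site are made up.
SAMPLE_ENTRIES = [
    "cn=jsmith,cn=Recipients,ou=Houston,o=GXA Corporation",
    "cn=Sales DL,cn=Distribution Lists,ou=Houston,o=GXA Corporation",
    "cn=mlee,cn=Recipients,ou=Austin,o=GXA Corporation",
    "cn=Smith\\, Ann,cn=Recipients,ou=Houston,o=GXA Corporation",
]
CONTAINER_BASE = "cn=Recipients,ou=Houston,o=GXA Corporation"
ROOT_BASE = "O=GXA Corporation"
BIND_DN = "cn=GXA, cn=recipients, ou=Houston, o=GXA Corporation"

if __name__ == "__main__":
    for base in (CONTAINER_BASE, ROOT_BASE):
        found = reachable(SAMPLE_ENTRIES, base)
        print(f"{base}: {len(found)} of {len(SAMPLE_ENTRIES)} entries in scope")
    print("bind DN under container base:", in_search_base(BIND_DN, CONTAINER_BASE))
```

With the container-level base, the distribution list and the user in the other site fall out of scope; with the Organization-level base, every sample entry is in scope.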

     



    Additional Information

    Formerly known as NETIQKB37880