Directory Configuration Guide


Entrust IdentityGuard 8.1 Directory Configuration Guide
Document issue: 1.0
Date of Issue: June 2006

Copyright 2006 Entrust. All rights reserved. Entrust is a trademark or a registered trademark of Entrust, Inc. in certain countries. All Entrust product names and logos are trademarks or registered trademarks of Entrust, Inc. in certain countries. All other company and product names and logos are trademarks or registered trademarks of their respective owners in certain countries. This information is subject to change as Entrust reserves the right to, without notice, make changes to its products as progress in engineering or manufacturing methods or circumstances may warrant. Export and/or import of cryptographic products may be restricted by various regulations in various countries. Export and/or import permits may be required.

Table of contents

About this guide
  About Entrust IdentityGuard
  Repository considerations
  Estimating repository size
  LDAP attributes and classes
  Gathering your configuration data
  Documentation conventions
  Note and Attention text
  Related documentation
  Obtaining documentation
  Documentation feedback
  Obtaining technical assistance
  Technical support
  Professional Services
CHAPTER 1 Configuring Active Directory and Active Directory Application Mode
  Preparing Active Directory
  Choosing your configuration method
  Setting users and privileges
  Configuring Active Directory with LDIF files
  Configuring Active Directory manually
  Configuring the index attributes
  Creating a custom administrator
  Creating a user to store policies
CHAPTER 2 Configuring Critical Path Directory
  Preparing the Critical Path Directory
  Choosing your configuration method
  Configuring the Critical Path Directory with LDIF files
  Configuring the Critical Path Directory manually
  Synchronizing the indexes after an upgrade
  Creating a user to store policies
  Configure the directory size limit
CHAPTER 3 Configuring IBM Tivoli Directory Server
  Preparing the Tivoli Directory
  Choosing your configuration method
  Configuring the Tivoli Directory with LDIF files
  Configuring the Tivoli Directory manually
  Creating a user to store policies
CHAPTER 4 Configuring Novell eDirectory
  Preparing the Novell eDirectory
  Choosing your configuration method
  Configuring the Novell eDirectory with LDIF files
  Configuring the Novell eDirectory manually
  Creating a user to store policies
CHAPTER 5 Configuring Sun ONE Directory
  Preparing the Sun ONE Directory
  Choosing your configuration method
  Configuring the Sun ONE Directory with LDIF files
  Configuring the Sun ONE Directory manually
  Creating a user to store policies
Index

About this guide

This guide provides instructions on how to configure Entrust IdentityGuard 8.1 to operate with Active Directory, Active Directory Application Mode (ADAM), Critical Path Directory, IBM Tivoli Directory Server, Novell eDirectory, and Sun ONE Directory.

This chapter includes the following sections:
  About Entrust IdentityGuard
  Repository considerations
  Gathering your configuration data
  Documentation conventions
  Related documentation
  Obtaining documentation
  Obtaining technical assistance

About Entrust IdentityGuard

Installing Entrust IdentityGuard 8.1 allows you to add the benefits of multifactor authentication to your primary authentication method. Entrust IdentityGuard 8.1 provides multifactor authentication to help organizations counter identity theft by making it more difficult for attackers to steal users' online identities. It addresses the real-world demands for strong authentication, making it easier to use while helping to reduce deployment and management costs.

Note: You must follow and complete the instructions in this configuration guide dedicated to your specific directory before you install Entrust IdentityGuard. For information about installing and configuring Entrust IdentityGuard 8.1, refer to the Entrust IdentityGuard Installation Guide.

Repository considerations

This section provides information that applies to all repositories supported by Entrust IdentityGuard.

Entrust IdentityGuard uses data stored in your LDAP directory. Each time an Entrust IdentityGuard operation requires a user's information, Entrust IdentityGuard searches the LDAP directory. The directory must exist and you should populate it with users before you install Entrust IdentityGuard, though you can add users later. (Entrust IdentityGuard does not create directory entries for users.)

Ensure your users exist under a single base DN in the directory tree, unless you plan to take advantage of the multiple search bases feature in Entrust IdentityGuard.

Ensure the LDAP User DN used by Entrust IdentityGuard to connect to the repository has sufficient privileges to make changes to the user objects.

Before you install Entrust IdentityGuard, you must prepare the LDAP directory. Each chapter in this guide gives details specific to a directory type.

Attention: Back up your repository before you load or update the Entrust IdentityGuard schema. Restoring your directory from backup files enables you to undo changes made by any errors, as well as recover from system failures.

Estimating repository size

No two repositories will be the same. The number of policies, groups, administrators and users will vary, as will the attributes assigned to each and the authentication methods used. You can calculate the approximate disk space requirements using the statistics below.

Note: Information for all policies, groups, grouplists, and roles is stored in a single entry in the LDAP repository. In contrast, each user and administrator has a separate entry in the LDAP repository.

Table 1: LDAP repository size

| Information type | Attribute names | Data requirement |
|---|---|---|
| Global policy | entrustigglobalpolicy | 0.5 KB. |
| Policy | entrustigpolicylist, entrustigpasswordpolicy, entrustigtemppinspec, entrustigcardspec, entrustiguserspec | 2.5 KB per policy spread across the attributes. |
| Roles | entrustigroledata | 1.5 KB per role. |
| Groups | entrustiggroupdata | 0.5 KB per group. |
| Group List | entrustiggrouplistdata | 0.5 KB per group list. |
| User | entrustigcontents, entrustigtemporarypin, entrustiguserinfomac, entrustigauthsecrets, entrustigcreatedate, entrustigexpirydate, entrustiggroup, entrustigserialnumber, entrustigstate, entrustigusernumber, entrustiglockoutcount, entrustiglockoutexpirydate, entrustigaliases, entrustigchallenge, entrustigchallengecount, entrustigleastusedcellusagecount, entrustigcardusagethresholdindicator, entrustigtokenserialnumber, entrustigtokens, entrustigtokenstate, entrustigtokenloaddate, entrustigtokenlastuseddate | 1.5 KB minimum per user with one card, one temporary PIN and one alias. Most data is in the first four attributes listed. Others contain values used for searching. 0.5 KB per user for each additional 5 by 10 card. 0.5 KB per user for each token the user has. More space is needed for comment attributes, extra aliases, card usage tracking (when enabled), and knowledge-based authentication. Up to 1 MB per user (controlled by policy) when authentication secrets are included. |
| Administrator | entrustigadmindata, entrustiggroup, entrustiggrouplist, entrustigrole | 0.5 KB per administrator. Most data is in the entrustigadmindata attribute. Others contain values used for searching. |

For information on creating policies, groups, administrators and users, refer to the Entrust IdentityGuard Administration Guide.

LDAP attributes and classes

Entrust IdentityGuard uses specific directory attributes to store information in LDAP repositories. They are identified by their OID, as listed in Table 2. The Entrust IdentityGuard OID is (represented by IG, below). To determine an attribute's full OID, use the Entrust IdentityGuard OID plus the attribute number given in the table. For example, for entrustigcontents (IG.2.2), the full OID of the attribute is:

When run, the LDIF files create the following attributes. If you do not use an LDIF file, you must create and configure them manually.

Table 2: LDAP directory attributes

| Attribute | Syntax | OID | Description |
|---|---|---|---|
| entrustigserialnumber | Multivalued IA5 string | IG.2.1 | Serial numbers of all cards belonging to the user. |
| entrustigcontents | Multivalued octet string | IG.2.2 | List of encrypted cards. |
| entrustigstate | Single-valued octet string (Multivalued IA5 string for IBM Tivoli) | IG.2.3 | State of all cards belonging to the user. |
| entrustigcreatedate | Multivalued generalized time | IG.2.4 | Creation dates of all cards belonging to the user. |
| entrustigexpirydate | Multivalued generalized time | IG.2.5 | Expiry dates of all cards belonging to the user. |
| entrustigtemporarypin | Single-valued octet string | IG.2.6 | Temporary PIN assigned to the user. |
| entrustigusernumber | Single-valued integer | IG.2.7 | Number assigned to the user by the Entrust IdentityGuard system. |
| entrustiguserinfomac | Single-valued octet string | IG.2.8 | Information about the user required by the Entrust IdentityGuard system. |
| entrustigchallenge | Single-valued octet string | IG.2.9 | Challenge currently assigned to the user. |
| entrustigcardspec | Single-valued octet string | IG.2.10 | Entrust IdentityGuard system card specification. |
| entrustigtemppinspec | Single-valued octet string | IG.2.11 | Entrust IdentityGuard system temporary PIN specification. |
| entrustigpasswordpolicy | Single-valued octet string | IG.2.12 | Entrust IdentityGuard system password policy. |
| entrustigadmindata | Single-valued octet string | IG.2.13 | Information about an Entrust IdentityGuard administrator. |
| entrustiglockoutcount | Single-valued integer | IG.2.14 | Current lockout count for the user. |
| entrustiglockoutexpirydate | Single-valued generalized time | IG.2.15 | Date at which the user's lockout expires. |
| entrustigglobalpolicy | Single-valued octet string | IG.2.16 | Global policy information. |
| entrustigpolicylist | Single-valued octet string | IG.2.17 | Definition of all system policies. |
| entrustiguserspec | Single-valued octet string | IG.2.18 | User specification policy objects. |
| entrustigrole | Single-valued integer | IG.2.19 | Role of the administrator. |
| entrustigroledata | Single-valued octet string | IG.2.20 | Definition of all roles. |
| entrustiggroup | Single-valued integer | IG.2.21 | Identifier of the group to which a user or administrator is assigned. |
| entrustiggroupdata | Single-valued octet string | IG.2.22 | Definition of all groups. |
| entrustiggrouplist | Single-valued integer | IG.2.23 | Identifier of the group list assigned to an administrator. |
| entrustiggrouplistdata | Single-valued octet string | IG.2.24 | Definition of all group lists. |
| entrustigaliases | Multivalued string | IG.2.25 | Aliases identified with the user. |
| entrustigchallengecount | Single-valued integer | IG.2.26 | Number of challenges presented to the user during authentication. |
| entrustigleastusedcellusagecount | Single-valued integer | IG.2.27 | Count of how often each card cell is used. |
| entrustigcardusagethresholdindicator | Multivalued IA5 string | IG.2.28 | Number of times the user can use the card before Entrust IdentityGuard recommends a replacement. |
| entrustigauthsecrets | Single-valued octet string | IG.2.29 | Authentication secrets. |
| entrustigtokenserialnumber | Multivalued IA5 string | IG.2.30 | Token serial numbers. |
| entrustigtokens | Single-valued octet string | IG.2.31 | Encrypted token data with MAC checksum applied. |
| entrustigtokenstate | Multivalued IA5 string | IG.2.32 | Token state. |
| entrustigtokenloaddate | Multivalued generalized time | IG.2.33 | Token load date. |
| entrustigtokenlastuseddate | Multivalued generalized time | IG.2.34 | Token last-used date. |

When run, the LDIF files create the following objects and attributes. If you do not use an LDIF file, you must create and configure them manually.

By default, Entrust IdentityGuard adds these three object classes to directory entries as needed. To change the way Entrust IdentityGuard adds object classes, refer to the topic Configuring LDAP properties in the Entrust IdentityGuard Installation Guide.

Table 3: LDAP object classes and attributes

| Name | Attribute | OID | Description |
|---|---|---|---|
| entrustiguser | entrustigchallenge, entrustigcontents, entrustigcreatedate, entrustigexpirydate, entrustiggroup, entrustigserialnumber, entrustigstate, entrustigtemporarypin, entrustiguserinfomac, entrustigusernumber, entrustiglockoutcount, entrustiglockoutexpirydate, entrustigaliases, entrustigchallengecount, entrustigleastusedcellusagecount, entrustigcardusagethresholdindicator, entrustigauthsecrets, entrustigtokenserialnumber, entrustigtokens, entrustigtokenstate, entrustigtokenloaddate, entrustigtokenlastuseddate | IG.1.1 | Object class added to an end user's LDAP directory entry to allow addition of the common Entrust IdentityGuard attributes. Entrust IdentityGuard adds these to all user entries in the LDAP directory. |
| entrustigpolicy | entrustigcardspec, entrustigglobalpolicy, entrustiggroupdata, entrustiggrouplistdata, entrustigpasswordpolicy, entrustigpolicylist, entrustigroledata, entrustigtemppinspec, entrustiguserspec | IG.1.2 | Object class that allows the addition of the Entrust IdentityGuard policy to an LDAP directory entry. There is only one such entry. |
| entrustigadmin | entrustigadmindata, entrustiggroup, entrustiggrouplist, entrustigrole | IG.1.3 | Object class that identifies an Entrust IdentityGuard administrator within the system. |

The following attributes have special requirements for determining their ordering and matching. When run, the LDIF files set the correct ordering. If you do not use an LDIF file, you must create and configure them manually. This does not apply to Active Directory and ADAM.

Table 4: LDAP matching and ordering

| Attribute | Matching and ordering rules |
|---|---|
| entrustigserialnumber | Configure for case-ignored IA5 string and substring matching. |
| entrustigcontents | Configure for octet string matching. |
| entrustigstate | Configure for octet string matching for most directories. For IBM Tivoli Directory only, configure for case-ignored IA5 string and substring matching. |
| entrustigcreatedate | Configure for generalized time matching and ordering. |
| entrustigexpirydate | Configure for generalized time matching and ordering. |
| entrustigtemporarypin | Configure for octet string matching. |
| entrustigusernumber | Configure for integer matching and ordering. Not supported for indexing on IBM Tivoli Directory. |
| entrustiguserinfomac | Configure for octet string matching. |
| entrustigchallenge | Configure for octet string matching. |
| entrustigcardspec | Configure for octet string matching. |
| entrustigtemppinspec | Configure for octet string matching. |
| entrustigpasswordpolicy | Configure for octet string matching. |
| entrustigadmindata | Configure for octet string matching. |
| entrustiglockoutcount | Configure for integer matching. |
| entrustiglockoutexpirydate | Configure for generalized time matching and ordering. |
| entrustigglobalpolicy | Configure for octet string matching. |
| entrustigpolicylist | Configure for octet string matching. |
| entrustiguserspec | Configure for octet string matching. |
| entrustigrole | Configure for integer matching. |
| entrustigroledata | Configure for octet string matching. |
| entrustiggroup | Configure for integer matching. |
| entrustiggroupdata | Configure for octet string matching. |
| entrustiggrouplist | Configure for integer matching. |
| entrustiggrouplistdata | Configure for octet string matching. |
| entrustigaliases | Configure for case-ignored string and substring matching. |
| entrustigchallengecount | Configure for integer matching and integer ordering. |
| entrustigleastusedcellusagecount | Configure for integer matching and integer ordering. |
| entrustigcardusagethresholdindicator | Configure for case-ignored IA5 string and substring matching. |
| entrustigauthsecrets | Configure for octet string matching. |
| entrustigtokenserialnumber | Configure for case-ignored IA5 string and substring matching. |
| entrustigtokens | Not used in ordering and matching. |
| entrustigtokenstate | Configure for case-ignored IA5 string and substring matching. |
| entrustigtokenloaddate | Configure for generalized time matching and ordering. |
| entrustigtokenlastuseddate | Configure for generalized time matching and ordering. |

Gathering your configuration data

This section describes how to prepare for installation of Entrust IdentityGuard once you have completed the configuration steps documented in the following chapters. The Entrust IdentityGuard Server installer will ask configuration questions or present options that have a direct relationship to the configuration settings you make. As you go through the configuration steps, gather the data needed to answer those installation questions as listed in the following table.

Table 5: Entrust IdentityGuard configuration data

| Configuration data | Description |
|---|---|
| Will you be using SSL to connect to the LDAP server? | If you answer yes to this question, you will need to provide information on the SSL certificate (file name, owner, issuer, serial number, valid-from date, and certificate fingerprints). For more information on securing LDAP connections with SSL, refer to the Entrust IdentityGuard Installation Guide. |
| LDAP host | Provide the name of the computer where your LDAP repository resides. |
| LDAP port number | Provide the port used by your LDAP repository. The default port is 389 for a non-SSL connection and 636 for an SSL connection. |
| LDAP base DN | Provide the DN under which the Entrust IdentityGuard policy entry is found. |
| LDAP user DN | Provide the DN or ID of the user that Entrust IdentityGuard will use to connect to the LDAP repository. The DN must have administrator privileges. For most LDAP repositories, enter the DN in the format: cn=directory Manager. For Active Directory, enter the user DN in the format: AdminUser@domain.com. |
| LDAP password | Provide the password of the user that Entrust IdentityGuard will use to connect to the LDAP repository. |
| LDAP policy RDN | Specify the user entry in the LDAP repository used to store Entrust IdentityGuard policy information. See the section entitled Creating a user to store policies in the chapter specific to your directory for more details. |
| Generalized Time format | Does your LDAP repository support subseconds as part of generalized time data? Once you install Entrust IdentityGuard, ensure that you correctly set the identityguard.ldap.generalizedtimewithsubsecs property in the identityguard.properties file. For a Novell eDirectory repository, set this to false. Set it to true for other repositories. |
| LDAP user name attribute | Each user entry in the directory must have an existing attribute that Entrust IdentityGuard can use as a unique user name. Specify the LDAP attribute that identifies Entrust IdentityGuard users. For the primary search base, or in the case of a single search base, the attribute is usually samaccountname for Active Directory, and CN (common name) or uid for ADAM and all other supported repositories. For additional search bases, use a different attribute that provides a unique ID. Also see Configuring additional search bases in the Entrust IdentityGuard Installation Guide. |

The Entrust IdentityGuard Server installer will also ask for the type of repository to use. Select Active Directory for an Active Directory or ADAM repository. Select LDAP for all other supported repositories.

Documentation conventions

The following typographic conventions appear in this guide:

Table 6: Typographic conventions

| Convention | Purpose | Example |
|---|---|---|
| Bold text (other than headings) | Indicates graphical user interface elements and wizards. | Click Next. |
| Italicized text | Used for book or document titles. | Entrust TruePass 7.0 Deployment Guide |
| Blue text | Used for hyperlinks to other sections in the document. | Entrust TruePass supports the use of many types of digital ID. |
| Underlined blue text | Used for Web links. | For more information, visit our Web site at |
| Courier type | Indicates installation paths, file names, Windows registry keys, commands, and text you must enter. | Use the entrust-configuration.xml file to change certain options for Verification Server. |
| Angle brackets < > | Indicates variables (text you must replace with your organization's correct values). | By default, the entrust.ini file is located in <install_path>/conf/security/entrust.ini. |
| Square brackets [courier type] | Indicates optional parameters. | dsa passwd [-ldap] |

Note and Attention text

Throughout this guide, there are paragraphs set off by ruled lines above and below the text. These paragraphs provide key information with two levels of importance, as shown below.

Note: Information to help you maximize the benefits of your Entrust product.

Attention: Issues that, if ignored, may seriously affect performance, security, or the operation of your Entrust product.

Related documentation

Entrust IdentityGuard is supported by a complete documentation suite:
  For instructions on installing and configuring Entrust IdentityGuard Server, see the Entrust IdentityGuard Installation Guide.
  For instructions on administering Entrust IdentityGuard users and groups, see the Entrust IdentityGuard Administration Guide.
  For information on deploying Entrust IdentityGuard, refer to the Entrust IdentityGuard Deployment Guide.
  For information on configuring Entrust IdentityGuard to work with a supported LDAP repository (Active Directory, Active Directory Application Mode, Critical Path InJoin Directory, IBM Tivoli Directory, Novell eDirectory, or Sun ONE Directory), see the Entrust IdentityGuard Directory Configuration Guide.
  For information on configuring Entrust IdentityGuard to work with a supported database (IBM DB2 Universal Database, Microsoft SQL Server, or Oracle Database), see the Entrust IdentityGuard Database Configuration Guide.
  For information on Entrust IdentityGuard error messages, see the Entrust IdentityGuard Error Messages.
  For information on new features, limitations and known issues in the latest release, see the Entrust IdentityGuard Release Notes.
  For information on integrating the authentication and administration processes of your applications with Entrust IdentityGuard, see the Entrust IdentityGuard Programming Guide that applies to your development platform (either Java Platform or C#).
  For Entrust IdentityGuard product information and a data sheet, go to
  For information on identity theft protection seminars, go to

Obtaining documentation

Entrust product documentation, white papers, technical notes, and a comprehensive Knowledge Base are available through Entrust TrustedCare Online. If you are registered for our support programs, you can use our Web-based Entrust TrustedCare Online support services at:

Documentation feedback

You can rate and provide feedback about Entrust product documentation by completing the online feedback form. You can access this form by:
  clicking the link located in the footer of Entrust's PDF documents (see bottom of this page).
  following this link:

Feedback concerning documentation can also be directed to the Customer Support address: support@entrust.com

Obtaining technical assistance

Entrust recognizes the importance of providing quick and easy access to our support resources. The following subsections provide details about the technical support and professional services available to you.

Technical support

Entrust offers a variety of technical support programs to help you keep Entrust products up and running. To learn more about the full range of Entrust technical support services, visit our Web site at:

If you are registered for our support programs, you can use our Web-based support services. Entrust TrustedCare Online offers technical resources including Entrust product documentation, white papers and technical notes, and a comprehensive Knowledge Base at:

If you contact Entrust Customer Support, please provide as much of the following information as possible:
  your contact information
  product name, version, and operating system information
  your deployment scenario
  description of the problem
  copy of log files containing error messages
  description of conditions under which the error occurred
  description of troubleshooting activities you have already performed

Telephone numbers

For support assistance by telephone call one of the numbers below:
  in North America
  outside North America

address

The address for Customer Support is: support@entrust.com

Professional Services

The Entrust team assists e-businesses around the world to deploy and maintain secure transactions and communications with their partners, customers, suppliers and employees. We offer a full range of professional services to deploy our e-business solutions successfully for wired and wireless networks, including planning and design, installation, system integration, deployment support, and custom software development.

Whether you choose to operate your Entrust solution in-house or subscribe to hosted services, Entrust Professional Services will design and implement the right solution for your e-business needs. For more information about Entrust Professional Services please visit our Web site at:

Chapter 1 Configuring Active Directory and Active Directory Application Mode

This chapter provides instructions on how to configure Entrust IdentityGuard 8.1 to operate with Microsoft Active Directory and Active Directory Application Mode (ADAM). The Active Directory administrator must be involved in planning and carrying out specific tasks.

Preparing Active Directory

This chapter includes the following sections:
  Choosing your configuration method
  Setting users and privileges
  Configuring Active Directory with LDIF files
  Configuring Active Directory manually
  Configuring the index attributes
  Creating a custom administrator
  Creating a user to store policies

Choosing your configuration method

Before you install Entrust IdentityGuard, you must prepare your Active Directory or ADAM repository for use with Entrust IdentityGuard. Choose one of the following configuration methods:
  Use the LDIF files supplied with Entrust IdentityGuard to prepare the LDAP directory automatically. See Configuring Active Directory with LDIF files.
  Alternatively, you can prepare the LDAP directory manually. See Configuring Active Directory manually.

Whatever configuration method you choose, some manual preparation is required for an upgrade. See Configuring the index attributes. For a new installation, also see Creating a user to store policies.

Attention: Back up your repository before you load or update the Entrust IdentityGuard schema.

Note: Complete the procedures in this guide before you install Entrust IdentityGuard.

Setting users and privileges

Ensure your users exist under a single base DN in the directory tree, unless you plan to take advantage of the multiple search bases feature. Entrust IdentityGuard will ask you for a base DN during installation. Entrust IdentityGuard requires directory credentials (a DN and password) to connect to the directory. In the case of multiple search bases, enter the DN of the default search base.

Configuring Active Directory or ADAM for use with Entrust IdentityGuard requires careful attention to the selection of the administrator user that Entrust IdentityGuard needs to connect to the repository. If you do not want to grant Entrust IdentityGuard the privileges associated with a standard administrator user, you can create one with lesser privileges. See Create a custom administrator later in this document. Also see Gathering your configuration data for details about entering administrator information during configuration.

Each user entry in the directory must have an existing attribute that Entrust IdentityGuard can use as a unique user identifier. (During installation, Entrust IdentityGuard will ask you for this attribute name.) For the primary search base, or in the case of a single search base, the attribute is typically samaccountname. For additional search bases, use a different attribute.

Configuring Active Directory with LDIF files

Entrust IdentityGuard uses several directory attributes to store information specific to Entrust IdentityGuard, so you need to modify your LDAP directory schema to define these attributes. The recommended method is to use one of the LDIF files included with the Entrust IdentityGuard installation package. The LDIF files set up the required attributes and auxiliary object classes automatically.

To access LDIF files

1 Extract the applicable archive file for your operating system. Refer to the Entrust IdentityGuard Installation Guide for details.
  LDIF files for Active Directory and Active Directory Application Mode (ADAM) are available in the /IG_81/ldif directory included with the Entrust IdentityGuard installation package. You can access them without having to install Entrust IdentityGuard.
    If you are installing a new version of Entrust IdentityGuard, use the file activedirectory_v81_schema.ldif.
    If you are upgrading from version 8.0 of Entrust IdentityGuard, use the file activedirectory_v80_to_v81_upgrade.ldif.
    If you are upgrading from version 7.2 of Entrust IdentityGuard, use the file activedirectory_v7x_to_v81_upgrade.ldif.
2 Copy the applicable LDIF file to a folder named LDIF under the root folder on Windows, such as C:\LDIF.

28 Note: In Windows 2000, before you can modify the schema, you must set the following REG_DWORD key to a non-zero value: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Pa rameters\schema Update Allowed Create that registry key if it doesn t exist. In Windows 2003, don t set the key unless you encounter a problem with the schema. Refer to for further information. Loading the LDIF files To load the directory schema changes, log in with the correct privileges and run the Microsoft ldifde utility on the Active Directory server as described below. The procedures for Active Directory and ADAM are almost identical. To load the LDIF files 1 Log in to the Active Directory server as a member of the Schema Administrators group. (Typically the Enterprise Administrator is a member of this group.) 2 Locate and note the DN of the schema entry in your Active Directory. It will be something like this: CN=Schema,CN=Configuration,DC=<YourDomainName>,dc=com, where YourDomainName is the system reference to the schema. In the case of ADAM, the schema entry will be GUID number like this: 20154B22-09DE-41BC-8DEE-E12DFD7A66F3 For instructions on locating the correct DN, see Finding your DN on page For an ADAM installation, find and note the port number assigned to ADAM. It might not be the default Active Directory port 389. If ADAM is running on a domain controller, port 389 is probably assigned to Active Directory, not ADAM. 4 Open a command prompt. 5 Navigate to the correct installation folder. For an ADAM installation, change to the ADAM folder, as in: cd c:\windows\adam For an Active Directory installation, change to the system folder, as in: cd c:\windows\system32 6 Import the applicable LDIF file like this: ldifde -i -s <server> -c "DC=X" "DC=<YourDomainName>,dc=com" -f C:\LDIF\<ldif-file> -t 389 Where: 28 Entrust IdentityGuard 8.1 Directory Configuration Guide Document issue: 1.0

   -i turns on import mode (the default is export).

   -s <server> names the domain controller used by the import operation. By default, ldifde uses the domain controller on which it is installed, so this option may not be needed.

   -c specifies the location of the directory schema. Change YourDomainName to the DN information you noted in Step 2. At run time, the DC=X value is replaced by the resolved value entered for YourDomainName.

   -f specifies the location and name of the new or upgrade LDIF file.

   -t specifies the LDAP port number. For an Active Directory installation, run the ldifde command without the -t option. For an ADAM installation, use the -t option to specify a port if ADAM is not running on port 389. The default port is 389 for a non-SSL connection and 636 for an SSL connection.

If you get the error message "0x202b A referral was returned from the server," it indicates that the value you set for YourDomainName on the -c option is not correct.

Finding your DN

The following section shows two ways to find the DN of the schema entry in your Active Directory. The first example uses the ldp.exe utility available on Windows 2000 and The second example uses the same utility you execute to install the LDIF files.

To find a DN using ldp.exe

1. Run the ldp.exe file.

2. Select Connection > Connect.

3. Enter the name of your Active Directory server.

4. Verify that the port setting is correct.

5. Click OK.

6. Look for the line beginning with CN=Schema in the list of information the utility generates. This line gives the complete DN of your Active Directory.

For more information on this utility, see the article Using Ldp.exe to Find Data in the Active Directory available at:

To find a DN using ldifde

1. Enter the following command:

    ldifde -d "" -s localhost -p base -l schemanamingcontext -f output.txt

   Where:

   -d is the search base to search. The empty string "" indicates the root entry.

   -s names the location where ldifde will search.

   -p base specifies the scope of the search.

   -l lists the attributes to return. In this case, just schemanamingcontext.

2. Open the output.txt file. It contains the value for schemanamingcontext, which is the DN you need.

For more information on this utility, see:

Once you successfully load the LDIF file for a new installation, follow the instructions under Creating a user to store policies on page 32.

Configuring Active Directory manually

The procedure below applies if you did not import an Entrust IdentityGuard LDIF file, as described above in Configuring Active Directory with LDIF files on page 27.

Entrust IdentityGuard uses several directory attributes to store information. Modify your LDAP directory schema to define these attributes following the steps in this section.

To configure the LDAP directory manually

1. Use your schema configuration tool to add attributes with the names and types listed in Table 2 on page 11.

   Note: There are five new attributes related to tokens (numbers IG.2.30 to 34 in Table 2 on page 11). For an upgrade to 8.1, add these attributes.

2. Modify your LDAP schema so that the Entrust IdentityGuard attributes can be added to existing user entries. Typically, this is done by adding them as optional attributes of an existing object class.

   Since Active Directory does not allow the object class of user entries to be changed, you must update the Active Directory schema by adding the Entrust IdentityGuard specific object classes as auxiliary classes. When added as auxiliary classes, they are associated with the User class. This allows Entrust IdentityGuard to add the attributes in the Entrust IdentityGuard object classes to the users.

   Manually add the object classes and their attributes listed in Table 3 on page 14. Specify all attributes as optional (that is, use the MAY CONTAIN option).

   Note: There are five new attributes related to tokens (numbers IG.2.30 to 34 in Table 2 on page 11). For an upgrade to 8.1, add these to the entrustiguser object as optional items.

3. Create an LDAP user DN that has read, write, and modify access to your directory entries using simple LDAP authentication. Entrust IdentityGuard uses this account to modify user information. (See Creating a custom administrator on page 31.)

With an Active Directory domain, these changes will take effect when Active Directory updates its memory cache (within approximately five minutes). Optionally, you can use the Schema Management plug-in to force a reload of the cache or you can restart the server. The schema changes will replicate to other domains in the forest after a time that depends on your Active Directory configuration.

Configuring the index attributes

Indexes can improve search performance in a large repository. For a new installation or upgrade of Entrust IdentityGuard, configure the attributes entrustiggroup and entrustigaliases for indexing by setting their searchflags attribute to 1. For example, the entrustigaliases attribute configuration would look something like this:

    dn: CN=entrustIGAliases,CN=Schema,CN=Configuration,DC=X
    changetype: add
    objectclass: top
    objectclass: attributeschema
    ldapdisplayname: entrustigaliases
    issinglevalued: FALSE
    omsyntax: 64
    attributeid:
    attributesyntax:
    searchflags: 1

Creating a custom administrator

The administrator user that Entrust IdentityGuard uses to connect to the repository must have sufficient privileges to make changes to the user and policy objects. Applicable administrator user types are:

- account operators
- administrators
- domain administrators
- enterprise administrators

If you do not want to grant Entrust IdentityGuard the privileges associated with standard administrator user types, follow the steps below. (This procedure requires the dsacls utility. It is part of the Windows support tools installed from the Windows installation CD.)

To create a custom user

1. Log in as domain administrator.

2. Create a user object in the directory.

   a. In the Active Directory Users and Computers administration console, create an ordinary user (for example, igdiradmin). No special group membership is required.

   b. Set the cn and samaccountname attributes to the new user (that is, igdiradmin).

   c. Assign a password to this user.

   d. Close the console.

3. Run the dsacls command:

   a. Open a command prompt.

   b. Navigate to the Windows support tools folder.

   c. Enter the dsacls command using the following syntax:

    dsacls <search base> /I:T /G <UPN>:GA

   Where:

   search base is your primary search base where Entrust IdentityGuard data is stored. The entry should follow this format: ou=igexample,dc=ig4,dc=people,dc=entrust,dc=com.

   /I:T indicates that all existing and future subobjects will inherit this permission.

   UPN is the new user principal name that Entrust IdentityGuard will use to connect to the repository. The entry should follow this format: igdiradmin@ig4.people.entrust.com.

   GA sets the generic-all privilege.

4. Repeat the dsacls command for each search base (ou) or branch that is not inside the primary search base.

Creating a user to store policies

Once you complete the automatic or manual configuration for a new installation, you must create a directory user, which Entrust IdentityGuard will use to store policies. Create this entry under the same base DN as the default search base used by Entrust IdentityGuard. Give the user a recognizable name, such as IG Policy.

Create the user with the same kind of object class you used for existing users in the directory. A typical Active Directory object class in this case is organizationalperson, though any entry derived from the Person object class will do.

Note: Later, during Entrust IdentityGuard installation, you will be asked to supply the LDAP policy RDN. This is the name of the user you just created, relative to the base DN. For example, if all the users exist under the base DN dc=remote,dc=companyone,dc=com and the DN of the policy user is cn=ig Policy,dc=Remote,dc=CompanyOne,dc=com, then provide cn=ig Policy as the LDAP policy RDN during installation.

Your LDAP directory is now configured to work with Entrust IdentityGuard.
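Added example (not from the Entrust guide or its LDIF files): a Python review of a schema LDIF before it is imported with Schema Administrator rights, as in "Loading the LDIF files", which reports records outside the schema container and checks the index bit described in "Configuring the index attributes". The sample LDIF, its placeholder OIDs, the function names and the assumption that the file may end with a rootDSE schemaUpdateNow record are constructed for illustration.

```python
import base64

SCHEMA_PREFIX = "cn=schema,cn=configuration,"      # parent of every AD schema object
INDEXED = ("entrustiggroup", "entrustigaliases")   # attributes the guide says to index

# Constructed sample, not the vendor's LDIF. OIDs are placeholders.
SAMPLE_LDIF = """\
version: 1

dn: CN=entrustIGAliases,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: entrustIGAliases
oMSyntax: 64
attributeID: <oid-from-vendor-file>
attributeSyntax: <oid-from-vendor-file>
searchFlags: 1

dn: CN=entrustIGGroup,CN=Schema,
 CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: entrustIGGroup
searchFlags: 0

dn: CN=igdiradmin,CN=Users,DC=X
changetype: modify
replace: description
description: constructed unexpected change
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
"""


def parse_ldif(text):
    """Parse LDIF text into records: {'dn': str, 'attrs': {lowercased name: [values]}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]            # folded line: continuation of the previous one
        else:
            lines.append(raw)
    records, current = [], None
    for line in lines + [""]:               # the trailing "" flushes the last record
        if line.startswith("#") or line.strip() == "-":
            continue                        # comment, or separator inside a modify record
        if not line.strip():
            if current is not None:
                records.append(current)
            current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF line: %r" % line)
        if value.startswith(":"):           # 'name:: value' carries base64
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        name, value = name.strip().lower(), value.strip()
        if current is None:
            if name == "version":
                continue
            if name != "dn":
                raise ValueError("record does not start with dn: %r" % line)
            current = {"dn": value, "attrs": {}}
        else:
            current["attrs"].setdefault(name, []).append(value)
    return records


def review_schema_ldif(text, indexed=INDEXED):
    """Return sorted findings for a schema LDIF; an empty list means nothing was flagged."""
    findings, seen = [], set()
    for rec in parse_ldif(text):
        dn, attrs = rec["dn"], rec["attrs"]
        if dn == "":                        # rootDSE: only the schema reload trigger is expected
            extra = sorted(set(attrs) - {"changetype", "add", "replace", "schemaupdatenow"})
            if extra:
                findings.append("rootDSE record sets unexpected attributes: " + ", ".join(extra))
            continue
        rdn, _, parent = dn.partition(",")  # schema object names contain no escaped commas
        if not parent.lower().startswith(SCHEMA_PREFIX):
            findings.append("record outside the schema container: " + dn)
            continue
        name = (attrs.get("ldapdisplayname") or [rdn.partition("=")[2]])[0].lower()
        is_add = attrs.get("changetype", ["add"])[0].lower() == "add"
        if name in indexed and (is_add or "searchflags" in attrs):
            seen.add(name)
            flags = attrs.get("searchflags", ["unset"])[-1]
            if not flags.isdigit() or not int(flags) & 1:
                findings.append("%s: searchFlags=%s, index bit (1) not set" % (name, flags))
    findings += ["%s: no record in this file sets searchFlags" % n
                 for n in indexed if n not in seen]
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_schema_ldif(SAMPLE_LDIF):
        print(finding)
```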


Chapter 2 Configuring Critical Path Directory

This chapter provides instructions on how to configure Entrust IdentityGuard 8.1 to operate with Critical Path Directory. The Critical Path Directory administrator must be involved in planning and carrying out specific tasks.

Preparing the Critical Path Directory

This chapter includes the following sections:

- Choosing your configuration method on page 36
- Configuring the Critical Path Directory with LDIF files on page 36
- Configuring the Critical Path Directory manually on page 38
- Synchronizing the indexes after an upgrade on page 39
- Creating a user to store policies on page 40
- Configure the directory size limit on page 40

Choosing your configuration method

Before you install Entrust IdentityGuard, you must prepare your LDAP directory for use with Entrust IdentityGuard. Choose one of the following configuration methods:

- Use the LDIF files supplied with Entrust IdentityGuard to prepare the LDAP directory automatically. See Configuring the Critical Path Directory with LDIF files on page 36.
- Alternatively, you can prepare the LDAP directory manually. See Configuring the Critical Path Directory manually on page 38.

Whatever configuration method you choose, some manual preparation is required for an upgrade. See Synchronizing the indexes after an upgrade on page 39. For a new installation, also see Creating a user to store policies on page 40.

Attention: Back up your repository before you load or update the Entrust IdentityGuard schema.

Note: Complete the procedures in this guide before you install or upgrade Entrust IdentityGuard.

Configuring the Critical Path Directory with LDIF files

Entrust IdentityGuard uses several directory attributes to store information specific to Entrust IdentityGuard, so you need to modify your LDAP directory schema to define these attributes.

The recommended method is to use one of the LDIF files included with the Entrust IdentityGuard installation package. The LDIF files set up the required attributes automatically.

To access LDIF files

1. Extract the applicable archive file for your operating system. Refer to the Entrust IdentityGuard Installation Guide for details.

   LDIF files for Critical Path Directory are available under the /IG_81/ldif directory included with the Entrust IdentityGuard installation package. You can access them without having to install Entrust IdentityGuard.

   If you are installing a new version of Entrust IdentityGuard, use the file criticalpath_v81_schema.ldif.

   If you are upgrading from version 8.0 of Entrust IdentityGuard, use the file criticalpath_v80_to_v81_upgrade.ldif.

Loading the LDIF files

To load the directory schema changes, run ldapmodify on the Critical Path Directory server as described below. The ldapmodify command opens a connection to an LDAP server, and modifies or adds entries.

Note: Before you run ldapmodify, ensure that the Critical Path Directory is running. If not, use the odsstart command to start it.

To load the LDIF files

1. With the Critical Path Directory running, open a command window.

2. Navigate to the directory where the Critical Path ldapmodify tool is located. The location varies depending on the operating system. In Windows, look in the folder C:\Program Files\CriticalPath\CPDS\bin.

3. Import the applicable LDIF file like this:

    ldapmodify -h cp42.entrust.com -p 389 -D "cn=directory Manager" -w ldappass -f <ldif-file>

   Where:

   -h specifies the LDAP host name.

   -p specifies the LDAP port number. The default port is 389 for a non-SSL connection and 636 for an SSL connection.

   -D specifies a directory administrator who has authority to update the schema.

   -f specifies the name of the LDIF file. It can be a fully-qualified path name.

   -w specifies the password used for simple authentication.

   ldif-file is the name of the new or upgrade LDIF file.

Configuring the Critical Path Directory manually

All procedures in this section apply only if you did not import an Entrust IdentityGuard LDIF file, as described above in Configuring the Critical Path Directory with LDIF files on page 36.

Entrust IdentityGuard uses several directory attributes to store information. If you do not use an LDIF file to modify your directory, you must manually modify your LDAP directory schema to define these attributes following the steps in this section. View the applicable LDIF to see how to set the attributes.

If you are upgrading from an earlier version of Entrust IdentityGuard, review these steps and follow those that apply.

To configure the LDAP directory manually

1. Use your schema configuration tool to add attributes with the names and types listed in Table 2 on page 11.

   Note: There are five new attributes related to tokens (numbers IG.2.30 to 34 in Table 2 on page 11). For an upgrade to 8.1, add these attributes.

2. Configure those attributes for ordering and matching as shown in Table 4.

3. The following attributes must be optimized for indexing so that Entrust IdentityGuard can look them up in the directory. Make sure you configure them as listed below.

   Table 7: LDAP indexing

   Attribute               Indexing rules
   entrustigusernumber     Match on ordering, invert on value.
   entrustiguserinfomac    Invert on type.
   entrustigadmindata      Invert on type.
   entrustiggroup          Invert on value.
   entrustigaliases        Invert on value.

4. Manually add the object classes and their attributes listed in Table 3 on page 14. Specify all attributes as optional (that is, use the MAY CONTAIN option).

   Note: There are five new attributes related to tokens (numbers IG.2.30 to 34 in Table 2 on page 11). For an upgrade to 8.1, add these to the entrustiguser object as optional items.

5. Create an LDAP user DN that has read, write, and modify access to your directory entries using simple LDAP authentication. Entrust IdentityGuard uses this account to modify Entrust IdentityGuard user information.

Synchronizing the indexes after an upgrade

If you are upgrading from a previous version of Entrust IdentityGuard, complete the following procedure. This is required to synchronize and update the search indexes. It applies whether you prepare the LDAP directory manually or use an LDIF file.

1. From the Start menu, select Programs > Critical Path > CP Directory Server > CPDS Icon.

2. At the prompt, enter the icon manager name and password. The icon Session login screen appears.

3. Enter the directory administrator DN and password.

   Note: As noted in the icon documentation, many special characters are not allowed in passwords, including (but not limited to) quotes, number signs, forward and backward slashes, and common currency symbols.

4. On the left-hand menu, click schema.

5. On the upper menu bar, click attributes.

6. In the attribute search field, type entrustiggroup and click the Find attribute button.

7. In the attribute list returned, select the entrustiggroup entry.

8. Scroll down and ensure that the equality option in the inv column is selected.

9. Click the Change attribute button.

10. Repeat steps 5 through 9 for the entrustigaliases attribute.

11. On the upper menu bar, click attributes.

12. In the attribute search field, type entrustigchallengecount and click the Find attribute button.

13. In the attribute list returned, select the entrustigchallengecount entry.


More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

Copyright 2013 Trend Micro Incorporated. All rights reserved.

Copyright 2013 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Address Synchronization Tool Administrator Guide

Address Synchronization Tool Administrator Guide Address Synchronization Tool Administrator Guide This guide is for systems administrators configuring the Address Synchronization Tool to update the information used by MessageLabs in the provision of

More information

Enterprise Vault Installing and Configuring

Enterprise Vault Installing and Configuring Enterprise Vault Installing and Configuring Enterprise Vault 6.0 Legal Notice Copyright 2005 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, VERITAS, the VERITAS Logo, and Enterprise

More information

Configuration Guide. BES12 Cloud

Configuration Guide. BES12 Cloud Configuration Guide BES12 Cloud Published: 2016-04-08 SWD-20160408113328879 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need

More information

Technical Integration Guide for Entrust IdentityGuard 9.1 and Citrix Web Interface using RADIUS

Technical Integration Guide for Entrust IdentityGuard 9.1 and Citrix Web Interface using RADIUS Technical Integration Guide for Entrust IdentityGuard 9.1 and Citrix Web Interface using RADIUS Document issue: 2.0 August 2009 Entrust is a registered trademark of Entrust, Inc. in the United States and

More information

Authentication in XenMobile 8.6 with a Focus on Client Certificate Authentication

Authentication in XenMobile 8.6 with a Focus on Client Certificate Authentication Authentication in XenMobile 8.6 with a Focus on Client Certificate Authentication Authentication is about security and user experience and balancing the two goals. This document describes the authentication

More information

VERITAS Backup Exec TM 10.0 for Windows Servers

VERITAS Backup Exec TM 10.0 for Windows Servers VERITAS Backup Exec TM 10.0 for Windows Servers Quick Installation Guide N134418 July 2004 Disclaimer The information contained in this publication is subject to change without notice. VERITAS Software

More information

Portions of this product were created using LEADTOOLS 1991-2009 LEAD Technologies, Inc. ALL RIGHTS RESERVED.

Portions of this product were created using LEADTOOLS 1991-2009 LEAD Technologies, Inc. ALL RIGHTS RESERVED. Installation Guide Lenel OnGuard 2009 Installation Guide, product version 6.3. This guide is item number DOC-110, revision 1.038, May 2009 Copyright 1992-2009 Lenel Systems International, Inc. Information

More information

The following gives an overview of LDAP from a user's perspective.

The following gives an overview of LDAP from a user's perspective. LDAP stands for Lightweight Directory Access Protocol, which is a client-server protocol for accessing a directory service. LDAP is a directory service protocol that runs over TCP/IP. The nitty-gritty

More information

QUANTIFY INSTALLATION GUIDE

QUANTIFY INSTALLATION GUIDE QUANTIFY INSTALLATION GUIDE Thank you for putting your trust in Avontus! This guide reviews the process of installing Quantify software. For Quantify system requirement information, please refer to the

More information

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Installation Guide

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Installation Guide Digipass Plug-In for IAS IAS Plug-In IAS Microsoft's Internet Authentication Service Installation Guide Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations

More information

SonicWALL CDP 5.0 Microsoft Exchange InfoStore Backup and Restore

SonicWALL CDP 5.0 Microsoft Exchange InfoStore Backup and Restore SonicWALL CDP 5.0 Microsoft Exchange InfoStore Backup and Restore Document Scope This solutions document describes how to configure and use the Microsoft Exchange InfoStore Backup and Restore feature in

More information

vcenter Configuration Manager Backup and Disaster Recovery Guide VCM 5.3

vcenter Configuration Manager Backup and Disaster Recovery Guide VCM 5.3 vcenter Configuration Manager Backup and Disaster Recovery Guide VCM 5.3 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

RSA Authentication Manager 7.0 Administrator s Guide

RSA Authentication Manager 7.0 Administrator s Guide RSA Authentication Manager 7.0 Administrator s Guide Contact Information See the RSA corporate web site for regional Customer Support telephone and fax numbers. RSA Security Inc. www.rsa.com Trademarks

More information

Entrust Managed Services PKI Administrator Guide

Entrust Managed Services PKI Administrator Guide Entrust Managed Services PKI Entrust Managed Services PKI Administrator Guide Document issue: 3.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust is a trademark or a registered

More information

Prepared By Imanami Technical Communications Team

Prepared By Imanami Technical Communications Team Installation Guide Published By Imanami Corporation 2301 Armstrong St. Suite 211 Livermore, CA 94551, United States Copyright 2010 by Imanami Corporation. All rights reserved. No part of this document

More information

Sophos for Microsoft SharePoint startup guide

Sophos for Microsoft SharePoint startup guide Sophos for Microsoft SharePoint startup guide Product version: 2.0 Document date: March 2011 Contents 1 About this guide...3 2 About Sophos for Microsoft SharePoint...3 3 System requirements...3 4 Planning

More information

SafeGuard Enterprise Web Helpdesk. Product version: 6 Document date: February 2012

SafeGuard Enterprise Web Helpdesk. Product version: 6 Document date: February 2012 SafeGuard Enterprise Web Helpdesk Product version: 6 Document date: February 2012 Contents 1 SafeGuard web-based Challenge/Response...3 2 Installation...5 3 Authentication...8 4 Select the Web Helpdesk

More information

Step-by-Step Guide to Active Directory Bulk Import and Export

Step-by-Step Guide to Active Directory Bulk Import and Export Page 1 of 12 TechNet Home > Windows Server TechCenter > Identity and Directory Services > Active Directory > Step By Step Step-by-Step Guide to Active Directory Bulk Import and Export Published: September

More information

DocuShare Installation Guide

DocuShare Installation Guide DocuShare Installation Guide Publication date: February 2011 This document supports DocuShare Release 6.6.1 Prepared by: Xerox Corporation DocuShare Business Unit 3400 Hillview Avenue Palo Alto, California

More information

Synchronization Tool. Administrator Guide

Synchronization Tool. Administrator Guide Synchronization Tool Administrator Guide Synchronization Tool Administrator Guide Documentation version: 1.5 Legal Notice Legal Notice Copyright 2013 Symantec Corporation. All rights reserved. Symantec,

More information

Bitrix Site Manager ASP.NET. Installation Guide

Bitrix Site Manager ASP.NET. Installation Guide Bitrix Site Manager ASP.NET Installation Guide Contents Introduction... 4 Chapter 1. Checking for IIS Installation... 5 Chapter 2. Using An Archive File to Install Bitrix Site Manager ASP.NET... 7 Preliminary

More information

Novell Identity Manager

Novell Identity Manager Driver for Active Directory* Implementation Guide AUTHORIZED DOCUMENTATION Novell Identity Manager 3.6.1 July 01, 2010 www.novell.com Identity Manager 3.6.1 Driver for Active Directory Implementation Guide

More information

ECAT SWE Exchange Customer Administration Tool Web Interface User Guide Version 6.7

ECAT SWE Exchange Customer Administration Tool Web Interface User Guide Version 6.7 ECAT SWE Exchange Customer Administration Tool SWE - Exchange Customer Administration Tool (ECAT) Table of Contents About this Guide... 3 Audience and Purpose... 3 What is in this Guide?... 3 CA.mail Website...

More information

http://docs.trendmicro.com/en-us/smb/hosted-email-security.aspx

http://docs.trendmicro.com/en-us/smb/hosted-email-security.aspx Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

SafeGuard Enterprise Administrator help

SafeGuard Enterprise Administrator help SafeGuard Enterprise Administrator help Product version: 5.60 Document date: April 2011 Contents 1 The SafeGuard Management Center...4 2 Log on to the SafeGuard Management Center...5 3 Operating steps

More information

STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER

STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER Notes: STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER 1. These instructions focus on installation on Windows Terminal Server (WTS), but are applicable

More information

Embarcadero Performance Center 2.7 Installation Guide

Embarcadero Performance Center 2.7 Installation Guide Embarcadero Performance Center 2.7 Installation Guide Copyright 1994-2009 Embarcadero Technologies, Inc. Embarcadero Technologies, Inc. 100 California Street, 12th Floor San Francisco, CA 94111 U.S.A.

More information

Avatier Identity Management Suite

Avatier Identity Management Suite Avatier Identity Management Suite Migrating AIMS Configuration and Audit Log Data To Microsoft SQL Server Version 9 2603 Camino Ramon Suite 110 San Ramon, CA 94583 Phone: 800-609-8610 925-217-5170 FAX:

More information

DIGIPASS CertiID. Getting Started 3.1.0

DIGIPASS CertiID. Getting Started 3.1.0 DIGIPASS CertiID Getting Started 3.1.0 Disclaimer Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis, without any other warranties, or conditions, express

More information

SafeGuard Enterprise Web Helpdesk

SafeGuard Enterprise Web Helpdesk SafeGuard Enterprise Web Helpdesk Product version: 5.60 Document date: April 2011 Contents 1 SafeGuard web-based Challenge/Response...3 2 Installation...5 3 Authentication...8 4 Select the Web Help Desk

More information

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide This document is intended to help you get started using WebSpy Vantage Ultimate and the Web Module. For more detailed information, please see

More information

Configuring idrac6 for Directory Services

Configuring idrac6 for Directory Services Configuring idrac6 for Directory Services Instructions for Setting Up idrac6 with Active Directory, Novell, Fedora, OpenDS and OpenLDAP Directory Services. A Dell Technical White Paper Dell Product Group

More information

HP D2D NAS Integration with HP Data Protector 6.11

HP D2D NAS Integration with HP Data Protector 6.11 HP D2D NAS Integration with HP Data Protector 6.11 Abstract This guide provides step by step instructions on how to configure and optimize HP Data Protector 6.11 in order to back up to HP D2D Backup Systems

More information

User Source and Authentication Reference

User Source and Authentication Reference User Source and Authentication Reference ZENworks 11 www.novell.com/documentation Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation,

More information

PriveonLabs Research. Cisco Security Agent Protection Series:

PriveonLabs Research. Cisco Security Agent Protection Series: Cisco Security Agent Protection Series: Enabling LDAP for CSA Management Center SSO Authentication For CSA 5.2 Versions 5.2.0.245 and up Fred Parks Systems Consultant 3/25/2008 2008 Priveon, Inc. www.priveonlabs.com

More information

Administrator s Guide

Administrator s Guide Administrator s Guide Directory Synchronization Client Websense Cloud Products v1.2 1996 2015, Websense, Inc. All rights reserved. 10900 Stonelake Blvd, 3rd Floor, Austin, TX 78759, USA First published

More information

POLICY PATROL MFT. Manual

POLICY PATROL MFT. Manual POLICY PATROL MFT Manual MANUAL Policy Patrol MFT This manual, and the software described in this manual, are copyrighted. No part of this manual or the described software may be copied, reproduced, translated

More information

How To Backup A Database In Navision

How To Backup A Database In Navision Making Database Backups in Microsoft Business Solutions Navision MAKING DATABASE BACKUPS IN MICROSOFT BUSINESS SOLUTIONS NAVISION DISCLAIMER This material is for informational purposes only. Microsoft

More information

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer.

More information

Oracle Enterprise Manager. Description. Versions Supported

Oracle Enterprise Manager. Description. Versions Supported Oracle Enterprise Manager System Monitoring Plug-in Installation Guide for Microsoft SQL Server Release 10 (4.0.3.1.0) E14811-03 June 2009 This document provides a brief description about the Oracle System

More information

CA Performance Center

CA Performance Center CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

How To Authenticate On An Xtma On A Pc Or Mac Or Ipad (For A Mac) On A Network With A Password Protected (For An Ipad) On An Ipa Or Ipa (For Mac) With A Log

How To Authenticate On An Xtma On A Pc Or Mac Or Ipad (For A Mac) On A Network With A Password Protected (For An Ipad) On An Ipa Or Ipa (For Mac) With A Log WatchGuard Certified Training Fireware XTM Advanced Active Directory Authentication Courseware: Fireware XTM and WatchGuard System Manager v11.7 Revised: January 2013 Updated for: Fireware XTM v11.7 Disclaimer

More information

Reconfiguring VMware vsphere Update Manager

Reconfiguring VMware vsphere Update Manager Reconfiguring VMware vsphere Update Manager vsphere Update Manager 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a

More information

Interworks. Interworks Cloud Platform Installation Guide

Interworks. Interworks Cloud Platform Installation Guide Interworks Interworks Cloud Platform Installation Guide Published: March, 2014 This document contains information proprietary to Interworks and its receipt or possession does not convey any rights to reproduce,

More information

Table of Contents. CHAPTER 1 About This Guide... 9. CHAPTER 2 Introduction... 11. CHAPTER 3 Database Backup and Restoration... 15

Table of Contents. CHAPTER 1 About This Guide... 9. CHAPTER 2 Introduction... 11. CHAPTER 3 Database Backup and Restoration... 15 Table of Contents CHAPTER 1 About This Guide......................... 9 The Installation Guides....................................... 10 CHAPTER 2 Introduction............................ 11 Required

More information

Certificates for computers, Web servers, and Web browser users

Certificates for computers, Web servers, and Web browser users Entrust Managed Services PKI Certificates for computers, Web servers, and Web browser users Document issue: 3.0 Date of issue: June 2009 Copyright 2009 Entrust. All rights reserved. Entrust is a trademark

More information