FirstClass Directory Services 10 (Build 11)

Transcription

1 FirstClass Directory Services 10 (Build 11) Description FCDS only runs on Windows machines. The FirstClass server can be running on any operating system. If your organization uses an LDAP server to maintain users, you can take advantage of FirstClass Directory Services (FCDS) to share Directory maintenance with FirstClass. FCDS is an optional component of FirstClass that allows you to: administer the FirstClass Directory from an external LDAP V.3 server (LDAP server).tks use an LDAP V.3-enabled client (LDAP client) to see a structured, hierarchical (tree) view of the FirstClass Directory. use an LDAP server to authenticate users when they try to log into FirstClass. Note We assume that you are familiar with LDAP concepts such as hierarchies and naming conventions. If you aren't, you can find comprehensive information about LDAP on the Internet, or you can contact your organization's LDAP server administrator for help. You will need to work closely with this administrator anyway, to ensure that the FirstClass environment is set up to work properly with the LDAP server. FCDS sits between the FirstClass server and the LDAP server. It can be installed on the same machine as the FirstClass server or a separate machine. FCDS can replicate information between the two servers, as in this diagram: Both replication and authentication are controlled by the mode in which you run FCDS. You can run in standalone, slave, or master-slave mode. If the machine on which FCDS is running stops, FCDS will simply pick up where it left off, after you restart the machine. Note If this happens, we recommend that you do a full directory synchronization. Some external LDAP servers only replicate changes as they happen, so any updates to the FirstClass Directory attempted during the outage will be lost. Restrictions on duplicate names We don't recommend duplicate public mail list names. FCDS treats public mail lists differently from users, because public mail lists aren't located in the Directory, but rather in the Mail Lists folder. Duplicate public mail list names will only work in certain circumstances in FCDS' standalone mode. There are no restrictions for duplicate user names. If these names appear in different OUs, they will appear in different parts of the LDAP tree view, making them more distinguishable than in the traditional FirstClass Directory view. Because FCDS maintains the tree view by user ID as well as by name, there can also be duplicate user names in the same OU. In addition, there can be duplicate OUs in the LDAP tree view. For example, Husky Planes can have an Administration OU in both its Toronto and New York branches.

2 Who can run FCDS FCDS can be configured and run by the FirstClass administrator or, for example when clustering, by a subadministrator. Requirements for the subadministrator account are: the Desktop must contain aliases of the Groups, Mail Lists, and Gateways folders. the password is the same as the FirstClass scripting password. New in FCDS Version 10.0 Removed dependency on FPP. Operation modes are: LDAP - works like the old master-slave mode User replication - creates users without a tree structure Authentication only - unchanged. Any groups assigned to users in FirstClass will be preserved after replication. You can replicate users in mail lists as members of groups. DS Basic Functionality DS will provide FirstClass with the ability to organize and view the Directory in a hierarchical manner and access it with LDAP enabled clients and/or servers. Depending on the selected mode, DS will provide for the administration and maintenance of the FirstClass Directory through an external LDAP server. It will also provide the FirstClass server with the ability to authenticate FirstClass users against an external LDAP server. Currently supported external LDAP servers are: Sun Microsystems iplanet DS Microsoft Active Directory OpenLDAP DS currently supports FirstClass regular users, remote users, remote names, global mail lists and organizational unit groups. For more information on LDAP refer to " An LDAP Roadmap & FAQ -- Directory Services Information ". Authentication and the FCDS mode About LDAP mode If you want to do Directory administration from both FirstClass and an external LDAP server, set FCDS to run in LDAP mode. Note This mode is useful if you have an existing FirstClass installation, and want to gradually move Directory administration to an external LDAP server.

3 In LDAP mode, FCDS: builds an initial in-memory tree view based on the information stored in the FirstClass Directory FirstClass is considered the owner of these entries. This means administration of these entries must be done using FirstClass. replicates the directory from the LDAP server to the FirstClass Directory. The LDAP server is considered the owner of entries added as a result of this replication. If FCDS finds a blank password, it substitutes a temporary password that duplicates the client ID. About user replication mode If you want to do Directory administration from both FirstClass and an external LDAP server, but just want all users added in one flat space under the Directory root DN instead of in an LDAP tree, set FCDS to run in user replication mode. In user replication mode, FCDS replicates the directory from the LDAP server to the FirstClass Directory. The LDAP server is considered the owner of entries added as a result of this replication. If FCDS finds a blank password, it substitutes a temporary password that duplicates the client ID. User replication mode also allows you to use the LDAP server to authenticate logins. Authentication Only Mode If you only want FCDS to process authentication requests, set FCDS to run in authentication only mode. In authentication only mode, FCDS doesn't build the in-memory tree view that is built in LDAP mode. There is also no replication in authentication only mode. Active Directory considerations Microsoft Active Directory (Active Directory) must do all password maintenance, encryption, storage, and authentication for users administered on it, because Active Directory doesn't replicate passwords to the FirstClass Directory. Note Subadministrator accounts can't be authenticated by Active Directory. Authenticating using user ID and password only You can enable authentication by Active Directory where only user ID and password are required. The FCDS component which supports this isn't LDAP based, and therefore: the FirstClass Directory need not be replicated/synchronized with Active Directory Note If you don't perform a full directory synchronization, FCDS won't know whether a user is local to the FirstClass server or is owned by Active Directory. If remote authentication fails in this case, the FirstClass server will look for local credentials. the root DNs on the FirstClass server and Active Directory needn't be the same. The one requirement is that the user IDs and passwords on the FirstClass server match credentials on Active Directory. To enable this type of remote authentication, choose Microsoft Active Directory Login at "Authentication mechanism" on the Authentication tab of the Directory Setup form. Top

4 Please make sure that you have read and understood the warnings regarding use of this software, and have read all the information in this release note prior to download and installation of this software. Warning: FirstClass Directory Services V 10 and DS Install & Clustering scripts should only be used with FirstClass Server version 10. Some features may not work properly if used with earlier versions of FirstClass Server. - Requires FirstClass client 10. ( Remember to utilize the new forms, the c lient's cache has to be flushed.). - Please refer to online doc section for all the changes applicable to this version. Requirements FCDS sits between the FirstClass server and the LDAP server. It can be installed on the same machine as the FirstClass server but is recommended that be installed on a separate machine. FCDS can work with these LDAP V.3 servers: Sun Microsystems iplanet Directory Server. Microsoft Active Directory. OpenLDAP (SLAPD) Directory Serve. LDAP V.3-enabled clients. The following FirstClass Directory content: regular users remote users remote names public mail lists organizational units LDAP Data Interchange Format (LDIF) files. Installation 1) Download the attached installer file to a temporary folder on your PC. 2) Backup all necessary files/settings. 3) Run the installer file(s), and follow the prompts. Execute the batch admin files under FCNS/Server/Batch folder. 4) Apply the FC Update Service scripts in order to create the Directory Services & Clustering objects IF NONE already exist. Full instruction details available at the bottom of this message under `Creating Directory Services & Clustering`. 5) Refer to the installed documentation for further configuration instructions. Additional Information Refer to Additional configuration for Sun Microsystems iplanet Directory Server and OpenLDAP (SLAPD) Directory Server. The LDAP tree view When you connect to FCDS with an LDAP client, you'll see a tree like this:

5 FCDS automatically creates these branches: Contacts Lists all members of your personal address book. Subscription_Lists Lists all member lists. Members' DNs are listed for each. Account_Lists Lists all posixgroups. These are replicated as member lists. Members' user IDs are listed for each. Who sees what If you log in as administrator a regular user anonymous You'll see everything the whole tree, but not the content of Account_Lists the whole tree, but not list contents or user details The following objects are replicated: Supported objects FCDS can work with LDAP V.3 servers LDAP V.3-enabled clients FirstClass Directory content Servers/content supported Sun Microsystems iplanet Directory Server Microsoft Active Directory (Active Directory) OpenLDAP (SLAPD) Directory Server Mac OS X Open Directory regular users remote users

6 remote names public mail lists organizational units (OUs) LDAP Data Interchange Format (LDIF) files The following objects are replicated: LDAP object class organizationalperson person organizationalunit groupofnames groupofuniquenames FirstClass Directory entry type regular/remote user remote name OU public mail list public mail list The following information is replicated: LDAP attribute surname commonname givenname initials telephonenumber facsimiletelephonenumber postaladdress userpassword organizationalunitname mail userid member uniqueidentifier uniquemember associateddomain FirstClass Directory entry information last name first initials last first name initials telephone fax address password group (org. unit) name alias user ID mail list entry client ID mail list entry group (org. unit) domain name Major features and fixes in this release: Added posixgroup (account lists) objectclass which are replicated always as member lists. User replication mode broken in clustered DS when clustered OU is directly under a domain. FIXED User replication mode did not work in clustered and filtered configurations. FIXED Disable replication if FCDS looses connection to FCS. Make OU level 600 groups backward compatible with DS 9.1. Enable memory dump on crash.

7 Unlisted users placed in "DS Deleted" OU were not marked as Remote Users. Allow BIND on same link by doing UNBIND if previous connection existed. Generic repliactor created a full LDAP tree in "User Replication" mode. FIXED FIXED Default correlator attributes are: contacts => mail users => userid mail lists => commonname If custom correlator is set then correlator attributes are set as follows: a) if custom correlator is userid: contacts => mail users => userid mail lists => commonname b) if custom correlator is mail: contacts => mail users => mail mail lists => commonname c) in all other cases: contacts => customcorrelator users => customcorrelator mail lists => customcorrelator When using "Generic LDAP Replicator" and in "User Replication Server" mode, users are not added in one flat space under directory root DN. VERIFIED FIXED Generic repliactor created a full LDAP tree in "User Replication" mode. VERIFIED FIXED Added inbound SSL support. Removed dependency on FPP. All communication with FCS is done via FCP. Subsequently this removed the need for DS to have batch admin privileges. Authentication module enhanced to support multiple live and reusable connections so that authentication requests can be processed faster in peak times. VERIFIED FIXED Support container object class fixed at FC group level 103 (Level 1 Block). Organizational unit is fixed at FC group level 600 (Level 6 Department). Subscriber lists fixed at FC group level 700 (Level 7 Team). All groups and OUs with level less than 600 are preserved in user UIF and global mail list form. Added support for simple "user replication" mode. NOTE: In this mode only AD specific authentication is possible. BIND will not work as there are no correct DNs for users.verified DS always operates in MASTER-Ldap/User Replication. FIXED When no authentication connections exist and user is not found authenticator crashes. FIXED LDIF Import failed to detect end-of-file. FIXED Unlisting a user into DS Deleted group caused the subsequent notification to be treated as a new addition to the LDAP tree. FIXED New in FCDS Version 10.0 Removed dependency on FPP. Operation modes are: LDAP - Works like the old master-slave mode. User replication - Creates users without a tree structure. Authentication only - Unchanged. Any groups assigned to users in FirstClass will be preserved after replication. You can replicate users in mail lists as members of groups.

8 New in Directory Services Form Known Issues Not Directly related to DS: LN is truncated in FirstClass at 32 Characters (FirstClass server limitation). User initials limited to 3 characters, additional letters do not get across. (FirstClass server limitation). Please refer to online doc section of FC10 for all the changes applicable to this version. Creating Directory Services & Clustering if one does not exist Please Note: This script requires a 10 server. Unzip the contents and place in the FCNS/Server/Batch folder. Use the Core Services > Server Control from to run the batch admin. A "Directory Services" script will be placed in FC Update Service. Apply the script. The script performs the following actions: If Directory Services and all required objects exists, no action will be taken but missing objects will be replaced.also the "New DS Cluster" toolbar is added to the "Clustered Services" folder. >>>>>>>>

9 Clicking "New DS Cluster" will add an incremental Directory Services folder inside Clustered Services. Refer to the installed documentation for further configuration instructions. Preparing to use FCDS To set up FCDS, you will need to: install it We recommend that you install FCDS on a separate machine from your FirstClass server. configure it update the shipped settings file for FCDS to use when connecting to your FirstClass server register it as a Windows server. The following are optional configuration steps: set up FCDS to create some of the users on the external LDAP server as remote users on the FirstClass server set up FCDS to support clustered OUs restrict the users to be handled by FCDS run FCDS in a language other than English. Installing FCDS FCDS objects FCDS installation creates the following objects: a DS Deleted group a DS Admin group a Directory Services folder on the administrator's Desktop This folder contains the Directory Setup form, Directory Monitor, and New Directory Services Cluster stationery form, plus a link to the SSL Certificates folder. a FirstClassDS folder located in FCServer. This folder contains the executable, settings file, ReadMe, lang.rez, license, and.fcp files. Configuring FCDS Basic configuration After installing FCDS, you need to provide it with the information it needs to operate. To do this: 1 Open the DS Admin form in the Groups folder. 2 Select "Subadministrator" on the Features tab. Caution Because the FCDS account has subadministrator privileges, and will be using the FirstClass

10 scripting password to connect to the FirstClass server, you must take the same security precautions regarding inappropriate use of this account as you would for any other FirstClass administrator or subadministrator account. 3 Open the Directory gateway form in the Gateways and Services folder. 4 Click Directory Information. 5 Enter your FirstClass scripting password at "Password" on the Gateway Directory Information form. 6 Restrict the portions of the FirstClass Directory to be used for the LDAP tree view, if desired. Return to the Directory gateway form. Add all organizational units (OUs) that you want in the LDAP tree view at "Allow these groups to use this service" on the Directory tab. When FCDS is started, it will build an LDAP tree view only from users who belong to these OUs. All OUs to which a user belongs must be in this list, before the user will be included in the tree view. Restrictions OUs included in the LDAP tree view must be manually created when you filter them in this way. They can't be created automatically. Users in the root DN of the LDAP directory (not belonging to any OUs) can't be authenticated remotely, because the FirstClass server will never send their authentication request to FCDS. Note Don't touch anything else on the Directory gateway form, and don't update the gateway permissions. 7 Update the Directory Setup form in the Directory Services folder. 8 Enable FirstClass Provisioning Protocol (FPP) on the FirstClass server. Use a text editor to uncomment and update the TCPFPPPORT statement in the Netinfo file located in..\fcns\server. The FPP port number is the number you specified when you updated the Directory Setup form. Additional configuration for Sun Microsystems iplanet Directory Server To replicate to FCDS, set up a Replication Agreement on the Configuration tab of the Directory Server administrator console. Specify the following: Field replica type schedule Value to use Master replica Always keep in sync You can also improve replication performance by defining the replicated attributes and setting them to the FCDS-supported set of attributes. Additional configuration for OpenLDAP (SLAPD) Directory Server To replicate to FCDS, use the OpenLDAP SLURPD daemon. In the slapd.conf file, specify these parameters: replogfile Activates replication log file creation. replica parameter block uir/host Point to FCDS. binddn bindmethod credentials The FCDS administrator's DN. Simple. The FCDS administrator's password. Generate an LDIF file of the OpenLDAP directory. You will need this file later to get FCDS and

11 OpenLDAP into sync for the first time. On FCDS' Directory Setup form, choose slave mode, and Generic for the external LDAP server type. Updating the FCDS settings file FCDS ships with a settings file (fcds.fc) that FCDS uses to connect to the FirstClass server. This settings file is located in the FirstClassDS folder. Update this settings file just as you would any other settings file, then test it to make sure you can use it to log into your FirstClass server. In addition to the other connection information in the settings file, save both the user ID and password, using these values: user ID password This is already specified in the shipped settings file. Your FirstClass scripting password. Registering FCDS as a Windows server You can either register FCDS as a Windows server, or register it as a Windows server and set it up to run as a Windows service. Running as a Windows service is described in our server administration help. To register FCDS as a Windows server: 1 Open the DOS command prompt window. 2 Navigate to the FirstClassDS folder. 3 Enter one of the following commands: fcds /RegServer fcds /Service Note If you ever want to unregister FCDS, type fcds /UnregServer Registers FCDS as a Windows server. Registers FCDS as a Windows server and sets it up to run as a Windows service. As part of this setup, you specify the startup parameters, and can tell it to start automatically. Optional configuration Creating remote users If you want some of the users on the external LDAP server to be created as remote users on the FirstClass server, specify an attribute shared by these users on the Replication - Advanced tab of the Directory Setup form located in the Directory Services folder. Using FCDS with clustered OUs You can set up multiple instances of FCDS for your server, each one servicing different sets of users as defined by a cluster-defining OU. FCDS clusters are defined and controlled by the cluster-defining OUs. A cluster-defining OU is the first and highest OU in the DN after the cluster's root DN.

12 Adding additional FCDS clusters The original Directory Services folder is automatically considered cluster zero (your first FCDS cluster),as you add more clusters, this number will increment for each new Directory Services folder. In addition, a Directory Services 1 gateway form is created in the Gateways & Services folder. You can then: Open the Directory gateway form. Enter the cluster-defining OU associated with your first FCDS cluster at "Allow these groups to use this service" on the Directory tab. Open the Directory Services 1 gateway form. Enter the cluster-defining OU associated with your second cluster at "Allow these groups to use this service" on the Directory tab. Caution Don't enter more than one OU in each of the gateway forms. If you enter multiple OUs in the list, FCDS will not assume that this is a cluster, but rather that you are trying to restrict the users to be handled by FCDS. Each FCDS cluster will now handle only the branch of users and OUs that is under the cluster-defining OU. Any replication from the external LDAP server in slave mode will be limited to that branch. Example Root DN First cluster Second cluster o=husky Planes,c=CA ou=sales ou=marketing In this example, "Sales" is entered in the Directory gateway form and "Marketing" is entered in the Directory Services 1 gateway form. Restricting the users to be handled by FCDS You can specify that FCDS handle only certain OUs. These OUs must be created on the FirstClass server before you can do this. Note After you restrict the users to be handled by FCDS, any dynamic creation of OUs in slave mode is disabled. To specify the users you want FCDS to handle: 1 Open the Directory gateway form (or the gateway form for the cluster you want to work with). 2 Enter the OUs you want FCDS to handle at "Allow these groups to use this service" on the Directory tab. FCDS will only handle the OUs in this list. If a user belongs to any OU not in this list, FCDS won't handle that user. Caution If you only list one OU, FCDS will assume this is a cluster, rather than an attempt to restrict the users to be handled.

13 Running FCDS in another language If you want FCDS to run in a language other than English: 1 Use FirstClass Designer to open the lang.rez file located in the FirstClassDS folder. 2 Replace the object names in FOLDER_NAMES with the translated object names. Starting FCDS (UPDATED) Basic startup To start FCDS: 1 Open the DOS command prompt window. 2 Navigate to the FirstClassDS folder. 3 Enter one of the following commands: fcds fcds /FC=settings file /NOLOG="information to exclude" /ALLOWDUPLICATES Runs FCDS with the default startup parameters, or, if FCDS is running as a Windows service, with the parameters you specified. Runs FCDS with the specified startup parameters. Startup parameters Parameter FC NOLOG Values The name of the settings file you created for FCDS. The name that FCDS expects by default is fcds.fc. Logging information that you don't want the FCDS console to display. You can type any string you want, enclosed in quotation marks. For example, you could specify a node name if you don't want to see details about a specific node. You can type multiple strings, and combine your own strings with a standard value. Use ; to separate each string, and enclose the complete NOLOG value in quotation marks. Example: NOLOG="Connection;BASIC" These are the standard NOLOG values: "" Logs everything (Debug level). "DEBUG" "DEBUG;WARNING" "DEBUG;WARNING;INFO" "DEBUG;WARNING;INFO;ERROR" Excludes debug information (Verbose level). Excludes debug information and warnings (Normal level). Excludes debug information, warnings, and informational messages (Basic level). Doesn't log anything (Quiet level).

14 ALLOWDUPLICATES Builds the names dictionary in fast mode. By default, the names dictionary is built in slow mode. This optimizes the names dictionary for fast searches. The difference in search speed is only evident when the entries are bigger than 5-10K. The default command is fcds /FC=fcds.fc /NOLOG="DEBUG;WARNING" These are all in the "Syncing to the external LDAP server" document: How FCDS decides what to update FCDS stores the Universal Serial Number (USN) or Change Sequence Number (CSN) that is incremented each time an entry on the external LDAP server is updated. You can find this information on the Replication - Last Update tab of the Directory Setup form located in the Directory Services folder. These numbers are called hi-water-marks on that tab, and they are updated after every replication. FCDS stores the highest of these numbers found when it replicates: organizational units users contacts mail lists deleted items. FCDS uses this information for the next time it replicates, to determine what needs updating on the FirstClass server. For each of the categories above, the external LDAP server is asked to send all entries with a USN/CSN that is higher than the stored value. Storing these values allows FCDS to avoid a full directory synchronization at startup, and to update entries from the last known state. This optimizes replication for very large LDAP trees. Even full dir syncs are optimized, because the stored values are checked for every entry, to determine whether an update of an entry is required. Enabling sync autostart Mainly applies if you are running FCDS as a Windows service. You can make FCDS automatically start syncing after the FCDS machine is restarted/reset. To do this, select "Enable and start replication at system startup" on the Replication - Scheduling tab of the Directory Setup form. Selecting this will also cause failed full directory synchronization to restart after one minute. This is important because failed full syncs could result in dropped connections either to the external LDAP server or to the FirstClass server. Syncing only OUs You can sync just the OUs, before syncing users. This gives you a chance to prepare the OUs with all the necessary permissions before you sync the users. To sync only OUs, choose Directory > Sync Options > Sync OUs Only on the FCDS console. Disabling syncing Normally, you won't stop syncing once it has started. If you ever need to make FCDS stop accepting syncing, do one of the following:

15 choose Directory > Disable Sync (console) choose Directory > Disable Full Dir-Sync (console) choose this to interrupt a full directory synchronization. click Disable Sync (form). Directory Setup form help SMTP user aliases By default, FCDS creates an SMTP user alias for any user who doesn't already have an alias. This alias takes the form you specify here. Exception FCDS won't create SMTP user aliases for remote names. Use and generate SMTP user aliases Uses aliases if they already exist, and generates them if they don't. If you clear this field, FCDS won't have any information about existing aliases. Enable and start replication at system startup Mainly applies if you are running FCDS as a Windows service. Makes FCDS automatically start syncing after the FCDS machine is restarted/reset. Replication - Last Update tab This tab displays information that is updated by FCDS after every replication. Hi-water-mark is the USN (Universal Serial Number) or CSN (Change Sequence Number) that is incremented each time an entry on the external LDAP server is updated. FCDS stores the highest of these numbers found when it replicates: organizational units users contacts mail lists deleted items. FCDS uses this information for the next time it replicates, to determine what needs updating on the FirstClass server. For each of the categories above, the external LDAP server is asked to send all entries with a USN/CSN that is higher than the stored value. Tip If you need a normal sync and a full directory sync to be the same, you can manually change these values to zero. In this case, all entries are retrieved and updated. Startup parameters Other ways to start FCDS You can also start FCDS in the following ways: double-click fcds.exe in the FirstClassDS folder Starts FCDS with the default startup parameters.

16 create a shortcut to fcds.exe If you do this, you can either run with the default startup parameters or specify your own parameters as part of the shortcut properties. Importing and exporting LDIF files An LDAP Data Interchange Format (LDIF) file is a text file that contains directory entries. You can import an LDIF file to add a large number of entries to the FirstClass Directory at once, or export FirstClass Directory entries to an LDIF file. You can use menu items on the FCDS console or buttons on the Directory Monitor form in the Directory Services folder to import and export LDIF files. Importing LDIF files To import an LDIF file to the FirstClass Directory: 1 Open the Directory Setup form in the Directory Services folder. 2 Provide the full path and name of the LDIF file at "LDIF file" on the LDAP Server tab. 3 Do one of the following: choose Directory > Import LDIF File (console) click Import LDIF File (form). Note: To ensure proper function in clustered mode,make sure that the admin/subadmin being used by the DS cluster also belongs to that cluster. Exporting LDIF files To export FirstClass Directory entries to an LDIF file, do one of the following: choose Directory > Export LDIF File (console) click Export LDIF File (form). The LDIF file is saved in the FirstClassDS folder with the name FCDS_year_month_day_hour_second generated.ldif Syncing to the external LDAP server You can use menu items on the FCDS console or buttons on the Directory Monitor form in the Directory Services folder to control syncing to the external LDAP server. As well as containing buttons to control syncing, the Directory Monitor form includes lights that indicate whether syncing is active and enabled. Enabling syncing To make FCDS ready to accept syncing, do one of the following: choose Directory > Enable Sync (console) click Enable Sync (form). Note This doesn't actually start syncing. First, you must enable syncing. Then, you can start it. Starting syncing

17 Make sure you enable syncing before you start it. Actually starting syncing varies depending on your external LDAP server: iplanet DS OpenLDAP Directory Server Active Directory This server must initiate syncing. FCDS cannot do so, but must wait for syncing to start. This server must also initiate syncing. To get FCDS and OpenLDAP in sync for the first time, import the LDIF file you created as part of configuration, with replication disabled. After this is done, you can enable replication and start SLURPD. Either this server or FCDS can initiate syncing. If you want to start syncing from FCDS, do one of the following: choose Directory > Start Sync (console) click Start Sync (form). After you have started syncing to the external LDAP server, replication will happen in the background indefinitely unless you disable syncing. Disabling syncing Normally, you won't stop syncing once it has started. If you ever need to make FCDS stop accepting syncing, do one of the following: choose Directory > Disable Sync (console) click Disable Sync (form). Reconfiguring syncing If you have changed values on the Directory Setup form, make FCDS pick up the new values in one of the following ways: choose Directory > Reset (console) click Reset (form). FCDS logging FCDS logs FCDS logs activity in both the console and a plain text log file. There is one log file generated per day. These files are stored in the FirstClassDS folder. The current day's activity is written to FCDS.LOG. At midnight, this log is renamed FCDS_year_month_day_hour started.log and a new FCDS.LOG is generated. Notes The log is also renamed if you stop FCDS. If FCDS is stopped at midnight for an abnormal reason, such as a power outage, this renaming will not take place. You will only find the FCDS.LOG file for that day. To save that day's logging information, rename the log manually. Changing the logging level You set the level of logging detail when you prepared FCDS. You can change this level from the console by choosing Log Level and the new level you want.

18 If FCDS is running as a Windows service, you can also use the logging level buttons on the Directory Monitor form in the Directory Services folder. Caution If you specified nonstandard values for information to be excluded, then choose a new logging level, you will lose the customized specifications. Adding trace information If you are trying to troubleshoot a problem, you may be asked to turn on trace information for specific FCDS activities. This information is added to the log file. To turn on trace information: 1 Ensure that the logging level is Debug. 2 Choose Log Level > Trace Component, then the activity or activities that you want traced. Making manual Directory changes You can use third-party LDAP-enabled administrative tools to make manual changes to the FirstClass Directory. To do this, you must: run in slave mode have sync enabled specify the external LDAP server address as "localhost" and the external LDAP server type as Generic on the LDAP Server tab of the Directory Setup form located in the Directory Services folder (only necessary if there is no external master LDAP server). Directory Setup form Use this form to configure FirstClass Directory Services (FCDS). General tab Use this tab to specify information concerning: general setup the FirstClass administrator. General setup Operation mode Directory root DN LDAP port The operating mode for FCDS. The DN that you want FCDS to use as the root (highest level) of the FirstClass Directory's tree view. Example: ou=administration,o=husky Planes,c=CA This is normally the same as the external LDAP server's root DN. If you only want to replicate a subtree of the external LDAP server's directory, type the DN that represents the root of that subtree. The LDAP port number on the machine that is running FCDS.

19 Users tab Use this tab to specify information concerning: the creation of user aliases the creation of LDAP user distinguished names (DNs). SMTP user aliases By default, FCDS creates an SMTP user alias for any user who doesn't already have an alias. This alias takes the form you specify here. Exception FCDS won't create SMTP user aliases for remote names. Generate SMTP user aliases Generate name from Domain LDAP user DNs DN naming attribute Generates aliases if they don't already exist. First and last name Last and first name User ID Separator character Use initials Generates the name portion of the alias from the user's first name, then the user's last name. Resulting alias: first separator Generates the name portion of the alias from the user's last name, then the user's first name. Resulting alias: last separator Generates the name portion of the alias from the user's user ID. Resulting alias: Specifies the character to use between name elements (first, last, and initials). Adds the user's initials to the end of the name portion of the alias. The initials aren't edited, so will include any periods that were entered. Resulting alias: first separator last separator domain or last separator first separator The domain name to use for the creation of user aliases. This domain name is used if the highest organizational unit for that user doesn't have a domain name. The naming attribute to be used for the creation of LDAP user DNs. In slave mode, this must be the same as that used by the external LDAP server. Replication - Setup tab Use this tab to specify basic replication options. General replication setup Replication mechanism How replication will be performed in slave or master-slave mode: External LDAP Server's Standard Uses the external LDAP server's replication method.

20 Enable delete Postal address is single LDAP attribute (postaladdress) CommonName (cn) attribute is always in sync with name components Show/replicate Correlator setup Generic LDAP Replicator Uses FCDS' Generic LDAP Replicator. This uses time stamp-based LDAP search queries to detect changes in the external LDAP directory, then updates the FirstClass Directory to match. Truly deletes from the FirstClass Directory any "deleted" entries. By default, FCDS unlists these entries, moves them to the DS Deleted group, and renames them using their client IDs, to free up their old user IDs. Select this if the postal address on your LDAP server is always the single attribute postaladdress. This will speed up replication, because FCDS won't try to build the postal address from LDAP composite address attributes. If this is cleared, the postal address will be built from the LDAP attributes: street, localityname, stateorprovincename, postalcode, countryname, and/or countryfriendlyname. Select this if the cn attribute on your LDAP server is always made up of the name components: first, last, and initials. This will speed up replication, because FCDS will skip resyncing the cn attribute during a full directory synchronization. For standalone mode, select the information you want the FirstClass Directory LDAP tree view to show. For slave or master-slave mode, select the information you want FCDS to replicate. "User details" consist of: phone, fax, and postal address. The correlator attribute and type is used to uniquely identify an entry on the external LDAP server, and detect if its DN has changed. It is needed so that scanning replicators (such as Microsoft Active Directory (Active Directory) and FCDS' Generic LDAP Replicator) can find entries on the external LDAP server without using the DN. This allows replicators to: get the actual cn attribute value at startup (FCDS doesn't hold cn values) detect when an entry has moved, and generate a MODIFY DN command. Correlator attribute Correlator attribute matching rule Generally "userid" or "uid". For Active Directory, we recommend "objectguid". Specifies the correlator type for this attribute. Replication - Scheduling tab Use this tab to schedule the Generic LDAP Replicator. Only fill in these fields if you chose Generic LDAP Replicator at "Replication mechanism". Scan external directory for changes every Check for deleted entries The number of minutes the Generic LDAP Replicator will wait before rechecking the external LDAP server's directory for changes. When to check for entries that have been deleted from the external LDAP server's directory. FCDS can check either once a day or at intervals. For large directories, this operation may lock up FCDS for a long time, because every entry in the FirstClass Directory has to be checked against the external directory. For this reason, we

21 recommend that you balance your installation's size and needs against the frequency with which you make FCDS scan for deleted entries. Replication - Advanced tab Use this tab to specify advanced replication options. These may not be necessary in your environment. Remote users Remote user attribute Remote user attribute value Remote names Remote name gateway Remote name object class An attribute on the external LDAP server that can be used to identify who should be created as remote users on the FirstClass server. The value of this attribute that is shared by all users to be created as remote users on the FirstClass server. The name of the Internet gateway you want FCDS to use when creating a remote name. This is the gateway through which all remote names are routed. The LDAP object class which identifies remote names on the external LDAP server. Use this field if you want to specify a different object class for contact entries than the default value of top objectclass=person. For Active Directory, use "contact". Authentication tab Use this tab to specify information concerning: types of logins to allow FirstClass login authentication external LDAP server authentication (remote authentication). FCDS authentication and security Allow anonymous login Use secure connections (SSL) SSL port Certificate file name FirstClass login authentication Authentication method Allows anonymous logins to FCDS by external connections. Allows external SSL connections to FCDS. If you select this field, supply your SSL port number and certificate file name. The SSL port number on the machine that is running FCDS. The name of the certificate file that you want FCDS to use for secure connections. What will authenticate logins to the FirstClass server: FirstClass Secure Remote The FirstClass server will authenticate logins. The external LDAP server will authenticate logins for all users in slave mode and all remote users in master-slave mode. The FirstClass server will negotiate with the client to get the encrypted login credentials.

22 External LDAP server authentication Authentication mechanism Authentication filter How users will be authenticated when authentication is remote: LDAP BIND Microsoft Active Directory Login The standard LDAP BIND command will be issued. FCDS will use the user ID and password to find the user in the LDAP tree, and obtain the DN needed for the BIND command. If your external LDAP server is Active Directory, you can choose this instead of LDAP BIND. In this case, the user ID and password will be used directly as Active Directory login credentials. The LDAP search filter to use for remote authentication. The filter must be an RFC 2254-compliant text filter. A example filter is (!(studentstatus=suspended)) which means the student status is not suspended. If the search result is true (in the example above, the user trying to log in is not suspended), the user is authenticated. LDAP Server tab Use this tab to specify information concerning: the external LDAP server any LDIF file that you want to import to the FirstClass Directory. Server identification Server address LDAP port Login DN Login password Type LDIF import The IP address or domain name of the external LDAP server. The LDAP port number on the external LDAP server. The login DN on the external LDAP server. The login password on the external LDAP server. The type of external LDAP server. For OpenLDAP, choose Generic. For other server types not documented here, try Generic. Certain other server types may work with this setting. Only fill in this section if you want to import entries to the FirstClass Directory using an LDIF file. LDIF file The full path and name of the LDIF file that you will be importing to the FirstClass Directory.