It is important to understand that the CommuniGate Pro LDAP module itself does not provide any Directory services. It just implements an access protocol, and the functionality it provides depends on the CommuniGate Pro Directory Manager and its units.
Very often LDAP services are used to look for names and E-mail addresses of Server users. But since the LDAP module provides access to the entire Directory tree, it can be used to work with any type of data placed into the CommuniGate Pro Directory. While the CommuniGate Pro Directory can be stored in several Storage Units - both local and remote, the LDAP clients see the entire Directory as one large tree.
To browse and modify the Directory, system administrators can use either LDAP clients and utilties, or the Directory Browser interface built into the CommuniGate Pro WebAdmin Interface.
Note: while the LDAP module implements an LDAP server functionality, the CommuniGate Pro Server can also work as an LDAP client, using the LDAP protocol to access external LDAP servers and their databases. Those external Directories are presented as subtrees of the CommuniGate Pro Directory tree. See the Remote Units Directory section for more details.
Use a Web browser to configure the LDAP module. Open the Access page in the WebAdmin Settings section.
The LDAP module records in the System Log are marked with the LDAP tag. Please note that LDAP is a binary protocol, so all low-level data is presented in the hexadecimal form.
Note:The pre-4.7 Netscape ® LDAP clients crash if they communicate with a very fast server returning more than 90 records. Ask your users to update to the 4.7 or later version of Netscape browser/mailer product.
Note:The Netscape® LDAP client (version 4.7) does not correctly process the "properties" command - it always tries to connect to the port 389, even if the search was successfully made on a different (for example, secure) port.
Sometimes you need to specify the Directory Tree Root element (an empty string) as the
"search base DN". Some LDAP clients do not process this situation correctly (for example,
Microsoft LDAP client silently replaces an empty Search Base string with the
In these cases you should specify the string top as your Search Base string. The LDAP module interpretes this string as an empty string (Directory Root DN).
The Directory Access Rights set by default do not require Directory (LDAP) clients to authentiate in order to retrieve any information from the Directory tree.
When an LDAP client tries to authenticate as a certain DN, the LDAP server retrieves the Directory record with the specified DN and compares that record userPassword attribute with the password supplied by the LDAP client. If the record exists, and it contains the userPassword attribute, and the attribute value matches the supplied password, the LDAP client authentication succeeds.
The LDAP module provides an alternative authentication method, when the client specifies a CommuniGate Pro Account name instead of some record DN. In this case, the CommuniGate Pro Server opens the specfied Account and compares the Account password with the supplied password. If the passwords match, the Server builds a DN for the Account record using the Directory Integration settings, and uses it as the Bind DN.
|Domain RDN attribute:||cn|
The LDAP module uses the alternative authentication method if the specified string does not contain any equals (=) sign, or if it starts with the mail= symbols and does not contain any other equals (=) signs.
This authenitcation service can be disabled by disabling the LDAP Service for a Domain and/or an Account.
The LDAP Provisioning option can modify the authentication process. If this option is enabled and the supplied Bind DN represents the DN for some CommuniGate Pro Account, the supplied Bind DN is converted into that Account name, and the alternative method is used.
|Bind DN string specified||Data used to verify the password|
(LDAP Provisioning is off)
|the userPassword record attribute of the uid=user,cn=domain.dom,o=myCompany Directory record|
|ou=human_resources,o=myCompany||the userPassword record attribute of theou=human_resources,o=myCompany Directory record|
|firstname.lastname@example.org||the email@example.com Account password|
|firstname.lastname@example.org||the email@example.com Account password|
(LDAP Provisioning is on)
|the firstname.lastname@example.org Account password|
The LDAP module allows users to employ all authentication methods supported with the CommuniGate Pro Server. It supports Simple, SASL, and NTLM BIND methods.
If the Account password authentication method is used, and the specified Account has the Directory Administrator access right, the LDAP client can access and modify all Directory data ("master"-type access).
To search the Directory for CommuniGate Pro Domain Objects (Accounts, Groups, Mailing Lists), the LDAP clients should be tuned to point to the proper Subtree (this parameter is called "Search Base" in many LDAP clients). The Directory Subtree for the company.com domain is cn=company.com,o=MyCompany, where cn is the Domain RDN attribute, and o=MyCompany is the Base DN for CommuniGate Pro Domains. The Base DN and Domain RDN attribute are the Directory Integration settings and can be modified. If these settings are modified, the locations of domain subtrees are changed, and the LDAP clients should be reconfigured to specify the new locations in their "Search Base" settings.
The LDAP module can also be used to perform basic provisioning operations within regular Domains. This feature is called is called LDAP Provisioning. If the DN specified in the request "looks like" a DN of a Directory record that some CommuniGate Pro Account has (or could have), the LDAP module does not perform any operation on the Directory at all. Instead of passing the request to the Directory, the LDAP module sends a command directly to the Account Manager, and the Account Manager creates/removes/renames/updates/reads the specified Account. See the Directory Integration section for more details.
If the LDAP module has to return such a record (a record of the CommuniGateAccount, CommuniGateMailList, or CommuniGateGroup object class), and that record does not contain the mail attribute, the LDAP module can compose that attribute on-the-fly, using the Object record DN: it takes the uid value from the DN (Account/Object name), the cn attribute value (Domain name), and merges them using the @ sign to build the uidValue@cnValue mail attribute value. As a result, when an object is renamed (its record uid attribute is changed), or when the domain is renamed (the cn attribute in the object DN is changed), the mail attribute is automatically updated.
Since the mail attribute is not stored in the Directory records by default, all search filters that use the mail attribute can be modified internally to use the uid attribute instead. If the search operation is "equals to", and the search string contains the @ sign, only the part of the string before that sign is used.
These two features can be enabled or disabled using the Domain Integration page in the Domains realm of the WebAdmin Interface:
The LDAP module checks if a search request explicitly specifies the displayName attribute. If a retrieved record does not contain that attribute, but the record contains the cn attribute, or the uid attribute, the value of the cn or uid attribute is included into the response as the displayName attribute value.