Using LDAP Authentication to Log into GWAVA QMS
DISABLE LDAP ON THE GWIA
1. If you run a GWIA on the same server as a POA, then LDAP must be disabled on the GWIA. This sounds incorrect, but it is necessary. The POA will handle the LDAP authentication. The GWIA will ask the POA whether the username and password provided to it are correct. The POA will then contact the LDAP server, check the username and password, and respond back to the GWIA.
2. LDAP can be disabled from ConsoleOne, in the properties of the GWIA, under the LDAP tab. However, to be sure, open SYS:\SYSTEM\GWIA.CFG and remove or comment out the /LDAP and /LdapThreads switches.
3. Completely unload the GWIA, and reload it.
DEFINE THE LDAP SERVER
To define an LDAP server, do the following:
1. Open ConsoleOne and connect to the primary domain.
2. Go to Tools, GroupWise System Operations, LDAP Servers.
3. If LDAP is already configured in your environment, simply click Edit and verify the settings against the steps below. If LDAP is not currently configured, it is recommended that you remove these objects and create a new one, or choose one and edit it. It is cleanest to remove any existing objects that were not previously configured and create a new object with a generic name. If you have multiple Post Offices, you can then have all of them point to this one server object.
4. Enter a description if desired. If you use SSL, enable it and enter the appropriate key file.
5. Enter the IP address where the LDAP server is located. Don’t use a loopback address.
6. Enter the port. It should be 389 by default if not using SSL; if/when you enable SSL, the port should be 636.
7. Select Bind as the authentication method to enforce your defined policies.
8. Click Select Post Offices.
9. Select the Post Offices in your system that will be configured to use LDAP. Likely this will be all of them.
ENABLE LDAP AT THE POST OFFICE
1. Open the properties of the POST OFFICE, not the POA.
2. Click the GROUPWISE tab and select SECURITY.
3. Set the security to High and check the LDAP Authentication option.
NOTE: An LDAP username and password are only necessary if you are using the compare method. Bind is recommended in this documentation. Consult the Novell documentation for further assistance.
4. Click Select Servers, and move the post offices over to the Selected Servers side.
MODIFY YOUR LDAP GROUP OBJECT
There is just one necessary change in order for LDAP to function with GroupWise. The LDAP server must allow clear-text passwords. By default, eDirectory is not set up to allow clear-text passwords. This sounds like a security breach, and the connection should be protected with SSL. This documentation sets up LDAP in a non-SSL environment. You will need to go back and enable SSL to protect passwords between the POA and eDirectory.
1. Edit the LDAP Group <server_name> object in your eDirectory tree.
2. On the LDAP Group General properties, make sure that the Allow Clear Text Passwords option is checked.
3. If you do not have the correct snap-ins, go to the OTHER tab, open the attribute labeled Allow Clear Text Passwords, and change the value from false to true.
4. Apply the changes.
5. At the server prompt type “unload nldap”, then “load nldap”.

1. Pick a user in your system.
2. Go to the post office that they are in.
3. Highlight their object and open its properties.
4. On the GROUPWISE tab, change the password to something different from the eDirectory password.
NOTE: If you are thinking “hmmm… isn’t this the same as the eDirectory password?”, it is not. eDirectory and GroupWise are two distinct and different databases. They can be linked. However, both eDirectory and GroupWise contain passwords for a user. Setting the Post Office to High Security tells the Post Office to use LDAP (or eDirectory) for authentication rather than what is contained within the GroupWise system.
5. Now log out of your GroupWise Client and attempt to log in again. You can quickly tell whether LDAP is working properly by which password allows you to log in. If it is the newly reset GroupWise password, this is NOT working right, and is NOT using the LDAP server for authentication. Check to make sure Allow Clear Text Passwords is enabled and security is set to High. Now try your eDirectory password. This should allow you to log in. If it does, you have set up LDAP authentication correctly.
6. Finally, go to your QMS webpage, enter your full email address as the username, and enter the LDAP password. You should be logged in. Using the GroupWise password will fail to log in.
NOTE: Alternatively, if you do not use LDAP but use single sign-on, this article will work as well. Skip the steps about setting up the LDAP server. Simply set your Post Offices to High Security and check the eDirectory box. Now GroupWise will allow users access to GroupWise based on their eDirectory password rather than their GroupWise password.
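To show what the Allow Clear Text Passwords setting in MODIFY YOUR LDAP GROUP OBJECT means on the wire, the following added example (not part of the original article, and not GWAVA or Novell code) encodes an LDAPv3 simple bind as defined in RFC 4511 and then inspects a payload the way a capture check on port 389 would. The function names are illustrative, and the DN and password are constructed sample values.

```python
# Added example: BER layout of an LDAPv3 simple bind (RFC 4511).
# Function names are illustrative; DNs and passwords are constructed samples.

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER tag-length-value with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Build the LDAPMessage a client sends for a simple bind (message_id < 128)."""
    bind = _tlv(0x60,                             # [APPLICATION 0] BindRequest
                _tlv(0x02, b"\x03")               # version 3
                + _tlv(0x04, dn.encode())         # bind DN
                + _tlv(0x80, password.encode()))  # simple [0]: password, unencrypted
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        n = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        n = first
    if pos + n > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + n], pos + n

def inspect_bind(payload: bytes):
    """Return (dn, auth_kind, password_exposed) for a BindRequest, else None."""
    try:
        tag, msg, _ = _read_tlv(payload, 0)
        if tag != 0x30:
            return None
        _, _, pos = _read_tlv(msg, 0)             # skip messageID
        tag, bind, _ = _read_tlv(msg, pos)
        if tag != 0x60:
            return None
        _, _, pos = _read_tlv(bind, 0)            # skip version
        _, dn, pos = _read_tlv(bind, pos)
        auth_tag, secret, _ = _read_tlv(bind, pos)
    except (IndexError, ValueError):
        return None
    kind = {0x80: "simple", 0xA3: "sasl"}.get(auth_tag, "unknown")
    return dn.decode(errors="replace"), kind, kind == "simple" and len(secret) > 0
```

With SSL enabled on port 636 the same BindRequest travels inside a TLS record, so a capture of that traffic does not parse as an LDAP message and `inspect_bind` returns None.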
