In the Authentication section of the Connector settings panel you define whether the current connector is used for authentication. All fields in this section are mandatory, except the Password change section in Exchange setups.
The Function group of functions contains the following field:
If you select this field, the current connector will be used for authentication purposes, meaning that it will accept user authentication requests from the DME server. The connector will verify the username and password of the user, and will detect which directory groups the user is a member of. The groups are matched against the directory group graph stored on the server to see if the user is a member of DME_User. At least one DME connector must have this role.
The Authentication group of functions contains the following fields:
This is the directory (LDAP/AD) server used by the connector for authenticating DME users. After they have been authorized access to DME, the User for domain info queries (a.k.a. the server user) looks up domain information on behalf of the user, using the domain specified in the Domain panel section. That domain will usually be the same as the one specified in this field, but not necessarily.
This directory server may or may not be the directory server from which the group graph is derived. The user's group membership is sent to the server for comparison with the directory group graph, to verify that the user is in fact a member of the DME_User group (or equivalent) and thus has access to the system. Note that if you just enter an IP address or a hostname without indication of protocol in this field, DME will prepend ldap:// to the value.
If your system is set up to use secure LDAP, you must enter ldaps:// yourself, change to a secure port, and configure the firewall accordingly. The secure LDAP path has the following format: ldaps://LDAP_SERVER_HOSTNAME:SECURE_LDAP_PORT (the secure port is typically 636, but this may be different in your setup). For more information, contact your DME Partner.
If you are using Microsoft AD with Global Catalog (GC) or Global Catalog Secure (GCS), for the best performance, you should enter gc:// or gcs:// respectively.
One LDAP repository can refer to other LDAP repositories for information. This is especially the case for Active Directory environments. By default, DME allows this, but in some cases it may not be desirable. If you disable this field, DME will only search for information in the LDAP specified above, and not follow any chain of LDAP referrals.
The AD domain entered in this field is used for authenticating DME users. After they have been authorized access to DME, the User for domain info queries (a.k.a. the server user) looks up domain information on behalf of the user.
The AD domain must be entered in UPN suffix format, which is usually the same as your DNS domain, for instance your.domain.com or something similar to ad.domain.local. Do not use the old Windows 2000 format such as DOMAIN\.
The login information from the DME client usually only consists of your user name, which is passed to the DME server. In order for the DME server and connector to successfully authenticate against the Active Directory or the Exchange server, it is necessary that the AD domain (UPN suffix) is appended to this user name (for example your.domain.com), giving the unique UserPrincipalName of username@your.domain.com. You must enter the AD domain information in this field, even if you only use one domain.
Click this button to open the Test authentication window, in which you can attempt a login process against the authentication LDAP server specified in the LDAP server field.
Enter the user name and password of a user in the corresponding fields, and click Test. If the test is successful, the window shows some information about the user, and the amount of time it took to retrieve the information. If the test failed, an error message is shown to help you pinpoint the problem.
Click Back to try with another user, or Cancel to exit the window.
The Password change group of functions contains the following fields:
The DME client uses the users' AD password for authentication. At regular intervals, this password will expire according to company security policies. In order to ensure uninterrupted access to e-mail and calendar from the DME client, the client users are able to change their AD password from the client.
If you leave this field and the field Administrator password blank, the users have access to changing the password for as long as it is not completely expired yet - that is, when the users have received a warning that the password is about to expire in x days.
If you enter the user name of an AD administrator and a password in these fields, the users will be able to change their AD password, even if the password has expired completely (the flag ‘User must change password on next logon’ is marked on the user's account in AD).
Please note that the password change functionality requires a secure connection to your AD through the LDAPS protocol. The path to your secure LDAP server must be specified in the LDAP server field (above).
In this field you can specify the password of the AD administrator entered above.
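The rules above for the LDAP server field, the AD domain field and the password change fields can be checked before the values are entered. The following Python script is an added example, not part of DME or its documentation; the function names and the sample host dc1.your.domain.com are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

SCHEMES = {"ldap", "ldaps", "gc", "gcs"}  # protocols named on this page
SECURE = {"ldaps", "gcs"}                 # the secure variants

def normalize_ldap_server(value):
    """Page rule: a value without a protocol gets ldap:// prepended."""
    value = value.strip()
    return value if "://" in value else "ldap://" + value

def upn(username, ad_domain):
    """Build username@<UPN suffix>; reject the old DOMAIN\\ format."""
    if "\\" in username or "\\" in ad_domain:
        raise ValueError("use UPN suffix format, not DOMAIN\\")
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", ad_domain):
        raise ValueError("AD domain is not a dotted UPN suffix")
    return f"{username}@{ad_domain}"

def check_connector(ldap_server, ad_domain, admin_user=""):
    """Return findings for one connector's (hypothetical) settings."""
    findings = []
    url = urlsplit(normalize_ldap_server(ldap_server))
    scheme = url.scheme.lower()
    if scheme not in SCHEMES:
        findings.append(f"unexpected protocol {scheme}://")
    elif scheme not in SECURE:
        findings.append(f"{scheme}:// is not a secure LDAP path")
    if scheme == "ldaps" and url.port == 389:
        findings.append("ldaps:// on port 389; use a secure port (typically 636)")
    if admin_user and scheme != "ldaps":
        findings.append("password change requires LDAPS in the LDAP server field")
    try:
        upn("probe", ad_domain)
    except ValueError as exc:
        findings.append(str(exc))
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for server, domain, admin in [
        ("ldaps://dc1.your.domain.com:636", "your.domain.com", "pwadmin"),
        ("10.0.0.5", "your.domain.com", "pwadmin"),
        ("ldaps://dc1.your.domain.com:389", "DOMAIN\\", ""),
    ]:
        print(normalize_ldap_server(server), check_connector(server, domain, admin))
```

An empty findings list means the values are consistent with the rules on this page; it does not test connectivity, which is what the Test authentication window is for.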
Click Save to save the new settings.