|Softerra LDAP Administrator Help||Show AllHide All|
Server profiles can be created either under groups or directly under the root element of LDAP Administrator. If you are browsing directory structure of an LDAP server and launch the Profile Creation Wizard, then the new server profile will be created under the nearest group. If you want to create a server profile under a specific group you can set context to it before launching Profile Creation Wizard.
To create a new profile:
Select an element, under which you want to create a profile.
Select New from the File menu and then click New Profile.
You can also launch the Profile Creation Wizard using the context menu of the parent element you want.
The Profile Creation Wizard requires the following steps to be completed:
On this step you need to enter a desired name of the new profile. You can accept the default name New Profile and rename the profile later. The name will help you make further use of the profile, distinguishing it from the others.
Usually the profile is created for immediate use and the Connect to the server right after the profile has been created box is checked. If the server is remote or you would like to create several profiles before working with them or due to other reasons you wouldn't like to connect to the server right after the profile has been created then please unchek this box.
General information about the profile comprises the following:
Host Information. Profile host, port and base DN should be specified. Host and port describe the LDAP server to connect to. Usually LDAP servers run on port 389 for regular connections and on port 636 for secure connections. You can either specify a server host/port manually, or perform a DNS lookup of LDAP servers registered in a DNS domain. Base DN is the starting point of your browsing the directory tree. Fetch Base DNs command fetches all the published naming contexts, but you can enter a deeper base DN. You can leave the base DN blank to start browsing from the RootDSE.
Security Options. Data encryption during communications with the server is enabled when the Use secure connection (SSL) box is checked. This box automatically toggles server port between regular (port 389) and secure (port 636) values. With the Read-only profile option enabled, all sorts of directory data modification will be unavailable. You can use the read-only option for the purpose of protecting your directory data from unwanted changes.
LDAP URL. LDAP URL is automatically updated as you configure settings of the profile. However having an LDAP URL gives you a possibility to fill in the single field and the Profile Creation Wizard will extract all the settings from it.
Credentials provide information for authenticating a user when connected to the server. Available are the following authentication options:
Anonymous Bind. Determines an anonymous authentication type for the given server.
Currently Logged On User. Prompts a connection to use credentials of the currently logged on Windows user. This option is Active Directory-specific and works properly only when connecting to an Active Directory or ADAM server.
Other Credentials. Used when it is required to specify custom credentials for a connection. The Mechanism option sets the way in which the client and the server will negotiate with each other when establishing the connection and checking the provided credentials. Currently LDAP Administrator supports the following authentication mechanisms:
|Simple||Standard LDAP authentication mechanism. The principal and the password are transmitted in plain text, which makes this mechanism potentially vulnerable to cyber attacks. This mechanism is not recommended for usage in an unsafe environment like the Internet. However, using this mechanism when you connect to an LDAP server over SSL or a protected VPN channel is quite secure.|
|Digest MD5||This is a SASL authentication mechanism that provides a much higher protection from cyber attacks. If your server supports this mechanism, it's recommended you always prefer Digest MD5 over Simple.|
|GSS Negotiate||A SASL mechanism that allows both client and server to negotiate for and then use the best authentication mechanism they mutually support. It’s recommended you prefer GSS Negotiate overSimple or Digest MD5 whenever possible.|
Basically, a Principal is a general term for a user name, while the actual form of the principal string is mechanism-specific. The following table lists the most widespread forms of 'principal':
|LDAP DN||The principal string is an LDAP distinguished name string as described in RFC4514*.||cn=JohnDoe,ou=People,dc=Example,dc=com|
|Kerberos principal||The principal string is a Kerberos principal email@example.com|
|NTLM name||The principal is the a Windows NTLM authentication string.||EXAMPLE\johndoe|
Principal and Password are used to authenticate the client to the server. The unchecked Save password box will result in LDAP Administrator asking you for the password before granting access to the server. You won't have to bother entering your password more than once in any case during a session, meaning that LDAP Administrator will only discard it after you exit the application. But if you check the Save password box for a selected profile, you'll no longer need to enter the password at all unless the box is unchecked.
You can use the Select credentials command to choose from among the existing credentials for the host and port configuration.
The Try matching the credentials required for referral rebind box indicates whether the credentials will be automatically determined by the Credentials Manager when you follow LDAP referrals. If the Credentials Manager is unable to automatically determine the appropriate credentials for the LDAP referral, or if this box is unchecked, then the application will ask for credentials right after you attempt to follow a referral.
At this step, you can either accept the default application settings by pressing Finish, or adjust the selected settings according to your requirements.
Filter. Filter is used for filtering directory content under the profile. By default, it is propagated down the directory structure. To specify a filter, you can use LDAP Filter Builder, which is launched by clicking the button inside the edit box.
Timeout. The Timeout parameter specifies the maximum time in seconds that LDAP Administrator will wait for search or browse operations to complete on an LDAP connection. A 0 value means no timeout, i.e. LDAP Administrator will wait for as long as it takes for an operation to complete.
Sizelimit. Sizelimit is a server-side setting that specifies the maximum number of entries to be returned in a search result or while browsing on an LDAP connection. A 0 value means no sizelimit, i.e. the server will return full query results. However, some servers may have internal sizelimits that can't be controlled by this setting.
Referral handling. Configures referral handling modes for viewing or following LDAP referrals.
Dereference aliases. Configures whether aliases are dereferenced when locating the base object of the search and in the subordinates of the base object being searched.
Advanced. Configures advanced options of the server profile.