Secure Global Desktop 4.31 Administration Guide > Users and authentication > Enabling the LDAP login authority

Enabling the LDAP login authority

To use LDAP directory servers to authenticate users to Secure Global Desktop, you need to enable the LDAP login authority. To do this:

1. Make sure all the Secure Global Desktop servers in the array can contact each LDAP directory server you will be using for authentication.
2. In Array Manager, open Secure Global Desktop Login properties.
3. Check the LDAP login authority box.
4. In the URL field, type the URL of one or more LDAP directory servers, for example ldap://melbourne.indigo-insurance.com.
   • To secure the connections to LDAP directory servers with SSL/TLS, follow these instructions.
   • Separate each URL with a semicolon.
   • If you enter more than one URL, the URLs are used in the order they are listed. If the first LDAP directory server listed is unavailable, Secure Global Desktop tries the next one in the list.
   • The standard port used for connections to LDAP directory servers is 389/tcp. If the LDAP directory server uses a different port, you must specify the port number as part of the URL, for example ldap://melbourne.indigo-insurance.com:5678.
   • Normally, the LDAP login authority searches the entire LDAP directory. You can restrict the search to part of the LDAP directory by adding a search root to the end of the URL, for example ldap://melbourne.indigo-insurance.com/dc=indigo-insurance,dc=com
5. Enter the details of an LDAP user in the Username and Password fields.
   • The username must be the distinguished name of the user, for example cn=tarantella-ldap,cn=Users,dc=indigo-insurance,dc=com.
   • Some LDAP directory servers support anonymous logins, so you don't need to supply a username or password. Others, including Microsoft Active Directory, require the username and password of a user that has sufficient privileges to search the LDAP directory.
   • You might want to create a special LDAP user reserved for the Secure Global Desktop LDAP login authority.
   • As you can only enter one username and password, this user must be able to search all LDAP directory servers listed in the URL box.
6. Click Apply.

Once the LDAP login authority is enabled, users can log in to Secure Global Desktop using either:

• their full name (common name or cn);
• their uid;
• their e-mail address; or
• their SAM account name.

Users then receive the webtop that has been configured for them using:

• LDAP user login profile objects; and
• Directory Services Integration.

Password expiry

Secure Global Desktop can prompt a user for a new password if their password has expired on the LDAP directory server. When a user attempts to log in with an expired password, the aged password dialog displays. This dialog:

• confirms that the password has expired; and
• allows the user to enter and confirm a new password.

If the new password is accepted, the user is logged in to Secure Global Desktop.

Sun One Directory Server

For Sun One Directory Servers:

• do not use the "User must change password after reset" option either in the global password policy or for an individual password policy. This causes the password change to fail.
• The LDAP user entered in the Username and Password fields on the Secure Global Desktop properties panel in Array Manager must have administrative privileges.

Microsoft Active Directory

With Microsoft Active Directory, password expiry (including forcing the user to change their password at next logon) can only be handled if there is a secure (SSL) connection between the Secure Global Desktop server and the Active Directory server. See Securing connections to LDAP directory servers for details.

LDAP timeouts

Secure Global Desktop uses two timeouts to control what happens in the event of an LDAP failure.

The LDAP discovery timeout controls how long Secure Global Desktop waits for an LDAP directory server to respond to the initial contact request. The default is 30 seconds. To change this timeout, run the following command:

tarantella config edit --tarantella-config-ldap-discovery-timeout secs

The LDAP timeout controls how long Secure Global Desktop waits for an LDAP directory server to respond to LDAP operations, such as requests for data. The default is 30 seconds. To change this timeout, run the following command:

tarantella config edit --tarantella-config-ldap-timeout secs

With both timeouts, Secure Global Desktop makes two attempts to contact the LDAP directory server. If there is no response, Secure Global Desktop tries the next LDAP directory server listed in the URL field on the Secure Global Desktop Login properties panel in Array Manager. If all LDAP directory servers time out, users can't be authenticated with the LDAP login authority and webtop content can't be generated.

Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.