Secure Global Desktop 4.31 Administration Guide > Applications, documents and hosts > Mirroring your LDAP organization in ENS

Mirroring your LDAP organization in ENS

If you have configured Secure Global Desktop to authenticate users with either the LDAP login authority, the Active Directory login authority or web server/third party authentication (using the LDAP search methods), all users have the same webtop content (defined by the default LDAP profile object o=Tarantella System Objects/cn=LDAP Profile) and have the same Secure Global Desktop-specific settings.

In order to customize webtop content and/or Secure Global Desktop-specific settings, you have to mirror some of your LDAP organization in ENS by creating the person objects that will be used as login profiles. These login profiles can then be used to control the following:

• Webtop content.
• Access to standard or secure connections to Secure Global Desktop.
• Access to client drives on Microsoft Windows client devices.
• Access to printers on Microsoft Windows client devices.
• Access to serial ports.

Note Directory Services Integration offers a more efficient and flexible way of customizing webtop content.

For details of how the login profiles are determined, see the LDAP login authority, the Active Directory login authority or web server/third party authentication.

When you create person objects as login profiles:

• You don't need to mirror your entire LDAP organization in ENS, only as much of the structure as you need.
• Inherit as much as possible from other objects in the organizational hierarchy.
• Only create person objects for individual users if you really have to.

Example

• Indigo Insurance has five departments: IT, Sales, Marketing, Finance, and Administration
• It has a flat organizational hierarchy.
• The Finance and Marketing departments need different webtop content to the other departments.
• Sid Cerise in the Finance department also wants access to the Cust-o-dat application but no-one else in Finance is allowed to access it.

The objects you create, depend on the type of LDAP directory being used.

Sun™ ONE Directory Server

If you are using Sun ONE Directory Server, the LDAP names are:

• ou=IT,o=indigo-insurance.com for IT
• ou=Sales,o=indigo-insurance.com for Sales
• ou=Finance,o=indigo-insurance.com for Finance
• ou=Marketing,o=indigo-insurance.com for Marketing
• uid=Sid Cerise,ou=Finance,o=indigo-insurance.com for Sid Cerise

To give users the webtops they need, you could create the following objects in the organizational hierarchy:

Note You must create the person object using a uid= prefix. Use BACKSPACE to delete the Secure Global Desktop default cn= prefix for person objects and then type uid=. You can only do this when you create the object. Once the object has been created, you cannot amend the cn= part of the name.

With this organizational hierarchy:

• Sid Cerise receives the webtop defined for his person object. He also inherits webtop content and other settings from parent OU objects in the organizational hierarchy.
• Users in the Finance and Marketing departments receive the webtop defined for the Finance and Marketing cn=LDAP Profile objects. They also inherit webtop content and other settings from parent OU objects in the organizational hierarchy.
• All other users receive the webtop and other settings defined for the o=tarantella System Objects/cn=LDAP Profile object.

Microsoft Active Directory

If you are using Microsoft Active Directory, the LDAP names are:

• cn=IT,dc=indigo-insurance,dc=com for IT
• cn=Sales,dc=indigo-insurance,dc=com for Sales
• cn=Finance,dc=indigo-insurance,dc=com for Finance
• cn=Marketing,dc=indigo-insurance,dc=com for Marketing
• cn=Sid Cerise,cn=Finance,dc=indigo-insurance,dc=com for Sid Cerise

To give users the webtops they need, you could create the following objects in the organizational hierarchy:

Note You must use domain component and Active Directory container objects to mirror your LDAP organization.

With this organizational hierarchy:

• Sid Cerise receives the webtop and other settings defined for his person object.
• Users in the Finance and Marketing departments receive the webtop and other settings defined for the Finance and Marketing cn=LDAP Profile objects.
• All other users receive the webtop and other settings defined for the o=tarantella System Objects/cn=LDAP Profile object.

Note It is not possible to inherit webtop content or other settings from domain component and Active Directory container objects.

Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.