4 Replies Latest reply on Oct 13, 2008 7:17 AM by m.taylor

    LDAP Connector & eDirectory 8.7

      Hi
      Has anyone any recommendations for setting up the SafeBoot Connector Manager with Novell eDirectory?
      e.g. search setting, attribute type value, attr mappings, change attribute, etc.
      We have set up a basic connector, with the General:attribute types containing uniqueid of type ascii string, search setting to (objectClass=user), default attr mappings and a search group using full DN... It seems to work OK in the test environment, I just want to be a bit more sure before we start our production pilot...!
      (Another alternative is that we use AD connector, as we use Novell IDM to sync eDir/AD and the AD Connector appears to be more fully populated, etc.)
      Any thoughts or suggestions welcome!
      Thanks
      David
        • 1. RE: LDAP Connector & eDirectory 8.7
          Hi

          Battling on... We have a process that can add users and filter on group, etc.
          The main issue I am concerned with is the ability to disable the SafeBoot account when the eDirectory account is disabled.
          The attribute mapping for Account Control would appear to be the eDirectory (LDAP) attribute 'logindisabled'.
          The issue I am having is getting the LDAP connector to acknowledge that there is a change, i.e. the attribute mapping for 'Change Attribute'. I have tried an eDir attribute named revision, but this appears to be somewhat 'hidden' for LDAP queries and is replica server specific. I then thought I'd try 'logindisabled', as this is the only attribute we actually care about - again, no joy...
          Any suggestions?!?

          Cheers

          David
          • 2. RE: LDAP Connector & eDirectory 8.7
            I've never found a reason to try and populate the Change Attribute here, Account Control is set to the default of loginDisabled which I confirmed matched our LDAP attribute through LDAP Browser. I have confirmed SB accounts are disabled when the eDirectory account is disabled as well, though the SB account isn't disabled until the next LDAP sync.

            We use a filter under Search Settings, not the Search Group here. Search Groups seem to be a much better choice except performance is ridiculous compared to our search filter (which is effectively doing the same thing). I've also seen that the Search Groups incorrectly identify some users as "not a user" but I've been unable to determine a reason. If you go with the Search Settings make sure your Entry Limit is high enough to accommodate the number of records being returned.
            • 3. RE: LDAP Connector & eDirectory 8.7
              Hmm, that's interesting, I was assuming you needed the change attribute for it to assess whether to read the other attributes...
              Hey ho, as you've seen from the other post we went for the AD Connector route.

              Thanks for posting
              Regards

              David
              • 4. RE: LDAP Connector & eDirectory 8.7
                Yeah, AD sounds like the smart choice. That's currently not an option here but from your posts it appears performance is 20x better with AD. Using Search Groups with eDirectory I've found it takes over an hour for one sync of 1 group with 1K users. Not to mention the user enrollment issue I mentioned last post.
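
Added example, not part of the thread and not SafeBoot or Novell code: a small audit for the gap the replies describe, where a user is disabled in eDirectory (`loginDisabled`) but the encryption account stays enabled until the next sync, and for users the search did not return at all (filter or Entry Limit). The LDIF text, the `o=example` tree and the local account export format are constructed assumptions.

```python
# Added example: constructed sample data; the local account export format is hypothetical.
SAMPLE_LDIF = """\
dn: cn=asmith,ou=staff,o=example
objectClass: user
uniqueID: asmith
loginDisabled: TRUE

dn: cn=bjones,ou=staff,o=example
uniqueID: bjones
logindisabled: FALSE

dn: cn=a-very-long-common-name,ou=contractors,ou=staff,
 o=example
uniqueID: cdoe
loginDisabled: TRUE
"""

def parse_ldif(text):
    """Return {uniqueid: login_disabled} from plain (non-base64) LDIF text."""
    # Unfold continuation lines: a line starting with one space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    users, entry = {}, {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if "uniqueid" in entry:
                users[entry["uniqueid"]] = entry.get("logindisabled", "FALSE").upper() == "TRUE"
            entry = {}
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            entry[name.strip().lower()] = value.strip()  # attribute names are case-insensitive
    return users

def audit(directory, local_enabled):
    """Compare directory state with local account state ({uniqueid: enabled})."""
    stale = sorted(u for u, on in local_enabled.items() if on and directory.get(u) is True)
    missing = sorted(u for u in local_enabled if u not in directory)
    return stale, missing

LOCAL_ACCOUNTS = {"asmith": True, "bjones": True, "cdoe": False, "dlee": True}  # constructed

if __name__ == "__main__":
    stale, missing = audit(parse_ldif(SAMPLE_LDIF), LOCAL_ACCOUNTS)
    print("disabled in directory, still enabled locally:", stale)
    print("not returned by the search (check filter and Entry Limit):", missing)
```

Run it against an LDIF export taken with the same filter the connector uses, so that a user appearing under "not returned" points at the filter or the entry limit rather than at the export.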