Replication
Use this form to configure FirstClass Directory Services (FCDS).



General tab
Use this tab to specify information concerning:
•       the operating mode
•       general setup.


General setup
Operation mode
The operating mode for FCDS.
Choices are LDAP, User Replication, and Authentication Only.
Directory root DN
The DN that you want FCDS to use as the root (highest level) of the FirstClass Directory's tree view.
Example:
ou=Administration,o=Husky Planes,c=CA
This is normally the same as the external LDAP server's root DN. If you only want to replicate a subtree of the external LDAP server's directory, type the DN that represents the root of that subtree.
LDAP port
The LDAP port number on the machine that is running FCDS.
Ports below 1024 are privileged on Mac and Linux, so FCDS can only bind the default port 444 if it runs as the superuser (root). If you'd rather not run FCDS with that privilege, change this value to a port above 1024.




Users tab
Use this tab to specify information concerning:
•       the use and creation of user aliases
•       the creation of LDAP user distinguished names (DNs)
•       the custom data attribute value to replicate to the "Custom ID" field on the User Info form.


FirstClass SMTP user aliases
By default, FCDS creates an SMTP user alias for any user who doesn't already have an alias. This alias takes the form you specify here.
Exception
FCDS won't create SMTP user aliases for remote names.
Use alias from UIF if present
Uses the first valid SMTP address encountered in the "Mail aliases" field on the User Information form (UIF).
If there is none, and you also select "Generate SMTP user aliases", this field also tells FCDS to use the first name encountered at "Mail aliases" when generating the alias.
You can also select this field to improve startup performance when you have FirstClass Community users. By default, the email redirection addresses of these users are retrieved from their preferences at startup. If you select this field, these preferences aren't opened to retrieve the addresses.
Generate SMTP user aliases
Generates aliases if no valid SMTP user aliases exist on the UIF, or you didn't select "Use alias from UIF if present".
If there is no "Mail aliases" information on the UIF at all, FCDS uses the elements you specify below to create the aliases.
If you select neither "Use alias from UIF if present" nor "Generate SMTP user aliases", FCDS won't have any SMTP user alias information.
Generate name from
First and last name
Generates the name portion of the alias from the user's first name, then the user's last name.
Resulting alias: first separator last@domain
Last and first name
Generates the name portion of the alias from the user's last name, then the user's first name.
Resulting alias: last separator first@domain
User ID
Generates the name portion of the alias from the user's user ID.
Resulting alias: user_id@domain
Separator character
Specifies the character to use between name elements (first, last, and initials).
Use initials
Adds the user's initials to the end of the name portion of the alias. The initials aren't edited, so will include any periods that were entered.
Resulting alias: first separator last separator initials@domain
or
last separator first separator initials@domain
Domain
The domain name to use for the creation of user aliases. This domain name is used if the highest organizational unit for that user doesn't have a domain name.
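The alias rules above, worked through as an added example (this is not FCDS code): the precedence of "Use alias from UIF if present" over "Generate SMTP user aliases", the three "Generate name from" choices, the separator, the unedited initials, the remote-name exception and the domain fallback all follow the text. The UserInfo/AliasSettings field names, the OU-to-domain table and the address check (a strict local-part@domain regex, not FCDS's own notion of a valid address) are assumptions made for the example, and the user records are constructed.

```python
"""SMTP user alias selection, following the Users tab settings described above.

Added example, not FCDS code. The field names, the OU-to-domain table and
the address regex are assumptions; the sample users are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed, deliberately strict check for a "valid SMTP address".
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


@dataclass
class UserInfo:
    user_id: str
    first: str
    last: str
    initials: str = ""                        # kept verbatim, periods included
    mail_aliases: list[str] = field(default_factory=list)  # UIF "Mail aliases"
    top_ou: str = ""                          # user's highest organizational unit
    is_remote_name: bool = False


@dataclass
class AliasSettings:
    use_uif_alias: bool = True                # "Use alias from UIF if present"
    generate: bool = True                     # "Generate SMTP user aliases"
    name_from: str = "first_last"             # "first_last" | "last_first" | "user_id"
    separator: str = "."
    use_initials: bool = False
    domain: str = "example.com"               # used when the top OU has no domain


def smtp_alias(user: UserInfo, s: AliasSettings, ou_domains: dict[str, str]) -> str | None:
    """Return the alias FCDS would hold for the user, or None when it holds none."""
    if user.is_remote_name:
        return None                           # exception: no aliases for remote names
    if s.use_uif_alias:
        for candidate in user.mail_aliases:
            if _ADDR.match(candidate):
                return candidate              # first valid address on the UIF wins
    if not s.generate:
        return None                           # neither source selected, or UIF had none
    domain = ou_domains.get(user.top_ou) or s.domain
    if s.use_uif_alias and user.mail_aliases:
        # Nothing valid on the UIF but both options are on: the first
        # "Mail aliases" entry supplies the name portion (reading of the text).
        local = user.mail_aliases[0].split("@", 1)[0]
    elif s.name_from == "user_id":
        local = user.user_id
    else:
        parts = [user.first, user.last] if s.name_from == "first_last" else [user.last, user.first]
        if s.use_initials and user.initials:
            parts.append(user.initials)       # not edited: "J.Q." stays "J.Q."
        local = s.separator.join(parts)
    return f"{local}@{domain}"


if __name__ == "__main__":
    ou_domains = {"Sales": "sales.example.com"}      # constructed OU domain table
    print(smtp_alias(UserInfo("jsmith", "John", "Smith", "J.Q.", top_ou="Sales"),
                     AliasSettings(use_initials=True), ou_domains))
```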
LDAP user DNs
DN naming attribute
The naming attribute to be used for the creation of LDAP user DNs.
In authentication only mode, if you choose CommonName (cn), be aware that the cn will be the FirstClass user ID, because that is the only information passed to FCDS from the FirstClass server. You can choose this when the user ID and cn are the same (for example, in some Active Directory installations where cn is the required naming attribute for LDAP BIND, and matches the FirstClass user ID).
UIF custom data setup
UIF custom data attribute
The custom attribute name to use in the "Custom ID" field on the User Info form.
This field will be available in the FCDS LDAP tree, and its value will be searchable using LDAP queries.
UIF custom data attribute matching rule
The rule to use for matching custom attribute values.
Attribute is local to FirstClass
Populates the "Custom ID" field with the value you specify here. The attribute isn't replicated from the external LDAP server.
If you prefer, you can leave this whole section blank and enter a value directly on the User Info form.




Replication - Setup tab
Use this tab to specify basic replication options.


General replication setup
Replication mechanism
How replication will be performed in LDAP or user replication mode:
None
No replication. Choose this if you want to run in LDAP mode to see a tree view, but don't want replication.
External LDAP Server's Standard
Uses the external LDAP server's replication method.
Generic LDAP Replicator
Uses FCDS' Generic LDAP Replicator.
This uses time stamp-based LDAP search queries to detect changes in the external LDAP directory, then updates the FirstClass Directory to match.
Enable delete
Truly deletes from the FirstClass Directory any "deleted" entries.
By default, FCDS unlists these entries, moves them to the DS Deleted group, and renames them using their client IDs, to free up their old user IDs.
Postal address is single LDAP attribute (postalAddress)
Select this if the postal address on your LDAP server is always the single attribute postalAddress.
This will speed up replication, because FCDS won't try to build the postal address from LDAP composite address attributes.
If this is cleared, the postal address will be built from the LDAP attributes: street, localityName, stateOrProvinceName, postalCode, countryName, and/or countryFriendlyName.
CommonName (cn) attribute is always in sync with name components
Select this if the cn attribute on your LDAP server is always made up of the name components: first, last, and initials.
This will speed up replication, because FCDS will skip resyncing the cn attribute during a full directory synchronization.
Show/replicate
Select the information you want FCDS to replicate. For LDAP mode without replication, this controls the information shown in the FirstClass Directory LDAP tree.
User details
Phone, fax, and postal address.
Replicate mail lists as member lists
Causes FCDS to create an OU of Level 7 Team and make all users in a mail list members of this group.
If this field is cleared, mail lists are replicated as regular mail lists.
Replicate account lists (posixGroup)
Replicates posixGroup information as member lists.
Replicate containers
Replicates nodes with objectClass "container".
Connection type
Use secure connections (SSL) for replication
Uses SSL connections when replicating.
External SMTP user aliases
Don't replicate external SMTP user aliases
The default state (cleared) replicates external SMTP user aliases to the "Mail aliases" field on the UIF. The information in this field can determine the alias that FCDS will use, as described above.




Replication - Scheduling tab
Use this tab to set up replication scheduling.


Generic LDAP Replicator scheduling
Only fill in these fields if you chose Generic LDAP Replicator at "Replication mechanism".
Scan external directory for changes every
The number of minutes the Generic LDAP Replicator will wait before rechecking the external LDAP server's directory for changes.
Check for deleted entries
When to check for entries that have been deleted from the external LDAP server's directory. FCDS can check either once a day or at intervals.
For large directories, this operation may lock up FCDS for a long time, because every entry in the FirstClass Directory has to be checked against the external directory. For this reason, we recommend that you balance your installation's size and needs against the frequency with which you make FCDS scan for deleted entries.
System startup replication
Enable and start replication at system startup
Note: Mainly applies if you are running FCDS as a Windows service.
Makes FCDS automatically start syncing after the FCDS machine is restarted/reset.
Last replication information
This section displays information that is updated by FCDS after every replication.
Hi-water-mark is the USN (Update Sequence Number) or CSN (Change Sequence Number) that is incremented each time an entry on the external LDAP server is updated.
FCDS stores the highest USN/CSN found when it replicates these data categories:
•       organizational units
•       users
•       contacts
•       mail lists
•       deleted items.
FCDS uses this information for the next time it replicates, to determine what needs updating on the FirstClass server. For each of the categories above, the external LDAP server is asked to send all entries with a USN/CSN that is higher than the stored value.
Tip
If you need a normal sync and a full directory sync to be the same, you can manually change these values to zero. In this case, all entries are retrieved and updated.




Replication - Filtering tab
Use this tab to control which entries on the external LDAP server will be replicated.


Filtering with filter conditions
Use this section to apply filters that control whether entries on the external LDAP server will be replicated based on certain conditions.
Default action
The action to take if none of the filter conditions are met:
Filtering OFF - All Entries Are Replicated
No filters are used to restrict the entries to be replicated.
Filtering ON - Nonfiltered Entries Are Replicated
Entries that don't meet any filter conditions are replicated.
Filtering ON - Nonfiltered Entries Aren't Replicated
Entries that don't meet any filter conditions aren't replicated.
If
Meeting this condition will cause the entry to be treated according to the "then" and "using" values.
The condition syntax is
attribute name = attribute value
You can specify multiple conditions, separated by commas. If any of these conditions are met, the filter condition as a whole is considered met.
You can also include quoted attribute values. This allows you to include commas within the quoted string, and those commas won't be considered delimiters.
then
The action to take when a filter condition is met:
Replicate Entry
Replicates the entry.
Don't Replicate Entry
Doesn't replicate the entry.
Add Entry to Groups
Replicates the entry and adds it to the specified FirstClass non-OU group(s).
Use the "using" field to specify the group(s).
using
Updates the replicated entry's User Information Form to add the entry to the specified group(s). This is only applicable when you choose Add Entry to Groups at "then".
If you want to add the entry to multiple groups, separate each group with a comma.
Examples of filters are:
If
description=student
then
Don't Replicate Entry
using

If
description=teacher
then
Add Entry to Groups
using
Staff,Teachers
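The condition syntax and the "Default action" / "then" / "using" rules above, implemented as an added example (not FCDS code): a condition is `attribute name = attribute value`, comma-separated conditions match when any one of them does, a quoted value may contain commas, and a matched filter's action decides the entry while the default action covers everything else. Two things the page does not state and this example assumes: filters are tried in the order listed and the first match wins, and attribute names and values compare case-insensitively, as most LDAP string syntaxes do. The sample entries are constructed.

```python
"""Parser and evaluator for the "Filtering with filter conditions" rules above.

Added example, not FCDS code. Assumed (not stated on the page): filters are
evaluated in order, first match wins; names and values compare
case-insensitively. Sample entries in the usage block are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

FILTERING_OFF = "Filtering OFF - All Entries Are Replicated"
ON_KEEP_REST = "Filtering ON - Nonfiltered Entries Are Replicated"
ON_DROP_REST = "Filtering ON - Nonfiltered Entries Aren't Replicated"

REPLICATE, DONT_REPLICATE, ADD_TO_GROUPS = (
    "Replicate Entry", "Don't Replicate Entry", "Add Entry to Groups")


@dataclass
class Filter:
    if_: str            # e.g. 'description=teacher, ou="Sales, EMEA"'
    then: str           # one of the three "then" actions
    using: str = ""     # comma-separated groups, only for ADD_TO_GROUPS


@dataclass
class Decision:
    replicate: bool
    groups: list[str] = field(default_factory=list)


def parse_conditions(text: str) -> list[tuple[str, str]]:
    """Split the "If" field into (attribute, value) pairs, honouring quotes."""
    pieces, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted           # quotes delimit; they are not part of the value
        elif ch == "," and not quoted:
            pieces.append("".join(buf))   # unquoted comma separates conditions
            buf = []
        else:
            buf.append(ch)
    if quoted:
        raise ValueError("unterminated quote in filter condition")
    pieces.append("".join(buf))
    conditions = []
    for piece in pieces:
        if not piece.strip():
            continue
        if "=" not in piece:
            raise ValueError(f"condition without '=': {piece!r}")
        name, value = piece.split("=", 1)
        conditions.append((name.strip(), value.strip()))
    return conditions


def condition_met(conditions, entry: dict[str, list[str]]) -> bool:
    """True when ANY (attribute, value) pair is present on the entry."""
    attrs = {k.lower(): {v.lower() for v in vals} for k, vals in entry.items()}
    return any(value.lower() in attrs.get(name.lower(), set())
               for name, value in conditions)


def decide(entry, filters: list[Filter], default_action: str) -> Decision:
    """Apply the filters in order; fall back to the default action."""
    if default_action == FILTERING_OFF:
        return Decision(True)             # "No filters are used": nothing consulted
    for f in filters:
        if not condition_met(parse_conditions(f.if_), entry):
            continue
        if f.then == REPLICATE:
            return Decision(True)
        if f.then == DONT_REPLICATE:
            return Decision(False)
        if f.then == ADD_TO_GROUPS:
            groups = [g.strip() for g in f.using.split(",") if g.strip()]
            return Decision(True, groups)
        raise ValueError(f"unknown action {f.then!r}")
    return Decision(default_action == ON_KEEP_REST)


if __name__ == "__main__":
    # The two filters given as examples on the page, over constructed entries.
    filters = [Filter("description=student", DONT_REPLICATE),
               Filter("description=teacher", ADD_TO_GROUPS, "Staff,Teachers")]
    for entry in ({"description": ["student"]}, {"description": ["Teacher"]},
                  {"description": ["staff"]}):
        print(entry, "->", decide(entry, filters, ON_DROP_REST))
```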

Filtering with bounding OUs
Treat bounding OUs as
How you want FCDS to treat the bounding OUs listed at "Allow these groups to use this service" on the Directory gateway form for the purpose of filtering replication:
Cluster or filtered cluster
The first item in the list is considered the cluster OU. Replicated DNs must contain the cluster OU followed only by OUs from this list.
Only selected OUs are replicated.
Cluster with branch filter
The first item in the list is considered the cluster OU. Replicated DNs must contain the cluster OU followed by at least one OU from this list.
FCDS replicates everything in the cluster OU plus the selected OUs and the OUs under them.
Simple branch filter
The first item in the list is considered the root DN. Replicated DNs must contain at least one OU from this list.
FCDS replicates users in the root DN plus the selected OUs.
You can't use remote authentication with simple branch filtering, because users in the root DN can't be authenticated remotely.
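The three bounding-OU modes applied to sample DNs, as an added example that is not FCDS code. The bounding list is taken as the text describes it: the first item is the cluster OU (cluster modes) or the root DN (simple branch filter), the rest are the selected OUs. Assumptions not made on the page: DN parsing is a minimal RFC 4514 split that handles only backslash-escaped commas; in "cluster or filtered cluster" an entry sitting directly in the cluster OU passes (the rule "followed only by OUs from this list" is vacuously true for it); in the two branch-filter modes an entry directly in the cluster OU or root DN passes, as the text says. The DNs are constructed, built on the page's own `o=Husky Planes,c=CA` example.

```python
"""DN-based replication filtering in the three "Treat bounding OUs as" modes.

Added example, not FCDS code. DN parsing is a minimal RFC 4514 split
(backslash-escaped commas only); the reading of the three modes is stated
in the lead-in; the DNs are constructed samples.
"""
from __future__ import annotations

import re

CLUSTER = "cluster or filtered cluster"
CLUSTER_BRANCH = "cluster with branch filter"
SIMPLE_BRANCH = "simple branch filter"


def split_rdns(dn: str) -> list[tuple[str, str]]:
    """'cn=a,ou=b\\, c,o=x' -> [('cn','a'), ('ou','b, c'), ('o','x')], leaf first."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):        # split on commas not preceded by '\'
        typ, _, val = part.strip().partition("=")
        rdns.append((typ.strip().lower(), val.replace("\\,", ",").strip()))
    return rdns


def _ous_root_first(rdns) -> list[str]:
    """OU values of the given RDNs, ordered from the root downwards, case-folded."""
    return [val.lower() for typ, val in reversed(rdns) if typ == "ou"]


def dn_is_under(dn: str, base: str) -> bool:
    """True when `dn` lies strictly below `base` (case-insensitive suffix match)."""
    d, b = split_rdns(dn), split_rdns(base)
    norm = lambda rdns: [(t, v.lower()) for t, v in rdns]
    return len(d) > len(b) and norm(d[len(d) - len(b):]) == norm(b)


def allowed(dn: str, mode: str, bounding: list[str]) -> bool:
    """Would FCDS replicate `dn` under this mode and bounding-OU list?"""
    first, selected = bounding[0], {s.lower() for s in bounding[1:]}
    if mode == SIMPLE_BRANCH:
        if not dn_is_under(dn, first):
            return False                           # outside the root DN entirely
        d = split_rdns(dn)
        below = _ous_root_first(d[: len(d) - len(split_rdns(first))])
        return not below or any(ou in selected for ou in below)
    path = _ous_root_first(split_rdns(dn))
    if first.lower() not in path:
        return False                               # no cluster OU in the DN
    below = path[path.index(first.lower()) + 1:]   # OUs beneath the cluster OU
    if mode == CLUSTER:
        return all(ou in selected for ou in below)
    if mode == CLUSTER_BRANCH:
        return not below or any(ou in selected for ou in below)
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    bounding = ["Staff", "Sales", "Support"]       # constructed: cluster OU + selected OUs
    for dn in ("cn=Ann,ou=Sales,ou=Staff,o=Husky Planes,c=CA",
               "cn=Bob,ou=Interns,ou=Sales,ou=Staff,o=Husky Planes,c=CA",
               "cn=Di,ou=Sales,o=Husky Planes,c=CA"):
        print(dn, allowed(dn, CLUSTER, bounding), allowed(dn, CLUSTER_BRANCH, bounding))
```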




Replication - Advanced tab
Use this tab to specify advanced replication options. These may not be necessary in your environment.


Remote users
Remote user attribute
An attribute on the external LDAP server that can be used to identify who should be created as remote users on the FirstClass server.
Remote user attribute value
The value of this attribute that is shared by all users to be created as remote users on the FirstClass server.
Remote names
Remote name gateway
The name of the Internet gateway you want FCDS to use when creating a remote name.
This is the gateway through which all remote names are routed.
Remote name object class
The LDAP object class which identifies remote names on the external LDAP server.
Use this field if you want to identify contact entries by an object class other than the default, objectClass=person.
For Active Directory, use "contact".
Correlator setup
Caution
Don't change these fields unless you have the specific circumstances described here, or you risk breaking replication completely.
The correlator attribute and its matching rule are used to uniquely identify an entry on the external LDAP server and to detect when its DN has changed. They are needed so that scanning replicators (the Active Directory replicator and FCDS' Generic LDAP Replicator) can find entries on the external LDAP server without using the DN. This allows replicators to:
•       get the actual cn attribute value at startup (FCDS doesn't hold cn values)
•       detect when an entry has moved, and generate a MODIFY DN command.
Custom correlator attribute
Leave blank to make FCDS use these object classes/attributes:
contacts/mail
users/userid
mail lists/commonName.
The value "userid" also makes FCDS use the default object classes/attributes.
The value "mail" makes FCDS use these object classes/attributes:
contacts/mail
users/mail
mail lists/commonName.
For any other value, you must specify the attributes that you want FCDS to use for the contacts, users, and mail lists object classes.
For Active Directory, we recommend "objectGUID".
Correlator attribute matching rule
Specifies the correlator type for this attribute.
FirstClass Communities support
Replicate users to a FirstClass Communities server
Replicates external users to a server running FirstClass Communities.
Update handling
Update all user fields when modifying DN
Automatically updates the DN in all user information when that user's DN is changed.




Authentication tab
Use this tab to specify information concerning:
•       types of logins to allow
•       FirstClass login authentication
•       external LDAP server authentication (remote authentication)
•       the time to hold open authentication connections for reuse.


FCDS authentication and security
Allow anonymous login
Allows anonymous logins to FCDS by external connections. Anonymous clients can read whatever the FCDS LDAP tree exposes, so leave this cleared unless a client genuinely needs unauthenticated directory lookups.
Use secure connections (SSL)
Uses external SSL connections to FCDS.
If you select this field, supply your SSL port number and certificate file name.
SSL port
The SSL port number on the machine that is running FCDS.
Certificate file name
The name of the certificate file that you want FCDS to use for secure connections.
FirstClass login authentication
Authentication method
What will authenticate logins to the FirstClass server:
FirstClass Secure
The FirstClass server will authenticate logins.
Remote
The external LDAP server will authenticate logins for all remote users.
The FirstClass server will negotiate with the client to get the encrypted login credentials.
External LDAP server authentication
Authentication mechanism
How users will be authenticated when authentication is remote:
LDAP BIND
The standard LDAP BIND command will be issued.
FCDS will use the user ID and password to find the user in the LDAP tree, and obtain the DN needed for the BIND command.
LDAP BIND to Authentication Root DN
Note: Only applies if the external LDAP server's root DN is different from the FirstClass Directory root DN you specified on the General tab.
If you choose this, supply the external LDAP server's root DN at "Authentication root DN". FCDS will use this root DN to construct users' DNs for authentication on the external LDAP server.
Microsoft Active Directory Login
If your external LDAP server is Active Directory, you can choose this instead of LDAP BIND.
In this case, the user ID and password will be used directly as Active Directory login credentials.
In user replication mode, you normally use this mechanism.
HTTP to OpenText Content Server
Choose this to force HTTP authentication against an OpenText Content Server.
This runs in authentication only mode.
Authentication root DN
Note: Only applies if you chose LDAP BIND to Authentication Root DN or HTTP to OpenText Content Server at "Authentication mechanism".
The external LDAP server's root DN. In the case of OpenText Content Server, this must contain the Content Server-specific URL.
Authentication filter
Note: Only applies if you chose either of the LDAP BIND options at "Authentication mechanism".
The LDAP search filter to use for remote authentication.
The filter must be a string filter compliant with RFC 2254 (now superseded by RFC 4515). An example filter is
(!(studentStatus=suspended))
which means the student status is not suspended.
If the search result is true (in the example above, the user trying to log in is not suspended), the user is authenticated. A user whose entry doesn't satisfy the filter is refused even if the password is correct.
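The LDAP BIND mechanism with an authentication filter, carried through as an added example (not FCDS code): search the external directory for the entry whose naming attribute equals the login ID, with the administrator's authentication filter ANDed into that search, then BIND as the entry's DN with the supplied password. Two hardening points a practitioner would want are added on top of what the page describes: the login ID is escaped as RFC 4515 (which obsoletes RFC 2254) requires, so `*` or `)(` typed as a user name cannot rewrite the query, and an empty password is refused before any bind, because a simple bind with a DN and an empty password is an unauthenticated (anonymous) bind that servers report as success (RFC 4513 section 5.1.2). The in-memory directory, the small filter evaluator and `simple_bind` are constructed stand-ins for the external LDAP server; the `studentStatus` attribute and the two users are constructed around the page's own example filter.

```python
"""Remote authentication: search for the user's DN, then BIND with the password.

Added example, not FCDS code. DIRECTORY, the toy filter evaluator and
simple_bind() are constructed stand-ins for the external LDAP server.
"""
from __future__ import annotations

import re


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_auth_filter(naming_attr: str, user_id: str, auth_filter: str | None) -> str:
    """AND the user lookup with the "Authentication filter" setting."""
    user_term = f"({naming_attr}={escape_filter_value(user_id)})"
    return f"(&{user_term}{auth_filter})" if auth_filter else user_term


# --- constructed stand-in for the external LDAP server ---------------------
DIRECTORY = {
    "uid=alice,ou=Administration,o=Husky Planes,c=CA":
        {"uid": ["alice"], "studentStatus": ["active"], "userPassword": ["pw-alice"]},
    "uid=bob,ou=Administration,o=Husky Planes,c=CA":
        {"uid": ["bob"], "studentStatus": ["suspended"], "userPassword": ["pw-bob"]},
}


def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _parse(s: str, i: int):
    """Parse one filter item at s[i]; supports &, |, !, presence and equality."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("filter item must start with '('")
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    j = s.index(")", i)            # an unescaped ')' in a value would end the item early
    attr, _, raw = s[i:j].partition("=")
    node = ("present", attr) if raw == "*" else ("=", attr, _unescape(raw))
    return node, j + 1


def _values(attrs: dict, name: str) -> list[str]:
    """Case-insensitive attribute lookup, values case-folded."""
    return [v.lower() for k, vs in attrs.items() if k.lower() == name.lower() for v in vs]


def _matches(node, attrs: dict) -> bool:
    if node[0] == "present":
        return bool(_values(attrs, node[1]))
    if node[0] == "=":
        return node[2].lower() in _values(attrs, node[1])
    op, kids = node
    if op == "&":
        return all(_matches(k, attrs) for k in kids)
    if op == "|":
        return any(_matches(k, attrs) for k in kids)
    return not _matches(kids[0], attrs)


def simple_bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind against the external server."""
    return password in DIRECTORY.get(dn, {}).get("userPassword", [])


def authenticate(user_id: str, password: str, naming_attr: str = "uid",
                 auth_filter: str | None = "(!(studentStatus=suspended))") -> bool:
    """The two-step flow: locate exactly one DN, then bind as it."""
    if not password:
        return False               # would otherwise become an anonymous bind (RFC 4513 5.1.2)
    node, _ = _parse(build_auth_filter(naming_attr, user_id, auth_filter), 0)
    hits = [dn for dn, attrs in DIRECTORY.items() if _matches(node, attrs)]
    if len(hits) != 1:
        return False               # unknown user, excluded by the filter, or ambiguous
    return simple_bind(hits[0], password)


if __name__ == "__main__":
    print(build_auth_filter("uid", "alice)(uid=*", "(!(studentStatus=suspended))"))
    print(authenticate("alice", "pw-alice"), authenticate("bob", "pw-bob"),
          authenticate("alice", ""), authenticate("*", "pw-alice"))
```

Against a real server the search and bind would go over the connection configured on the LDAP Server tab; the ordering (filter first, then bind, and never a bind with an empty password) is the part worth keeping.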
Use secure connections (SSL) for external authentication
Uses SSL connections with remote authentication.
External LDAP server connection pool control
Connection timeout
The time after which an inactive authentication connection is dropped.
FCDS holds authentication connections in a pool for reuse, and checks this pool for an available connection when an authentication request arrives. This field controls when these held connections are dropped due to inactivity.
Make this timeout shorter than the timeout on your external LDAP server. A value of zero means each authentication connection is dropped immediately after authentication.



LDAP Server tab
Use this tab to specify information concerning:
•       the external LDAP server
•       any LDIF file that you want to import to the FirstClass Directory.


Server identification
Server address
The IP address or domain name of the external LDAP server.
LDAP port
The LDAP port number on the external LDAP server.
LDAP SSL port
Note: Only applies if you will use SSL connections to replicate or authenticate remotely.
The SSL port number on the external LDAP server.
Login DN
The login DN on the external LDAP server.
Login password
The login password on the external LDAP server. Use a dedicated account for FCDS: replication reads the external directory and writes to the FirstClass Directory, so a read-only account on the external server is normally enough, and a compromised FCDS host then can't modify the external directory.
Type
The type of external LDAP server.
For OpenLDAP, choose Generic.
For other server types not documented here, try Generic. Certain other server types may work with this setting.
LDIF import
Note: Only fill in this section if you want to import entries to the FirstClass Directory using an LDIF file.
LDIF file
The full path and name of the LDIF file that you will be importing to the FirstClass Directory.
For more information