Properties of LDAPv3 Directory Page

Management & Control Services (MCS) supports LDAP version 3 on specific directories to provide its user and group list. LDAP is supported for a limited number of LDAP-enabled directory service products — for this release, support is provided for Active Directory for Windows 2000, Netscape Directory 4.0, Novell NetWare 5.0 (LDAP Service for NDS), IBM OS/390 LDAP Server (via RACF), and IBM SecureWay Directory Server 3.2.2.

When you configure the LDAP server, you can leave the Password field blank if the server allows it. However, users of MCS-compatible products that are authenticated through MCS cannot use a blank password.

The following sections outline requirements for some specific LDAP directory server types.

Requirements for Active Directory

MCS users can be authenticated using the following ID types:

ID Type	Example
SAM account name	johnsmith
User principal name	johnsmith@subdomain.mycompany.com
Common name	John Smith
LDAP distinguished name	CN=John Smith, CN=Users, DC=subdomain, DC=mycompany, DC=com
MCS name with hierarchical path	/com/mycompany/subdomain/Users/John Smith

Active Directory computer accounts cannot be used for assigning MCS permissions.
MCS does not use nesting groups defined in Active Directory services.
In addition to the distinguished name, you can also enter the following ID types to browse the Active Directory:

ID Type Example

User principal name johnsmith@subdomain.mycompany.com

Active Directory canonical name /subdomain.mycompany.com/Users/John Smith

ID Type	Example
User principal name	johnsmith@subdomain.mycompany.com
Active Directory canonical name	/subdomain.mycompany.com/Users/John Smith

Requirements for Netscape Directory

The Netscape Directory values for Size Limit and Time Limit need to be adjusted according to the number of entries you have defined in the directory service.

Requirements for Novell NDS

The default route for the server needs to be configured to the network router. Refer to the NetWare documentation for further information.
The server needs to be set to allow clear text password authentication. (Select LDAP Group object properties and check the Allow Clear Text Password check box.)
The search limit for LDAP searches needs to be set depending on the size of the directory service. (Select LDAP Server object properties and set the Search Entry Limit to the appropriate size.)
If public browse rights are not enabled for the NDS tree, you must enter a userid and password when configuring the LDAP NDS server.

Requirements for IBM OS/390 (RACF)

Following is the format for a distinguished name for browsing an IBM OS/390 (RACF) directory server:
Racfid=administrator, profiletype=user, sysplex=ADCDPL

Server settings

Address: Enter the address of your LDAP directory server.

Port: Enter the port of the server you are using. The default, 389, is the standard LDAP port.

Schema: Select the type of schema that corresponds with the LDAP directory server you are using. The default schema is Netscape 4.0.

Distinguished name: Enter a distinguished name of a user who has browse permissions for the selected directory server. A distinguished name is a unique name of an item in a directory service. The following is an example distinguished name in standard LDAP format:

uid=jsmith, ou=Payroll, o=Acme.com, c=US

See the specific requirements for each of the supported LDAP directory server types (above) for supported distinguished name formats.

Password: Enter the password for the user who has browse permissions for the selected directory server.

Use SSL: Connect using SSL (Secure Sockets Layer) security. This encrypts all data between MCS and the LDAP server, if the LDAP server supports SSL.

Apply: Update the Directory view list (to the right) to display the directory from the selected address.

Depending on the security settings of your directory, you may need to provide a valid distinguished name and password for a user who has browse permissions to the directory before you can view the directory. These credentials are used by the MCS server whenever it browses the directory.

Directory view: Provides a view of the directory list of the selected directory server.

Browse recipients from: Use a subdirectory of the directory service for the MCS list of users and groups. The field is updated based on which directory is selected in the View list.

If you select the Active Directory schema, note that Active Directory computer accounts cannot be used for assigning MCS permissions.

If you select the RACF/OS 390 schema, it is recommended that you do not select the User or Group subdirectory, as this will limit you to assigning permissions only to the selected type; instead, you should select the sysplex-level directory. If you select "profiletype=User", for example, you will not be able to assign permissions to groups.


	Configuring the Directory Service
	Overview of Security