LDAP Group General Page

The LDAP Group object stores the configuration data for a defined LDAP Group within your Novell® eDirectoryTM tree. Use this page to configure or enable the following options.

Referral Option
Allows a client that supports referrals to search for objects on the single server it is connected to. When the requested search object is not found on the LDAP server the client has connected to, the client receives a URL, known as an LDAP referral, containing the information needed to connect to an LDAP server that does have information on the object.

Prefer Chaining (Chain Requests to Other NDS Servers)
The LDAP server will chain the request to other eDirectory servers rather than returning referrals, except when servicing a persistent search operation and an entry is not present on the local server, or when servicing any extended operation that returns referrals.

Prefer Referrals
The LDAP server will traverse the tree if there is no LDAP server running on another replica server that has the relevant objects. If there is an LDAP server running on another replica server, an LDAP referral to that server will be returned.

Always Refer (All NDS LDAP Servers in Tree Must Support Referrals)
The LDAP server will always return an LDAP referral. If no LDAP referral exists, an error is returned.

Default Referral
Shows the location of the default referral. An LDAP referral will be returned if the LDAP server cannot contact any other replica server in the same tree or if there is no other LDAP server running on the other replica server.

Require TLS for Simple Binds with Password
Specifies whether or not the server will accept unencrypted LDAP simple bind requests containing a password. Selecting this option causes the server to return the error code confidentialityRequired (13) when a client attempts a simple bind with a password without using a TLS (SSL) connection. This helps prevent passwords from being transmitted in the clear.

Note: Setting this option discourages users from attempting to bind with passwords over a non-encrypted connection because the bind attempt fails. The password, however, is sent to the server before the bind fails. It is possible for an eDirectory username and password to be captured during a failed bind attempt. To protect against this scenario, make sure the Require TLS For All Operations option is selected on the LDAP Server object property page.
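As an added example (not part of the Novell documentation), the following Python script builds a version-3 LDAP simple bind by hand, sends it over plain TCP without TLS, and reports whether the server answers with confidentialityRequired (13), which is the reply this option is documented to produce; the host, port and probe DN are assumptions, and the embedded reply bytes are constructed for offline use.

```python
import socket

CONFIDENTIALITY_REQUIRED = 13  # the resultCode this page says the server returns

def ber(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def ber_int(value: int) -> bytes:  # INTEGER, minimal two's-complement
    return ber(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = ber(0x60, ber_int(3) + ber(0x04, dn.encode()) + ber(0x80, password.encode()))
    return ber(0x30, ber_int(message_id) + bind)

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def bind_result_code(msg: bytes) -> int:
    """resultCode of an LDAPMessage carrying a BindResponse [APPLICATION 1]."""
    tag, body, _ = parse_tlv(msg)
    _, _, pos = parse_tlv(body)             # skip messageID
    op_tag, op_body, _ = parse_tlv(body, pos)
    if tag != 0x30 or op_tag != 0x61:
        raise ValueError("not an LDAPMessage carrying a BindResponse")
    _, code, _ = parse_tlv(op_body)         # resultCode ENUMERATED
    return int.from_bytes(code, "big")

# Constructed sample of a server's reply to a cleartext simple bind when the option is on.
SAMPLE_REJECT = ber(0x30, ber_int(1) + ber(0x61, ber(0x0A, b"\x0d") + ber(0x04, b"") + ber(0x04, b"")))

def cleartext_bind_is_rejected(host: str, port: int = 389, dn: str = "cn=probe,o=example",
                               password: str = "probe", timeout: float = 5.0) -> bool:
    """Send one simple bind over plain TCP (no TLS); True if the server refuses it with
    confidentialityRequired. Use a dedicated test account: the password still reaches the server."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(simple_bind_request(1, dn, password))
        return bind_result_code(sock.recv(4096)) == CONFIDENTIALITY_REQUIRED
```

A result of False from cleartext_bind_is_rejected means the server accepted or otherwise processed the cleartext bind, so the option (or Require TLS For All Operations on the LDAP Server object) is not in force on that port.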

Proxy Username
Allows administrators to configure a separate identity (other than [Public]) for anonymous binds. (An anonymous bind is a user connection to a network service that does not contain a username.) The Proxy Username is the name of an eDirectory User object. The Proxy User must have a password and is assigned to all anonymous binds.

If a Proxy Username is not assigned to the LDAP Group object, all anonymous requests are validated to eDirectory as the [Public] user. LDAP clients that are validated as user [Public] are constrained by the rights that you give to user [Public]. Because any eDirectory rights granted to [Public] for LDAP access are also granted to all eDirectory users, using a proxy username gives better control over access to eDirectory information.

If a proxy username is assigned to the LDAP Group object, all anonymous requests are validated to eDirectory using the proxy username you select. This allows you to create an eDirectory user who has exactly the rights you want to give to your LDAP clients. Typically, the proxy user rights provide more privileges than those assigned to user [Public] and fewer than those assigned to other eDirectory users.

Note: The proxy username that you create in eDirectory must have a null password and should not be configured to require password changes. Also, the proxy user should not be allowed to create or change the password. LDAP anonymous binds do not have passwords, so any bind that includes both a username and password is treated as an eDirectory user bind. The proxy username can be anything, although LDAP PROXY is common.

A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. For information on trademarks, see Legal Notices.