IdentityGuard 8.1
Contents

CHAPTER 1
Configuring Active Directory and Active Directory Application Mode  25
  Preparing Active Directory  26
    Choosing your configuration method  26
    Setting users and privileges  26
    Configuring Active Directory with LDIF files  27
    Configuring Active Directory manually  30
    Configuring the index attributes  31
    Creating a custom administrator  31
    Creating a user to store policies  32

CHAPTER 2
Configuring Critical Path Directory  35
  Preparing the Critical Path Directory  36
    Choosing your configuration method  36
    Configuring the Critical Path Directory with LDIF files  36
    Configuring the Critical Path Directory manually  38
    Synchronizing the indexes after an upgrade  39
    Creating a user to store policies  40
    Configure the directory size limit  40

CHAPTER 3
Configuring IBM Tivoli Directory Server  41
  Preparing the Tivoli Directory  42
    Choosing your configuration method  42
    Configuring the Tivoli Directory with LDIF files  42
    Configuring the Tivoli Directory manually  44
    Creating a user to store policies  45

CHAPTER 4
Configuring Novell® eDirectory™  47
  Preparing the Novell eDirectory  48
    Choosing your configuration method  48
    Configuring the Novell eDirectory with LDIF files  48
    Configuring the Novell eDirectory manually  50
    Creating a user to store policies  51

CHAPTER 5
Configuring Sun™ ONE Directory  53
  Preparing the Sun ONE Directory  54
    Choosing your configuration method  54
    Configuring the Sun ONE Directory with LDIF files  54
    Configuring the Sun ONE Directory manually  56
    Creating a user to store policies  57
Entrust IdentityGuard 8.1 Directory Configuration Guide (Document issue: 1.0)
About this guide
About Entrust IdentityGuard
Installing Entrust IdentityGuard 8.1 allows you to add the benefits of multifactor
authentication to your primary authentication method.
Entrust IdentityGuard 8.1 provides multifactor authentication to help organizations
counter identity theft by making it more difficult for attackers to steal users’ online
identities. It addresses the real-world demands for strong authentication, making it
easier to use while helping to reduce deployment and management costs.
Note: You must follow and complete the instructions in this guide for your
specific directory before you install Entrust IdentityGuard. For information
about installing and configuring Entrust IdentityGuard 8.1, refer to the
Entrust IdentityGuard Installation Guide.
Attention: Back up your repository before you load or update the Entrust
IdentityGuard schema. Restoring your directory from backup files enables you to
undo changes made by any errors, as well as recover from system failures.
Note: Information for all policies, groups, grouplists, and roles is stored in a
single entry in the LDAP repository. In contrast, each user and administrator has
a separate entry in the LDAP repository.
When run, the LDIF files create the following objects and attributes. If you do not
use an LDIF file, you must create and configure them manually. By default,
Entrust IdentityGuard adds these three object classes to directory entries as
needed. To change the way Entrust IdentityGuard adds object classes, refer to the
topic “Configuring LDAP properties” in the Entrust IdentityGuard Installation
Guide.
The following attributes have special requirements for determining their ordering and
matching. When run, the LDIF files set the correct ordering. If you do not use an LDIF
file, you must create and configure them manually.
This does not apply to Active Directory and ADAM.
The Entrust IdentityGuard Server installer asks for the following information
about your LDAP repository.

Will you be using SSL to connect to the LDAP server?
    If you answer yes, you will need to provide information on the SSL
    certificate (file name, owner, issuer, serial number, valid-from date, and
    certificate fingerprints). For more information on securing LDAP
    connections with SSL, refer to the Entrust IdentityGuard Installation Guide.

LDAP host
    Provide the name of the computer where your LDAP repository resides.

LDAP port number
    Provide the port used by your LDAP repository. The default port is 389 for
    a non-SSL connection and 636 for an SSL connection.

LDAP base DN
    Provide the DN under which the Entrust IdentityGuard policy entry is found.

LDAP password
    Provide the password of the user that Entrust IdentityGuard will use to
    connect to the LDAP repository.

LDAP policy RDN
    Specify the user entry in the LDAP repository used to store Entrust
    IdentityGuard policy information. See the section entitled “Creating a
    user to store policies” in the chapter specific to your directory for more
    details.

Generalized Time format
    Does your LDAP repository support subseconds as part of generalized time
    data? Once you install Entrust IdentityGuard, ensure that you correctly
    set the identityguard.ldap.GeneralizedTimeWithSubSecs property in the
    identityguard.properties file. For a Novell eDirectory repository, set
    this to false. Set it to true for all other repositories.

LDAP user name attribute
    Each user entry in the directory must have an existing attribute that
    Entrust IdentityGuard can use as a unique user name. Specify the LDAP
    attribute that identifies Entrust IdentityGuard users. For the primary
    search base, or in the case of a single search base, the attribute is
    usually:
    • sAMAccountName for Active Directory
    • CN (common name) or uid for ADAM and all other supported repositories
    For additional search bases, use a different attribute that provides a
    unique ID. Also see “Configuring additional search bases” in the Entrust
    IdentityGuard Installation Guide.
The Entrust IdentityGuard Server installer will also ask for the type of repository to
use.
• Select Active Directory for an Active Directory or ADAM repository.
• Select LDAP for all other supported repositories.
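Two of the answers above can be checked before the installer ever runs: whether the repository's GeneralizedTime values carry subseconds (the identityguard.ldap.GeneralizedTimeWithSubSecs setting) and whether the chosen user name attribute is really present and unique across the search base. The script below is an added example, not code from the Entrust guide or product. The entries it checks are constructed in memory to look like an ldapsearch export of an Active Directory search base; the DNs and account names are invented, and for a real check you would feed the same function entries read from your own directory.

```python
"""Offline checks for two installer inputs: the GeneralizedTime sub-second
setting and the LDAP user name attribute.  Added example, not Entrust code."""
import re
from datetime import datetime, timezone

# LDAP GeneralizedTime as directories emit it for UTC: YYYYMMDDHHMMSS[.fff]Z
_GENERALIZED_TIME = re.compile(r"^(\d{14})(?:[.,](\d{1,3}))?Z$")


def parse_generalized_time(value: str, subsecs_supported: bool) -> datetime:
    """Parse a GeneralizedTime value under the sub-second setting in force.

    subsecs_supported plays the role of identityguard.ldap.GeneralizedTimeWithSubSecs.
    With it False (the eDirectory setting) a fractional part is an error: that is
    exactly the mismatch the guide warns about, so it is surfaced, not dropped.
    """
    m = _GENERALIZED_TIME.match(value)
    if not m:
        raise ValueError(f"not a UTC GeneralizedTime: {value!r}")
    base, frac = m.groups()
    if frac is not None and not subsecs_supported:
        raise ValueError(f"fractional seconds in {value!r} but repository does not support them")
    dt = datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if frac:
        dt = dt.replace(microsecond=int(frac.ljust(3, "0")) * 1000)
    return dt


def format_generalized_time(dt: datetime, subsecs_supported: bool) -> str:
    """Render a timestamp the way the setting tells the server to write it:
    milliseconds appended when supported, whole seconds otherwise."""
    dt = dt.astimezone(timezone.utc)
    text = dt.strftime("%Y%m%d%H%M%S")
    if subsecs_supported:
        text += f".{dt.microsecond // 1000:03d}"
    return text + "Z"


def check_user_name_attribute(entries, attr: str) -> dict:
    """Confirm every entry carries `attr` with exactly one value and that the
    values are unique across the search base.  Matching is case-insensitive,
    as it is for sAMAccountName in AD and for uid (caseIgnoreMatch) elsewhere.
    Returns the problems found; all three empty means the attribute is usable."""
    missing, multi_valued, duplicates = [], [], {}
    first_seen = {}
    for entry in entries:
        values = entry.get(attr, [])
        if not values:
            missing.append(entry["dn"])  # IdentityGuard could never address this user
            continue
        if len(values) > 1:
            multi_valued.append(entry["dn"])
        for value in values:
            key = value.lower()
            if key in first_seen:
                duplicates.setdefault(key, [first_seen[key]]).append(entry["dn"])
            else:
                first_seen[key] = entry["dn"]
    return {"missing": missing, "multi_valued": multi_valued, "duplicates": duplicates}


# Constructed sample; the DNs and names are invented for this example.
SAMPLE_ENTRIES = [
    {"dn": "CN=Alice,OU=Staff,DC=example,DC=com", "sAMAccountName": ["alice"], "uid": ["alice"]},
    {"dn": "CN=Bob,OU=Staff,DC=example,DC=com", "sAMAccountName": ["bob"], "uid": ["bob"]},
    # same logon name as Alice differing only in case: AD treats these as equal
    {"dn": "CN=Alice2,OU=Contractors,DC=example,DC=com", "sAMAccountName": ["ALICE"]},
    # no sAMAccountName at all, as a contact object or an ADAM user would have
    {"dn": "CN=Svc,OU=Service,DC=example,DC=com", "uid": ["svc"]},
]

if __name__ == "__main__":
    print(check_user_name_attribute(SAMPLE_ENTRIES, "sAMAccountName"))
    print(format_generalized_time(parse_generalized_time("20240101120000.250Z", True), False))
```

Run against the sample, the sAMAccountName check reports the service entry as missing and the two Alice entries as a case-insensitive duplicate; switching the attribute to uid instead reports the contractor entry as missing. Either result means that attribute cannot serve as the unique user name for that search base without cleanup.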
Documentation feedback
You can rate and provide feedback about Entrust product documentation by
completing the online feedback form. You can access this form by
• clicking the Feedback on guide link located in the footer of Entrust’s PDF
documents.
• following this link: http://www.entrust.com/products/feedback/index.cfm
Feedback concerning documentation can also be directed to the Customer Support
email address:
support@entrust.com
Technical support
Entrust offers a variety of technical support programs to help you keep Entrust
products up and running. To learn more about the full range of Entrust technical
support services, visit our Web site at:
http://www.entrust.com/
If you are registered for our support programs, you can use our Web-based support
services.
Entrust TrustedCare Online offers technical resources including Entrust product
documentation, white papers and technical notes, and a comprehensive Knowledge
Base at:
https://www.entrust.com/trustedcare
If you contact Entrust Customer Support, please provide as much of the following
information as possible:
• your contact information
• product name, version, and operating system information
• your deployment scenario
• description of the problem
• copy of log files containing error messages
• description of conditions under which the error occurred
• description of troubleshooting activities you have already performed
Telephone numbers
For support assistance by telephone call one of the numbers below:
• 1-877-754-7878 in North America
• 1-613-270-3700 outside North America
Email address
The email address for Customer Support is:
support@entrust.com
Preparing Active Directory
This chapter includes the following sections:
• “Choosing your configuration method” on page 26
• “Setting users and privileges” on page 26
• “Configuring Active Directory with LDIF files” on page 27
• “Configuring Active Directory manually” on page 30
• “Configuring the index attributes” on page 31
• “Creating a custom administrator” on page 31
• “Creating a user to store policies” on page 32
Attention: Back up your repository before you load or update the Entrust
IdentityGuard schema.
Note: Complete the procedures in this guide before you install Entrust
IdentityGuard.
Finding your DN
The following section shows two ways to find the DN of the schema entry in your
Active Directory. The first example uses the ldp.exe utility available on Windows
2000 and 2003. The second example uses the same utility you use to install the
LDIF files.
Note: There are five new attributes related to tokens – numbers IG.2.30 to 34
in Table 2 on page 11. For an upgrade to 8.1, add these attributes.
2 Modify your LDAP schema so that the Entrust IdentityGuard attributes can be
added to existing user entries. Typically, this is done by adding them as optional
attributes of an existing object class. Since Active Directory does not allow the
object class of user entries to be changed, you must update the Active Directory
schema by adding the Entrust IdentityGuard specific object classes as auxiliary
classes. When added as auxiliary classes, they are associated with the User class.
This allows Entrust IdentityGuard to add the attributes in the Entrust
IdentityGuard object classes to the users.
Manually add the object classes and their attributes listed in Table 3 on page 14.
Specify all attributes as optional (that is, use the MAY CONTAIN option).
Note: There are five new attributes related to tokens – numbers IG.2.30 to 34
in Table 2 on page 11. For an upgrade to 8.1, add these to the entrustIGUser
object as optional items.
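The schema change described in step 2, and the upgrade note that follows it, come down to one LDAP modify on the class entry: add each attribute as a value of mayContain. The script below is an added example, not Entrust's LDIF or any file from the product. The class DN, the attribute names (entrustIGTokenAttr1 to 5 stand in for IG.2.30 to 34) and the sample export are placeholders; take the real class and attribute names from the guide's tables, and the schema container DN from the schemaNamingContext value of RootDSE, which is what the "Finding your DN" procedure locates.

```python
"""Generate and verify the Active Directory schema change that makes the
IdentityGuard attributes optional members of an auxiliary class.
Added example; the class and attribute names below are placeholders."""
import base64

# Placeholders (assumptions), not names from the guide.
CLASS_DN = "CN=entrustIGUser,CN=Schema,CN=Configuration,DC=example,DC=com"
TOKEN_ATTRS = [f"entrustIGTokenAttr{i}" for i in range(1, 6)]  # stands in for IG.2.30-34


def may_contain_ldif(class_dn: str, attrs) -> str:
    """LDIF that adds `attrs` as optional (MAY CONTAIN) attributes of the class.
    LDAP rejects the whole modify with attributeOrValueExists if any value is
    already present, so build the list with missing_may_contain() first."""
    lines = [f"dn: {class_dn}", "changetype: modify", "add: mayContain"]
    lines += [f"mayContain: {a}" for a in attrs]
    lines.append("-")
    return "\n".join(lines) + "\n"


def schema_update_now_ldif() -> str:
    """Ask the domain controller to reload its schema cache so the new
    attributes can be written to users at once rather than after the next refresh."""
    return "dn:\nchangetype: modify\nadd: schemaUpdateNow\nschemaUpdateNow: 1\n-\n"


def parse_ldif_entry(text: str) -> dict:
    """Minimal LDIF reader for one exported entry (for example ldifde output):
    joins folded continuation lines, decodes '::' base64 values,
    returns {attribute: [values]}."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # RFC 2849 line folding
        elif raw and not raw.startswith("#"):
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip(), []).append(value)
    return entry


def is_auxiliary(entry: dict) -> bool:
    """AD records the class kind in objectClassCategory; 3 means auxiliary,
    which is what lets the class be attached to existing User entries."""
    return entry.get("objectClassCategory") == ["3"]


def missing_may_contain(exported_class_ldif: str, required) -> list:
    """Which of `required` the exported class does not yet list as optional.
    After an upgrade this shows which of the new token attributes remain.
    Names compare case-insensitively, as AD attribute names do."""
    entry = parse_ldif_entry(exported_class_ldif)
    present = {v.lower() for v in entry.get("mayContain", [])}
    return [a for a in required if a.lower() not in present]


# Constructed sample export, shaped like ldifde output for a class that has
# the pre-8.1 attributes plus only the first of the token attributes.
SAMPLE_CLASS_EXPORT = """\
dn: CN=entrustIGUser,CN=Schema,CN=Configuration,
 DC=example,DC=com
changetype: add
objectClass: classSchema
objectClassCategory: 3
adminDescription:: SWRlbnRpdHlHdWFyZCB1c2Vy
mayContain: entrustIGAttr1
mayContain: entrustIGAttr2
mayContain: entrustIGTokenAttr1
"""

if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_CLASS_EXPORT)
    assert is_auxiliary(entry), "class must be auxiliary before attributes are attached"
    todo = missing_may_contain(SAMPLE_CLASS_EXPORT, TOKEN_ATTRS)
    print(may_contain_ldif(CLASS_DN, todo) + schema_update_now_ldif())
```

Export the class first (ldifde with the class DN as the search base), run missing_may_contain() over the export, and apply only the resulting LDIF; applying the full list blindly fails as soon as one of the attributes is already present. The is_auxiliary() check guards the other requirement in step 2: a class with objectClassCategory 1 (structural) cannot be attached to User entries, so the attributes would never reach the users.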
Preparing the Critical Path Directory
This chapter includes the following sections:
• “Choosing your configuration method” on page 36
• “Configuring the Critical Path Directory with LDIF files” on page 36
• “Configuring the Critical Path Directory manually” on page 38
• “Synchronizing the indexes after an upgrade” on page 39
• “Creating a user to store policies” on page 40
• “Configure the directory size limit” on page 40
Attention: Back up your repository before you load or update the Entrust
IdentityGuard schema.
Note: Complete the procedures in this guide before you install or upgrade
Entrust IdentityGuard.
Note: Before you run ldapmodify, ensure that the Critical Path Directory is
running. If not, use the odsstart command to start it.
Note: There are five new attributes related to tokens – numbers IG.2.30 to 34
in Table 2 on page 11. For an upgrade to 8.1, add these attributes.
Note: There are five new attributes related to tokens – numbers IG.2.30 to 34
in Table 2 on page 11. For an upgrade to 8.1, add these to the entrustIGUser
object as optional items.
5 Create an LDAP user DN that has read, write, and modify access to your directory
entries using simple LDAP authentication. Entrust IdentityGuard uses this
account to modify Entrust IdentityGuard user information.
Note: As noted in the iCon documentation, many special characters are not
allowed in passwords, including (but not limited to) quotes, number signs,
forward and backward slashes, and common currency symbols.
Preparing the Tivoli Directory
This chapter includes the following sections:
• “Choosing your configuration method” on page 42
• “Configuring the Tivoli Directory with LDIF files” on page 42
• “Configuring the Tivoli Directory manually” on page 44
• “Creating a user to store policies” on page 45
Attention: Back up your repository before you load or update the Entrust
IdentityGuard schema.
Note: Complete the procedures in this guide before you install Entrust
IdentityGuard.
Note: Do not use the IBM Tivoli Directory Configuration Tool to import the LDIF
files. Use ldapmodify instead.
Note: There are five new attributes related to tokens – numbers IG.2.30 to 34
in Table 2 on page 11. For an upgrade to 8.1, add these attributes.
Note: There are five new attributes related to tokens – numbers IG.2.30 to 34
in Table 2 on page 11. For an upgrade to 8.1, add these to the entrustIGUser
object as optional items.
5 Create an LDAP user DN that has read, write, and modify access to your directory
entries using simple LDAP authentication. Entrust IdentityGuard uses this
account to modify Entrust IdentityGuard user information.
Preparing the Novell eDirectory
This chapter includes the following sections:
• “Choosing your configuration method” on page 48
• “Configuring the Novell eDirectory with LDIF files” on page 48
• “Configuring the Novell eDirectory manually” on page 50
• “Creating a user to store policies” on page 51
Attention: Back up your repository before you load or update the Entrust
IdentityGuard schema.
Note: Complete the procedures in this guide before you install Entrust
IdentityGuard.
Attention: Once you install or upgrade Entrust IdentityGuard, ensure that you
set the identityguard.ldap.GeneralizedTimeWithSubSecs property in
the identityguard.properties file to false. Your Novell eDirectory will
not function properly unless you make this setting.
Note: There are five new attributes related to tokens – numbers IG.2.30 to 34
in Table 2 on page 11. For an upgrade to 8.1, add these attributes.
Note: There are five new attributes related to tokens – numbers IG.2.30 to 34
in Table 2 on page 11. For an upgrade to 8.1, add these to the entrustIGUser
object as optional items.
5 Create an LDAP user DN that has read, write, and modify access to your directory
entries using simple LDAP authentication. Entrust IdentityGuard uses this
account to modify Entrust IdentityGuard user information.
Preparing the Sun ONE Directory
This chapter includes the following sections:
• “Choosing your configuration method” on page 54
• “Configuring the Sun ONE Directory with LDIF files” on page 54
• “Configuring the Sun ONE Directory manually” on page 56
• “Creating a user to store policies” on page 57
Attention: Back up your repository before you load or update the Entrust
IdentityGuard schema. Restoring your directory from backup files enables you to
undo changes made by any errors, as well as recover from system failures.
Note: Complete the procedures in this guide before you install Entrust
IdentityGuard.
Note: Do not use the Sun ONE GUI tool to import the LDIF files. Use Sun’s
ldapmodify tool instead.
Note: There are five new attributes related to tokens – numbers IG.2.30 to 34
in Table 2 on page 11. For an upgrade to 8.1, add these attributes.
4 Manually add the object classes and their attributes listed in Table 3 on page 14.
Specify all attributes as optional (that is, use the MAY CONTAIN option).
5 Create an LDAP user DN that has read, write, and modify access to your directory
entries using simple LDAP authentication. Entrust IdentityGuard uses this
account to modify Entrust IdentityGuard user information.
Index

A
  Active Directory  25
  ADAM  25
  attribute
    LDAP user ID  19
    indexing
      Critical Path  38
      Novell  50
      Sun ONE  56
    ordering, matching  15

C
  configuration
    data  18
    manual
      Active Directory  30
      Critical Path  38
      eDirectory  50
      Sun ONE  56
      Tivoli  44
  Critical Path  35
  Customer support  23

D
  directory
    size limit  40

E
  Entrust IdentityGuard
    about  8
    repositories  9

G
  Getting help

I
  IBM Tivoli  41
  indexing
    attributes  11
    Critical Path  38
    Novell  50
    Sun ONE  56

L
  LDAP
    attributes  11
    base DN  18
    classes  11
    host  18
    password  18
    policy RDN  18
    port  18
    user DN  18
  LDAP policy RDN  40
  LDIF files
    Active Directory  26
    Critical Path  36
    IBM Tivoli  42
    Novell eDirectory  48
    Sun ONE  54

M
  matching  15

N
  Novell eDirectory  47

O
  OID  11
  ordering  15

P
  password  18
  port  18
  prepare
    Active Directory  26
  Professional Services  24

R
  repository
    size  9

S
  sAMAccountName  19
  size  9
    Critical Path limit  40
  SSL  18
  store policies  32, 40, 45, 51, 57
  Sun ONE  53

T
  Technical Support  23
  typographic conventions  20

U
  UID  19