wiki:LDAP_AD

Setting up LDAP

Assumptions

  • The host name of your LDAP server: site.company.com
  • A user name: mulberry

HOWTO (specifically targeted at AD)

In the Accounts preferences

  • Create a new LDAP account called company
  • Server: site.company.com
    • Possible port numbers are typically 389 (plain LDAP), 636 (LDAP over SSL/TLS) and 3268 (global catalogue; 3269 is the global catalogue over SSL/TLS). Only the global catalogue port needs to be specified manually; 389 and 636 are selected automatically, depending on the authentication options chosen. Note that a simple bind (user name and password) over plain 389 sends the password in clear text on the wire, so prefer the SSL option unless the network is trusted.

Accounts -> Authenticate

  • User: mulberry
    • When connecting to an AD server, the domain should be included with the user name, typically in the form company\mulberry (the user principal name form, mulberry@company.com, is also accepted by AD).

Accounts -> Attributes 1

  • Root: OU=com,DC=site,DC=company,DC=com
    • The DC (DC = domain component) arguments are the labels of the AD domain's DNS name: the domain site.company.com gives DC=site,DC=company,DC=com. They follow the domain name, not necessarily the host name of the server you connect to. The OU (OU = organizational unit) in front of them is then a branch at the root level of the LDAP tree.
    • If the LDAP tree is big, more specific (and faster) searches can be achieved by specifying the root in more detail, e.g., Root: OU=department,OU=site,OU=com,DC=site,DC=company,DC=com
  • Typical values for Name and Email are cn and mail.
    • You can map other LDAP attributes to the Mulberry address book fields. Find the attribute names by browsing your LDAP tree with an LDAP browser, then enter the attribute name from the tree in the field of your choice.
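The following script is an added example, not Mulberry code and not part of the original page. It derives the root from the domain name as described above, builds the equivalent OpenLDAP ldapsearch command for the same server, user and attributes, escapes the search value so a typed name cannot alter the filter, and applies the cn/mail mapping to a search result. It uses only the Python standard library and runs offline: the host, domain and user names are the page's placeholders, and SAMPLE_LDIF is a constructed sample of what an AD server might return, not captured output.

```python
"""Added example (not Mulberry's code): AD LDAP settings as used on this page,
the matching ldapsearch command, and the cn/mail mapping applied to LDIF.
Host/domain/user names are the page's placeholders; SAMPLE_LDIF is constructed."""
import base64
import re

# Ports from the page, plus 3269 (global catalogue over SSL/TLS).
PORTS = {"plain": 389, "ssl": 636, "gc": 3268, "gc-ssl": 3269}


def base_dn_from_domain(domain):
    """'site.company.com' -> 'DC=site,DC=company,DC=com' (one DC per DNS label)."""
    labels = [lbl for lbl in domain.strip().strip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("DC=" + lbl for lbl in labels)


def search_root(domain, *ous):
    """Narrow the root with OUs, most specific first, as in Attributes 1 above."""
    return ",".join(["OU=" + ou for ou in ous] + [base_dn_from_domain(domain)])


def ldap_uri(host, mode="ssl"):
    """Plain LDAP (389/3268) carries a simple-bind password in clear text, so
    default to ldaps:// (636/3269) where the bind is protected by TLS."""
    scheme = "ldaps" if mode in ("ssl", "gc-ssl") else "ldap"
    return f"{scheme}://{host}:{PORTS[mode]}"


# RFC 4515 escapes: a typed name must not be able to change the filter structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def name_filter(query):
    """Substring match on cn, the lookup an address book does for a typed name."""
    return f"(&(objectClass=user)(cn=*{escape_filter_value(query)}*))"


def ldapsearch_command(host, bind_user, root, filt, attrs=("cn", "mail"), mode="ssl"):
    """argv for OpenLDAP ldapsearch with the same settings as the Mulberry account.
    bind_user is 'DOMAIN\\user' or 'user@domain'; -W prompts for the password."""
    return ["ldapsearch", "-H", ldap_uri(host, mode), "-D", bind_user, "-W",
            "-b", root, "-s", "sub", filt, *attrs]


def parse_ldif(text):
    """Minimal LDIF reader for ldapsearch output: unfold continuation lines,
    decode '::' base64 values, skip '#' comments (ldapsearch prints AD search
    references as '# refldap://...' comment lines), one dict per entry."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # folded continuation line
        else:
            unfolded.append(line)
    entries, cur = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():                  # blank line ends an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        m = re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
        if not m:
            continue
        attr, sep, val = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            val = base64.b64decode(val).decode("utf-8")
        cur.setdefault(attr, []).append(val)
    if cur:
        entries.append(cur)
    return entries


def address_book(entries, name_attr="cn", mail_attr="mail"):
    """Apply the Name/Email mapping; entries lacking either attribute are dropped."""
    book = []
    for entry in entries:
        name = entry.get(name_attr, [None])[0]
        mail = entry.get(mail_attr, [None])[0]
        if name and mail:
            book.append((name, mail))
    return book


# Constructed sample result (not real server output); dn values kept ASCII,
# the second cn is base64 because it contains a non-ASCII character.
SAMPLE_LDIF = """\
# refldap://site.company.net/DC=site,DC=company,DC=net
dn: CN=Mulberry User,OU=department,OU=site,OU=com,DC=site,DC=company,DC=
 com
cn: Mulberry User
mail: mulberry@company.com

dn: CN=Asa Test,OU=department,OU=site,OU=com,DC=site,DC=company,DC=com
cn:: w4VzYSBUZXN0
mail: asa.test@company.com

dn: CN=No Mail,OU=department,OU=site,OU=com,DC=site,DC=company,DC=com
cn: No Mail
"""

if __name__ == "__main__":
    root = search_root("site.company.com", "department", "site", "com")
    print(" ".join(ldapsearch_command("site.company.com", "company\\mulberry",
                                      root, name_filter("mulberry"))))
    print(address_book(parse_ldif(SAMPLE_LDIF)))
```

Running the printed ldapsearch command against the real server is the quickest way to confirm the root and the attribute names before entering them in Mulberry: if the search returns entries with cn and mail, the same settings will work in the Attributes 1 page, and a "# refldap://" line in the output shows a referral to another domain that the client would have to chase.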

Notes

  • In an LDAP context, bind and binding mean what is usually referred to as logging in: when you bind to an LDAP server you authenticate to it. (An anonymous bind, with no credentials, also exists, but AD by default answers it only for the root DSE, not for user objects.)
  • Mulberry seems to have some limitations in its LDAP support, mainly search scope and referral chasing. This means that if users are listed in both DC=site,DC=company,DC=com and DC=site,DC=company,DC=net, Mulberry needs two LDAP accounts with different roots. If both domains belong to the same AD forest, a possible workaround is to query the global catalogue (port 3268) instead: it holds a partial copy of every object in the forest, including cn and mail, so one account with the forest root as its root can cover both domains. Domains in separate forests still need separate accounts.
  • List of LDAP acronyms
Last modified on 02/03/11 05:25:25