
How To AD LDAP Configuration

This document provides instructions for configuring an authentication server on an IVE system using either Active Directory/Windows NT or LDAP. For Active Directory, the steps include selecting the server, entering domain information, and configuring authentication protocols and passwords. For LDAP, the steps include selecting the server type, configuring connection settings, specifying search parameters like base DN and filter, configuring group lookup settings, and setting the bind method. Once configured, the authentication server can be used to look up and authenticate users on the IVE system.

Uploaded by

Raveesh P Nair

Creating Authentication Server(s)

1. Go to Signing-In → Servers

2. From New drop down menu select the Authentication Server.

3. Click on New Server.

For step 2 select Active Directory / Windows NT.

Active Directory / Windows NT Configuration

4. The Name field is arbitrary.

5. In the Primary Domain Controller or Active Directory and Backup Domain Controller or
Active Directory fields enter the FQDN or Hostname or IP address of the server. The IVE
should be able to resolve the FQDN or Hostname.

6. In Domain field enter the AD or NT domain – use the NetBIOS name.

7. If you want to allow users to specify the domain name with the username while signing in to
the IVE, then check the option “Allow domain to be specified as part of username”. If this
option is checked, the user can enter username or domain\username while signing in to
the IVE.

8. If you check “Allow trusted domain” then it will list all the groups in trusted domain(s).

9. If you want to allow users to change their AD password via IVE, then enter the AD
administrator or AD domain administrator username and password under Administrator.

10. Under Additional Options…Authentication Protocol, if you select “Kerberos Only” you
need to use a domain admin account for the ‘admin username’ and ‘admin password’
fields. You’ll also need to ensure that the system time on the IVE is within a few minutes
of the AD server’s system time – use NTP for both IVE and AD server if possible.

11. Also under Additional Options, select Use LDAP to get Kerberos realm name if you
want to use LDAP; otherwise you may define the Kerberos realm name.

12. Save the changes.

Assume that in step 2 you selected LDAP Server.

LDAP Server Configuration

4. The Name field is arbitrary.

5. For the LDAP Server field enter the FQDN or Hostname or IP address of the server.
The IVE should be able to resolve the FQDN or Hostname of the primary LDAP server.
In the LDAP Port field enter the port on which LDAP is listening. The default port is 389
for unencrypted and 636 for LDAPS (encrypted).

6. If you have a backup LDAP server, enter the pertinent values as in step 5.


7. From the LDAP Server Type dropdown menu select the type of LDAP server you are
using. If it is not listed in the dropdown menu then you can select Generic.

8. For Connection select Unencrypted or LDAPS depending on your LDAP configuration.
Depending on this configuration you have to define the corresponding port in step 2 and
3.

9. Connection Timeout value tells IVE for how many seconds the IVE should try to
establish connection with LDAP server before giving an unreachable error.

10. Search Timeout value tells the IVE for how many seconds it should search or wait for
the reply from LDAP server for the information requested by IVE.

11. Under Authentication required check the Authentication required to search LDAP
and enter the Admin DN and Password. The account you’ll need to use for the Admin DN
should be a domain administrator or local administrator, if you want to permit users to
change their password from the IVE (PMI feature). If you use AD as an LDAP server,
then for group lookup also you have to configure Admin DN and Password. For this you
may use normal user account. You may use an LDAP browser to get the DN of any user.

12. Under Finding user entries specify:

A. Base DN: Base DN is the point from where the IVE starts searching for the user.
Base DN will look something like dc=juniper,dc=com.

B. Filter: The unique attribute used to narrow the search in the tree.
Generally we use User ID because it is always unique. If you are using AD as the
LDAP server then the Filter will be sAMAccountName=<USERNAME> and for
iPlanet/Novell eDirectory you can use cn=<USERNAME>.

13. Information under Determining group membership is used for searching for the groups
in LDAP server and populating the IVE server catalog. The information under
Determining group membership is used by the Server Catalog built in LDAP search
application. Under Determining group membership specify:

a. Base DN: Base DN is the point from where the IVE starts searching for the user.
Base DN will look something like dc=juniper,dc=com. Base DN in step 9 and
here should be the same.

b. Filter: Used to narrow the search for user groups. The Filter used for group search
will be cn=<GROUPNAME>.

c. Member Attribute: Used to identify all the members of a static group. For AD
the value will be member, for Novell eDirectory the value can be member and for
iPlanet the value can be uniquemember. It is always recommended to use an
LDAP browser to confirm the Member Attribute values because they may change
depending on the LDAP server configuration.

d. Query Attribute: Specify an LDAP query that returns the members of dynamic
groups.

e. Nested Group Level: It tells the IVE how many levels within a group to search
for the user. Note that higher number = longer query or search time.

14. Under Bind options for Bind method select Simple bind or StartTLS bind. In Simple bind the
IVE sends user’s credentials in clear text to the LDAP Directory Service. In StartTLS bind the
IVE encrypts the user’s credentials using Transport Layer Security (TLS) before sending it to the
LDAP Directory Service.

15. Save the changes.

16. If you are creating the server instance for the first time you will see the Setting, Meeting (if a meeting
license is present) and Users tabs.

a. Setting: contains the LDAP server configuration details.

b. Meeting: used to search for users in the LDAP server in order to invite them to a meeting.

c. Users: This displays users connected to the IVE. If the users make changes to their IVE
home page or preferences, or add any bookmarks etc., that information and those changes are
stored here and you will always see the username under this tab. If they don’t make any
changes then the user information is deleted after 10 – 15 minutes. If the administrator
deletes the user manually then the user will lose all the changes made by that user.
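The user filter (step 12) and the group membership settings (step 13) can be checked offline with a small model like the one below. It is an added example, not code from the IVE or from the original document. The function names, the sample directory and the level counting (0 = direct members only) are assumptions made for illustration.

```python
# Added example: models the "Finding user entries" filter and the
# "Determining group membership" lookup. All data below is constructed.

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = '\\*()\x00'
    return ''.join('\\%02x' % ord(ch) if ch in special else ch for ch in value)

def expand_filter(template, username):
    """Substitute <USERNAME> in a filter template such as sAMAccountName=<USERNAME>."""
    return '(' + template.replace('<USERNAME>', escape_filter_value(username)) + ')'

# Constructed static groups: group DN -> values of the Member Attribute ("member").
GROUPS = {
    'cn=vpn-users,dc=juniper,dc=com': ['cn=engineering,dc=juniper,dc=com'],
    'cn=engineering,dc=juniper,dc=com': ['cn=firmware,dc=juniper,dc=com'],
    'cn=firmware,dc=juniper,dc=com': ['cn=jdoe,dc=juniper,dc=com'],
}

def is_member(user_dn, group_dn, nested_level, groups=GROUPS):
    """True if user_dn is in group_dn, descending at most nested_level sub-groups.

    Assumption: level 0 means direct members only. DNs are compared as exact
    strings for brevity; a real directory compares them case-insensitively.
    """
    seen = set()          # guards against groups that contain each other
    frontier = [group_dn]
    for _ in range(nested_level + 1):
        next_frontier = []
        for group in frontier:
            if group in seen:
                continue
            seen.add(group)
            for member in groups.get(group, []):
                if member == user_dn:
                    return True
                if member in groups:      # the member is itself a group
                    next_frontier.append(member)
        frontier = next_frontier          # each extra level is another round of lookups
    return False

if __name__ == '__main__':
    print(expand_filter('sAMAccountName=<USERNAME>', 'jdoe'))
    user = 'cn=jdoe,dc=juniper,dc=com'
    for level in range(3):
        print(level, is_member(user, 'cn=vpn-users,dc=juniper,dc=com', level))
```

With this sample data the user is found only at level 2, which shows why a Nested Group Level set too low silently drops users from role mapping, while a higher value adds one more round of directory queries per level.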
