Marina.Davidovichat_private wrote:
>
> The LDAP server behind the iPlanet calendar server is not the same master LDAP
> server which is used to contain user/group profiles, passwords, ACLs, SSL
> certificates, or other sensitive company information. It is only used to store
> calendar-specific data and user preferences related to their calendar. The
> attached document describes the interaction of the iPlanet calendar server with
> this calendar-specific database and has been signed-off by both the security and
> architectural committees (see iPlanet Calendar Authentication and Registration
> section, pg 8).

from the calendar installation guide
(http://docs.iplanet.com/docs/manuals/calendar/ics50/ig/icsigprp.htm#1017976):

"If your users are already stored in an LDAP directory, the simplest solution for
deploying iPlanet Calendar Server is to upgrade your directory server to Netscape
Directory Server 4.12 (or later) which supports the schema extensions that enable
users to access iPlanet Calendar Server data. Otherwise, you can modify your
directory schema manually to allow your users access to iPlanet Calendar Server
data."

the installation process requests admin username & password to your existing LDAP
server (a prerequisite for the install), and installs the required schema updates.
to do this it needs "root" access to the LDAP server. it then stores the supplied
username and password in the file ics.conf, preceded by the comment:

! WARNING: DO NOT CHANGE OR DELETE THE FOLLOWING CONFIGURATION FILE ENTRY.
! THIS ENTRY WAS AUTOMATICALLY GENERATED BY THE INSTALLATION PROGRAM.
! IT IS USED ONLY BY THE INSTALLATION AND UNINSTALLATION PROGRAMS.
! THIS ENTRY IS COMPLETELY IGNORED BY ALL OF THE INSTALLED PRODUCTS.
! IF YOU CHANGE OR DELETE THIS ENTRY, THE INSTALLATION AND UNINSTALLATION
! PROGRAMS COULD FAIL THE NEXT TIME THEY ARE RUN.

and the entry itself:

! Bind credentials (password) for user specified in local.authldapbinddn.
local.authldapbindcred = "oopsilostmypassword"
!
! DN used to bind to LDAP authentication host to search for user's dn.
local.authldapbinddn = "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"

the LDAP server is usually a Netscape Directory Server. installation notes from that
product (http://home.netscape.com/eng/server/directory/4.1/install/prepare.htm#1016382)
say:

"All 4.x Netscape servers use an instance of the Directory Server to store
configuration information. This information is stored in the o=NetscapeRoot
directory tree. Your configuration directory is the Directory Server that contains
the o=NetscapeRoot tree used by your Netscape servers."

the above server is administered by the netscape admin console
(/usr/netscape/server4/startconsole). using the username & password provided
earlier, and now found in ics.conf, full administrative access to the Directory
Server is granted, including access to SSL certs and any other Netscape product
information stored on that server.

> The ics.conf configuration file does contain information about the
> calendar-specific LDAP server so that the calendar server processes can connect
> to it.

indeed. the calendar specific entries would appear to be:

! User specified as the iPlanet Calendar Server administrator.
service.admin.calmaster.userid = "calmaster"
! Bind credentials (password) for user specified in service.admin.calmaster.userid.
service.admin.calmaster.cred = "fubar"

> The ownership on the file is icsuser and group is icsgroup. The
> security mode on this file does not need to allow read access by anyone who is
> not in the icsgroup. Thus, the permissions may be set to -rw-r-----
> with no adverse effects. This will secure the administrative access to this
> calendar-specific LDAP server.

i suggest iplanet do that by default then.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adamat_private
UNITED KINGDOM                PGP key on keyservers
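An added audit script, not from this thread or from iPlanet, that lists the stored bind-credential keys in an ics.conf (local.authldapbindcred and service.admin.calmaster.cred as shown above) and fails when the file is accessible to users outside the owner and group, i.e. when it is not yet at the -rw-r----- mode the reply recommends. The sample configuration it writes is constructed with placeholder passwords, and parsing the mode string from ls(1) is an assumption about the host.

```shell
#!/bin/sh
# Audit an ics.conf for embedded LDAP bind credentials that are readable by
# users outside the calendar group. Constructed example; not iPlanet's code.
# Assumes an ls(1) that prints a POSIX mode string such as -rw-r--r--.

# Print every key in FILE whose name ends in "cred" and carries a non-empty
# quoted value. iPlanet writes both local.authldapbindcred (the Directory
# Server admin bind) and service.admin.calmaster.cred this way.
ics_cred_keys() {
    sed -n 's/^\([A-Za-z0-9_.]*cred\)[[:space:]]*=[[:space:]]*"[^"]\{1,\}".*/\1/p' "$1"
}

# Exit 0 when FILE grants any permission bit to "other" (characters 8-10 of
# the ls mode string), i.e. when anyone on the host can read or modify it.
ics_world_readable() {
    mode=$(ls -ld "$1" | cut -c8-10)
    [ "$mode" != "---" ]
}

# Audit FILE: exit 1 if it holds bind credentials and is world-accessible,
# exit 0 otherwise. Findings are printed on stdout.
ics_conf_audit() {
    f=$1
    keys=$(ics_cred_keys "$f")
    if [ -z "$keys" ]; then
        echo "$f: no stored bind credentials found"
        return 0
    fi
    echo "$f: stored bind credentials in: $(echo "$keys" | tr '\n' ' ')"
    if ics_world_readable "$f"; then
        echo "$f: world-accessible ($(ls -ld "$f" | cut -c1-10)); restrict with chmod 640"
        return 1
    fi
    echo "$f: not world-accessible; credentials limited to owner and group"
    return 0
}

# Write a constructed ics.conf fragment (passwords are placeholders) to FILE,
# mirroring the entries quoted in the thread.
ics_sample_conf() {
    cat > "$1" <<'EOF'
! Bind credentials (password) for user specified in local.authldapbinddn.
local.authldapbindcred = "EXAMPLE-PASSWORD"
! DN used to bind to LDAP authentication host to search for user's dn.
local.authldapbinddn = "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
service.admin.calmaster.userid = "calmaster"
service.admin.calmaster.cred = "EXAMPLE-PASSWORD"
EOF
}
```

Run it as `ics_conf_audit /path/to/ics.conf` against the real file (the thread does not give its location); a non-zero exit means the Directory Server admin bind password is exposed to every local user.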
This archive was generated by hypermail 2b30 : Tue May 01 2001 - 09:08:34 PDT