
Dynamic Address Book Link (LDAP) Address Book Configuration

For FootPrints to access an outside contact database (e.g., Active Directory, Lotus Domino Server, etc.) for user contact information, the information described below must be entered. Please consult with your System Administrator if you need to gather some of this information. If the LDAP Address Book has been converted from a FootPrints Address Book, it may be converted back by checking a checkbox that appears at the top of the page.

Name for Address Book

This is an arbitrary name used to identify the Address Book in FootPrints, e.g., Widget Company Users. The field in the wizard is pre-filled with the name entered during installation, but it can be changed here. The name of the Address Book is visible to users in the Address Book.

LDAP Server Name

Enter the full domain name of the machine hosting the contact database server.

LDAP Server Port

This is the port that FootPrints uses to communicate with the LDAP contact database to retrieve user contact information. In most cases, the default value of 389 should be used. However, when a machine hosts more than one directory, a different port number may be used; often, when port 389 is already taken, administrators assign port 390 as the LDAP port. An additional option besides the standard LDAP port (389) is the Global Catalog port for Active Directory (3268). This enables LDAP to access additional users from trusted domains using a set of common LDAP attributes. The typical scenario in which this would be used is a large organization with a number of offices, each maintaining an Active Directory for its local users. Using the standard port, you might be able to retrieve only a local office's users. Using the Global Catalog port, you can often retrieve everyone, assuming the search base is set correctly.

LDAP Search Base for Directory Entries

LDAP (including Active Directory) stores its data in a tree structure. To enable FootPrints to retrieve user information, you must specify a search base here, which tells FootPrints where in the tree to start searching (and, when more than one is given, in what order). The search base is formed by adding the names of the root and each subsequent branch of the tree until you reach the point where a search should commence. The search base should be the branch of the tree closest to the data being searched. In most instances, all data being sought are in one branch of the LDAP tree. For instance, if the root of the LDAP Directory tree is dc=server, dc=com and the next branch to be taken is ou=Users, which contains all the directory information, the search base would be: ou=Users, dc=server, dc=com

If users exist in multiple search bases, place each on a separate line. They will be searched in order for authentication from top to bottom.

The form of the search base is different for various LDAP servers. Please speak to your LDAP administrator, refer to the product documentation for that server or contact BMC support for help.

Note

Spacing, punctuation, and capitalization must be exact for a search base to work correctly. For instance, if one of the values in your search base has spaces and/or punctuation (e.g., o=My Company, Inc.), you must place the value in quotation marks (i.e., o="My Company, Inc.") and make sure that the spacing, punctuation, and capitalization are correct.

Last Name of Any Person Known to be in the Directory

Enter the last name (surname) of a contact in the LDAP directory. This is the name that FootPrints uses to test the connection to your LDAP server. The contact should have values for all the LDAP attributes (fields) you plan to use.

Distinguished Name (Optional)

Some LDAP servers allow an anonymous login. In these cases, a distinguished name and password are not needed; however, if your server requires an authenticated bind of a user to access the directory, you should enter the distinguished name and password of the Administrator user here. Specifying the distinguished name and password can also improve performance in searching and retrieving data from the LDAP server.

The distinguished name of the binding user can be obtained from the LDAP Administrator or can be found using the techniques discussed above for the LDAP Search Base. The distinguished name to use for binding is generally cn=userid (where userid is the ID for the account used for binding) followed by a comma and then the search base. For example, if the User ID is Administrator:

If the search base is: cn=Recipients,ou=organization,o=company

Then the distinguished name will be:  cn=Administrator,cn=Recipients,ou=organization,o=company

Active Directory also provides some alternatives in lieu of a distinguished name. For example, if you know the domain and userid of a user, you could place in the distinguished name field: DOMAIN\userid

An additional alternative for Active Directory is to use the userprincipalname of a user, which is typically of the form: userid@domain

For an Active Directory distinguished name, if the search base is: cn=Users, DC=NTdomain,DC=internetName,DC=com

Then the distinguished name will be: cn=Administrator,cn=Users, DC=NTdomain,DC=internetName,DC=com

Be sure to keep all components of the user's distinguished name. Do not omit a component such as a CN or UID, as you would when shortening a search base. Leave the field blank if binding anonymously.
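The search-base quoting rule from the Note above and the distinguished-name construction just described, as an added Python example (not FootPrints code). The sample search bases are constructed from this page's examples; the (sn=...) filter for the connection test is an assumption, since the page does not state the exact filter FootPrints issues.

```python
# Constructed sample input, modelled on the examples in this page (not real directory data).
SEARCH_BASES_TEXT = """cn=Recipients,ou=organization,o=company
cn=Users, DC=NTdomain,DC=internetName,DC=com
"""

def parse_search_bases(text: str) -> list[str]:
    """One search base per line, kept in the top-to-bottom order in which they are searched."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def split_rdns(base: str) -> list[str]:
    """Split a search base on commas that are outside quotation marks."""
    parts, current, quoted = [], "", False
    for ch in base:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(current.strip())
            current = ""
        else:
            current += ch
    parts.append(current.strip())
    return parts

def search_base_problems(base: str) -> list[str]:
    """Syntax check for the Note: a value containing a comma or a space must be quoted.
    This checks form only; whether the branch exists is known only to the directory."""
    problems = []
    for rdn in split_rdns(base):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            problems.append(f"fragment '{rdn}' is not attribute=value; quote a value containing a comma")
        elif " " in value.strip() and not (value.startswith('"') and value.endswith('"')):
            problems.append(f"value '{value}' contains spaces; write it as {attr}=\"{value}\"")
    return problems

def bind_dn(userid: str, search_base: str) -> str:
    """Bind DN as described above: cn=<userid>, a comma, then the whole search base."""
    return f"cn={userid},{search_base}"

def connection_test_filter(surname: str) -> str:
    """Assumed filter for the connection test on the surname entered above, with RFC 4515
    escaping so that *, (, ) or \\ in a surname is matched literally, not read as filter syntax."""
    escaped = "".join(f"\\{ord(c):02x}" if c in '\\*()\x00' else c for c in surname)
    return f"(sn={escaped})"
```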

Note

Active Directory normally does not support anonymous binding. If you have Active Directory, you may need to fill in the distinguished name and password.

Password (Optional)

Place the password of the binding user here. This is the password of the Administrator specified in the distinguished name above. Leave blank if binding anonymously.

After all of the information is entered, click GO. FootPrints attempts to connect to your LDAP/Active Directory server and search for the contact specified above using the search base and other information entered. If you are creating a new Address Book and the connection is successful, the configuration is complete. If you are converting an existing Address Book to LDAP and the connection is successful, the Address Book Field Mapping page is displayed. If FootPrints is not able to connect to your LDAP server, an error is displayed or the browser times out. You can contact your LDAP administrator or BMC support if you need assistance.