Active Directory Support in GroupWise 2014
Flexibility and interoperability have always been hallmarks for Novell. That’s why it should be no surprise that Novell® GroupWise® 2014 adds support
Collaboration White Paper
Taking Advantage of Active Directory Support in GroupWise 2014
Technical Overview
A key design attribute enabling this simplicity is that no schema modifications are necessary to implement GroupWise on Active Directory. To accomplish this, GroupWise no longer writes any GroupWise-specific information back into the directory other than email addresses. Additionally, all directory synchronization occurs via standard Lightweight Directory Access Protocol (LDAP) access. A practical consequence is that the account GroupWise binds with needs only read access to the user objects it synchronizes plus write access to the email address attribute; it does not need administrative rights in the domain.
The GroupWise architectural components responsible for synchronizing users from Active Directory are essentially the same components required to synchronize users from eDirectory:
Message Transfer Agent (MTA)—The MTA performs the periodic user synchronization to keep both GroupWise and Active Directory up to date. Most of the modifications that enable Active Directory support occurred in the MTA. These modifications were designed to ensure that GroupWise interprets the Active Directory schema and configuration correctly.
Post Office Agent (POA)—The POA performs the LDAP authentication for GroupWise and did not require any modifications in terms of Active Directory support.
Administration Service—The administration service responsible for configuring the directory was enhanced to facilitate the importing of users and the re-association of eDirectory-based GroupWise users to Active Directory-based users.
MMC Plug-in—To facilitate management of Active Directory users in GroupWise, the MMC plug-in can be installed into the Microsoft Management Console. This allows you to create users in Active Directory and easily assign those new users to a GroupWise post office using the MMC user creation wizard.
One additional requirement of Active Directory support in GroupWise involves SSL. You will need to configure and enable an SSL/TLS certificate on the domain controller and import it into GroupWise so that the LDAP connection between GroupWise and Active Directory is encrypted. Without it, the credentials sent in an LDAP simple bind (the synchronization account's, and the user passwords the POA checks against the directory) cross the network in cleartext.
How to Implement Active Directory Support in GroupWise
Implementing Active Directory support in GroupWise can be broken down into the following categories:
Best Practices for Implementing Active Directory Support
Configuring the Connection between GroupWise and Active Directory
Importing Active Directory Users Into GroupWise (Merger Scenario) or Migrating GroupWise Users from eDirectory to Active Directory (Directory Consolidation Scenario)
Verifying Successful Implementation
Enabling LDAP over SSL
Insight and Guidance for Enabling Active Directory Support in GroupWise
One of the main design goals of the new Active Directory support in GroupWise was to make it easy to implement. As a result, the steps for moving from eDirectory to
confirmed that the system is in a stable condition. Your eDirectory and Active Directory environments need to be stable as well. Making a directory change will not solve any directory problems you already have. Rather, it will likely complicate matters.
Configuring the Connection between GroupWise and Active Directory
The steps for implementing Active Directory support vary depending on your particular environment. But regardless of scenario, your first step will be to create a connection between GroupWise and Active Directory by performing the following initial configuration steps:
1. While logged into the GroupWise Administration Console for your primary domain, navigate to System and then to LDAP Servers.
2. Select the New Directory option.
b. To prevent recursive searching through the Active Directory forest, the base DN should be set to include at least the domain components for your Active Directory server (for example, DC=example,DC=com for a domain named example.com).
5. If you are using SSL, you will also need to provide the SSL certificate information for your Active Directory server. (Refer to the Enabling LDAP over SSL section of this paper.)
6. Mark Enable Synchronization and click OK.
Importing Active Directory Users Into GroupWise or Migrating GroupWise Users from eDirectory to Active Directory
The remaining steps for implementing Active Directory support in GroupWise differ depending on whether you are introducing existing Active Directory users into a GroupWise environment for the first time or if you are migrating existing GroupWise users from eDirectory to Active Directory. The first scenario usually occurs as a result of a merger and requires a simple import operation to bring the Active Directory users into GroupWise. The second scenario typically occurs as a result of a directory consolidation effort and requires the eDirectory users to be recreated in Active Directory and then reassociated in GroupWise to reflect their new directory environment.
Merger Scenario—Importing Active Directory Users Into GroupWise
To import existing Active Directory users into
2. Select the directory you are importing from and then select the GroupWise post office where you want your Active Directory users to be imported.
3. Enter any appropriate context information for your directory and import action.
4. Enter any desired LDAP filter options and mark the appropriate search options.
5. Select Preview to review the list of users to be imported and make modifications to the list as needed, such as manually excluding users from the import operation.
6. Click Import Users to perform the import of your Active Directory users.
Note: If you want to distribute the directory users to multiple post offices, you need to run the import once for each post office. You can use the LDAP context or the search filter option to place a subset of the Active Directory users onto a given post office.
into a new GroupWise post office you will need to do the following to configure LDAP authentication:
1. From the GroupWise Administration Console, view the details of the GroupWise post office for your Active Directory users.
2. Navigate to the Security tab.
3. Enable LDAP authentication.
Directory Consolidation Scenario—Migrating eDirectory Users to Active Directory
A directory consolidation scenario can involve migrating existing eDirectory users to Active Directory. This type of migration requires that you recreate these users in Active Directory, making sure that all the user objects for your GroupWise users exist in Active Directory before switching from eDirectory to Active Directory in GroupWise.
The steps for creating the Active Directory user objects are beyond the scope of this paper. However, for a successful switchover, it’s critical that the sAMAccountName (the account logon name on the user object) you establish in Active Directory for each user exactly matches that user’s uniqueID (UID) value in eDirectory.
Making sure these user account names match precisely enables you to seamlessly and accurately form the new associations between your Active Directory users and GroupWise. For example, if user Joe Johnson has an eDirectory UID of joe_johnson, and the corresponding sAMAccountName in Active Directory is joe_johnson, when you perform the bulk reassociation task in GroupWise, it will be able to recognize and match the user objects and then automatically shift the GroupWise association from eDirectory to Active Directory. Any users that do not have matching UID and sAMAccountName values will have to be reassociated manually. Because this match is what ties a mailbox to an Active Directory account, check before the bulk run that the mapping is one-to-one: a UID that lines up with the wrong sAMAccountName would hand that mailbox to a different person.
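A pre-flight check for the matching rule just described, added here as an example; it is not GroupWise code and not part of the original paper. It takes the two account-name lists as exported from each directory (in practice from an LDAP search of eDirectory’s uniqueID values and of Active Directory’s sAMAccountName values; the lists in the block are constructed sample data) and reports exact matches, names that match only when case is ignored, UIDs with no Active Directory account, duplicate UIDs, Active Directory accounts with no eDirectory counterpart, and UIDs that can never equal a sAMAccountName because they exceed Active Directory’s 20-character limit or contain a character it rejects.

```python
"""Pre-flight check for the eDirectory uniqueID -> Active Directory sAMAccountName
matching rule that GroupWise bulk reassociation relies on.  Added example, not
GroupWise code.  Inputs are plain lists of names as exported from each directory."""
import re

SAM_MAX_LEN = 20  # Active Directory limit for sAMAccountName (pre-Windows 2000 logon name)
# Characters Active Directory rejects in a sAMAccountName.
SAM_BAD_CHARS = re.compile(r'["/\\\[\]:;|=,+*?<>]')


def sam_problem(name):
    """Return why `name` cannot be used verbatim as a sAMAccountName, or None if it can."""
    if len(name) > SAM_MAX_LEN:
        return "longer than %d characters" % SAM_MAX_LEN
    hit = SAM_BAD_CHARS.search(name)
    if hit:
        return "contains %r" % hit.group(0)
    if name.endswith("."):
        return "ends with a period"
    return None


def check_mapping(edir_uids, ad_sam_names):
    """Compare the two name lists and return a report dict.

    Lookups are case-insensitive (as sAMAccountName lookups in AD are), but a
    name that matches only when case is ignored is reported separately because
    the paper requires an exact match for automatic reassociation."""
    ad_by_key = {}
    for sam in ad_sam_names:
        ad_by_key.setdefault(sam.lower(), sam)
    report = {"matched": [], "case_mismatch": [], "missing": [],
              "invalid_for_sam": [], "duplicate_uids": [], "unmatched_ad": []}
    seen = set()
    for uid in edir_uids:
        key = uid.lower()
        if key in seen:                      # a second eDirectory object with the same name
            report["duplicate_uids"].append(uid)
            continue
        seen.add(key)
        problem = sam_problem(uid)
        if problem:                          # this UID can never equal a sAMAccountName
            report["invalid_for_sam"].append((uid, problem))
        sam = ad_by_key.get(key)
        if sam is None:
            report["missing"].append(uid)
        elif sam == uid:
            report["matched"].append(uid)
        else:
            report["case_mismatch"].append((uid, sam))
    # AD accounts nobody in eDirectory maps to: service accounts, or users that
    # were created under a different name and will need manual association.
    report["unmatched_ad"] = sorted(sam for key, sam in ad_by_key.items() if key not in seen)
    report["ready_for_bulk"] = not (report["missing"] or report["case_mismatch"]
                                    or report["duplicate_uids"])
    return report


# Constructed sample data standing in for the two directory exports.
SAMPLE_EDIR_UIDS = ["joe_johnson", "Mary.Smith", "pat_okonkwo",
                    "alexandra_vanderbergh", "sam:admin", "PAT_OKONKWO"]
SAMPLE_AD_SAM = ["joe_johnson", "mary.smith", "alexandra_vanderberg", "svc_groupwise"]


def format_report(report):
    """Render the report as text an administrator can act on."""
    lines = ["ready for bulk reassociation: %s" % report["ready_for_bulk"]]
    for key in ("matched", "case_mismatch", "missing", "invalid_for_sam",
                "duplicate_uids", "unmatched_ad"):
        lines.append("%s (%d): %s" % (key, len(report[key]), report[key]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(check_mapping(SAMPLE_EDIR_UIDS, SAMPLE_AD_SAM)))
```

Only when ready_for_bulk is True should the Override existing association run be started; everything in missing, case_mismatch and invalid_for_sam is a candidate for the manual association steps later in this paper, and duplicate_uids needs resolving in eDirectory first, since two objects with the same name cannot both map to one Active Directory account.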
Once you have your users properly set up in Active Directory, configuring GroupWise to be associated with those Active Directory user objects rather than the user objects in your eDirectory system involves the following steps:
1. From the System menu in the GroupWise Administration Console, navigate to Directory Associations.
2. From the Directory pulldown options in the Directory Associations dialog, choose the Active Directory server and context that contain the users that need to be reassociated with GroupWise.
3. Enter any desired LDAP filter options and mark the appropriate search options.
4. Be sure to mark the Override existing association option. The default behavior in GroupWise is to match only unassociated users. So, unless the Override existing association option is marked, users previously associated with eDirectory will remain associated with eDirectory instead of being reassociated with Active Directory.
5. Select Preview to review the list of the users to be reassociated and make any needed modifications to the list.
a. Note: As a best practice, it’s recommended that you reassociate one or two test users before reassociating all users in your organization. You can use the Preview menu to filter out all the users except the test users. Once the test users have been reassociated using the remaining steps in this section, execute the steps in the Verifying Successful Implementation section to ensure that the process completed successfully. If the test users reassociated properly, return to the steps in this section to reassociate all the remaining users.
6. Click Associate.
Verifying Successful Implementation
Regardless of whether you are importing existing Active Directory users into GroupWise, migrating eDirectory users to Active Directory, or a combination of both, you need to verify the success of those operations. Verifying a successful implementation of Active Directory support in Novell GroupWise 2014 can be broken down into three main areas:
I. Verifying successful association of Active Directory users with GroupWise
II. Verifying successful authentication
III. Verifying complete user migration
Figure 3. Once you have user objects created in
within Active Directory.
3. In the GroupWise Administration Console, connect to the MTA of the domain responsible for synchronizing the directory objects.
4. Ensure that an HTTP username and password is set.
5. Click Launch MTA Web Console and enter the appropriate username and password when prompted.
6. From the Configuration tab, select Directory user synchronization.
7. Mark the Perform GroupWise Directory Synchronization Now button and click Submit.
8. To verify that the user phone number was properly applied to the user object in GroupWise, do the following:
a. Navigate to the most recent log file and search for directory synchronization events. You will be able to identify them as a cluster of log entries that begin with something to the effect of “Synchronizing Directory XXX.” The entries will show all of the users that were checked or updated by the synchronization process.
b. Log into the GroupWise Administration Console and verify that the user’s details, such as phone number, were updated there as well.
to GroupWise and can access email.
III—Verifying Complete User Migration
You can use the user list search capability in the GroupWise Administration Console to determine if all your users have actually been associated with your Active Directory environment and confirm that you have no remaining eDirectory users associated with GroupWise. To perform this verification, click on Users in the left column and enter a search expression that looks for any users associated with a directory that is not equal to your Active Directory server. The search expression might look similar to the following:
directory = null or directory != MyActiveDirectory
Such a search will return the list of users that have no directory association or have a directory association different from the Active Directory identified in the search expression. If desired, you can choose to search just for unassociated users or just for non-Active Directory users by executing only half of the above search expression, including either the parameter set before or after the “or”. Some unassociated users that appear in the returned search list might be orphan users that no longer belong to your organization; thus, you did not create user objects for them in Active Directory. In these instances, you can choose to disable their GroupWise accounts, so that no dormant mailboxes remain that nobody in the directory owns.
for the individual GroupWise user.
2. Select Associate Item under the More menu option.
3. Browse the Active Directory server for the corresponding user object and link the GroupWise user to that Active Directory user object.
Once you are certain that you have successfully associated all your GroupWise users with Active Directory, you can choose to delete your eDirectory directory object in GroupWise if desired. However, caution should be used if you are considering decommissioning your eDirectory server once the migration is complete. If you are using any other Novell services, they might depend on the user information stored in eDirectory. You might even have third-party or internally developed services that leverage your eDirectory server. Make sure that no other services or applications used within your organization rely on eDirectory before you consider shutting it down.
Enabling LDAP Over SSL
To secure your LDAP communications between GroupWise and Active Directory, you can use Secure Sockets Layer (SSL) / Transport Layer Security (TLS) by installing a properly formatted certificate from either a Microsoft certificate authority (CA) or a third-party CA. When setting up a trusted root certificate in an Active Directory environment using the Microsoft CA, it’s recommended that you always follow published best practices from Microsoft. You should consult with your Active Directory administrator on whether to enable LDAP SSL or export the SSL certificate from your production environment. Microsoft provides various resources on how to enable LDAP over SSL, such as the online resource found at: social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
While not a recommended best practice for production environments, you can use the following procedure to familiarize yourself with the process of creating and configuring a certificate in a lab environment.
1. From the Add Roles and Features Wizard within the Microsoft Management Console (MMC), install an AD Certificate Service Role on one of your AD Domain Controllers.
a. Note: Installing an Active Directory Certificate Service Role on an Active Directory Domain Controller is a practice that Microsoft does not recommend. However, in a lab environment with a simple Active Directory forest with one domain controller, it’s a convenient way of creating and configuring a certificate.
2. Highlight Server Roles and select Active Directory Certificate Services under Roles, and then click Next.
3. When prompted to add features required for Active Directory Certificate Services, mark Include management tools and click Add Features.
4. Accept the defaults on the subsequent steps until you’re presented with the Select role services screen. Mark the Certificate Authority option and click Next to install the role. Other options can be installed if desired, but are not necessary.
5. After the role installs, configure the certificate services by clicking on the option Configure Active Directory Services on th…
6. On the Credentials screen for the AD CS Configuration, verify that the correct credentials are listed and then click Next.
a. Note: The user needs to be a domain administrator.
7. On the Setup Type screen, select Certificate Authority as the role to configure and then select Enterprise CA as the type. Using the Enterprise CA type will configure the LDAP service to use SSL without requiring any further steps, because the domain controller automatically enrolls for a certificate from an Enterprise CA and LDAP over SSL uses it.
a. Note: Typically, you would next select a Root CA, but if you already have a CA configured, you don’t necessarily need to install a new one.
8. For the remaining steps in the wizard, you can select the default settings. Once the configuration completes, you need to restart the server.
9. After the server reboots, you need to export the certificate so it can be used with GroupWise. From within MMC, highlight Add/Remove Snap-in under the File menu and select Certificates.
10. In the subsequent screens, select Computer Account and then select Local Computer.
11. At the Console Root folder, expand the folders to the path Certificates (Local Computer)\Personal\Certificates and then right-click the certificate that was issued to the local server (not the CA certificate).
12. Select Export under All Tasks and click Next.
13. Click Next again until presented with the Export Private Key dialog. Mark the No, do not export the private key option and click Next. (GroupWise only needs the public certificate to verify the domain controller; the private key should never leave the domain controller.)
14. For the Export File Format, mark DER encoded binary X.509 (.CER) and click Next.
15. Enter a path and filename with a .cer extension and click Finish.
16. Now that the certificate is ready to be used by GroupWise, open the GroupWise Administration Console on that Windows server, navigate to LDAP Servers under the System menu, select your Active Directory server to edit, and from the General tab browse to your exported certificate file by clicking on the pencil icon by the SSL Certificate field. Selecting your certificate file will upload it to the domain.db file.
17. On the General tab, reenter the LDAP user password and click Test Connection. If you’re presented with a Connection Successful message, then
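An independent check of the exported certificate and the LDAPS endpoint, added here as an example; it is not part of the original paper and not GroupWise code. Run from the GroupWise server, it trusts only the .cer file produced in steps 13 through 15 and confirms that the domain controller answers on port 636 with a certificate that chains to that file and carries the host name you will enter in GroupWise, which is what a meaningful Test Connection has to establish. The host name dc1.example.com, the file name dc1.cer and the function names are placeholders chosen for this example.

```python
"""Verify an LDAPS endpoint against the DER certificate exported from the domain
controller.  Added example for this paper, not GroupWise code.  Placeholders:
host name and .cer path come from the command line."""
import socket
import ssl
import time


def load_cer(path):
    """Read the DER-encoded .cer file exported from the Certificates snap-in (step 15)."""
    with open(path, "rb") as f:
        return f.read()


def der_to_pem(der_bytes):
    """Convert the DER export to PEM, the form openssl and most Linux tools expect."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def check_ldaps(host, trusted_der, port=636, timeout=5.0):
    """TLS handshake with host:port trusting only `trusted_der`.

    Returns {"ok": True, ...certificate details...} when the server presents a
    certificate that chains to the exported one and matches `host`, otherwise
    {"ok": False, "error": ...}.  Nothing is sent at the LDAP layer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The exported file is the domain controller's own certificate, not the CA's,
    # so verification has to accept a chain that ends at that leaf.  OpenSSL only
    # does so with the partial-chain flag (Python 3.10 or newer exposes it; on
    # older versions export the CA certificate instead).
    ctx.verify_flags |= getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", 0)
    try:
        ctx.load_verify_locations(cadata=der_to_pem(trusted_der))
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()      # only populated after successful verification
                version = tls.version()
    except (OSError, ValueError) as e:        # SSLError, hostname mismatch, refused, timeout
        return {"ok": False, "error": "%s: %s" % (type(e).__name__, e)}
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - time.time()) / 86400
    return {
        "ok": True,
        "tls_version": version,
        "subject": dict(rdn[0] for rdn in cert["subject"]),
        "issuer": dict(rdn[0] for rdn in cert["issuer"]),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "days_until_expiry": int(days_left),
    }


if __name__ == "__main__":
    import json
    import sys
    # Usage: python3 check_ldaps.py dc1.example.com dc1.cer   (placeholder names)
    host, cer_path = sys.argv[1], sys.argv[2]
    print(json.dumps(check_ldaps(host, load_cer(cer_path)), indent=2))
```

A result with ok False and a certificate verify or hostname error means GroupWise’s Test Connection should fail as well; if it nevertheless reports success, find out whether certificate verification is actually being enforced before putting the connection into production. Because trust here is pinned to the domain controller’s own certificate rather than to the CA, it stops working when that certificate is renewed, so watch days_until_expiry and plan to re-export and re-upload the certificate at renewal.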
www.novell.com
Novell, Inc.