 
Adding an LDAP Domain
You can add more than one LDAP domain to TDV Server, provided each of those domains has a unique name. The names “dynamic” and “composite” are reserved domain names in the TDV system.
To add an LDAP domain
1. Launch Manager.
2. From the SECURITY tab, choose Domain Management.
3. Click Add Domain.
4. Enter the Domain Name. The domain name will be part of the login.
When the process of adding the domain is complete, this name is displayed in the Domain Name column and as part of the login (lower case only).
5. Specify the LDAP directory type.
When using Novell eDirectory or Oracle Directory Server as the authentication source, select Other as the LDAP directory type and make changes in the ldap.properties file.
6. Type the path to the LDAP server in the Server URL field using the format:
ldap://<hostname:port>/<directory suffix>
ldaps://<hostname:port>/<directory suffix> (for secured LDAP)
 
Examples:
For plain LDAP: <port> = 389 and <directory suffix> is dc=composite,dc=com
For secured LDAP (LDAPS): <port> = 686 and <directory suffix> is dc=composite,dc=com
 
Note: To use secured LDAP (LDAPS; default port 686), the TDV Server must have the keystore from the LDAP server placed in the trusted store.
Example for Windows Active Directory:
<directory suffix> is dc=composite,dc=com
 
7. Enter an administrative LDAP user name and password. The fully-qualified name always works, because it is unambiguous, but you can also use the common name.
Example for Windows Active Directory:
cn=Administrator,cn=Users,dc=composite,dc=com
 
8. Select Simple, Digest, or Kerberos authentication.
Simple: The client sends the LDAP server its fully qualified domain name and a clear-text password. This authentication mechanism can be used within an encrypted channel such as SSL, if it is supported by the LDAP server.
Digest: Sets the security authentication mechanism to DIGEST-MD5.
Kerberos: Enables authentication against an LDAP service that has Kerberos authentication, such as Microsoft Active Directory, without transmitting passwords, encrypted or otherwise, over the network. The authentication is done by obtaining a cached ticket-granting ticket from the system's underlying Kerberos implementation, and using it to obtain service tickets from the ticket-granting service for the other services in use.
Required configuration:
a. TDV JRE installation must be 1.6.0_44 or higher.
b. Update the krb5.conf or krb5.ini file with the details of the Kerberos realm to which the LDAP domain using Kerberos authentication belongs, as follows:
A new realm tag, containing the Key Distribution Center (KDC) hostname, default domain name, KDC admin server hostname, KDC password server hostname, supported encryption types and, if necessary, principal-name-to-user-name mappings. Other properties might be necessary, depending on your Kerberos realm configuration. Cross-realm authentication is not supported.
One or more entries in the domain_realm section that map local domain names to the Kerberos realm.
Only if necessary, modify the libdefaults section of the configuration file.
After this option is enabled, the behavior of TDV is modified in a way that will be unique to your location. It is recommended that you make your users aware that when logging into TDV as a user on an LDAP domain with Kerberos authentication, the password field is non-editable. For some additional information on how TDV user name and passwords are managed, see About Kerberos Configuration Files and LDAP Login Credentials.
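The following krb5.conf is an added, constructed example of the realm, domain_realm and libdefaults entries described in step b; it is not part of the TDV documentation. The realm EXAMPLE.COM, the host kdc.example.com and the domain example.com are placeholders, and the encryption types are placed in libdefaults because that is where MIT Kerberos and the Java Kerberos implementation read them.

```ini
# Constructed example krb5.conf for a single Kerberos realm used by a TDV LDAP domain.
# Replace EXAMPLE.COM, kdc.example.com and example.com with your own values.

[libdefaults]
    default_realm = EXAMPLE.COM
    # Supported encryption types (kept to AES; no RC4 or DES).
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    # The realm below is fully specified, so DNS-based KDC and realm
    # discovery is disabled; this keeps the trust anchored in this file.
    dns_lookup_kdc   = false
    dns_lookup_realm = false

[realms]
    # One realm only: TDV does not support cross-realm authentication.
    EXAMPLE.COM = {
        kdc            = kdc.example.com       # Key Distribution Center
        admin_server   = kdc.example.com       # KDC admin server
        kpasswd_server = kdc.example.com       # KDC password server
        default_domain = example.com
        # Optional principal-name-to-user-name mapping: strip the realm suffix
        # so alice@EXAMPLE.COM becomes the TDV user name alice.
        auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*//
        auth_to_local = DEFAULT
    }

[domain_realm]
    # Map the local domain (and all hosts under it) to the realm.
    .example.com = EXAMPLE.COM
    example.com  = EXAMPLE.COM
```

On Windows the same content goes in krb5.ini; the file must be readable by the TDV Server JRE.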
9. Click OK.
10. Designate the LDAP groups (and the users in those groups) who can access TDV resources.