KB16411 - What is Lightweight Directory Access Protocol configuration for the BlackBerry Administration Service

Posted 05-26-2009, 09:41 AM by hdawg (Proprietor)
Join Date: Nov 2008
Posts: 2,238
Blog Entries: 147


Environment

  • BlackBerry® Administration Service
  • BlackBerry® Enterprise Server software version 5.0



Overview

When installing the BlackBerry Administration Service for BlackBerry Enterprise Server software version 5.0, you must configure the following four settings so that the BlackBerry Administration Service can look up information about Windows® user accounts:
  • LDAP server URL
  • LDAP search base
  • LDAP user name
  • LDAP password

These settings are described below.

LDAP server URL

The LDAP server URL is a standard notation for describing the computer and port that the Lightweight Directory Access Protocol (LDAP) connection is made to. This standard notation has the following three components:

  ldap://<LDAP server name>:<LDAP port number>

where:
  • URL scheme is always set to ldap:// to indicate an LDAP network connection.
  • LDAP server name is the name of the Windows domain controller that LDAP queries will be made to. You can set the LDAP server name to the fully qualified domain name (FQDN) of the domain controller. For example, <computername>..com.
  • LDAP port number is the Transmission Control Protocol (TCP) port number that the LDAP connection is made over, typically 389. You can set the LDAP port number to 3268 if the LDAP server is also a Global Catalog Server. You must separate the LDAP server name and the LDAP port number with a colon.

LDAP search base

The information in an LDAP directory server is organized in a tree structure. The root container contains directory objects and any number of sub-containers that can contain objects and further sub-containers. The LDAP search base establishes the starting point from which the BlackBerry Administration Service searches down through the directory tree for BlackBerry smartphone user accounts.
The location of an object in the directory store is described by its distinguished name (DN). The distinguished name is a comma-separated set of pairs (name=value) that uniquely identify the object and its location in the directory tree. Reading from right to left, the name=value pairs describe the exact location of the object in the directory tree beginning at the root.
For example, suppose that Clyde Warren (cwarren) works in the Test Engineering department of Arizan Corporation. The diagram below illustrates how the company has organized its Microsoft® Active Directory® tree structure. In this structure, test users are contained in an organizational unit (OU) called Testing, which is contained in the Engineering OU. The Engineering OU is contained in the root of the domain. Based on this structure, the distinguished name for Clyde Warren (cwarren) would be cn=cwarren, ou=test, ou=engineering, dc=arizan, dc=com.

You must set the LDAP search base value to the distinguished name of the Microsoft Active Directory container that holds all possible BlackBerry smartphone user accounts and Microsoft Active Directory accounts of BlackBerry® Enterprise Server administrators. Using the example above, if the Marketing department is the only department that has BlackBerry smartphones, then the LDAP search base can be set to ou=marketing, dc=arizan, dc=com. If the Microsoft Active Directory accounts for BlackBerry smartphone users can be located anywhere in the domain, then you must set the LDAP search base to the root of the domain. For example, dc=arizan, dc=com.

LDAP user name and LDAP password

Microsoft Active Directory is a secure service and proper authentication and authorization is required to access the information in its directory store. The LDAP user name and password are the credentials of a Windows account that is a domain user and that you have granted the appropriate rights to read user attributes in the Microsoft Active Directory domain. The BlackBerry Administration Service authenticates to Microsoft Active Directory and performs all LDAP queries using the user name and password provided in these fields.
The LDAP user account must belong to the domain of the LDAP server. You must type the LDAP user name as the user’s login name, also known as the Security Accounts Manager (SAM) account name. For example, BESAdmin.

Using the Microsoft Active Directory global catalog (optional)

If you must configure the BlackBerry Administration Service to authenticate BlackBerry smartphone users from more than one domain in a Microsoft Active Directory forest, then you must configure the LDAP settings to search the global catalog in the following manner:
  • In the LDAP server URL field, set the LDAP server name to the FQDN name of a global catalog server and set the LDAP port number to 3268.
  • Set the LDAP search base field to the DN of the common naming context for the Microsoft Active Directory forest. For example, if the forest contains the following three domains:
    • arizan1.com
    • arizan2.com
    • arizan3.com
    then you must set the LDAP search base to dc=com.
  • Set the LDAP user name and password to the credentials of an account that has permission to read user attributes from the global catalog.
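The checks below, for the LDAP server URL, the LDAP search base and the global catalog settings described above, are an added example and are not code from the KB article or from the BlackBerry Administration Service. They parse the ldap://server:port notation, split distinguished names into their name=value pairs, and test whether a user's DN actually sits under the configured search base (the usual reason a BlackBerry user is "not found" during setup). The host names dc1.arizan.com and gc1.arizan.com are constructed for the example.

```python
from urllib.parse import urlsplit

# Ports named in the KB article: 389 for a domain controller, 3268 for a
# global catalog server.
LDAP_PORT = 389
GLOBAL_CATALOG_PORT = 3268


def parse_ldap_url(url):
    """Split an LDAP server URL into (server name, port).

    The scheme must be ldap:// and a server name must be present; a missing
    port defaults to 389, the value the article gives as typical.
    """
    parts = urlsplit(url)
    if parts.scheme != "ldap":
        raise ValueError(f"URL scheme must be ldap://, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("LDAP server name is missing")
    port = parts.port if parts.port is not None else LDAP_PORT
    return parts.hostname, port


def parse_dn(dn):
    """Turn 'cn=cwarren, ou=test, dc=arizan, dc=com' into a list of
    (name, value) pairs, lower-cased and stripped, most specific first.
    Simplification: escaped commas inside a value are not handled."""
    pairs = []
    for rdn in dn.split(","):
        name, sep, value = rdn.partition("=")
        if not sep or not name.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((name.strip().lower(), value.strip().lower()))
    return pairs


def is_under_search_base(user_dn, search_base):
    """True if user_dn lies in the subtree rooted at search_base: reading right
    to left, the search base must equal the tail of the user's DN."""
    user, base = parse_dn(user_dn), parse_dn(search_base)
    return len(user) > len(base) and user[-len(base):] == base


def check_config(url, search_base, user_dns, multi_domain=False):
    """Return (port_matches_expectation, user DNs the search base misses).
    multi_domain=True means the forest-wide global catalog setup (port 3268)."""
    _, port = parse_ldap_url(url)
    expected = GLOBAL_CATALOG_PORT if multi_domain else LDAP_PORT
    missed = [dn for dn in user_dns if not is_under_search_base(dn, search_base)]
    return port == expected, missed
```

Running check_config with the article's own DNs shows why ou=marketing, dc=arizan, dc=com would never return cwarren, while dc=arizan, dc=com (or dc=com on a global catalog server) does.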



Additional Information

What is LDAP?

LDAP is an industry standard network protocol for accessing and updating information stored in a directory service. Microsoft Active Directory is the directory service for a Windows domain that stores all the information about user accounts, groups, computers, and other important shared resources. Any client program that needs information about user accounts or groups can look it up in Microsoft Active Directory using the LDAP protocol.

Why does the BlackBerry Administration Service use LDAP?

When an administrator user account is created for the BlackBerry Administration Service, you can configure the account to use Microsoft Active Directory authentication. The administrator can log in to the BlackBerry Administration Service by typing the credentials (domain, name, and password) of a Microsoft Active Directory account. During the authentication process, the BlackBerry Administration Service looks up information about the user in Microsoft Active Directory using the LDAP protocol.
Similarly, every BlackBerry smartphone user account with a Microsoft® Exchange mailbox has a user account in Microsoft Active Directory. When BlackBerry smartphone users log in to BlackBerry® Web Desktop Manager, the BlackBerry Administration Service authenticates them using Microsoft Active Directory. The BlackBerry Administration Service uses the LDAP protocol to look up information about the user account in Microsoft Active Directory.

Why do you need to configure the BlackBerry Administration Service to use LDAP?

To look up Windows user information in Microsoft Active Directory using LDAP, the BlackBerry Administration Service needs to know the following information:
  • The name of the Windows domain controller (the LDAP server) that the LDAP queries will be made to
  • The network port number that the LDAP connection will take place over
  • The location in the directory tree that the search for user accounts will begin at
  • The account credentials required to make the LDAP connection to Microsoft Active Directory
__________________
http://blog.port3101.org/hdawg/

The views expressed by me on Port3101 and its affiliated sites are my own and do not necessarily reflect the views of my employer.