Softerra LDAP Administrator HelpShow AllHide All

Modifying Server Profile

A server profile can be modified at any time after creation. In LDAP Administrator, basic profile modification is implemented as inplace editing.

To modify settings of a server profile:

  1. Select a server profile, or (if using the Manual mode for handling referrals) a referral entry you'd like to adjust settings for.

  2. Open its properties by clicking Properties on the Standard toolbar or by selecting Properties from the View menu.

Available for modification are the following server profile properties:

Profile Page

Used to modify profile names. The name will help you make further use of the profile and distinguish it from the others.

Host Information.  Host and port describe an LDAP server to connect to. Usually LDAP servers run on port 389 for regular connections and on port 636 for secure connections. You can either specify a server host/port manually, or perform a DNS lookup of LDAP servers registered in a DNS domain. Base DN is the starting point for you to browse the directory tree. The Fetch Base DNs command gets all the published naming contexts, but, if needed, you can always assign an alternative base DN further down the tree. Leave the base DN field blank to start browsing from RootDSE.

Note: When RootDSE is specified as the profile's base DN, all the published naming contexts will be displayed as profile sub-entries. If you don't wish to display naming contexts as profile sub-entries automatically, uncheck the Display naming contexts as profile sub-entries box in the profile's Advanced properties, using the Miscellaneous page.

Server Type.  Server type is a purely informational field. LDAP Administrator uses heuristic methods for determining server types. These methods are based on the fact that in most cases LDAP servers publish server specific RootDSE attributes. Since RootDSE is usually specified via a configuration file, there is a possibility of publishing non-standard RootDSE attributes thus making LDAP Administrator to treat the LDAP server as a server of a different type. If an LDAP server blocks access to its RootDSE, its type is defined as Not Available.

LDAP URL.  LDAP URL is an informational field that is automatically updated as soon as you apply the modified settings of the profile. LDAP URL holds complete information about the connection, server host and port, base DN, displayed attributes and search filter. LDAP URL can be copied to the clipboard and then used to provide just enough information for configuring all settings of a newly created server profile if appropriately entered inside the Profile Creation Wizard.

Secure Connection.  Checking the Use secure connection (SSL) box means that all data used to communicate with the server will get encrypted. This box automatically toggles server port between regular (port 389) and secure (port 636) values.

Read-only Mode.  If your credentials provide enough privileges to enable you to perform a potentially unsafe modification, you secure a profile by making it read-only via checking the Read-only profile box. This box will not allow any modifications to the directory structure.

Color.  Allows setting the color of the profile icon. If you have several profiles, you can set a specific color for each of them and thus make them easy to distinguish.

Credentials Page

Credentials provide information for authenticating a user when connected to the server. Available are the following authentication options:

Anonymous Bind.  Determines an anonymous authentication type for the given server.

Currently Logged On User.  Prompts a connection to use credentials of the currently logged on Windows user. This option is Active Directory-specific and works properly only when connecting to an Active Directory or ADAM server.

Other Credentials.  Used when it is required to specify custom credentials for a connection. The Mechanism option sets the way in which the client and the server will negotiate with each other when establishing the connection and checking the provided credentials. Currently LDAP Administrator supports the following authentication mechanisms:

MechanismDescription
Simple Standard LDAP authentication mechanism. The principal and the password are transmitted in plain text, which makes this mechanism potentially vulnerable to cyber attacks. This mechanism is not recommended for usage in an unsafe environment like the Internet. However, using this mechanism when you connect to an LDAP server over SSL or a protected VPN channel is quite secure.
Digest MD5 This is a SASL authentication mechanism that provides a much higher protection from cyber attacks. If your server supports this mechanism, it's recommended you always prefer Digest MD5 over Simple.
GSS Negotiate A SASL mechanism that allows both client and server to negotiate for and then use the best authentication mechanism they mutually support. It’s recommended you prefer GSS Negotiate over Simple or Digest MD5 whenever possible.

Basically, a Principal is a general term for a user name, while the actual form of the principal string is mechanism-specific. The following table lists the most widespread forms of 'principal':

Principal FormDescriptionExample
LDAP DN The principal string is an LDAP distinguished name string as described in RFC4514*. cn=JohnDoe,ou=People,dc=Example,dc=com
Kerberos principal The principal string is a Kerberos principal name. johndoe@example.com
NTLM name The principal is the a Windows NTLM authentication string. EXAMPLE\johndoe

Principal and Password are used to authenticate the client to the server. The unchecked Save password box will result in LDAP Administrator asking you for the password before granting access to the server. You won't have to bother entering your password more than once in any case during a session, meaning that LDAP Administrator will only discard it after you exit the application. But if you check the Save password box for a selected profile, you'll no longer need to enter the password at all unless the box is unchecked.

You can use the Select credentials command to choose from among the existing credentials for the host and port configuration.

The Try matching the credentials required for referral rebind box indicates whether the credentials will be automatically determined by the Credentials Manager when you follow LDAP referrals. If the Credentials Manager is unable to automatically determine the appropriate credentials for the LDAP referral, or if this box is unchecked, then the application will ask for credentials right after you attempt to follow a referral.

Displayed Attributes

This property specifies which attributes will be fetched from server as entry content. Operational and non-operational attributes are configured separately. Well-known operational attributes are displayed in the lower list. If your server supports other operational attributes, you can add them to the list. When creating a profile with the default advanced settings, all non-operational attributes are fetched with the ones operational disabled. If you decide to fetch operational attributes, the required operational attributes will get automatically selected for fetching in a manner that depends on the base DN of the profile. Then you can adjust sets of operational attributes to fetch as you think fit.

For your convenience, LDAP Administrator offers three possible ways to add attributes:

  1. Type a new attribute name manually or choose it from the server schema. To add the attribute manually, click the Add button, and then enter an attribute name to the edit box provided, or use the drop-down list to choose an attribute from the list.

  2. Add a list of attributes from a file by clicking the arrow next to the Add button and then choose the Add from file command from the popup menu.

  3. Add attribute list from the clipboard. To add attributes list from a file click the arrow next to the Add button, add then choose Add from clipboard command from the popup menu.

To remove attributes:

  1. Select one or more attributes from the list.

  2. Click Remove or press the Delete key.

Finally, both operational and non-operational attribute lists offer a context menu that contains the following commands and keyboard shortcuts:

Command Shortcut Description
Copy Ctrl+C Copies currently selected attributes to the clipboard.
Paste Ctrl+V Pastes attributes from the clipboard to the list.
Delete Delete Removes currently selected attributes.
Select All Ctrl+A Selects the entire set of listed attributes.
Load from file   Loads a list of attributes from a file
Save to file   Saves currently selected attributes to a file.

To be able to propagate the attributes displayed, make sure that the Propagate displayed attributes box is checked.

LDAP Settings Page

Referral Handling.  Configures the referral handling modes for viewing or following LDAP referrals.

Dereference aliases.  Configures whether aliases are dereferenced when locating the base object of search and in subordinates of the base object being searched.

Timeout.  The Timeout parameter specifies the maximum time in seconds during which LDAP Administrator will wait for the search or browse operations to complete on an LDAP connection. A 0 value means no timeout, i.e. LDAP Administrator will wait for as long as it takes for an operation to complete.

Sizelimit.  Sizelimit is a server-side setting that specifies the maximum number of entries to be returned in a search result or while browsing on an LDAP connection. A 0 value means no sizelimit, i.e. the server will return the full results of the query. However, some servers may have internal sizelimits that can't be controlled by this setting.

Advanced LDAP Settings.  Configuring displayed attributes, viewing Server Monitor, modifying Server Monitor DN, adjusting modify policy and establishing miscellaneous LDAP settings can be done on the following advanced LDAP settings pages.

Server Monitor

Server Monitor is a virtual entry that maintains real-time information about the LDAP server. Most servers mark Server Monitor as CN=Monitor, but you can customize this DN if your server keeps its Server Monitor under another entry. The Server Monitor entry must have objectClass=monitor as one of its object classes.

If Server Monitor holds references to other entries, these entries are also fetched and represented as expandable items in the Server Monitor content list.

To refresh Server Monitor, use the Refresh command.

Miscellaneous

Some servers are not fully compatible with the LDAP v.3 protocol and LDAP requests require certain adjustments for correct communication with such servers. Checking the Force compatibility with the LDAP v.2 protocol box will make sure the server requests are adjusted according to the LDAP v.2 protocol requirements.

When a base DN of your profile is empty, naming contexts can be obtained from RootDSE and displayed as profile sub-entries. Checking the Display naming contexts as profile sub-entries box will display naming contexts as profile sub-entries.

By default, naming contexts are displayed as profile sub-entries. However, some servers may experience problems with an empty naming context being one of the reasons. If this feature does not work as expected, or if your server experiences this sort of problems, then it is recommended you either specify a valid non-empty base DN, or uncheck the Display naming contexts as profile sub-entries box.

You can preserve your old RDN values while renaming entries in order to maintain the RDN values history. Checking the Keep old RDN values while renaming entries box will instruct an LDAP server to keep the old RDN values.

Most LDAP servers support a special LDAP Rename operation that provides for an extremely efficient 'rename and move' performance within a single server. By default, LDAP Administrator will use LDAP Rename if it is supported by the server. However, some servers may identify themselves as supporting this operation, but then still behave incorrectly when interacting with LDAP Administrator. So, if you encounter problems moving or renaming entries on such servers, check the Supress LDAP Rename operation box.

Some servers supporting collective attributes do not allow copying or moving such attributes. This means that copying or moving an entry with collective attributes on such servers should only include the ones non-collective with the collective attributes omitted. So, since it becomes the responsibility of LDAP Administrator to skip collective attributes, which significantly slows down the performance while copying or moving entries, it's recommended that you keep the Skip collective attributes on copy/move box unchecked for servers not supporting collective attributes, and activate it for servers with the collective attributes support.

Although some LDAP servers declare support of the 'Tree Delete' control, they, in fact, may prove unable to properly handle a delete operation via this control due to bugs or an incorrect configuration. By default, LDAP Administrator attaches the 'Tree Delete' control to every LDAP Delete request sent to a server that declares its support. So, in case LDAP Administrator has problems deleting entries, while other LDAP clients don't, you can try toggling the Never use Tree Delete control option.

A server profile is also treated as an LDAP entry specified by the profile's base DN. This implies that all properties available for an LDAP entry are also available for a server profile.

See Also