The Service Objects tab is where you can view, create, edit, and manage service objects. A service object is a group of configuration settings used for the following SGD authentication mechanisms:
Active Directory authentication, see Section 2.2, “Active Directory Authentication”
LDAP authentication, see Section 2.4, “LDAP Authentication”
Third-party authentication using the LDAP repository search, see Section 2.6, “Third-Party Authentication and Web Authentication”
Use the buttons in the Service Objects List table to manage service objects for the SGD array.
Use the Repository Type option to enable either LDAP authentication (Section A.1.18, “LDAP”) or Active Directory authentication (Section A.1.17, “Active Directory”). The Repository Type option is only available if both LDAP and Active Directory service objects have been created.
From the command line, use the tarantella service commands to create, delete, edit, and list service objects. See Section D.97, “tarantella service”.
For more information about service objects, see Section 2.8.4, “Using Service Objects”.
The Service Objects List table displays the service objects configured for the SGD array.
When you enable LDAP or Active Directory authentication using the Secure Global Desktop Authentication Wizard, a service object called generated is created automatically and the Service Objects List table is shown.
The Service Objects List table includes the following information for each service object:
Position. Position of the service object in the table. The highest position is 1. SGD uses the enabled service objects in the order shown.
Name. Name of the service object.
Enabled/Disabled. Whether the service object is enabled or disabled.
Type. Service object type, either LDAP or Active Directory.
URL. URL of the LDAP server or Active Directory forest. Where multiple LDAP servers have been specified, multiple URLs are shown.
The New button is used to create a new service object. The new service object is added at the end of the Service Objects List table, in the last position.
The Edit button is used to edit the selected service object.
The Delete button removes the selected service object.
The Duplicate button makes a copy of the selected service object.
The Enable and Disable buttons switch the enabled state of the selected service object.
The Move Up and Move Down buttons are used to change the position of the selected service object in the table.
You update the Service Objects List table by clicking the Reload button.
When you create, duplicate, or edit a service object, a new window is displayed that enables you to configure the service object. In this window, you can configure only the following commonly-used settings for service objects:
There are also some advanced service object settings that can be configured only from the command line, with the tarantella service new or tarantella service edit commands. See Section 2.8.4, “Using Service Objects” for more details.
Name
Usage: Type the name of the service object in the field.
The name of the service object.
Once you have created a service object, you cannot rename it. Use the Duplicate button in the Service Objects List table to create a copy of the service object with a different name.
The name can only contain lowercase characters, digits, or the characters _ and -.
Type
Usage: Select either the LDAP or Active Directory option.
The Type setting controls which SGD authentication mechanism can use the service object.
Select the LDAP option even if you are using a Microsoft Active Directory server for LDAP authentication.
Active Directory service objects are used only for Active Directory authentication.
Once you have created a service object, you cannot change the type.
Enabled
Usage: Select or deselect the check box.
Whether to enable the service object. A service object must be enabled before SGD can use it.
URL
Usage: Type one or more uniform resource locators (URLs) in the field. Separate each URL with a semicolon.
For LDAP service objects, type one or more URLs of LDAP directories. The URLs are used in the order they are listed. If the first LDAP directory server listed is unavailable, SGD tries the next one in the list. Alternatively, you can create separate service objects for each URL. SGD uses each service object in position order. Each LDAP URL has the form ldap://server:port/searchroot. Each of these options is defined as follows:
Server. The Domain Name System (DNS) name of the LDAP directory server.
Port. The TCP port that the LDAP directory server listens on for connections. You can omit this, and the preceding ":" character, to use the default port.
Searchroot. The distinguished name (DN) to use as the search base, for example, dc=example,dc=com. This specifies the part of the LDAP directory used to search for the user identity.
Use an ldaps:// URL if your LDAP directory server uses Secure Sockets Layer (SSL) connections. Extra configuration might be required for SSL connections, see Section 2.4.3.2, “Network Requirements for LDAP Authentication”.
The URLs configured for an LDAP service object must all be of the same type, either ldap:// or ldaps://. You cannot use a mixture of ldap:// and ldaps:// URLs.
For Active Directory service objects, type the URL of an Active Directory forest, for example, ad://example.com. The URL must start with ad://. Type only one URL.
Use the Test button to test the connection to the URLs.
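The following Python script is an added example, not code from the original documentation or from SGD itself. It encodes the rules stated above for the Name and URL settings: the characters a service object name may contain, the ldap://server:port/searchroot form with an optional port, the requirement that an LDAP service object's URLs are all ldap:// or all ldaps://, the single ad:// URL for Active Directory objects, and the in-order failover across the listed LDAP servers. The function and type names, and the sample URLs, are the example's own; the server names are constructed and the connection probe is a stub supplied by the caller.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional
from urllib.parse import urlsplit

# Constructed example, not SGD's own code: checks the documented rules for a
# service object's Name, Type and URL settings before the object is created.

NAME_RE = re.compile(r"^[a-z0-9_-]+$")   # lowercase letters, digits, '_' and '-'


@dataclass(frozen=True)
class LdapUrl:
    scheme: str           # "ldap" or "ldaps"
    server: str           # DNS name of the LDAP directory server
    port: Optional[int]   # None means the default port for the scheme
    searchroot: str       # DN used as the search base, e.g. dc=example,dc=com


def validate_name(name: str) -> str:
    """Names cannot be changed once created, so reject a bad one up front."""
    if not NAME_RE.match(name):
        raise ValueError(
            f"invalid service object name {name!r}: use only lowercase "
            "letters, digits, '_' and '-'")
    return name


def parse_ldap_url(url: str) -> LdapUrl:
    """Parse one URL of the form ldap://server:port/searchroot (port optional)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an ldap:// or ldaps:// URL: {url}")
    if not parts.hostname:
        raise ValueError(f"missing server name in LDAP URL: {url}")
    searchroot = parts.path.lstrip("/")
    if not searchroot:
        raise ValueError(f"missing search root DN in LDAP URL: {url}")
    return LdapUrl(parts.scheme, parts.hostname, parts.port, searchroot)


def validate_url_field(obj_type: str, url_field: str) -> list:
    """Split the semicolon-separated URL field and apply the per-type rules.

    LDAP: one or more URLs, all ldap:// or all ldaps://, never a mixture.
    Active Directory ("ad"): exactly one URL, which must start with ad://.
    """
    urls = [u.strip() for u in url_field.split(";") if u.strip()]
    if not urls:
        raise ValueError("the URL field must contain at least one URL")
    if obj_type == "ldap":
        parsed = [parse_ldap_url(u) for u in urls]
        if len({p.scheme for p in parsed}) > 1:
            raise ValueError("an LDAP service object cannot mix ldap:// and ldaps:// URLs")
        return parsed
    if obj_type == "ad":
        if len(urls) != 1:
            raise ValueError("an Active Directory service object takes exactly one URL")
        forest = urls[0]
        if not forest.startswith("ad://") or forest == "ad://":
            raise ValueError(f"Active Directory URL must start with ad://: {forest}")
        return urls
    raise ValueError(f"unknown service object type: {obj_type!r}")


def first_reachable(parsed: List[LdapUrl],
                    probe: Callable[[LdapUrl], bool]) -> Optional[LdapUrl]:
    """Model the documented failover: try the URLs in list order and use the
    first directory server that answers. `probe` is supplied by the caller
    (a real deployment would attempt a connection; here it is a stub)."""
    for entry in parsed:
        if probe(entry):
            return entry
    return None


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; used to exercise the negative cases."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample input: two LDAP replicas, one with an explicit port.
    field = ("ldap://ldap1.example.com:389/dc=example,dc=com; "
             "ldap://ldap2.example.com/dc=example,dc=com")
    for entry in validate_url_field("ldap", field):
        print(entry)
    # Mixed ldap:// and ldaps:// URLs in one object are rejected.
    print(rejects(validate_url_field, "ldap",
                  "ldap://a.example.com/dc=example,dc=com;"
                  "ldaps://b.example.com/dc=example,dc=com"))
```

Running the script parses the two constructed replica URLs and then reports that the mixed-scheme field is rejected. The same checks can be run against any URL string before it is pasted into the URL field or passed to tarantella service new, so that a misconfiguration is caught before the Test button is needed.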
User Name and Password
Usage: Type the user name and password in the fields.
The user name and password of a user that has privileges to search the directory server.
For security reasons, the password is not displayed, even if it has been previously set.
For LDAP service objects, type the DN of the user, for example cn=sgd-user,cn=Users,dc=example,dc=com. This is the administrator bind DN, see Section 2.4.3.3, “LDAP Bind DN and Password Change” for more details. As you can only enter one user name and password, this user must be able to search all LDAP directory servers listed in the URL field. If you need to use different user names and passwords, create separate service objects. If the directory server supports anonymous binds, you can omit the user name and password. To use anonymous binds, you must be able to perform LDAP queries for user data.
For Active Directory service objects, the user name has the form user@example.com. If you omit the domain name from the user name, SGD uses the information in the URL, Base Domain, and Default Domain fields to obtain a domain. The user must have privileges to search Active Directory for user information.
To configure the user name and password for the directory server on the command line, use the tarantella passcache command. See Section D.54, “tarantella passcache” for more details.
Connection Security
Usage: Select the required option. If the SSL option is selected, an option for using client certificates is enabled.
The mechanism used to secure the connection to an Active Directory server.
To use only the Kerberos protocol for secure connections – Select the Kerberos option for Connection Security, and type a user name and password in the User Name and Password fields. This option is selected by default.
To use Kerberos and SSL for secure connections – Select the SSL option for Connection Security, and type a user name and password in the User Name and Password fields.
To use Kerberos, SSL, and client certificates for secure connections – Select the SSL option for Connection Security, and select the Use Certificates check box.
See Section 2.2.3.5, “SSL Connections to Active Directory” for details of the additional configuration required to use SSL connections.
Base Domain
Usage: Type a domain name in the field.
The domain that SGD uses for Active Directory authentication, if users only supply a partial domain when they log in.
For example, if the base domain is set to example.com and a user logs in with the user name rouge@west, SGD authenticates the user as rouge@west.example.com.
Default Domain
Usage: Type a domain name in the field.
The domain that SGD uses for Active Directory authentication, if users do not supply a domain when they log in.
For example, if the default domain is set to east.example.com and a user logs in with the user name rouge, SGD authenticates the user as rouge@east.example.com.
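As an added example (not from the original documentation or from SGD), the following Python function applies the Base Domain and Default Domain rules described above to a login name, reproducing the two worked cases: rouge@west with base domain example.com, and rouge with default domain east.example.com. The page does not say how SGD decides that a supplied domain is partial; the function assumes that a domain which already ends in the base domain is complete and is left unchanged, and that with no Base Domain configured a supplied domain is used as typed. The function name and its handling of an empty Default Domain are the example's own.

```python
# Constructed example, not SGD code: how the Base Domain and Default Domain
# settings complete an Active Directory login name. The test for a "partial"
# domain (see lead-in) is an assumption, not documented SGD behaviour.


def complete_login(login: str, base_domain: str, default_domain: str) -> str:
    """Return the user@domain name SGD authenticates for a typed login name.

    - no domain supplied      -> append the Default Domain
    - partial domain supplied -> append the Base Domain
    - complete domain         -> unchanged (assumption: a supplied domain that
                                 equals or ends in the Base Domain is complete)
    """
    user, sep, domain = login.partition("@")
    if not user:
        raise ValueError("user name must not be empty")

    if not sep or not domain:
        # "rouge" (or "rouge@"): nothing after the user name, use Default Domain.
        if not default_domain:
            raise ValueError("no domain supplied and no Default Domain configured")
        return f"{user}@{default_domain}"

    if not base_domain:
        # Assumption: without a Base Domain the typed domain is used as-is.
        return f"{user}@{domain}"

    if domain == base_domain or domain.endswith("." + base_domain):
        # "rouge@west.example.com": already under the base domain, keep it.
        return f"{user}@{domain}"

    # "rouge@west": partial domain, qualify it with the Base Domain.
    return f"{user}@{domain}.{base_domain}"


if __name__ == "__main__":
    # Constructed settings matching the two examples in the text above.
    for name in ("rouge@west", "rouge", "rouge@west.example.com"):
        print(name, "->", complete_login(name, "example.com", "east.example.com"))
```

The two documented cases resolve to rouge@west.example.com and rouge@east.example.com respectively; the third call shows the assumed behaviour for a login name that already carries a complete domain.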