Oracle Secure Global Desktop Administration Guide for Version 4.6

Publishing Applications

Creating objects to represent the applications, application servers, and users in your organization does not, by itself, give users access to applications through SGD. Applications must be published. You publish applications by creating relationships between the objects in the organizational hierarchy. SGD calls these relationships assignments. You publish applications as follows:

    • Assign applications to application servers. This is done by using local assignments.
    • Assign applications to users. This is done by using local assignments, LDAP assignments, or a combination of both.

Assignments can be either of the following types:

    • Local assignments, which are relationships between objects in the local repository. See Local Assignments.
    • LDAP assignments, which are relationships between objects in the local repository and objects in an LDAP directory. See LDAP Assignments.

The Administration Console provides several ways for reviewing assignments, see Reviewing Assignments.

Local Assignments

Local assignments are relationships between objects in the local repository.

In the Administration Console, you assign applications on the Applications tab. See How to Assign Application Servers to Applications and How to Assign Applications to Users.

SGD uses inheritance to make local assignments easier to manage and more efficient. OU and user profile objects can inherit the assignments and settings of their parent objects in the organizational hierarchy. Inheritance is enabled by default. To use inheritance, create user profile objects within OU objects, and then assign applications to the OUs.

How to Assign Application Servers to Applications

  1. In the Administration Console, go to the Applications tab and select an application object or a group object.

    If you select a group of applications, you can assign application servers to all the applications in the group.

    The General tab is displayed.

  2. Go to the Hosting Application Servers tab.
  3. In the Editable Assignments table, click Add.

    The Add Application Server Assignment window is displayed.

  4. Locate application server or group objects.

    Use the Search field or the navigation tree to find the objects you want.

  5. Select the check box next to the application server or group objects and click Add.

    If you select more than one application server, or a group of application servers, SGD load balances between application servers. See Load Balancing.

    If you select a group of application servers, you select all the application servers in the group.

    The Effective Application Servers table is updated with the selected application servers.

How to Assign Applications to Users

  1. In the Administration Console, go to the Applications tab and select an application object or a group object.

    If you select a group of applications, you can assign all the applications in the group to users.

    The General tab is displayed.

  2. Click the Assigned User Profiles Tab.
  3. In the Editable Assignments table, click Add.

    The Add User Assignment window is displayed.

  4. Locate user profile or directory objects.

    Use the Search field or the navigation tree to find the objects you want.

    You can assign an application to user profile or directory objects.

    If you assign an application to a directory object, all the user profiles contained in that directory object automatically receive the application. This is called inheritance. Assigning an application to directory objects is more efficient.

  5. Select the check box next to the user profile or directory objects and click Add.

    The Effective User Profiles table is updated with the selected users.
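The inheritance rule described above (an application assigned to an OU is received by every user profile beneath it, and the effective assignment tables record where each application came from) is small enough to model directly. The following is an added example in Python, not SGD code: it walks from a user profile DN up through its parent objects and reports, for each application, the object on which the assignment was made. The object names and applications are constructed for the example.

```python
"""Effective application assignments by inheritance (added example, not SGD code).

SGD objects live in a DN-style hierarchy: "o=Example" contains "ou=Sales",
which contains "cn=Jane Doe". An application assigned to an OU is inherited
by every user profile beneath it. This toy model reproduces that rule and
records the origin of each effective assignment.
"""
from typing import Dict, List, Set

# DN of a user profile or directory object -> applications assigned to it
# directly (what the Editable Assignments table holds).
LocalAssignments = Dict[str, Set[str]]


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, honouring backslash-escaped commas."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape pairs intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def ancestors(dn: str) -> List[str]:
    """Return the DN itself followed by each parent DN up to the root."""
    rdns = split_dn(dn)
    return [",".join(rdns[i:]) for i in range(len(rdns))]


def effective_assignments(user_dn: str, local: LocalAssignments) -> Dict[str, str]:
    """Map each application the user receives to the DN it is assigned on.

    Walks from the user profile up through its parent OUs and organization,
    mirroring SGD inheritance. The most specific assignment is recorded as
    the origin; every inherited application is included.
    """
    effective: Dict[str, str] = {}
    for dn in ancestors(user_dn):
        for app in sorted(local.get(dn, ())):
            effective.setdefault(app, dn)
    return effective


# Constructed sample data, not from any real deployment.
SAMPLE_LOCAL: LocalAssignments = {
    "o=Example": {"Webtop Help"},
    "ou=Sales,o=Example": {"CRM", "Order Entry"},
    "cn=Jane Doe,ou=Sales,o=Example": {"Expense Tool"},
    "ou=Engineering,o=Example": {"Issue Tracker"},
}

if __name__ == "__main__":
    for app, origin in effective_assignments(
            "cn=Jane Doe,ou=Sales,o=Example", SAMPLE_LOCAL).items():
        print(f"{app:14} <- {origin}")
```

Running the block prints four applications for Jane Doe: Expense Tool from her own profile, CRM and Order Entry inherited from ou=Sales, and Webtop Help inherited from o=Example. Issue Tracker is not received because ou=Engineering is not one of her ancestors.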

LDAP Assignments

LDAP assignments make use of SGD’s Directory Services Integration feature. With Directory Services Integration, you use an LDAP directory instead of the local repository for holding user information. This means you do not need to create user profile objects in the local repository.

You can only use Directory Services Integration for users who have their user identity established by searching an LDAP directory or Active Directory. This means users must be authenticated by an authentication mechanism that searches an LDAP directory or Active Directory to establish the user identity. See Chapter 2, User Authentication, for the mechanisms that do this.

LDAP assignments are relationships between objects in the SGD repository and objects in an LDAP directory. With LDAP assignments, instead of assigning applications to users, you assign users to applications. In the Administration Console, you do this on the Assigned User Profiles tab for application, document, and group objects. You can assign individual LDAP users, the members of LDAP groups, or the users returned by an LDAP search, as described in the following procedures.

When working with LDAP assignments in the Administration Console, it is useful to display the naming attribute for the objects you work with. By default the Administration Console does not display naming attributes. You enable the display of naming attributes in the Preferences for the Administration Console.

If you want more control over the SGD-specific settings for LDAP users, such as the ability to use copy and paste, or to edit client profiles, see LDAP Mirroring.

The Administration Console shows you which users are configured to receive an application using LDAP assignments, see Reviewing Assignments.

SGD caches the directory data it obtains, see Managing the Directory Services Cache for more details.

See Troubleshooting LDAP Assignments for tips on working with LDAP assignments.

How to Assign Applications to LDAP Users

  1. In the SGD Administration Console, go to the Applications tab.
  2. Select an application or group object and go to the Assigned User Profiles tab.

    Use the Search field or the navigation tree to find the object you want.

    If you select a group object, LDAP users receive all the applications in the group.

  3. In the Editable Assignments table, click the Add button.

    The Add User Assignment window is displayed.

  4. From the Repository list, select Local + LDAP.
  5. (Optional) Select a service object from the View list.

    By default, the first enabled service object in the list of service objects is selected. Only enabled service objects are available in the View list. See Using Service Objects.

  6. Locate the LDAP users you want to assign to the object.

    Use the Search field or the navigation tree to find users in the LDAP directory.

  7. Select the check box next to the LDAP users and click the Add button.

    If you assign several LDAP users to an object, it is more efficient to use an LDAP search.


    Tip - On the command line, you can use the --ldapusers option to assign LDAP users.


    The Add User Assignment window closes and the Editable Assignments table is updated with the LDAP users.

How to Assign Applications to Members of LDAP Groups

  1. In the Administration Console, go to the Applications tab.
  2. Select an application, document, or group object and go to the Assigned User Profiles tab.

    Use the Search field or the navigation tree to find the object you want.

    If you select a group object, all members of the LDAP group receive all the applications in the group.

  3. In the Editable Assignments table, click the Add button.

    The Add User Assignment window is displayed.

  4. From the Repository list, select Local + LDAP.
  5. (Optional) Select a service object from the View list.

    By default, the first enabled service object in the list of service objects is selected. Only enabled service objects are available in the View list. See Using Service Objects.

  6. Locate the LDAP groups you want to assign to the object.

    Use the Search field or the navigation tree to find groups in the LDAP directory.

  7. Select the check box next to the LDAP groups and click the Add button.

    If you assign several groups to an object, it is more efficient to use LDAP searches instead.


    Tip - On the command line, you can use the --ldapgroups option to assign the members of LDAP groups.


    The Add User Assignment window closes and the Editable Assignments table is updated with the LDAP groups.

How to Assign Applications Using LDAP Searches

  1. In the Administration Console, go to the Applications tab.
  2. Select an application, document, or group object and go to the Assigned User Profiles tab.
  3. In the LDAP Searches section configure the LDAP search.

    Do either of the following:

    • Select the Simple Search option and use the LDAP query builder to construct the LDAP search.
    • Select the Advanced Search option and enter the LDAP search string in the LDAP URL or Filter field.

    See Using LDAP Searches for details.

    Use the Preview button to check whether the configured search returns the expected results.


    Tip - On the command line, you can use the --ldapsearch option to configure LDAP searches.


  4. Click Save.

Using LDAP Searches

LDAP searches can be either of the following:

    • An LDAP URL, which specifies a search root and a filter.
    • An LDAP filter, which is applied to all the enabled service objects.

The Administration Console provides a Simple Search and an Advanced Search for configuring LDAP searches.


Note - The Administration Console does not automatically escape the special characters specified in RFC 2254 (now RFC 4515). To use a special character in the Administration Console, you must manually type the escape sequence: a backslash followed by the two-digit hexadecimal code of the character. For example, to search for a user with the common name “John Doe (123456)”, type cn=John Doe\28123456\29 in the search field.


SGD supports the use of extensible matching search filters as specified in RFC2254. This enables you to look up information from components that make up an object’s DN. For example, to assign an application to a user that is contained within any OU called managers (ou=managers), you can use a (&(ou:dn:=managers)) search filter. Active Directory does not support extensible search filters.

As you configure LDAP searches, use the Preview button to check that the search returns the expected results.

Using the Simple Search

The Simple Search enables you to construct an LDAP search using the following commonly-used LDAP and Active Directory attributes.

Attribute Name     Description
c                  The countryName attribute, containing a two-letter ISO 3166 country code.
cn                 The commonName attribute, containing the name of the object. For person objects, this is usually the person's full name.
departmentNumber   The attribute containing the code for a department. The code can be numeric or alphanumeric.
l                  The localityName attribute, containing the name of a locality such as a city or county.
memberOf           The commonly used attribute for managing users in Active Directory. Contains a list of groups to which the user belongs.
sn                 The surname attribute, containing the family name of a person.

Click the Browse button to display the Select Root for LDAP Search window. This window enables you to select an LDAP object to use as the search root. If you have configured more than one service object, use the View list to select a service object to use for the search root. Only enabled service objects are available in the View list. If you specify a search root, the search is formatted as an LDAP URL. If you do not specify a search root, the search is formatted as an LDAP filter. The filter is applied to all the enabled service objects.

When you save a Simple Search, the search string is displayed in the Advanced Search field.

Using the Advanced Search

The Advanced Search field enables you to enter your own LDAP search filter or URL, or to paste in a search from another tool.

If you enter an LDAP URL, use the format ldap:///search. If you include the host, port, and return attribute specification in the URL they are ignored.

You can use the Simple Search to construct a basic search and save it. This loads the simple search into the Advanced Search field. Then select the Advanced Search option to fine tune the search.


Note - If you fine tune a Simple Search in the Advanced Search field and edit it in a way that is not compatible with a Simple Search, you might not be able to edit the search again as a Simple Search. If this happens, you must clear the Advanced Search field and save the change. Then rebuild the Simple Search.


Reviewing Assignments

The Administration Console enables you to review assignments as follows:

By default, LDAP assignments are not displayed. To display LDAP assignments, click the Load LDAP link in the effective assignment tables.

The effective assignment tables enable you to trace the origin of assignments, where the assignment is the result of inheritance, group membership, or an LDAP search.

Tuning LDAP Group Searches

You can tune the LDAP group searches to return the users you require for LDAP assignments by configuring how SGD identifies the users in a group and whether SGD can search nested groups or sub-groups.

Increasing the Group Search Depth

By default, the LDAP group search does not search nested groups or sub-groups. If your organization uses nested groups or sub-groups, you can increase the depth of the search. Increasing the depth might have a negative effect on performance.

To increase the depth of group searches, use the following command:

$ tarantella config edit \
--tarantella-config-ldap-nested-group-depth depth

The default depth is 0. Increase the value of depth to match the depth of the nested groups.

Group Membership Attributes

SGD establishes group membership by searching for attributes on LDAP user objects and LDAP group objects. LDAP user objects are checked before LDAP group objects.

User group membership attributes are attributes on LDAP user objects that list the groups to which the users belong. By default, SGD searches for groups in the isMemberOf, nsroledn, memberOf attributes on LDAP user objects. To configure the user group membership attributes, use the following command:

$ tarantella config edit \
--tarantella-config-ldap-object-member-attributes attribute ...

You can list more than one attribute. Each attribute must be separated by a space. Remember to include the default attributes isMemberOf, nsroledn, memberOf in the list.

Group user membership attributes are attributes on LDAP group objects that list the users that belong to the group. By default, SGD searches for users in the uniquemember and member attributes on LDAP group objects. To configure the group user membership attributes, use the following command:

$ tarantella config edit \
--tarantella-config-ldap-group-member-attributes attribute ...

You can list more than one attribute. Each attribute must be separated by a space. Remember to include the default attributes uniquemember and member in the list.

Short Attributes

If the group membership attributes do not contain the DNs of users, then the group search fails.

You can configure SGD to search short attributes that can be used to identify users. For short attributes to work, they must contain unique values. Short attributes can be on LDAP user objects or LDAP group objects.

To configure SGD to search short attributes on LDAP user objects, use the following command:

$ tarantella config edit \
--tarantella-config-ldap-object-short-attributes attribute ...

You can list more than one attribute. Each attribute must be separated by a space.

To configure SGD to search short attributes on LDAP group objects, use the following command:

# tarantella config edit \
--tarantella-config-ldap-group-short-attributes attribute ...

You can list more than one attribute. Each attribute must be separated by a space.
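The three sections above (Increasing the Group Search Depth, Group Membership Attributes, and Short Attributes) describe one resolution procedure: check the membership attributes on user objects first, then the member attributes on the group object, follow nested groups only as deep as the configured depth, and fall back to a short attribute when a membership value is a login name rather than a DN. The following is an added example in Python, not SGD's implementation, that runs this procedure over a small in-memory directory so the effect of each setting can be seen. It assumes that an object short attribute (such as uid) identifies a user by a non-DN value and that a group short attribute (such as cn) identifies a group the same way; the directory entries, DNs and object classes are constructed for the example.

```python
"""LDAP group membership resolution as the settings above describe it
(added example, not SGD code; schema and data constructed for illustration).
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

Entry = Dict[str, List[str]]      # attribute name -> values
Directory = Dict[str, Entry]      # DN -> entry

OBJECT_MEMBER_ATTRIBUTES = ("isMemberOf", "nsroledn", "memberOf")   # on user objects
GROUP_MEMBER_ATTRIBUTES = ("uniquemember", "member")                # on group objects
USER_CLASS, GROUP_CLASS = "person", "groupOfUniqueNames"            # assumed schema


def _norm(dn: str) -> str:
    """Toy DN normalisation for case-insensitive comparison (ignores escapes)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def _is_dn(value: str) -> bool:
    """A DN's first RDN contains "="; a short value such as "bwong" does not."""
    return "=" in value.split(",", 1)[0]


def _has_class(entry: Entry, cls: str) -> bool:
    return cls.lower() in (c.lower() for c in entry.get("objectClass", []))


def _lookup_short(directory: Directory, attrs: Iterable[str], value: str,
                  cls: str) -> Optional[str]:
    """Find the single entry of class cls whose short attribute equals value."""
    hits = [dn for dn, e in directory.items() if _has_class(e, cls) and any(
        value.lower() in (v.lower() for v in e.get(a, [])) for a in attrs)]
    if len(hits) > 1:        # short attributes must be unique: refuse to guess
        raise ValueError(f"short attribute value {value!r} is not unique")
    return hits[0] if hits else None


def _ref(value: str, directory: Directory, object_short: Iterable[str],
         group_short: Iterable[str]) -> Optional[str]:
    """Turn a membership value (DN or short value) into a normalised DN."""
    if _is_dn(value):
        return _norm(value)
    return (_lookup_short(directory, object_short, value, USER_CLASS)
            or _lookup_short(directory, group_short, value, GROUP_CLASS))


def resolve_group_members(directory: Directory, group_dn: str, *,
                          nested_group_depth: int = 0,
                          object_member_attributes=OBJECT_MEMBER_ATTRIBUTES,
                          group_member_attributes=GROUP_MEMBER_ATTRIBUTES,
                          object_short_attributes: Tuple[str, ...] = (),
                          group_short_attributes: Tuple[str, ...] = ()) -> Set[str]:
    """Return the DNs of the users resolved as members of group_dn."""
    canon = {_norm(dn): dn for dn in directory}            # normalised -> original
    entries = {_norm(dn): e for dn, e in directory.items()}
    users: Set[str] = set()
    pending, seen = [(_norm(group_dn), 0)], set()
    while pending:
        gdn, depth = pending.pop()
        if gdn in seen:
            continue
        seen.add(gdn)
        found: List[str] = []
        # 1. Objects whose own membership attributes name this group (checked first).
        for dn, entry in entries.items():
            for attr in object_member_attributes:
                if any(_ref(v, entries, (), group_short_attributes) == gdn
                       for v in entry.get(attr, [])):
                    found.append(dn)
        # 2. The group object's member attributes (checked second).
        for attr in group_member_attributes:
            for v in entries.get(gdn, {}).get(attr, []):
                target = _ref(v, entries, object_short_attributes, group_short_attributes)
                if target in entries:            # unresolvable values are dropped
                    found.append(target)
        for dn in found:
            if _has_class(entries[dn], USER_CLASS):
                users.add(canon[dn])
            elif depth < nested_group_depth:     # nested group: descend only if allowed
                pending.append((dn, depth + 1))
    return users


SAMPLE_DIRECTORY: Directory = {  # constructed sample data
    "cn=sales,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniquemember": ["cn=Jane Doe,ou=people,dc=example,dc=com",
                         "bwong",                                     # short value, needs uid
                         "cn=eu-sales,ou=groups,dc=example,dc=com"],  # nested group
    },
    "cn=eu-sales,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniquemember": ["cn=Pierre Martin,ou=people,dc=example,dc=com"],
    },
    "cn=Jane Doe,ou=people,dc=example,dc=com": {"objectClass": ["person"], "uid": ["jdoe"]},
    "cn=Bob Wong,ou=people,dc=example,dc=com": {"objectClass": ["person"], "uid": ["bwong"]},
    "cn=Pierre Martin,ou=people,dc=example,dc=com": {"objectClass": ["person"], "uid": ["pmartin"]},
    "cn=Alice Smith,ou=people,dc=example,dc=com": {        # listed on the user side only
        "objectClass": ["person"], "uid": ["asmith"],
        "memberOf": ["cn=sales,ou=groups,dc=example,dc=com"],
    },
}

if __name__ == "__main__":
    sales = "cn=sales,ou=groups,dc=example,dc=com"
    print("depth 0, no short attrs:", resolve_group_members(SAMPLE_DIRECTORY, sales))
    print("depth 1, uid short attr:", resolve_group_members(
        SAMPLE_DIRECTORY, sales, nested_group_depth=1, object_short_attributes=("uid",)))
```

With the defaults, only Jane Doe and Alice Smith are members: the value "bwong" is not a DN and is dropped, and eu-sales is not followed. Adding uid as an object short attribute recovers Bob Wong, and a nested group depth of 1 adds Pierre Martin from eu-sales. This is the same effect as the two tarantella config edit settings above, and it shows why a short attribute that is not unique must be rejected rather than guessed.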

Managing the Directory Services Cache

SGD caches the directory services data it obtains.

If you find that SGD is not detecting changes, you can flush, refresh, or populate the cache manually with the tarantella cache command.

To update the cache of group data, use the following command:

$ tarantella cache --refresh ldapgroups

When you run this command, SGD searches the cache for LDAP groups, queries the directory for the membership of each LDAP group, and then adds the list of users to the cache.

To add group data to the cache, use the following command:

$ tarantella cache --populate ldapgroups

When you run this command, SGD searches the local repository for objects with LDAP group assignments and adds the LDAP groups to the cache. SGD then queries the directory for the membership of each LDAP group and adds the list of users to the cache.

To remove group data from the cache, use the following command:

$ tarantella cache --flush ldapgroups

To remove the LDAP search data from the cache, use the following command:

$ tarantella cache --flush ldapconn-lookups

To reset all LDAP connections, use the following command:

$ tarantella cache --flush ldapconn

To remove all LDAP data from the cache, use the following command:

$ tarantella cache --flush all

By default SGD keeps group data in the cache for 43200 seconds (12 hours). You might want to change how long SGD keeps group data depending on how frequently your LDAP data changes. You do this with the following command:

# tarantella config edit \
--tarantella-config-ldap-ldapgroups-timeout secs

Troubleshooting LDAP Assignments

If LDAP group searches are not returning the expected results, see Tuning LDAP Group Searches.

SGD caches the data it collects from an LDAP directory. If you find that SGD is not detecting changes, you can flush the cached data manually. See Managing the Directory Services Cache.

You can configure a timeout for LDAP operations, so that LDAP searches of a directory that fail to complete are abandoned. See LDAP Operation Timeout.

To help diagnose problems with LDAP assignments, set the following log filters:

server/webtop/*:ldapwebtop%%PID%%.log
server/webtop/*:ldapwebtop%%PID%%.jsl
server/directoryservices/*:ldapwebtop%%PID%%.log
server/directoryservices/*:ldapwebtop%%PID%%.jsl

See Using Log Filters to Troubleshoot Problems With an SGD Server for more information on configuring and using log filters.

The Administration Console has some configuration settings that affect the display of LDAP data, for example the attributes that are used to identify users. If you find that LDAP operations in the Administration Console do not work as you expect, you might have to adjust the settings. See Administration Console Configuration Settings for details.