3.2. Publishing Applications

Creating objects to represent the applications, application servers, and users in your organization does not, by itself, give users access to applications through SGD. Applications must be published. You publish applications by creating relationships between the objects in the organizational hierarchy. SGD calls these relationships assignments. You publish applications by assigning them to application servers and by assigning them to users.

Assignments can be either local assignments (Section 3.2.1, “Local Assignments”) or LDAP assignments (Section 3.2.2, “LDAP Assignments”):

Assigning applications to application servers is done by using local assignments.

Assigning applications to users is done by using local assignments, LDAP assignments, or a combination of both.

The Administration Console provides several ways of reviewing assignments. See Section 3.2.3, “Reviewing Assignments”.

3.2.1. Local Assignments

Local assignments are relationships between objects in the local repository.

In the Administration Console, you assign applications on the Applications tab. See Section 3.2.1.1, “How to Assign Application Servers to Applications” and Section 3.2.1.2, “How to Assign Applications to Users”.

SGD uses inheritance to make local assignments easier to manage and more efficient. OU and user profile objects can inherit the assignments and settings of their parent objects in the organizational hierarchy. Inheritance is enabled by default. To use inheritance, create user profile objects within OU objects, and then assign applications to the OUs.

3.2.1.1. How to Assign Application Servers to Applications

  1. In the Administration Console, go to the Applications tab and select an application object or a group object.

    If you select a group of applications, you can assign application servers to all the applications in the group.

    The General tab is displayed.

  2. Go to the Hosting Application Servers tab.

  3. In the Editable Assignments table, click Add.

    The Add Application Server Assignment window is displayed.

  4. Locate application server or group objects.

    Use the Search field or the navigation tree to find the objects you want.

  5. Select the check box next to the application server or group objects and click Add.

    If you select more than one application server, or a group of application servers, SGD load balances between application servers. See Section 7.2, “Load Balancing”.

    If you select a group of application servers, you select all the application servers in the group.

    The Effective Application Servers table is updated with the selected application servers.

3.2.1.2. How to Assign Applications to Users

  1. In the Administration Console, go to the Applications tab and select an application object, OU object, or a group object.

    If you select a group of applications or an OU, you can assign all the applications in the group or OU to users.

    The General tab is displayed.

  2. Click the Assigned User Profiles tab.

  3. In the Editable Assignments table, click Add.

    The Add User Assignment window is displayed.

  4. Locate user profile or directory objects.

    Use the Search field or the navigation tree to find the objects you want.

    You can assign an application to user profile or directory objects.

    If you assign an application to a directory object, all the user profiles contained in that directory object automatically receive the application. This is called inheritance. Assigning an application to directory objects is more efficient.

  5. Select the check box next to the user profile or directory objects and click Add.

    The Effective User Profiles table is updated with the selected users.

3.2.2. LDAP Assignments

LDAP assignments make use of SGD's Directory Services Integration feature. With Directory Services Integration, you use an LDAP directory instead of the local repository for holding user information. This means you do not need to create user profile objects in the local repository.

You can only use Directory Services Integration for users whose identity is established by searching an LDAP directory or Active Directory. This means users must be authenticated by an authentication mechanism that establishes user identity from an LDAP directory or Active Directory.

LDAP assignments are relationships between objects in the SGD repository and objects in an LDAP directory. With LDAP assignments, instead of assigning applications to users, you assign users to applications. In the Administration Console, you do this on the Assigned User Profiles tab for application, document, and group objects. You can assign individual LDAP users (Section 3.2.2.1), the members of LDAP groups (Section 3.2.2.2), or the users returned by an LDAP search (Section 3.2.2.3).

When working with LDAP assignments in the Administration Console, it is useful to display the naming attribute for the objects you work with. By default the Administration Console does not display naming attributes. You enable the display of naming attributes in the Preferences for the Administration Console.

If you want more control over the SGD-specific settings for LDAP users, such as the ability to use copy and paste, or to edit client profiles, see Section 3.1.6, “LDAP Mirroring”.

The Administration Console shows you which users are configured to receive an application using LDAP assignments. See Section 3.2.3, “Reviewing Assignments”.

SGD caches the directory data it obtains. See Section 3.2.5, “Managing the Directory Services Cache” for more details.

See Section 3.2.6, “Troubleshooting LDAP Assignments” for tips on working with LDAP assignments.

3.2.2.1. How to Assign Applications to LDAP Users

  1. In the SGD Administration Console, go to the Applications tab.

  2. Select an application or group object and go to the Assigned User Profiles tab.

    Use the Search field or the navigation tree to find the object you want.

    If you select a group object, LDAP users receive all the applications in the group.

  3. In the Editable Assignments table, click the Add button.

    The Add User Assignment window is displayed.

  4. From the Repository list, select Local + LDAP.

  5. (Optional) Select a service object from the View list.

    By default, the first enabled service object in the list of service objects is selected. Only enabled service objects are available in the View list. See Section 2.8.4, “Using Service Objects”.

  6. Locate the LDAP users you want to assign to the object.

    Use the Search field or the navigation tree to find users in the LDAP directory.

  7. Select the check box next to the LDAP users and click the Add button.

    If you assign several LDAP users to an object, it is more efficient to use an LDAP search.

    Tip

    On the command line, you can use the --ldapusers option to assign LDAP users.

    The Add User Assignment window closes and the Editable Assignments table is updated with the LDAP users.

3.2.2.2. How to Assign Applications to Members of LDAP Groups

  1. In the Administration Console, go to the Applications tab.

  2. Select an application, document, or group object and go to the Assigned User Profiles tab.

    Use the Search field or the navigation tree to find the object you want.

    If you select a group object, all members of the LDAP group receive all the applications in the group.

  3. In the Editable Assignments table, click the Add button.

    The Add User Assignment window is displayed.

  4. From the Repository list, select Local + LDAP.

  5. (Optional) Select a service object from the View list.

    By default, the first enabled service object in the list of service objects is selected. Only enabled service objects are available in the View list. See Section 2.8.4, “Using Service Objects”.

  6. Locate the LDAP groups you want to assign to the object.

    Use the Search field or the navigation tree to find groups in the LDAP directory.

  7. Select the check box next to the LDAP groups and click the Add button.

    If you assign several groups to an object, it is more efficient to use LDAP searches instead.

    Tip

    On the command line, you can use the --ldapgroups option to assign the members of LDAP groups.

    The Add User Assignment window closes and the Editable Assignments table is updated with the LDAP groups.

3.2.2.3. How to Assign Applications Using LDAP Searches

  1. In the Administration Console, go to the Applications tab.

  2. Select an application, document, or group object and go to the Assigned User Profiles tab.

  3. In the LDAP Searches section, configure the LDAP search.

    Do either of the following:

    • Select the Simple Search option and use the LDAP query builder to construct the LDAP search.

    • Select the Advanced Search option and enter the LDAP search string in the LDAP URL or Filter field.

    See Section 3.2.2.4, “Using LDAP Searches” for details.

    Use the Preview button to check whether the configured search returns the expected results.

    Tip

    On the command line, you can use the --ldapsearch option to configure LDAP searches.

  4. Click Save.

3.2.2.4. Using LDAP Searches

LDAP searches can be either an LDAP search filter or an LDAP URL. The Administration Console provides a Simple Search and an Advanced Search for configuring LDAP searches.

Note

The Administration Console does not automatically escape the special characters specified in RFC2254. To use a special character in the Administration Console, you must manually type the escape sequence. For example, to search for a user with the common name "John Doe (123456)", type cn=John Doe\0x28123456\0x29 in the search field.

SGD supports the use of extensible matching search filters as specified in RFC2254. This enables you to look up information from components that make up an object's DN. For example, to assign an application to a user that is contained within any OU called managers (ou=managers), you can use a (&(ou:dn:=managers)) search filter. Active Directory does not support extensible search filters.

As you configure LDAP searches, use the Preview button to check that the search returns the expected results.

3.2.2.4.1. Using the Simple Search

The Simple Search enables you to construct an LDAP search using the following commonly-used LDAP and Active Directory attributes.

  • c – The countryName attribute, containing a two-letter ISO 3166 country code.

  • cn – The commonName attribute, containing the name of the object. For person objects, this is usually the person's full name.

  • departmentNumber – The attribute containing the code for a department. The code can be numeric or alphanumeric.

  • l – The localityName attribute, containing the name of a locality such as a city or country.

  • memberOf – The commonly-used attribute for managing users in Active Directory. Contains a list of groups to which the user belongs.

  • sn – The surname attribute, containing the family name of a person.

Click the Browse button to display the Select Root for LDAP Search window. This window enables you to select an LDAP object to use as the search root. If you have configured more than one service object, use the View list to select a service object to use for the search root. Only enabled service objects are available in the View list. If you specify a search root, the search is formatted as an LDAP URL. If you do not specify a search root, the search is formatted as an LDAP filter. The filter is applied to all the enabled service objects.

When you save a Simple Search, the search string is displayed in the Advanced Search field.

3.2.2.4.2. Using the Advanced Search

The Advanced Search field enables you to enter your own LDAP search filter or URL, or to paste in a search from another tool.

If you enter an LDAP URL, use the format ldap:///search. If you include the host, port, and return attribute specification in the URL they are ignored.

You can use the Simple Search to construct a basic search and save it. This loads the simple search into the Advanced Search field. Then select the Advanced Search option to fine-tune the search.

Note

If you fine-tune a Simple Search in the Advanced Search field and edit it in a way that is not compatible with a Simple Search, you might not be able to edit the search again as a Simple Search. If this happens, you must clear the Advanced Search field and save the change. Then rebuild the Simple Search.

3.2.3. Reviewing Assignments

The Administration Console enables you to review assignments as follows:

  • Assigned User Profiles tab for application, document, group, and OU objects – The Effective User Profiles table shows you the users that are assigned the application

  • Assigned Applications tab for user profile, OU, and organization objects – The Effective Applications table shows you the applications that are assigned to users

  • Hosting Application Servers tab on application and group objects – The Effective Application Servers table shows you the application servers that can run an application

  • The Hosted Applications tab on application server and group objects – The Effective Applications table shows you the applications that can run on the application servers

  • The Members tab on group objects – The Effective Members table shows you the members of the group

By default, LDAP assignments are not displayed. To display LDAP assignments, click the Load LDAP link in the effective assignment tables.

The effective assignment tables enable you to trace the origin of assignments, where the assignment is the result of inheritance, group membership, or an LDAP search.

3.2.4. Tuning LDAP Group Searches

The following topics show how you can tune LDAP group searches to return the users you require for LDAP assignments.

3.2.4.1. Increasing the Group Search Depth

By default, the LDAP group search does not search nested groups or sub-groups. If your organization uses nested groups or sub-groups, you can increase the depth of the search. Increasing the depth might have a negative effect on performance.

To increase the depth of group searches, use the following command:

$ tarantella config edit \
--tarantella-config-ldap-nested-group-depth depth

The default depth is 0. Increase the value of depth to match the depth of the nested groups.

3.2.4.2. Group Membership Attributes

SGD establishes group membership by searching for attributes on LDAP user objects and LDAP group objects. LDAP user objects are checked before LDAP group objects.

User group membership attributes are attributes on LDAP user objects that list the groups to which the users belong. By default, SGD searches for groups in the isMemberOf, nsroledn, memberOf attributes on LDAP user objects. To configure the user group membership attributes, use the following command:

$ tarantella config edit \
--tarantella-config-ldap-object-member-attributes attribute ...

You can list more than one attribute. Each attribute must be separated by a space. Remember to include the default attributes isMemberOf, nsroledn, memberOf in the list.

Group user membership attributes are attributes on LDAP group objects that list the users that belong to the group. By default, SGD searches for users in the uniquemember and member attributes on LDAP group objects. To configure the group user membership attributes, use the following command:

$ tarantella config edit \
--tarantella-config-ldap-group-member-attributes attribute ...

You can list more than one attribute. Each attribute must be separated by a space. Remember to include the default attributes uniquemember and member in the list.

3.2.4.3. Short Attributes

If the group membership attributes do not contain the DNs of users, then the group search fails.

You can configure SGD to search short attributes that can be used to identify users. For short attributes to work, they must contain unique values. Short attributes can be on LDAP user objects or LDAP group objects.

To configure SGD to search short attributes on LDAP user objects, use the following command:

$ tarantella config edit \
--tarantella-config-ldap-object-short-attributes attribute ...

You can list more than one attribute. Each attribute must be separated by a space.

To configure SGD to search short attributes on LDAP group objects, use the following command:

# tarantella config edit \
--tarantella-config-ldap-group-short-attributes attribute ...

You can list more than one attribute. Each attribute must be separated by a space.
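The settings in Section 3.2.4.1 to Section 3.2.4.3 can be seen working together in the following added example (illustrative Python, not SGD's own code) that resolves group membership on a constructed in-memory directory. The LdapConfig class, the directory, its DNs and the way short attribute values on a group are matched against short attributes on user objects are assumptions of this illustration; the attribute names and the default depth are the ones the page gives.

```python
# Added example, not SGD's own code: a model of the group-membership resolution
# described in Section 3.2.4, run on a constructed in-memory directory. The
# directory, its DNs, the LdapConfig class and the way short attribute values
# are matched are assumptions; attribute names and default depth are the page's.
from dataclasses import dataclass

@dataclass
class LdapConfig:  # one field per tarantella config edit setting in Section 3.2.4
    nested_group_depth: int = 0          # --tarantella-config-ldap-nested-group-depth
    object_member_attributes: tuple = ("isMemberOf", "nsroledn", "memberOf")
    group_member_attributes: tuple = ("uniquemember", "member")
    object_short_attributes: tuple = ()  # --tarantella-config-ldap-object-short-attributes
    group_short_attributes: tuple = ()   # --tarantella-config-ldap-group-short-attributes

BASE = "dc=example,dc=com"
# Constructed directory: DN -> attributes. Groups live under ou=groups.
DIRECTORY = {
    f"uid=alice,ou=people,{BASE}": {"uid": ["alice"], "memberOf": [f"cn=sales,ou=groups,{BASE}"]},
    f"uid=bob,ou=people,{BASE}": {"uid": ["bob"]},
    f"uid=carol,ou=people,{BASE}": {"uid": ["carol"]},
    # sales lists bob by DN and nests the sales-emea group
    f"cn=sales,ou=groups,{BASE}": {"member": [f"uid=bob,ou=people,{BASE}", f"cn=sales-emea,ou=groups,{BASE}"]},
    # sales-emea lists carol by a short attribute value (her uid), not by DN
    f"cn=sales-emea,ou=groups,{BASE}": {"memberUid": ["carol"]},
}

def _is_group(dn: str) -> bool:
    return ",ou=groups," in dn

def _users_with_short_value(value: str, cfg: LdapConfig) -> list:
    """Users whose configured short attributes carry value; must be unique."""
    hits = [dn for dn, attrs in DIRECTORY.items() if not _is_group(dn)
            and any(value in attrs.get(a, []) for a in cfg.object_short_attributes)]
    if len(hits) > 1:
        raise ValueError(f"short attribute value {value!r} is not unique")
    return hits

def members_of(group_dn: str, cfg: LdapConfig, depth=None) -> set:
    """Resolve the users of group_dn: user objects are checked before group
    objects, and nested groups are followed only while depth remains."""
    depth = cfg.nested_group_depth if depth is None else depth
    users = set()
    # 1. Attributes on user objects that name the group (isMemberOf, nsroledn, memberOf).
    for dn, attrs in DIRECTORY.items():
        if not _is_group(dn) and any(group_dn in attrs.get(a, []) for a in cfg.object_member_attributes):
            users.add(dn)
    group = DIRECTORY.get(group_dn, {})
    # 2. Attributes on the group object that list its members (uniquemember, member).
    for attr in cfg.group_member_attributes:
        for value in group.get(attr, []):
            if _is_group(value):
                if depth > 0:  # nested group: follow it and spend one level of depth
                    users |= members_of(value, cfg, depth - 1)
            elif value in DIRECTORY:
                users.add(value)  # member listed by DN
    # 3. Short attributes on the group, matched against short attributes on users.
    for attr in cfg.group_short_attributes:
        for value in group.get(attr, []):
            users.update(_users_with_short_value(value, cfg))
    return users
```

With the defaults, carol is never found: the nested sales-emea group is not followed at depth 0, and even at depth 1 her membership is only visible once memberUid and uid are configured as short attributes; clearing group_member_attributes (as Section 3.2.4.4 does to rely on tokenGroups) leaves only the users whose own attributes name the group.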

3.2.4.4. Speeding Up Active Directory Group Searches

To speed up group searches for Active Directory users, you can configure SGD to search using the tokenGroups property of the Active Directory user object. Using tokenGroups can reduce webtop generation time for Active Directory environments that have heavily nested group membership and no membership attributes.

To configure SGD to use the tokenGroups property, use the following command:

# tarantella config edit \
--tarantella-config-ad-support-token-groups 1

Searching using tokenGroups is done in addition to using LDAP group user membership attributes, as described in Section 3.2.4.2, “Group Membership Attributes”. To speed up group searches even more, you can disable searching using group user membership attributes. Use the following command:

$ tarantella config edit \
--tarantella-config-ldap-group-member-attributes ""

Note that this command will disable any group searches that do not use tokenGroups.

3.2.5. Managing the Directory Services Cache

SGD caches the directory services data it obtains.

If you find that SGD is not detecting changes, you can flush, refresh, or populate the cache manually with the tarantella cache command.

To update the cache of group data, use the following command:

$ tarantella cache --refresh ldapgroups

When you run this command, SGD searches the cache for LDAP groups, queries the directory for the membership of each LDAP group, and then adds the list of users to the cache.

To add group data to the cache, use the following command:

$ tarantella cache --populate ldapgroups

When you run this command, SGD searches the local repository for objects with LDAP group assignments and adds the LDAP groups to the cache. SGD then queries the directory for the membership of each LDAP group and adds the list of users to the cache.

To remove group data from the cache, use the following command:

$ tarantella cache --flush ldapgroups

To remove the LDAP search data from the cache, use the following command:

$ tarantella cache --flush ldapconn-lookups

To reset all LDAP connections, use the following command:

$ tarantella cache --flush ldapconn

To remove all LDAP data from the cache, use the following command:

$ tarantella cache --flush all

By default, SGD keeps group data in the cache for 43200 seconds (12 hours). You might want to change how long SGD keeps group data depending on how frequently your LDAP data changes. You do this with the following command:

# tarantella config edit \
--tarantella-config-ldap-ldapgroups-timeout secs

3.2.6. Troubleshooting LDAP Assignments

If LDAP group searches are not returning the expected results, see Section 3.2.4, “Tuning LDAP Group Searches”.

SGD caches the data it collects from an LDAP directory. If you find that SGD is not detecting changes, you can flush the cached data manually. See Section 3.2.5, “Managing the Directory Services Cache”.

You can configure an LDAP timeout to limit how long SGD waits when LDAP searches of an LDAP directory fail. See Section 2.8.14, “LDAP Operation Timeout”.

To help diagnose problems with LDAP assignments, set the following log filters:

server/webtop/*:ldapwebtop%%PID%%.log
server/webtop/*:ldapwebtop%%PID%%.jsl
server/directoryservices/*:ldapwebtop%%PID%%.log
server/directoryservices/*:ldapwebtop%%PID%%.jsl

See Section 7.4.3, “Using Log Filters to Troubleshoot Problems With an SGD Server” for more information on configuring and using log filters.

The Administration Console has some configuration settings that affect the display of LDAP data, for example the attributes that are used to identify users. If you find that LDAP operations in the Administration Console do not work as you expect, you might have to adjust the settings. See Section 7.3.4, “Administration Console Configuration Settings” for details.