A.2. Service Objects Tab

The Service Objects tab is where you can view, create, edit, and manage service objects. A service object is a group of configuration settings used for the following SGD authentication mechanisms:

Use the buttons in the Service Objects List table to manage service objects for the SGD array.

Use the Repository Type option to enable either Section A.1.18, “LDAP” or Section A.1.17, “Active Directory” authentication. The Repository Type option is only available if both LDAP and Active Directory service objects have been created.

From the command line, use the tarantella service commands to create, delete, edit, and list service objects. See Section D.97, “tarantella service”.

For more information about service objects, see Section 2.8.4, “Using Service Objects”.

A.2.1. The Service Objects List Table

The Service Objects List table displays the service objects configured for the SGD array.

When you enable LDAP or Active Directory authentication using the Secure Global Desktop Authentication Wizard, a service object called generated is created automatically and the Service Objects List table is shown.

The Service Objects List table includes the following information for each service object:

  • Position. Position of the service object in the table. The highest position is 1. SGD uses the enabled service objects in the order shown.

  • Name. Name of the service object.

  • Enabled/Disabled. Whether the service object is enabled or disabled.

  • Type. Service object type, either LDAP or Active Directory.

  • URL. URL of the LDAP server or Active Directory forest. Where multiple LDAP servers have been specified, multiple URLs are shown.

The New button is used to create a new service object. The new service object is added at the end of the Service Objects List table in last position.

The Edit button is used to edit the selected service object.

The Delete button removes the selected service object.

The Duplicate button makes a copy of the selected service object.

The Enable and Disable buttons switches the enabled state of the selected service object.

The Move Up and Move Down buttons are used to change the position of the selected service object in the table.

You update the Service Objects List table by clicking the Reload button.

When you create, duplicate, or edit a service object, a new window is displayed that enables you to configure the service object. In this window, you can configure only the following commonly-used settings for service objects:

There are also some advanced service object settings that can be configured only from the command line with the tarantella service new or the tarantella service edit commands, see Section 2.8.4, “Using Service Objects” for more details.

A.2.2. Name

Usage: Type the name of the service object in the field.

The name of the service object.

Once you have created a service object, you cannot rename it. Use the Duplicate button in the Service Objects List table to create a copy of the service object with a different name.

The name can only contain lowercase characters, digits, or the characters _ and -.

A.2.3. Type

Usage: Select either the LDAP or Active Directory option.

The Type setting controls which SGD authentication mechanism can use the service object.

Select the LDAP option even if you are using a Microsoft Active Directory server for LDAP authentication.

Active Directory service objects are used only for Active Directory authentication.

Once you have created a service object, you cannot change the type.

A.2.4. Enabled

Usage: Select or deselect the check box.

Whether to enable the service object. A service object must be enabled before SGD can use it.

A.2.5. URLs

Usage: Type one or more uniform resource locators (URLs) in the field. Separate each URL with a semicolon.

For LDAP service objects, type one or more URLs of LDAP directories. The URLs are used in the order they are listed. If the first LDAP directory server listed is unavailable, SGD tries the next one in the list. Alternatively, you can create separate service objects for each URL. SGD uses each service object in their position order. Each LDAP URL has the form ldap://server:port/searchroot. Each of these options is defined as follows:

  • Server. The Domain Name System (DNS) name of the LDAP directory server.

  • Port. The TCP port that the LDAP directory server listens on for connections. You can omit this, and the preceding ":" character, to use the default port.

  • Searchroot. The distinguished name (DN) to use as the search base, for example, dc=example,dc=com. This specifies the part of the LDAP directory used to search for the user identity.

Use an ldaps:// URL if your LDAP directory server uses Secure Sockets Layer (SSL) connections. Extra configuration might be required for SSL connections, see Section 2.4.3.2, “Network Requirements for LDAP Authentication”.

The URLS configured for an LDAP service object must all be of the same type, either ldap:// or ldaps://. You cannot use a mixture of ldap:// and ldaps:// URLs.

For Active Directory service objects, type a the URL of an Active Directory forest. For example, ad://example.com. The URL must start ad://. Only type one URL.

Use the Test button to test the connection to the URLs.

A.2.6. User Name and Password

Usage: Type the user name and password in the fields.

The user name and password of a user that has privileges to search the directory server.

For security reasons, the password is not displayed, even if it has been previously set.

For LDAP service objects, type the DN of the user, for example cn=sgd-user,cn=Users,dc=example,dc=com. This is the administrator bind DN, see Section 2.4.3.3, “LDAP Bind DN and Password Change” for more details. As you can only enter one user name and password, this user must be able to search all LDAP directory servers listed in the URL field. If you need to use different user names and password, create separate service objects. If the directory server supports anonymous binds, you can omit the user name and password. To use anonymous binds, you must be able to perform LDAP queries for user data.

For Active Directory service objects, the user name has the form user@example.com. If you omit the domain name from the user name. SGD uses the information in the URL, Base Domain, and Default Domain fields to obtain a domain. The user must have privileges to search Active Directory for user information.

To configure the user name and password for the directory server on the command line, use the tarantella passcache command. See Section D.54, “tarantella passcache” for more details.

A.2.7. Connection Security

Usage: Select the required option. If the SSL option is selected, an option for using client certificates is enabled.

The mechanism used to secure the connection to an Active Directory server.

  • To use only the Kerberos protocol for secure connections – Select the Kerberos option for Connection Security, and type a user name and password in the User Name and Password fields. This option is selected by default.

  • To use Kerberos and SSL for secure connections – Select the SSL option for Connection Security, and type a user name and password in the User Name and Password fields.

  • To use Kerberos, SSL, and client certificates for secure connections – Select the SSL option for Connection Security, and select the Use Certificates check box.

See Section 2.2.3.5, “SSL Connections to Active Directory” for details of the additional configuration required to use SSL connections.

A.2.8. Active Directory Base Domain

Usage: Type a domain name in the field.

The domain that SGD uses for Active Directory authentication, if users only supply a partial domain when they log in.

For example, if the base domain is set to example.com and a user logs in with the user name rouge@west, SGD authenticates the user as rouge@west.example.com.

A.2.9. Active Directory Default Domain

Usage: Type a domain name in the field.

The domain that SGD uses for Active Directory authentication, if users do not supply a domain when they log in.

For example, if the default domain is set to east.example.com and a user logs in with the user name rouge, SGD authenticates the user as rouge@east.example.com.