Contents

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• Conventions

1 Deploying Logon Manager with Microsoft Active Directory

• 1.1 Logon Manager and Active Directory Environments
  • 1.1.1 How Logon Manager Extends Your Active Directory Schema
  • 1.1.2 How Logon Manager Synchronizes with Active Directory
  • 1.1.3 How Logon Manager Handles and Stores Application Credentials
  • 1.1.4 Further Reading
• 1.2 Designing the Logon Manager Active Directory Sub-Tree
  • 1.2.1 Guidelines for Structuring the Sub-Tree
  • 1.2.2 Version Control and Pre-Flight Testing of Templates and Policies
  • 1.2.3 Precautions for Configuring Object Access Control Lists Using the Console
  • 1.2.4 Precautions for Upgrading the Agent and Console
• 1.3 Global Agent Settings vs. Administrative Overrides
• 1.4 Recommended Global Agent Settings
  • 1.4.1 Data Storage Settings
    • 1.4.1.1 Use Configuration Objects
    • 1.4.1.2 Specify the Path to the Logon Manager Configuration Objects
    • 1.4.1.3 Store User Credentials Under Respective User Objects
  • 1.4.2 Repository Connection Settings
    • 1.4.2.1 Let Logon Manager Find the Nearest Domain Controller
    • 1.4.2.2 SSL Support
    • 1.4.2.3 Select the Credentials to Use when Authenticating to the Directory
    • 1.4.2.4 Decide Whether to Prompt the User when Disconnected from the Directory
    • 1.4.2.5 Let Logon Manager Search for User Accounts
    • 1.4.2.6 Add the Active Directory Synchronizer to the Synchronizer Order List
    • 1.4.2.7 Make the Logon Manager Agent Wait for Synchronization on Startup
    • 1.4.2.8 Use Optimized Synchronization
  • 1.4.3 Restrict Disconnected Operation
• 1.5 Recommended Administrative Overrides
• 1.6 Overview of the Deployment Process
• 1.7 Preparing Active Directory for Logon Manager
  • 1.7.1 Extending the Schema
  • 1.7.2 Enabling the Storage of User Credentials under User Objects
  • 1.7.3 Creating the Configuration Object Container and Sub-Tree Structure
• 1.8 Configuring the Active Directory Synchronizer
• 1.9 Testing the Logon Manager Configuration

2 Deploying Logon Manager
with Microsoft AD LDS (ADAM)

• 2.1 Logon Manager and AD LDS (ADAM) Environments
  • 2.1.1 Benefits of AD LDS (ADAM)-Based Deployments
  • 2.1.2 Active Directory vs. AD LDS (ADAM)
  • 2.1.3 How Logon Manager Extends the AD LDS (ADAM) Schema
  • 2.1.4 How Logon Manager Synchronizes with AD LDS (ADAM)
  • 2.1.5 How Logon Manager Handles and Stores Application Credentials
  • 2.1.6 Benefits of Load-Balancing an Logon Manager Deployment
  • 2.1.7 Further Reading
• 2.2 Designing the AD LDS (ADAM) Directory Sub-Tree
  • 2.2.1 Guidelines for Structuring the AD LDS (ADAM) Sub-Tree for Logon Manager
  • 2.2.2 Version Control and Pre-Flight Testing of Templates and Policies
  • 2.2.3 Precautions for Configuring Object Access Control Lists Using the Console
  • 2.2.4 Precautions for Upgrading the Agent and Console
• 2.3 Global Agent Settings vs. Administrative Overrides
• 2.4 Recommended Global Agent Settings
  • 2.4.1 Use Configuration Objects
  • 2.4.2 Configure a Server List with Desired Failover Order
  • 2.4.3 Specify the Path to the Logon Manager Configuration Objects
  • 2.4.4 SSL Support
  • 2.4.5 Select the Credentials to Use when Authenticating to the Repository
  • 2.4.6 Configure Logon Manager to Use a Specific People OU
  • 2.4.7 Choose Whether to Prompt the User when Disconnected from the Repository
  • 2.4.8 Add the AD LDS (ADAM) Synchronizer to the Synchronizer Order List
  • 2.4.9 Make the Logon Manager Agent Wait for Synchronization on Startup
  • 2.4.10 Use Optimized Synchronization
  • 2.4.11 Restrict Disconnected Operation
• 2.5 Recommended Administrative Overrides
• 2.6 Overview of the Deployment Process
• 2.7 Creating an AD LDS (ADAM) Instance
• 2.8 Preparing the AD LDS (ADAM) Instance for Logon Manager
  • 2.8.1 Extending the Schema
  • 2.8.2 Creating the People OU
  • 2.8.3 Creating the Configuration Object Container and Sub-Tree Structure
  • 2.8.4 Granting Required Permissions to Logon Manager Users
• 2.9 Configuring the AD LDS (ADAM) Synchronizer

3 Deploying Logon Manager with an LDAP Directory

• 3.1 Logon Manager and LDAP Environments
  • 3.1.1 How Logon Manager Extends Your Directory Schema
  • 3.1.2 How Logon Manager Synchronizes with Your Directory
  • 3.1.3 Benefits of Load-Balancing a Logon Manager Deployment
  • 3.1.4 How Logon Manager Handles and Stores Application Credentials
  • 3.1.5 Further Reading
• 3.2 Designing the Logon Manager Directory Sub-Tree
  • 3.2.1 Guidelines for Structuring the Logon Manager Sub-Tree
  • 3.2.2 Special Directory Objects Required by Logon Manager
  • 3.2.3 Version Control and Pre-Flight Testing of Templates and Policies
  • 3.2.4 Precautions for Configuring Object Access Control Lists Using the Console
  • 3.2.5 Precautions for Upgrading the Agent and Console
• 3.3 Global Agent Settings vs. Administrative Overrides
• 3.4 Recommended Global Agent Settings
  • 3.4.1 Select the Correct Repository Type
  • 3.4.2 Configure a Server List with Desired Failover Order
  • 3.4.3 Specify the Path to the Logon Manager Configuration Objects
  • 3.4.4 Use Configuration Objects
  • 3.4.5 SSL Support
  • 3.4.6 Specify the Path(s) to User Accounts
  • 3.4.7 Enable Directory Search for Users
  • 3.4.8 Set the Naming Attribute String
  • 3.4.9 Decide Whether to Prompt the User when Disconnected from the Directory
  • 3.4.10 Share LDAP Synchronizer Credentials with Authenticators
  • 3.4.11 Add the LDAP Synchronizer to the Synchronizer Order List
  • 3.4.12 Set the Authentication Prompt Window Title
  • 3.4.13 Make the Logon Manager Agent Wait for Synchronization on Startup
  • 3.4.14 Use Optimized Synchronization
  • 3.4.15 Restrict Disconnected Operation
• 3.5 Recommended Administrative Overrides
• 3.6 Overview of the Deployment Process
• 3.7 Preparing the Directory for Logon Manager
  • 3.7.1 Extending the Schema
  • 3.7.2 Creating the Sub-Tree Root and the Configuration Object Container
  • 3.7.3 Creating the People OU
  • 3.7.4 Creating the vGOLocator Pointer Object
• 3.8 Selecting and Configuring an Authenticator
• 3.9 Configuring the LDAP Synchronizer

4 Appendix A: Minimum Administrative Rights for Logon Manager Repository Objects

• 4.1 Minimum Administrative Rights Required by Logon Manager Containers
• 4.2 Minimum Administrative Rights Required for Credential Auditing
• 4.3 Minimum Administrative Rights Required for Credential Deletion

5 Appendix B: Logon Manager Repository Object Classes and Attributes

• 5.1 vGOUserData
• 5.2 vGOSecret
• 5.3 vGOConfig
• 5.4 vGOLocatorClass

6 Appendix C: Troubleshooting Logon Manager on Microsoft Active Directory

• 6.1 Active Directory Schema Extension Failures
• 6.2 All Users Unable to Store Credentials Under User Objects
• 6.3 Select Users Unable to Store Credentials Under User Objects

7 Troubleshooting Logon Manager
on Microsoft AD LDS (ADAM)

• 7.1 The Target AD LDS (ADAM) Instance is Not Running
• 7.2 AD LDS (ADAM) Instance is Running on Non-Default Ports
• 7.3 Account Used to Connect to AD LDS (ADAM) Does Not Have the Required Privileges

8 Appendix E: Creating the Required User Groups on AD LDS (ADAM)

9 Appendix F: Configuring Oracle Internet Directory

10 Appendix G: Configuring Oracle Virtual Directory