Publishing

i5/OS provides the ability to have the system publish certain kinds of information to an LDAP directory. That is, the system will create and update LDAP entries representing various types of data.

i5/OS has built-in support for publishing the following information to an LDAP server:

Users

When you configure the operating system to publish the information type Users to the Directory Server, it automatically exports entries from the system distribution directory to the Directory Server. It uses the QGLDSSDD application program interface (API) to do this. This also keeps the LDAP directory synchronized with changes that are made in the system distribution directory. For information about the QGLDSSDD API, see "Directory Server APIs" in the Programming topic.

Publishing users is useful for providing LDAP search access to information from the system distribution directory (for example, to provide LDAP address book access to LDAP-enabled POP3 mail clients like Netscape Communicator or Microsoft Outlook Express).

Published users can also be used to support LDAP authentication with some users published from the system distribution directory, and other users added to the directory by other means. A published user has a uid attribute that names the user profile, and has no userPassword attribute. When a bind request is received for an entry like this, the server calls the operating system security to validate the uid and password as a valid user profile and password for that profile. If you want to use LDAP authentication, and would like existing users to be able to authenticate using their operating system passwords, while non-i5/OS users are added to the directory manually, you should consider this function.
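The following added example (not IBM code, and not part of the original topic) audits an LDIF export of the directory and labels each entry by the attribute pattern described above: a uid with no userPassword means the bind is validated against the operating system user profile. The sample LDIF, its DNs and the three label names are constructed for illustration, and the classification assumes the attribute pattern alone identifies such entries.

```python
import base64
import re

# Constructed sample export; DNs, names and the password value are made up.
SAMPLE_LDIF = """\
# published from the system distribution directory: uid, no userPassword
dn: cn=JSMITH,cn=users,o=example
uid: JSMITH

dn: cn=partner1,cn=users,o=example
uid: partner1
userPassword:: e1NIQX1jb25zdHJ1Y3RlZA==

dn: cn=FOLDED1,cn=users,
 o=example
UID: FOLDED1

dn: cn=users,o=example
objectClass: container
"""

def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute name: [values]} dicts."""
    text = re.sub(r"\r?\n ", "", text)           # unfold continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text):     # records are separated by blank lines
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            value = rest.strip()
            if rest.startswith(":"):             # "attr:: value" is base64-encoded
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.strip().lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries

def classify(entry):
    """Label an entry by the attributes that decide how a bind is validated."""
    if entry.get("userpassword"):
        return "directory-password"
    if entry.get("uid"):
        return "os-profile-passthrough"          # uid present, no userPassword
    return "no-bind-credential"

def audit(text):
    # Records without a dn (such as a leading "version: 1") are skipped.
    return {e["dn"][0]: classify(e) for e in parse_ldif(text) if "dn" in e}
```

Running `audit()` over a periodic export and comparing the `os-profile-passthrough` set with the list of profiles you intended to publish shows which operating system passwords can be tested through an LDAP bind.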

Another way to publish users is to take entries from an existing HTTP validation list and create corresponding LDAP entries in the directory server. This is done through the QGLDPUBVL application program interface (API). This API creates inetOrgPerson directory entries with passwords that are linked to the original validation list entry. The API can be run once or scheduled to run periodically to check for new entries to add to the directory server.

Note:
Only validation list entries created for use with the HTTP Server (powered by Apache) are supported by this API. Existing entries in the directory server will not be updated. Users that are deleted from the validation list are not detected.

Once users are added to the directory they can authenticate to applications that use the validation list as well as applications that support LDAP authentication. For more information about the QGLDPUBVL API, see "Directory Server APIs" in the Programming topic.

System information

When you configure the operating system to publish the information type System to the Directory Server, the following types of information are published:

Printer information that can be published includes:

This information comes from the device description on the system being published. In a network environment, users can use this information to help select a printer. The information is first published when a printer is selected to be published, and it is updated when a printer writer is stopped or started, or the printer device description is changed.

Printer shares

When you configure the operating system to publish printer shares, information about the selected iSeries NetServer printer shares is published to the configured Active Directory server. Publishing print shares to an Active Directory allows users to add iSeries printers to their Windows 2000 desktop with the Windows 2000 Add Printer wizard. To do this in the Add Printer wizard, specify that you want to find a printer in the Windows 2000 Active Directory. You must publish print shares to a directory server that supports Microsoft's Active Directory schema.

TCP/IP Quality of Service

The TCP/IP Quality of Service (QOS) server can be configured to use a shared QOS policy defined in an LDAP directory using an IBM defined schema. The TCP/IP QOS publishing agent is used by the QOS server to read the policy information; it defines the server, authentication information, and where in the directory the policy information is stored.

You can also create an application to publish or search for other kinds of information in an LDAP directory using this framework by defining additional publishing agents and making use of the directory publishing APIs. For more information, see Publish information to the Directory Server and Directory Server APIs in the Programming topic.