Security

Use the Security page to determine the type of security provided for those users in the post office who have not set GroupWise® passwords on their mailboxes. Other authentication methods besides GroupWise passwords can be employed to protect mailboxes.

After users set their GroupWise passwords, the post office security options no longer apply (unless you are using LDAP authentication). The users who have set GroupWise passwords are always prompted for their passwords unless Allow Password Caching, Allow eDirectory Authentication instead of Password, Enable Single Sign-On, or Use Collaboration Single Sign-On (CASA) is turned on under Client Security Options in ConsoleOne®.

Low Security
With low security, passwordless mailboxes are unprotected. Users can access other users' passwordless mailboxes using the @u-userID client startup switch.

High Security
With high security, users must be successfully logged in to a network before they can access their own passwordless mailboxes. They cannot access other users' passwordless mailboxes. This is the default security setting.

To provide security for mailboxes beyond network authentication, you can enable eDirectory authentication, LDAP authentication, or both.

eDirectory Authentication
Select eDirectory Authentication to require that GroupWise users be logged in to eDirectory before they can access their passwordless mailboxes.

LDAP Authentication
Select LDAP authentication to require that users' LDAP passwords be used to access their mailboxes.

The POA typically performs the LDAP authentication. The GroupWise client, Internet Agent, and WebAccess Agent can authenticate users through the POA when they are configured in client/server mode. The GroupWise 6.x and later Internet Agent and WebAccess Agent can perform LDAP authentication themselves when connecting to the post office in direct access mode. Older GroupWise clients and agents cannot perform LDAP authentication in direct access mode.

Before you provide LDAP server information specific to this post office, you should provide general configuration information for all of the LDAP servers that are available in your system. Use Tools > GroupWise System Operations > LDAP Servers to provide configuration information about your LDAP servers, then configure this post office for LDAP authentication.

LDAP User Name
If you want the POA that services this post office to access the LDAP server with specific rights to the LDAP directory, specify a user name that has the desired rights.

If you are using a Novell LDAP server, you can browse for an eDirectory User object. The information returned from eDirectory uses the following format:

cn=username,ou=orgunit,o=organization

If you are using another LDAP server, you must type the information in the format used by that LDAP server.

If you do not provide an LDAP user name, the POA accesses the LDAP server with a public or anonymous connection for a Compare connection or with the GroupWise user's user name for a Bind connection, as configured for the LDAP server using Tools > GroupWise System Operations > LDAP Servers.

LDAP Password
If the LDAP user name requires a password, click Set Password, specify the password, retype the password for verification, then click Set Password.

Disable LDAP Password Changing
Select this option to prevent GroupWise users that belong to this post office from changing their LDAP passwords by using the Password dialog box in the GroupWise client.

When this option is deselected, if users change their passwords using Tools > Options > Security > Password in the GroupWise client, their LDAP passwords are changed to match the new passwords provided in the GroupWise client.

Inactive Connection Timeout
Specify the number of seconds the POA should maintain an inactive connection to the LDAP server. The default is 30 seconds.

LDAP Pool Server Reset Timeout
If you have multiple LDAP servers configured into a pool for this post office, specify the number of minutes the POA should wait before trying to contact an LDAP server in the pool that failed to respond to the previous contact. The default is 5 minutes.

LDAP Server Quarantine Threshold
Specify the number of consecutive failed contacts after which the POA no longer attempts to contact the unavailable LDAP server. The default is 2. After you restart the quarantined LDAP server, it is reinstated into the LDAP server pool and the POA resumes contact.

Select Servers
Click Select Servers to specify which LDAP servers the POA should contact when authenticating GroupWise users that belong to this post office.

By selecting multiple LDAP servers for this post office, you create a pool of LDAP servers that can authenticate GroupWise users. Whenever the POA needs to access an LDAP server, it contacts a different one. This provides load balancing and fault tolerance, so that GroupWise users can authenticate quickly and reliably to their GroupWise mailboxes.

When GroupWise agents other than the POA connect to the post office in direct access mode, the LDAP server pooling functionality is not available. These direct access agents contact the first LDAP server in the server list. If that server is unavailable, they are unable to authenticate.
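The reset timeout, quarantine threshold, and server pool described above interact, so the following added Python model (not Novell code) simulates them together. Round-robin rotation, the `reinstate()` call standing in for an administrator restarting a server, and the server names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Server:
    name: str
    failures: int = 0         # consecutive failed contacts
    retry_at: float = 0.0     # minute at which contact may be retried
    quarantined: bool = False

class LdapPool:
    """Toy model of a POA's LDAP server pool (assumed semantics, times in minutes)."""
    def __init__(self, names, reset_timeout=5, quarantine_threshold=2):
        self.servers = [Server(n) for n in names]
        # Page defaults: 5-minute reset timeout, quarantine after 2 failures.
        self.reset_timeout, self.threshold = reset_timeout, quarantine_threshold
        self._next = 0

    def authenticate(self, now, is_up):
        """Return the name of the server that answered at minute `now`, else None."""
        for _ in range(len(self.servers)):
            s = self.servers[self._next]
            self._next = (self._next + 1) % len(self.servers)  # rotate through the pool
            if s.quarantined or now < s.retry_at:
                continue                  # not contacted at all
            if is_up(s.name):
                s.failures = 0
                return s.name
            s.failures += 1
            s.retry_at = now + self.reset_timeout
            s.quarantined = s.failures >= self.threshold
        return None

    def reinstate(self, name):  # assumption: models the administrator's restart
        self.servers = [Server(name) if s.name == name else s for s in self.servers]

def direct_access_authenticate(names, is_up):
    """Direct access agents contact only the first listed server, with no failover."""
    return names[0] if is_up(names[0]) else None

def run_scenario():
    """Constructed scenario: ldap1 is down for the first five logins, then restarted."""
    names, down = ["ldap1", "ldap2", "ldap3"], {"ldap1"}
    is_up = lambda n: n not in down
    pool = LdapPool(names)
    during = [pool.authenticate(t, is_up) for t in (0, 1, 2, 5, 6)]
    direct = direct_access_authenticate(names, is_up)
    down.clear()                          # ldap1 is reachable again but still quarantined
    after = [pool.authenticate(t, is_up) for t in (20, 21)]
    pool.reinstate("ldap1")
    rejoined = [pool.authenticate(t, is_up) for t in (22, 23)]
    return during, direct, after, rejoined
```

Calling `run_scenario()` shows that pool logins keep succeeding while `ldap1` is down, that the direct access agent fails for the whole outage, and that `ldap1` serves no logins until it is reinstated.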




A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. For more information, see Legal Notices.