May 07, 2009

Authentication and Single Sign-on Integration

This article focuses on the integration between the AXIGEN messaging solution and the eDirectory directory service developed by Novell.
The interaction between the two products is limited to user authentication. By following the steps described here, the authentication that AXIGEN normally performs against its internal account database is delegated to eDirectory. This centralises credential management and keeps passwords consistent across the applications and network services that already rely on the directory.

AXIGEN Configuration

Before proceeding with the AXIGEN / eDirectory authentication configuration, you need to enable the LDAP interface of the Novell eDirectory service, since LDAP is the only channel AXIGEN uses to reach the directory. Consult the eDirectory manual provided by the vendor on how to do this if it is not already enabled.

Figure no. 1

Before the AXIGEN server can authenticate account credentials against eDirectory, you need to create an LDAP connector for this purpose:
  • Log in to the AXIGEN WebAdmin interface with an administrative user that has sufficient privileges;
  • Go to the LDAP Connectors tab in the Clustering Setup context;
  • Add a new LDAP connector or edit an existing one;
  • Enter the IP / Hostname and Port values of the eDirectory LDAP interface;
  • Set the server type to OpenLDAP, the closest match to the eDirectory schema;
  • Select the Use anonymous bind radio button. eDirectory must then permit an anonymous search for the uid attribute under the base DN, otherwise the lookup described below returns nothing and no account can log in;
  • Enter the Account base DN, the container under which the user entries live; it should look similar to dc=novell,dc=local;
  • Leave the remaining options at their defaults (reset them if they have been modified) and save the new configuration.

Figure no. 2

Next, the authentication method has to be changed in the AXIGEN configuration. Note that this setting is global and affects every service that performs an account login (SMTP authentication, POP3, IMAP and WebMail alike):
  • Go to the Routing and Authentication tab in the Clustering Setup context.
  • In the Authentication Type section, select LDAP Password from the drop-down box.
  • In the second drop-down box, select the connector you configured for eDirectory.
  • Click the Save Configuration button at the bottom of the page.

Figure no. 3

Once both procedures are complete, the AXIGEN Mail Server services will perform an LDAP search under the configured base DN for the eDirectory entry whose uid attribute matches the AXIGEN account name, and will then bind to eDirectory as that entry with the password the user supplied. A successful bind means the credentials are accepted, so all accounts log in with their eDirectory password and can perform further directory lookups on the bound connection. Because the password travels to eDirectory inside the bind request, keep the link between the two servers on a trusted network segment, or on an encrypted LDAP session where both sides support one.

Final Considerations

If two or more eDirectory entries carry the same uid value, the lookup returns more than one entry and none of them will be able to authenticate. To prevent this, make sure the eDirectory configuration is POSIX compliant and that all uid values are unique. By default, Novell eDirectory does not allow the addition of entries with non-unique uid attributes, so in most standard installations this should not be an issue.
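The search-then-bind flow described above, together with the duplicate-uid failure mode, as an added example that is not AXIGEN's or Novell's code. The directory entries, passwords and base DN are constructed in memory so the logic runs offline; against a real server the two steps map onto an anonymous LDAP search followed by a simple bind as the DN the search returned. The example goes slightly beyond the text in two places a practitioner would want: the account name is escaped before it is placed in the filter (RFC 4515), so a name such as "*" matches literally rather than every entry, and an empty password is refused up front, because an LDAP simple bind with a DN and an empty password succeeds as an anonymous session rather than failing.

```python
"""Search-then-bind authentication modelled on the AXIGEN/eDirectory flow.

Added example, not code from AXIGEN or Novell. DIRECTORY, BASE_DN and the
passwords are constructed for the example; a real deployment never sees the
stored secret, eDirectory compares the password itself during the bind.
"""
import hmac
import re

# Constructed sample directory: DN -> attributes. 'carol' appears twice on
# purpose to reproduce the non-unique uid case from Final Considerations.
DIRECTORY = {
    "cn=alice,ou=users,dc=novell,dc=local": {"uid": "alice", "userPassword": "s3cret"},
    "cn=bob,ou=users,dc=novell,dc=local": {"uid": "bob", "userPassword": "hunter2"},
    "cn=carol,ou=users,dc=novell,dc=local": {"uid": "carol", "userPassword": "pw1"},
    "cn=carol2,ou=contractors,dc=novell,dc=local": {"uid": "carol", "userPassword": "pw2"},
}
BASE_DN = "dc=novell,dc=local"  # the connector's Account base DN


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).
    Unescaped, '*' is a wildcard and '(' ')' '\\' restructure the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_filter(account_name: str) -> str:
    """The lookup filter: match the eDirectory uid attribute against the
    AXIGEN account name, with the name escaped so it is matched literally."""
    return "(uid=%s)" % escape_filter_value(account_name)


_FILTER_RE = re.compile(r"^\((\w+)=(.*)\)$")


def _filter_matches(filter_str: str, attrs: dict) -> bool:
    """Minimal stand-in for the server side of the search: one equality
    assertion, where an unescaped '*' is a wildcard and '\\xx' is a literal."""
    m = _FILTER_RE.match(filter_str)
    if not m:
        raise ValueError("unsupported filter: %r" % filter_str)
    attr, pattern = m.group(1), m.group(2)
    regex, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 2 < len(pattern):
            regex.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif pattern[i] == "*":
            regex.append(".*")
            i += 1
        else:
            regex.append(re.escape(pattern[i]))
            i += 1
    value = attrs.get(attr)
    return value is not None and re.fullmatch("".join(regex), value) is not None


def search(base_dn: str, filter_str: str) -> list:
    """Anonymous subtree search (the 'Use anonymous bind' connector setting):
    return the DNs under base_dn whose attributes match the filter."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base_dn) and _filter_matches(filter_str, attrs)]


def simple_bind(dn: str, password: str) -> bool:
    """Simulated simple bind: the DN must exist and the password must match."""
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry["userPassword"], password)


def authenticate(account_name: str, password: str) -> tuple:
    """Search for the uid, require exactly one hit, then bind as that DN.
    Returns (ok, detail) where detail is the bound DN or the failure reason."""
    if not password:
        # RFC 4513: a simple bind with a DN and empty password is an
        # unauthenticated (anonymous) bind, which would 'succeed'. Refuse it.
        return False, "empty password"
    matches = search(BASE_DN, build_filter(account_name))
    if not matches:
        return False, "no entry with that uid"
    if len(matches) > 1:
        # Duplicate uid: refuse rather than guess which entry was meant.
        return False, "uid is not unique (%d entries)" % len(matches)
    if not simple_bind(matches[0], password):
        return False, "bind failed"
    return True, matches[0]


if __name__ == "__main__":
    for name, pw in [("alice", "s3cret"), ("alice", "nope"), ("carol", "pw1"), ("*", "s3cret")]:
        print(name, authenticate(name, pw))
```

The `search(BASE_DN, "(uid=*)")` call with an unescaped wildcard returns every entry, while `build_filter("*")` yields `(uid=\2a)` and matches nothing; that difference is the whole reason the account name must be escaped before it reaches the directory.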

The AXIGEN LDAP synchronization feature cannot be used with eDirectory, because many of the attributes that the server needs to update whenever it detects a change (for instance, configuration updates) are read-only in eDirectory. Changing this behaviour is possible only with heavy administrative overhead and a risk of data loss, and is not recommended; use eDirectory for authentication only.