Tech Tip (LISTSERV) – Issue 4 – 2007
Q: Why is it important that LISTSERV can now work with LDAP?
Answer by John Harlan
Vice President, Computer Services, L-Soft
As a means of organizing directory data elements and making them available through fully authenticated queries, the Lightweight Directory Access Protocol (LDAP) has been steadily growing in popularity since its introduction more than a decade ago. Organizations worldwide have adopted LDAP as the basis for their directory services, more often than not in an effort to implement "single sign-on" (SSO), which allows users to log in once for access to networked resources distributed across multiple systems, often in multiple locations.
As institutions have worked toward single sign-on, standalone services (including LISTSERV), which historically maintained their own authentication mechanisms, have presented something of a challenge. No more! With the inclusion of LDAP support, LISTSERV can now fully participate in SSO as well as offer other advantages, including mail-merge based on LDAP data and dynamic queries.
Configuring LISTSERV for LDAP
The first step in working with LDAP is to add its information to LISTSERV's site configuration. The preferred method for doing so is to use LISTSERV's web interface. After successfully authenticating to the web interface with a Postmaster= defined email address and password, click on "Server Administration" in the toolbar and select "Site Administration" from the drop-down menu. Select "Site Administration" a second time and you will be presented with a screen titled "Site Administration," containing tabs for various subsets of the configuration, with the basic "My Configuration" settings tab displayed by default. Select the tab for "LDAP."
It is possible to add multiple LDAP servers to LISTSERV's configuration. We recommend defining a nickname for each LDAP server connection added. Each connection's information consists of the following settings:
Nickname: This is your chosen nickname, which is automatically added to the end of each of the following settings, when stored to SITE.CFG or go.
LDAP_SERVER_nickname= This is the hostname (and optionally, the IP port number) of the LDAP server.
LDAP_UID_nickname= This is the userid (UID) used to authenticate to the LDAP server.
LDAP_AUTH_nickname= This is the authentication password used with the userid above.
LDAP_PW_BASE_nickname= This is the "distinguished name" (DN) that should serve as the 'base' for user searches when LISTSERV queries a user in LDAP. This can be used to open the search to an entire organization or limit it to a certain level or even a specific unit within the organization.
LDAP_PW_FILTER_nickname= This is the LDAP 'filter' LISTSERV should use when looking up user accounts in LDAP.
The following two settings are optional:
LDAP_DEFAULT_EMAIL_nickname= This is the LDAP attribute that ordinarily specifies a user's email address in the LDAP directory.
LDAP_DEFAULT_NAME_nickname= This is the LDAP attribute that ordinarily contains a user's full name in the LDAP directory.
Configuring LISTSERV for LDAP Authentication
If LISTSERV will be using LDAP for authentication purposes, the following settings must be defined:
LDAP_PW_SERVERS= These values are the nicknames (not the hostnames) of the already defined LDAP servers to be queried (in the order listed) for user account lookups.
LDAP_PW_ONLY= This value determines if only users with LDAP accounts are allowed to log into LISTSERV (1) or not (0).
LDAP_PW_REQUIRE_SSL= If LISTSERV queries for, and finds, an LDAP account for a particular user, this value mandates whether the connection to LISTSERV requires Secure Sockets Layer (SSL). If so (1), and the connection did not come across an SSL connection, LISTSERV rejects the connection without attempting to verify the LDAP password; if not (2), LDAP password verification is attempted, and if successful, the connection to LISTSERV is accepted.
This is simply an indication of how painless it should be to get your LISTSERV server "playing nicely" with your LDAP server(s).
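As an added example (not L-Soft code), the following Python sketch audits the settings described above: it checks that every nickname in LDAP_PW_SERVERS has its per-server settings defined and reports when LDAP_PW_REQUIRE_SSL or LDAP_PW_ONLY is not set to 1. It assumes the configuration is available as plain KEY=value lines, that nicknames are separated by spaces or commas, and that names are case-insensitive; all sample values are constructed.

```python
import re

# Per-server settings the tip lists for each LDAP connection.
PER_SERVER = ("LDAP_SERVER", "LDAP_UID", "LDAP_AUTH",
              "LDAP_PW_BASE", "LDAP_PW_FILTER")

# Constructed sample configuration (hostnames, DNs and filter are placeholders).
SAMPLE = """\
LDAP_SERVER_HQ=ldap.example.org:389
LDAP_UID_HQ=cn=listserv,ou=services,dc=example,dc=org
LDAP_AUTH_HQ=placeholder-password
LDAP_PW_BASE_HQ=ou=people,dc=example,dc=org
LDAP_PW_FILTER_HQ=(objectClass=person)
LDAP_SERVER_LAB=ldap-lab.example.org
LDAP_PW_SERVERS=HQ LAB
LDAP_PW_ONLY=1
LDAP_PW_REQUIRE_SSL=0
"""

def parse_site_cfg(text):
    """Parse KEY=value lines (assumed layout); split on the first '=' only."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.strip().split("=", 1)
            cfg[key.strip().upper()] = value.strip()
    return cfg

def check_ldap_auth(cfg):
    """Return a list of findings for the LDAP authentication settings."""
    findings = []
    nicknames = [n.upper() for n in re.split(r"[,\s]+", cfg.get("LDAP_PW_SERVERS", "")) if n]
    if not nicknames:
        findings.append("LDAP_PW_SERVERS is empty: no server is queried for logins")
    for nick in nicknames:
        for prefix in PER_SERVER:
            if not cfg.get(f"{prefix}_{nick}"):
                findings.append(f"{prefix}_{nick} is missing for nickname {nick}")
    if cfg.get("LDAP_PW_REQUIRE_SSL") != "1":
        findings.append("LDAP_PW_REQUIRE_SSL is not 1: LDAP passwords may be "
                        "verified for logins that did not arrive over SSL")
    if cfg.get("LDAP_PW_ONLY") != "1":
        findings.append("LDAP_PW_ONLY is not 1: users without LDAP accounts "
                        "can still log in")
    return findings

if __name__ == "__main__":
    for finding in check_ldap_auth(parse_site_cfg(SAMPLE)):
        print(finding)
```

On the constructed sample this reports the four settings missing for the LAB nickname and the LDAP_PW_REQUIRE_SSL value.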
L-Soft already offers two white papers with further details and instructions on LDAP-related topics: LISTSERV LDAP Documentation, and Dynamic Query Documentation.
Dynamic Queries can be executed by LISTSERV either against an LDAP server or against a traditional database management system (DBMS), and the results can be used for access control and mail delivery.
L-Soft's world class support, training and consulting staff are available to assist you with the particulars of LISTSERV configuration for LDAP and DBMS use. Please contact your L-Soft sales representative, L-Soft Sales, firstname.lastname@example.org, or L-Soft Customer Support, email@example.com, for details.