Defining webtops for LDAP users using LDAP webtop searches

Read this topic to...
  • Learn how to use LDAP webtop searches to define webtop content for LDAP users.

Once a user has been authenticated using either the LDAP login authority or web server authentication, Tarantella can use an LDAP directory server to determine the webtop the user should receive. The content of the webtop is controlled by:

  • the user's login profile (see Defining webtops for LDAP users using login profiles)
  • LDAP webtop searches

LDAP webtop searches allow you to assign an application or a group of applications to users based on information held in your LDAP directory server.

Note If you are using web server authentication, you can only use the webtop searches if the user's login profile is determined using either of the LDAP search methods (Search LDAP and use closest ENS match or Search LDAP and use LDAP User Profile).

Currently the LDAP webtop searches are only supported on Sun™ ONE (formerly Netscape or iPlanet) version 4.1+ directory servers.

Using LDAP webtop searches

In Object Manager the following object types have a Directory Services Integration panel:

This panel allows you to assign an application or a group of applications to users based on:

  • LDAP Groups: the DNs of the groups whose members receive the object
  • LDAP Users: the DNs of the individual users who receive the object
  • LDAP Search: an LDAP search filter or LDAP search URL; every user the search returns receives the object

Note These attributes are only available if you have installed a Directory Services Integration license key.

You can combine the LDAP searches to aggregate webtop content. The three attributes are combined as a union, so matching any one of them is enough for the user to receive the object. This means a user can receive applications based on:

  • membership of one or more LDAP groups (LDAP Groups)
  • their individual user DN (LDAP Users)
  • the results of an LDAP search (LDAP Search)

LDAP webtop search examples

Indigo Insurance has five departments (IT, Sales, Marketing, Finance, and Administration) and a flat organizational hierarchy.

Giving applications to users in particular departments

To give a set of applications to everyone in the Finance and Marketing departments, you could:

  1. Create a group object in Object Manager.
  2. Click the Links tab for the group.
  3. Drop application and document objects onto the Links tab.
  4. Click the Directory Services Integration panel.
  5. In the LDAP Groups box, type:
    ou=Finance,o=indigo-insurance.com ou=Marketing,o=indigo-insurance.com

Note If you assign several groups to an application or group object, it is more efficient to use the LDAP Search attribute instead.

Giving an application to an individual user

To give Sid Cerise in the Finance department access to the Cust-o-dat application, you could:

  1. Edit the Cust-o-dat application object in Object Manager.
  2. Click the Directory Services Integration panel.
  3. In the LDAP Users box, type:
    uid=Sid Cerise,ou=Finance,o=indigo-insurance.com

Note If you assign several individual users to an application or group object, it is more efficient to use the LDAP Search attribute instead.

Giving an application to a selection of users

To give an application to all managers in the Sales department, you could:

  1. Edit the application object in Object Manager.
  2. Click the Directory Services Integration panel.
  3. In the LDAP Search box, type:
    "(&(job=manager)(dept=Sales))"

Note You can also use an LDAP search URL for the LDAP Search attribute, for example:
"ldap:///ou=Sales,dc=indigo-insurance,dc=com??sub?job=manager".
The URL carries the base DN (ou=Sales,dc=indigo-insurance,dc=com), the scope (sub) and the filter (job=manager); the base DN and attribute names must match what your directory actually uses. This example assumes a dc=indigo-insurance,dc=com suffix, whereas the earlier examples use o=indigo-insurance.com; use whichever suffix your directory is built on.

Performance effects of using LDAP searches

The number of LDAP searches added to an application or group object can affect performance, because Tarantella may have to gather a large amount of information from the LDAP server to establish whether a user should receive an application. For example, if an application is linked to 1000 different LDAP groups, Tarantella may need 1000 round trips to the LDAP directory server (one per group) to find out whether a user is in any of them, and if each of those groups has 1000 members, each reply is large as well. This gives very poor performance and generates a lot of network traffic.

We recommend that you use the LDAP Search attribute: a single search filter can express a sophisticated condition and identify many users at once, and the directory server evaluates it in one search rather than Tarantella querying one group after another. We recommend that you use the LDAP Users attribute very sparingly.
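The following is an added example, not Tarantella's own code, that ties together the three worked examples above (LDAP Groups, LDAP Users and LDAP Search, including the search URL form) and the round-trip argument of this section. It evaluates the three Directory Services Integration attributes against a small constructed in-memory directory rather than a live LDAP server. Everything about the directory is assumed: the entries, the job and dept attributes, and the rule that a DN in the LDAP Groups box matches every user below it. The assumption that each group DN costs one search and an LDAP Search costs exactly one is a model of the text's 1000-groups example, not a description of how Tarantella is implemented. The sample directory uses the o=indigo-insurance.com suffix throughout, so the search URL used with it differs in suffix from the page's dc= example; the page's own URL is parsed unchanged.

```python
"""Added example, not Tarantella's code: evaluates the LDAP Users, LDAP Groups and LDAP Search
attributes of the Directory Services Integration panel against a constructed in-memory directory."""
from urllib.parse import unquote

ROOT = "o=indigo-insurance.com"
ENTRIES = {  # constructed sample entries, one OU per department; job/dept are made-up attributes
    f"uid=Sid Cerise,ou=Finance,{ROOT}": {"objectclass": "person", "job": "clerk", "dept": "Finance"},
    f"uid=Ann Amber,ou=Sales,{ROOT}": {"objectclass": "person", "job": "manager", "dept": "Sales"},
    f"uid=Cy Cyan,ou=Marketing,{ROOT}": {"objectclass": "person", "job": "manager", "dept": "Marketing"},
}
ROUND_TRIPS = {"count": 0}  # searches answered by the stand-in server

def parse_filter(text):
    """Parse the RFC 4515 subset used on this page: (attr=value) combined with &, | and !."""
    text, pos = text.strip().strip('"'), 0  # the text box examples are shown quoted

    def node():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos:pos + 1] in ("&", "|", "!"):
            op, items, pos = text[pos], [], pos + 1
            while text[pos:pos + 1] == "(":
                items.append(node())
            if not items:
                raise ValueError(f"'{op}' needs at least one operand")
            result = (op, items)
        else:
            end = text.find(")", pos)
            attr, eq, value = text[pos:end].partition("=")
            if end < 0 or not eq:
                raise ValueError(f"bad item at offset {pos}")
            result, pos = ("=", (attr.strip().lower(), value.strip())), end
        if text[pos:pos + 1] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def matches(tree, attrs):
    """Evaluate a parsed filter against one entry: case-insensitive values, presence via '*'."""
    op, arg = tree
    if op == "=":
        attr, value = arg
        return attr in attrs if value == "*" else attrs.get(attr, "").lower() == value.lower()
    if op == "&":
        return all(matches(t, attrs) for t in arg)
    if op == "|":
        return any(matches(t, attrs) for t in arg)
    return not matches(arg[0], attrs)  # "!" with one operand

def parse_ldap_url(url):
    """Split an RFC 4516 URL, ldap://host/dn?attrs?scope?filter, into (base, scope, filter)."""
    url = url.strip().strip('"')
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    fields = url[len("ldap://"):].partition("/")[2].split("?") + ["", "", ""]
    flt = unquote(fields[3]) or "(objectClass=*)"
    if not flt.startswith("("):  # RFC 4515 filters carry their outer parentheses
        flt = f"({flt})"
    return unquote(fields[0]), fields[2] or "base", flt

def in_scope(dn, base, scope):
    """Naive string DN containment (real DN matching normalises RDNs first)."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    return dn.endswith("," + base) and (scope == "sub" or "," not in dn[: -len(base) - 1])

def search(base, scope, flt):
    """One round trip to the stand-in directory server."""
    ROUND_TRIPS["count"] += 1
    tree = parse_filter(flt)
    return [dn for dn, attrs in ENTRIES.items() if in_scope(dn, base, scope) and matches(tree, attrs)]

def grants_access(user_dn, ldap_users=(), ldap_groups=(), ldap_search=None):
    """Aggregate the three panel attributes: any one that matches gives the user the object."""
    if any(u.lower() == user_dn.lower() for u in ldap_users):  # no directory query needed
        return True
    for group_dn in ldap_groups:  # assumed: one search per group DN, matching users below it
        if user_dn in search(group_dn, "sub", "(objectClass=*)"):
            return True
    if ldap_search:  # a single search, whether a bare filter or an ldap:/// URL
        if ldap_search.strip('"').startswith("ldap://"):
            base, scope, flt = parse_ldap_url(ldap_search)
        else:
            base, scope, flt = ROOT, "sub", ldap_search
        return user_dn in search(base, scope, flt)
    return False

def cost_comparison():
    """Round trips to give Cy Cyan the Finance+Marketing set via LDAP Groups vs via LDAP Search."""
    cy = f"uid=Cy Cyan,ou=Marketing,{ROOT}"
    ROUND_TRIPS["count"] = 0
    grants_access(cy, ldap_groups=[f"ou=Finance,{ROOT}", f"ou=Marketing,{ROOT}"])
    by_groups, ROUND_TRIPS["count"] = ROUND_TRIPS["count"], 0
    grants_access(cy, ldap_search="(|(dept=Finance)(dept=Marketing))")
    return by_groups, ROUND_TRIPS["count"]  # (2, 1)
```

Calling grants_access with the values typed into the three boxes shows which attribute admits a user, and cost_comparison returns the round-trip counts for the same department set expressed once as two LDAP Groups entries and once as a single LDAP Search filter, which is the trade-off the paragraph above describes. The parser also rejects a filter with unbalanced parentheses or a missing "=", so it doubles as a syntax check before a filter goes into the panel; against the live directory, the same check is an ldapsearch client run with the intended base (-b) and scope (-s) to confirm the filter returns exactly the users you expect.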

Related topics
  • Using Tarantella with an LDAP directory server
  • Which LDAP directory servers are supported?
  • Enabling the LDAP login authority
  • Defining webtops for LDAP users using login profiles
  • Can I give users different webtops without "mirroring" my LDAP organization in ENS?
  • LDAP users can't log in to Tarantella
  • Can I deny an LDAP user access to Tarantella?