“Novell Security” – Please Don’t Use This
Confession time: We have very few customers using Novell, and this option only exists for legacy compatibility with older systems. Hyland even states in the Authentication MRG that:
“Novell Security is not currently supported. Security must be configured using one of the other available Source of Security Information configurations.”
If you’re already using this, you can keep doing so; however, it is not being tested for compatibility and is therefore not supported. If you aren’t currently using this (and this should be all of you), please don’t check this box. It’s not supported, and if you had to connect to eDirectory, you would be better served with LDAP Security.
“LDAP Security” – Generic and compatible
LDAP Security is sort of the catch-all security option: In my experience, I’ve used it to connect to UNIX LDAP servers, bind to Novell eDirectory resources, and even as an alternative way to connect to Active Directory.
This is the option you should use if no other option works, or if you are using a unique setup. You can (and should) configure this option to authenticate against multiple servers, for failover reasons. OnBase uses LDAP version 3 to query directory services, so make sure that you are using a compatible LDAPv3 server implementation to use this option.
Let’s take a look at building our first connection. As you can see from the following dialog box, LDAP security looks quite a bit more complex than Windows NT Security, but once OnBase is speaking your LDAP server’s language, it works like a charm.
You fill in the Host, Port, and Server Bind Method, so a connection to the server is established. You then map attributes. In other words, OnBase concepts are mapped to your LDAP server’s versions of the same things.
For example, the “LDAP Class Name” is really mapping to what we would call an “OnBase user”. For Active Directory, you might enter an LDAP Class Name of “user”; for a typical Novell LDAP server, you might need inetOrgPerson. Different LDAP servers use different terms for the same things, and here is where you create these relationships.
Once you have mapped the OnBase user to the LDAP user, you then map the attributes as well (Username, Full Name, Email, etc.). Finally, you tell OnBase what groups are called in the LDAP server, so it can map those to its own groups. Once this is configured, it uses the same general pattern as Windows NT Security, in that it enumerates all groups that the user is part of, and looks for OnBase groups of the same name for a match.
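The mapping described above can be modelled offline to sanity-check the values before typing them into the dialog. This is an added example, not OnBase or Hyland code; apart from the class names “user” and “inetOrgPerson”, the attribute names, the sample entries, and the exact-name matching rule are assumptions.

```python
# Added example: models the mapping above, not OnBase code. Attribute names are typical defaults (assumptions).
PROFILES = {
    "active_directory": {"user_class": "user", "username": "sAMAccountName",
                         "full_name": "displayName", "email": "mail",
                         "group_class": "group", "member": "member"},
    "edirectory": {"user_class": "inetOrgPerson", "username": "uid",
                   "full_name": "fullName", "email": "mail",
                   "group_class": "groupOfNames", "member": "member"},
}
# Constructed sample entries standing in for an eDirectory-style server.
SAMPLE_ENTRIES = [
    {"dn": "cn=jdoe,ou=staff,o=example", "objectClass": ["inetOrgPerson"],
     "uid": ["jdoe"], "fullName": ["Jane Doe"], "mail": ["jdoe@example.test"]},
    {"dn": "cn=OB Finance,ou=groups,o=example", "objectClass": ["groupOfNames"],
     "cn": ["OB Finance"], "member": ["CN=jdoe,OU=staff,O=example"]},
    {"dn": "cn=ob scanning,ou=groups,o=example", "objectClass": ["groupOfNames"],
     "cn": ["ob scanning"], "member": ["cn=jdoe,ou=staff,o=example"]},
    {"dn": "cn=Payroll,ou=groups,o=example", "objectClass": ["groupOfNames"],
     "cn": ["Payroll"], "member": ["cn=jdoe,ou=staff,o=example"]},
]

def has_class(entry, name):
    return name.lower() in (c.lower() for c in entry["objectClass"])

def find_user(entries, profile, login):
    """Return the entry of the mapped user class whose username attribute equals login."""
    for e in entries:
        if has_class(e, profile["user_class"]) and login in e.get(profile["username"], []):
            return e
    return None

def resolve(entries, profile, login, onbase_groups):
    """Map one directory user to OnBase fields and to same-named OnBase groups."""
    user = find_user(entries, profile, login)
    if user is None:
        return None  # a wrong class name or username attribute looks like "no such user"
    dn = user["dn"].lower()  # DNs compare case-insensitively
    names = [g["cn"][0] for g in entries if has_class(g, profile["group_class"])
             and dn in (m.lower() for m in g.get(profile["member"], []))]
    # Assumption: group names must match exactly; near misses are listed for review.
    folded = {n.strip().lower(): n for n in onbase_groups}
    return {
        "username": user[profile["username"]][0],
        "full_name": user.get(profile["full_name"], [""])[0],
        "email": user.get(profile["email"], [""])[0],
        "matched": sorted(n for n in names if n in onbase_groups),
        "near_miss": sorted(n for n in names if n not in onbase_groups
                            and n.strip().lower() in folded),
        "unmapped": sorted(n for n in names if n.strip().lower() not in folded),
    }
```

Running `resolve` with the wrong profile (for example the Active Directory one against these entries) returns `None`, which is what a mismatched LDAP Class Name looks like from the login side.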
“Active Directory” – Newer, More Advanced, More Granular
If you’re using Active Directory, we’ve saved the best for last. Only available in OnBase 12 and above, the new Active Directory option allows all the ease-of-use that “Windows NT Security” has, while taking away some of the more annoying factors. Active Directory security allows you to map groups easily, is more powerful than NT Security, opens up some really nice features listed below, and generally makes everyone’s life easier.
Once the groups are mapped, rights are assigned exactly as described in Windows NT Security above.
- You can more easily authenticate across domains in a given forest without queries to all domains in the forest. Tell OnBase what to search for and where!
- Your group names no longer have to match. You map AD groups to OnBase groups using the GUI. No longer does your Active Directory have to have 40 different user groups all starting with “OB…”
- No access to a domain controller or an Active Directory snap-in required! Just configure everything from OnBase Configuration!
- You can test from the OnBase interface to see what user groups are coming back from Active Directory. No longer do you have to troubleshoot from the diagnostics console or a verbose log!
- You can Auto-Create an OnBase group based on a domain group.
- You can Auto-Create an OnBase user based on a domain user.
- Finally, if coming from Windows NT Security, you can Auto-Configure a domain to match up domain and OnBase groups. Easy.
OnBase Security – Summary
Let’s summarize the pros and cons of each security option:
- OnBase Authentication – Easy to understand and troubleshoot, no special configuration needed.
- Windows NT Security – Old reliable, all groups have to be named the same. Managed in Active Directory.
- Novell Security – Nope Nope Nope.
- LDAP Security – Complex but powerful. Can connect to many types of systems. Good choice for multiple domains.
- Active Directory – You need OnBase 12+. Good choice for multiple domains. Good migration point from NT Security. Able to manage almost everything from the interface.
I hope that I was able to de-mystify the choices available for OnBase security, and I really hope we can make the OnBase experience a little bit nicer for you and your end users. As a reminder, we’re always happy to answer any questions that you have at [email protected] regarding this topic, or any topic! Drop us a line and let us know what you think!