New Connection wizard

This wizard helps you to create a new connection to an LDAP directory.

To start the wizard choose one of the following options:

The creation of a new LDAP connection is a four-step process:

  1. Define network parameters.

  2. Define authentication parameters.

  3. Define additional browser options (optional).

  4. Define additional edit options (optional).

Page 1

The first page allows you to enter a connection name and the network parameters.

Connection name
  The name of the connection. In the Connections view the connection is listed under this name. The name must be unique.
  Default: empty

Hostname
  The hostname or IP address of the LDAP server. A history of recently used hostnames is available through the drop-down list.
  Default: empty

Port
  The port of the LDAP server. The default port for unencrypted and StartTLS connections is 389; the default port for ldaps:// connections is 636. A history of recently used ports is available through the drop-down list.
  Default: 389

Encryption method
  The encryption to use. Possible values are 'No encryption' (plain LDAP), 'ldaps://' (TLS from the first byte, on a dedicated port) and 'StartTLS extension' (the connection starts unencrypted on the LDAP port and is upgraded to TLS with the StartTLS extended operation). With 'No encryption' everything, including simple-bind credentials and the directory data you browse, crosses the network in clear text.
  Default: No encryption

Check network parameter
  Use this function to validate that the entered information is correct and that the server is reachable.

Page 2

On the second page you can specify the authentication parameters.

Authentication Method
  Select one of the following authentication methods:
  • Anonymous Authentication: connects to the directory without authenticating.
  • Simple Authentication: binds with a bind DN and password. The credentials are transmitted in clear text over the network, so use this only together with ldaps:// or StartTLS.
  • CRAM-MD5 (SASL): authenticates with a challenge-response mechanism; the password itself is not transmitted over the network.
  • DIGEST-MD5 (SASL): another challenge-response mechanism; additionally you can define the realm and the quality-of-protection (QoP) parameters.
  • GSSAPI (Kerberos): uses Kerberos-based authentication; additional parameters can be defined.
  Default: Simple Authentication

Bind DN or user
  The distinguished name or user ID used to bind. Previously entered DNs can be selected from the drop-down list.
  Default: empty

Bind Password
  The password used to bind.
  Default: empty

Save password
  If checked, the password is saved in the connection configuration. If not checked, you have to enter the password whenever you connect to the server. Warning: the password is saved in plain text, so anyone who can read the configuration files can recover it.
  Default: checked

Check Authentication
  Use this function to attempt a connection plus a bind to the host upon completion of the wizard, to validate that the entered information is correct.

Additional authentication parameters for SASL and Kerberos:

SASL Realm
  The SASL realm used to bind; only applicable if DIGEST-MD5 is chosen.
  Default: empty

Quality of Protection
  The QoP to use: authentication only, authentication with integrity protection, or authentication with privacy (confidentiality) protection.
  Default: Authentication only

Protection Strength
  The protection strength to use.
  Default: High

Mutual Authentication
  If checked, mutual authentication is used, i.e. the server also has to authenticate itself to the client. If unchecked, only the client authenticates itself to the server.
  Default: unchecked

Use native TGT
  If checked, the native Kerberos credential cache is used, so no additional authentication is necessary. Note that on Windows systems this requires a modification of the registry.
  Default: checked

Obtain TGT from KDC
  If checked, a new TGT is obtained from the KDC; username and password must be provided.
  Default: unchecked

Use native system configuration
  If checked, the native Kerberos configuration is used (e.g. /etc/krb5.conf).
  Default: checked

Use configuration file
  If checked, a custom Kerberos configuration file can be used.
  Default: unchecked

Use following configuration
  If checked, the Kerberos configuration parameters (realm, host, port) can be set in the dialog.
  Default: unchecked
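The difference between the simple bind and the two SASL challenge-response methods on this page is easiest to see in the client-side arithmetic. The following is an added example written for this page, not Apache Directory Studio's code: it computes the CRAM-MD5 (RFC 2195) and DIGEST-MD5 (RFC 2831) responses with the standard library only, shows the server-side check, and shows what an eavesdropper who records one exchange can still do. The usernames, passwords, realm, nonces and digest-uri are constructed values.

```python
"""CRAM-MD5 and DIGEST-MD5 client responses (added example, not Studio code).

The password never appears in the response, but both ends need the clear-text
password (or, for DIGEST-MD5, MD5(user:realm:password)), and a recorded
challenge/response pair lets an observer test password guesses offline.
"""
import hashlib
import hmac


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client reply to a CRAM-MD5 challenge: '<user> <hex HMAC-MD5(password, challenge)>'."""
    mac = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {mac}"


def digest_md5_response(username: str, realm: str, password: str, nonce: str,
                        cnonce: str, nc: str, qop: str, digest_uri: str) -> str:
    """'response' directive of the DIGEST-MD5 digest-response (RFC 2831, no authzid)."""
    def h(data: bytes) -> bytes:
        return hashlib.md5(data).digest()

    def hx(data: bytes) -> str:
        return hashlib.md5(data).hexdigest()

    # A1 = H(user ":" realm ":" password) ":" nonce ":" cnonce
    a1 = h(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    # A2 = "AUTHENTICATE:" digest-uri, plus 32 zeros when integrity/privacy is requested
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):        # the wizard's Quality of Protection choices
        a2 += ":" + "0" * 32
    return hx(f"{hx(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{hx(a2.encode())}".encode())


def digest_md5_verify(stored_password: str, username: str, realm: str, nonce: str,
                      cnonce: str, nc: str, qop: str, digest_uri: str, response: str) -> bool:
    """Server side: recompute from the stored credential and compare in constant time."""
    expected = digest_md5_response(username, realm, stored_password, nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, response)


def offline_guess(candidates, username: str, realm: str, nonce: str, cnonce: str,
                  nc: str, qop: str, digest_uri: str, captured_response: str):
    """What a network observer can do with one recorded exchange: try passwords offline."""
    for guess in candidates:
        if digest_md5_response(username, realm, guess, nonce, cnonce, nc, qop, digest_uri) == captured_response:
            return guess
    return None


if __name__ == "__main__":
    # Constructed exchange: the server sends nonce, the client picks cnonce.
    params = ("alice", "EXAMPLE.COM", "n0nce-from-server", "cn0nce-from-client",
              "00000001", "auth", "ldap/ldap.example.com")
    resp = digest_md5_response(params[0], params[1], "correct horse", *params[2:])
    print("DIGEST-MD5 response:", resp, "| password in response:", "correct horse" in resp)
    print("server accepts:", digest_md5_verify("correct horse", params[0], params[1], *params[2:], resp))
    print("offline guess:", offline_guess(["hunter2", "correct horse"], params[0], params[1], *params[2:], resp))
```

Two practical consequences follow from the code: the QoP setting only changes A2 and the `qop` token, so 'Authentication only' leaves the rest of the session unprotected, and the challenge-response property protects the password against passive capture but not against offline guessing of weak passwords. DIGEST-MD5 was moved to Historic status by RFC 6331; prefer ldaps:// or StartTLS with simple or GSSAPI binds where the server supports them.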

Page 3

On the third page you can enter additional browser options.

Get base DNs from Root DSE
  If checked, the base DNs are fetched from the namingContexts attribute of the Root DSE.
  Default: checked

Fetch Base DNs
  Use this function to get the namingContexts values from the Root DSE. The returned values appear in the 'Base DN' drop-down list.

Base DN
  The base DN to use. You may enter a DN manually or select one from the drop-down list. This field is only enabled if the option 'Get base DNs from Root DSE' is unchecked.
  Default: empty

Count Limit
  Maximum number of entries returned from the server when browsing the directory; it is also used as the default value when searching the directory. A value of 0 means no count limit. Note that this is a client-side value (the sizeLimit of the search request); the server may additionally enforce its own limit.
  Default: 1000

Time Limit
  The maximum time in seconds the server searches for results. This is used as the default value when browsing or searching the directory. A value of 0 means no limit. Note that this is a client-side value (the timeLimit of the search request); the server may additionally enforce its own limit.
  Default: 0

Alias Dereferencing
  Specifies whether aliases are dereferenced while finding the search base entry, while performing the search, or both. To manage (create, modify, delete) alias objects themselves you have to uncheck both options.
  Default: Both finding and searching

Referrals Handling
  Specifies how referrals and search continuations are handled:
  • Follow Referrals manually: received referrals and search continuations are only displayed in the browser. As soon as you open or expand such a search continuation the search is continued. You are asked which connection to use to follow a specific referral URL, so you keep full control over the encryption and authentication options used when following referrals.
  • Follow Referrals automatically: referrals and search continuations are followed immediately when they are received from the directory server. You are still asked which connection to use to follow a specific referral URL, so you keep full control over the encryption and authentication options used when following referrals.
  • Ignore Referrals: any referral or search continuation received from the directory server is silently ignored. No error is logged, no dialog appears, no special entry is displayed in the DIT, and no ManageDsaIT control is sent to the server.
  Default: Follow Referrals manually

Use ManageDsaIT control while browsing
  If enabled, the ManageDsaIT control (RFC 3296) is sent to the server in each request. This signals the directory server not to send referrals and search continuations but to return the referral objects themselves. This only works if the directory server supports the ManageDsaIT control.
  Default: unchecked

Fetch subentries while browsing
  If enabled, both normal entries and subentries (RFC 3672) are fetched. This causes additional search requests while browsing the directory.
  Default: unchecked

Paged Search
  If enabled, the simple paged results control (RFC 2696) is used while browsing the directory. The page size defines how many entries are retrieved in one request. If Scroll Mode is enabled, only one page is fetched from the server at a time and you can 'scroll' through the pages using the 'next page' and 'top page' items. If Scroll Mode is disabled, all entries are fetched from the server and the paged results control is only used in the background to avoid server-side limits.
  Default: unchecked

Fetch operational attributes while browsing
  If enabled, both user attributes and operational attributes are retrieved while browsing. If the server supports the feature 'All Operational Attributes' (RFC 3673), a '+' is requested to retrieve the operational attributes; otherwise all operational attributes defined in the schema are requested explicitly.
  Default: unchecked
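To make concrete what the choices on pages 1 to 3 become on the wire, here is an added example, written for this page and not taken from Apache Directory Studio: a minimal BER encoder and the two LDAP PDUs (RFC 4511) the wizard settings map onto. The simple BindRequest shows why 'Simple Authentication' over 'No encryption' is a clear-text credential; the SearchRequest carries the Count Limit and Time Limit as sizeLimit/timeLimit, requests '*' and '+' (RFC 3673) for operational attributes, and attaches the Simple Paged Results (RFC 2696, OID 1.2.840.113556.1.4.319) and ManageDsaIT (RFC 3296, OID 2.16.840.1.113730.3.4.2) controls. The DNs, password and page size are constructed; the encoder covers only the ASN.1 types LDAP needs.

```python
"""Hand-encoded LDAP BindRequest and SearchRequest (added example, not Studio code)."""
from typing import Optional

# --- minimal BER encoder (only the types LDAP needs) -------------------------

def ber_len(n: int) -> bytes:
    """Definite length: short form below 128, long form (0x80 | count, then bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(value: int, tag: int = 0x02) -> bytes:
    """INTEGER (or ENUMERATED with tag 0x0a) as minimal two's-complement bytes."""
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def ber_str(s: str, tag: int = 0x04) -> bytes:
    return tlv(tag, s.encode("utf-8"))

def ber_bool(b: bool) -> bytes:
    return tlv(0x01, b"\xff" if b else b"\x00")

def ber_seq(*items: bytes, tag: int = 0x30) -> bytes:
    return tlv(tag, b"".join(items))

# --- LDAP messages (RFC 4511) ------------------------------------------------

def ldap_message(msg_id: int, protocol_op: bytes, controls=()) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID, protocolOp, controls [0] OPTIONAL }."""
    parts = [ber_int(msg_id), protocol_op]
    if controls:
        parts.append(ber_seq(*controls, tag=0xA0))   # [0] constructed
    return ber_seq(*parts)

def bind_request_simple(msg_id: int, dn: str, password: str) -> bytes:
    """BindRequest ::= [APPLICATION 0] { version 3, name LDAPDN, simple [0] OCTET STRING }."""
    op = ber_seq(ber_int(3), ber_str(dn), tlv(0x80, password.encode("utf-8")), tag=0x60)
    return ldap_message(msg_id, op)

def control(oid: str, critical: bool = False, value: Optional[bytes] = None) -> bytes:
    """Control ::= SEQUENCE { controlType, criticality BOOLEAN DEFAULT FALSE, controlValue OPTIONAL }."""
    parts = [ber_str(oid)]
    if critical:                 # DEFAULT FALSE is omitted when false
        parts.append(ber_bool(True))
    if value is not None:
        parts.append(tlv(0x04, value))
    return ber_seq(*parts)

def paged_results_control(page_size: int, cookie: bytes = b"") -> bytes:
    """RFC 2696: controlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }."""
    return control("1.2.840.113556.1.4.319",
                   value=ber_seq(ber_int(page_size), tlv(0x04, cookie)))

def manage_dsa_it_control() -> bytes:
    """RFC 3296: no control value; sent critical so a server that ignores it refuses the search."""
    return control("2.16.840.1.113730.3.4.2", critical=True)

SCOPE_BASE, SCOPE_ONE, SCOPE_SUBTREE = 0, 1, 2
DEREF_NEVER, DEREF_SEARCHING, DEREF_FINDING, DEREF_ALWAYS = 0, 1, 2, 3

def search_request(msg_id: int, base_dn: str, scope: int, deref: int,
                   size_limit: int, time_limit: int, attrs=("*",), controls=()) -> bytes:
    """SearchRequest ::= [APPLICATION 3] with the present filter (objectClass=*)."""
    op = ber_seq(
        ber_str(base_dn),
        ber_int(scope, tag=0x0A), ber_int(deref, tag=0x0A),   # ENUMERATED: scope, derefAliases
        ber_int(size_limit), ber_int(time_limit),             # the wizard's Count Limit / Time Limit
        ber_bool(False),                                      # typesOnly
        tlv(0x87, b"objectClass"),                            # filter: present [7] "objectClass"
        ber_seq(*(ber_str(a) for a in attrs)),                # "*" user attrs, "+" operational attrs
        tag=0x63)
    return ldap_message(msg_id, op, controls)

if __name__ == "__main__":
    bind = bind_request_simple(1, "cn=admin,dc=example,dc=com", "secret")
    print("bind  :", bind.hex(), "| password visible:", b"secret" in bind)
    search = search_request(2, "dc=example,dc=com", SCOPE_SUBTREE, DEREF_ALWAYS, 1000, 0,
                            attrs=("*", "+"),
                            controls=[paged_results_control(100), manage_dsa_it_control()])
    print("search:", search.hex())
```

With 'No encryption' the bind bytes above are exactly what a sniffer on the path sees, bind DN and password included; with ldaps:// or StartTLS the same PDU travels inside TLS. The sizeLimit in the search request is only a request: a server-side limit that is lower wins, which is why the table calls the Count Limit a client-side value.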

Page 4

On the fourth page you can enter additional edit options.

Modify Mode
  Specifies the modify mode for attributes with an equality matching rule:
  • Optimized Modify Operations: uses add/delete by default and switches to replace if that needs fewer operations.
  • Always REPLACE: always uses replace operations to perform entry modifications.
  • Always ADD/DELETE: always uses add and/or delete operations to perform entry modifications.
  Default: Optimized Modify Operations

Modify Mode (no equality matching rule)
  Specifies the modify mode for attributes with *no* equality matching rule:
  • Optimized Modify Operations: uses add/delete by default and switches to replace if that needs fewer operations.
  • Always REPLACE: always uses replace operations to perform entry modifications.
  • Always ADD/DELETE: always uses add and/or delete operations to perform entry modifications.
  Recommended values for various LDAP servers:
  • ApacheDS: Optimized Modify Operations or REPLACE
  • OpenLDAP: REPLACE
  • OpenDS / SunDSEE: Optimized Modify Operations or REPLACE
  • FedoraDS / 389DS: Optimized Modify Operations (missing equality matching rules for many standard attribute types)
  • Active Directory: Optimized Modify Operations (exposes no equality matching rules at all)
  • eDirectory: Optimized Modify Operations (exposes no equality matching rules at all)
  Default: Optimized Modify Operations

Modify Order
  Specifies the order of the delete and add modifications in the modify request when add and delete operations are used.
  Default: Delete first
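The three modify modes and the modify order are easiest to compare on a concrete attribute change. The following is an added example for this page, not Apache Directory Studio's implementation: given an attribute's old and new values it builds the modification items for each mode and renders them as an LDIF modify record (RFC 2849). One assumption the page does not state is how "operation count" is measured; the code counts each add, delete or replace modification item as one operation. The DN, attribute and values are constructed.

```python
"""Planning a modify request under the three Modify Modes (added example, not Studio code)."""
from typing import List, Sequence, Tuple

Mod = Tuple[str, List[str]]   # ("add" | "delete" | "replace", values)


def plan_modify(old: Sequence[str], new: Sequence[str],
                mode: str = "optimized", delete_first: bool = True) -> List[Mod]:
    """Return the modification items that turn the value list `old` into `new`."""
    old_set, new_set = set(old), set(new)
    to_add = [v for v in new if v not in old_set]
    to_delete = [v for v in old if v not in new_set]
    if not to_add and not to_delete:
        return []                                    # nothing changed: send no request

    # "Always REPLACE": one item carrying the complete new value set (empty = remove attribute)
    replace_plan: List[Mod] = [("replace", list(new))]
    # "Always ADD/DELETE": explicit per-value items; Modify Order decides which comes first
    deletes: List[Mod] = [("delete", to_delete)] if to_delete else []
    adds: List[Mod] = [("add", to_add)] if to_add else []
    add_delete_plan = deletes + adds if delete_first else adds + deletes

    if mode == "replace":
        return replace_plan
    if mode == "add_delete":
        return add_delete_plan
    if mode != "optimized":
        raise ValueError(f"unknown modify mode: {mode}")
    # "Optimized": add/delete by default, replace only when it needs fewer items
    # (assumption: one item == one operation)
    return replace_plan if len(replace_plan) < len(add_delete_plan) else add_delete_plan


def to_ldif(dn: str, attr: str, plan: List[Mod]) -> str:
    """Render a plan as an LDIF 'changetype: modify' record; empty plan -> empty string."""
    if not plan:
        return ""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, values in plan:
        lines.append(f"{op}: {attr}")
        lines.extend(f"{attr}: {v}" for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dn, attr = "cn=alice,dc=example,dc=com", "mail"       # constructed entry
    old, new = ["alice@example.com", "a.smith@example.com"], ["alice@example.com", "alice.smith@example.com"]
    for mode in ("optimized", "replace", "add_delete"):
        print(f"--- {mode} ---")
        print(to_ldif(dn, attr, plan_modify(old, new, mode)))
    print("--- add_delete, Add first ---")
    print(to_ldif(dn, attr, plan_modify(old, new, "add_delete", delete_first=False)))
```

Why the choice matters: an add/delete plan only touches the values you changed, so a concurrent change to another value of the same attribute survives, while a replace overwrites the whole attribute with what the client last read. On the other hand, deleting by value requires the server to match that value, which is why the table recommends Optimized (falling back to replace) for servers that expose no equality matching rules.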