Installation and Configuration Guide

Configuring the LDAP information for the BlackBerry Administration Service

The BlackBerry® Administration Service requires access to the LDAP server so that the BlackBerry Administration Service can read user information in Microsoft® Active Directory® when it authenticates the BlackBerry® Web Desktop Manager users. To access the LDAP server, the BlackBerry Administration Service requires the URL of the LDAP server, the search base to find where the user accounts are stored, and the administrator's LDAP credentials.

During the installation process and upgrade process, the setup application populates the LDAP information automatically. You must verify this information to ensure that it reflects the requirements of the BlackBerry Administration Service.

Configure permissions for the administrator account on the LDAP server that the BlackBerry Administration Service uses

To authenticate a user account, you must configure permissions for an administrator account on the LDAP server so that the BlackBerry® Administration Service can read LDAP attributes in Microsoft® Active Directory®.
Note: If the administrator account connects to a Windows Server® 2008 domain controller that is running at a Windows Server 2003 domain functional level, you must configure the administrator account to use DES encryption for Kerberos™ authentication. For more information, visit www.blackberry.com/btsc to read article KB18186.
Before you begin: Create an administrator account for the BlackBerry Administration Service.
  1. In Microsoft Active Directory, in the search-base container and all subcontainers that user accounts are located in, add the following permissions to the administrator account:
    • for containers, the List Contents permission
    • for user objects, the Read All Properties permission
  2. Configure the administrator account so that the account has the correct permission to read the attributes of the crossRef objects that represent domains in the Partitions container of the Microsoft Active Directory configuration partition.

Find the LDAP information that the BlackBerry Administration Service requires

You can use the ldp.exe utility to access the domain controller in your organization's environment and locate the LDAP information before you install the BlackBerry® Administration Service.
Before you begin:
  • Verify that you have a domain-administrator account.
  • Download and install the Windows® support tools. For more information about installing the support tools, visit www.microsoft.com to read articles 892777 and 301423.
  1. On the Start menu, click Run.
  2. Type ldp.
  3. Click OK.
  4. On the Connection menu, click Connect.
  5. Connect to the domain controller.
  6. On the Connection menu, click Bind.
  7. In the Bind dialog box, click OK.
  8. To set the LDAP search base to the BaseDN and permit the BlackBerry Administration Service to search the entire directory tree for user accounts, perform the following actions:
    1. In the ldp window, on the View menu, click Tree.
    2. In the drop-down list, select the first option.
    3. Copy the BaseDN to a text file (for example, DC=yourDepartment,DC=yourOrganization,DC=net).
  9. To permit the BlackBerry Administration Service to access only the part of the directory tree that includes current and prospective BlackBerry device users in your organization, specify a specific area in the directory tree as the LDAP search base (for example, OU=Users,DC=yourDepartment,DC=yourOrganization,DC=net).
  10. To locate the administrator account information, in the Microsoft® Active Directory® Users and Computers console, find the user name for the administrator account. If you use Windows Server® 2003, verify that the administrator account has a password.
  11. Transfer the text file to the computer that you want to install the BlackBerry Administration Service on.

Configure the BlackBerry Administration Service to authenticate user accounts from multiple Microsoft Active Directory domains

During the installation process, the setup application prompts you to specify the LDAP server URL, search base, and the credentials for an LDAP administrator so that the BlackBerry® Administration Service can access the LDAP server and authenticate user accounts.

If the user accounts in your organization's environment are stored in more than one domain in a Microsoft® Active Directory® forest, you must configure the LDAP settings that the BlackBerry Administration Service uses so that the BlackBerry Administration Service can search the global catalog.

  1. During the installation process, specify the DNS host name of a global catalog server as the LDAP server name that is included in the LDAP server URL.
  2. Specify the LDAP port number to be 3268.
  3. Specify the LDAP user name and password to be the user name and password of an administrator account that has permission to read user attributes from the global catalog.
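
The following PowerShell check is an added example, not part of the BlackBerry documentation. It binds with the administrator account and confirms that the account can read user objects under the search base and the domain crossRef objects in the Partitions container, using port 389 or global catalog port 3268. The host name, search base, and the function names New-LdapEntry and Find-Ldap are placeholders chosen for illustration.

```powershell
# Added example: read-only check of the LDAP values before you enter them in setup.
# Host name, search base and account are constructed placeholders.
$LdapHost   = 'dc01.yourDepartment.yourOrganization.net'  # domain controller or global catalog server
$Port       = 389                                          # 3268 to search the global catalog
$SearchBase = 'OU=Users,DC=yourDepartment,DC=yourOrganization,DC=net'
$Cred       = Get-Credential                               # administrator account for the service

function New-LdapEntry([string]$Dn, [int]$OnPort = $Port) {
    # Secure negotiates Kerberos/NTLM, so the password is not sent in a simple bind
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure
    New-Object System.DirectoryServices.DirectoryEntry -ArgumentList `
        "LDAP://${LdapHost}:${OnPort}/$Dn", $Cred.UserName, $Cred.GetNetworkCredential().Password, $auth
}

function Find-Ldap([string]$Dn, [string]$Filter, [string[]]$Props, [int]$OnPort = $Port) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher (New-LdapEntry $Dn $OnPort)
    $searcher.Filter   = $Filter
    $searcher.PageSize = 500                 # page through large containers
    $searcher.PropertiesToLoad.AddRange($Props)
    $searcher.FindAll()                      # throws if the bind or the search is refused
}

try {
    # 1. User objects under the search base (needs List Contents and Read All Properties)
    $users = @(Find-Ldap $SearchBase '(&(objectCategory=person)(objectClass=user))' 'distinguishedName')
    if ($users.Count -eq 0) {
        Write-Warning "Bind succeeded but no user objects are visible under $SearchBase"
    }
    # Count accounts per domain; through port 3268 more than one domain can appear
    $users | ForEach-Object { $_.Properties['distinguishedname'][0] -replace '^.*?,(?=DC=)', '' } |
        Group-Object | Select-Object Count, Name

    # 2. crossRef objects that represent domains in the Partitions container (read on port 389)
    $rootDse  = New-LdapEntry 'RootDSE' 389
    $configNc = [string]$rootDse.configurationNamingContext
    Find-Ldap "CN=Partitions,$configNc" '(&(objectClass=crossRef)(nETBIOSName=*))' 'nCName','dnsRoot' 389 |
        ForEach-Object { '{0}  {1}' -f $_.Properties['ncname'][0], $_.Properties['dnsroot'][0] }
} catch {
    Write-Warning "LDAP check failed: $($_.Exception.Message)"
}
```

Run it once with the values intended for a single domain and, if user accounts span several domains, again with the global catalog host and port 3268. The script only reads from the directory and changes no permissions.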