The BlackBerry® Administration Service requires access to the LDAP server so that it can read user information in Microsoft® Active Directory® when it authenticates BlackBerry® Web Desktop Manager users. To access the LDAP server, the BlackBerry Administration Service requires the URL of the LDAP server, the search base that identifies where the user accounts are stored, and the administrator's LDAP credentials.
During the installation process and upgrade process, the setup application populates the LDAP information automatically. You must verify this information to ensure that it reflects the requirements of the BlackBerry Administration Service.
Configure permissions for the administrator account on the LDAP server that the BlackBerry Administration Service uses
- In Microsoft Active Directory, in the search-base container and all subcontainers in which user accounts are located, add the following permissions to the administrator account:
- Configure the administrator account so that the account has the correct permission to read the attributes of the crossRef objects that represent domains in the Partitions container of the Microsoft Active Directory configuration partition.
- Verify that you have a domain-administrator account.
- Download and install the Windows® support tools. For more information about installing the support tools, visit www.microsoft.com to read articles 892777 and 301423.
- On the Start menu, click Run.
- Type ldp.
- Click OK.
- On the Connection menu, click Connect.
- Connect to the domain controller.
- On the Connection menu, click Bind.
- In the Bind dialog box, click OK.
- To set the LDAP search base to the BaseDN and permit the BlackBerry Administration Service to search the entire directory tree for user accounts, perform the following actions:
- To permit the BlackBerry Administration Service to access only the part of the directory tree that includes current and prospective BlackBerry device users in your organization, specify a specific area in the directory tree as the LDAP search base (for example, OU=Users,DC=yourDepartment,DC=yourOrganization,DC=net).
- To locate the administrator account information, in the Microsoft® Active Directory® Users and Computers console, find the user name for the administrator account. If you use Windows Server® 2003, verify that the administrator account has a password.
- Transfer the text file to the computer that you want to install the BlackBerry Administration Service on.
Configure the BlackBerry Administration Service to authenticate user accounts from multiple Microsoft Active Directory domains
During the installation process, the setup application prompts you to specify the LDAP server URL, search base, and the credentials for an LDAP administrator so that the BlackBerry® Administration Service can access the LDAP server and authenticate user accounts.
If the user accounts in your organization's environment are stored in more than one domain in a Microsoft® Active Directory® forest, you must configure the LDAP settings that the BlackBerry Administration Service uses so that the BlackBerry Administration Service can search the global catalog.
- During the installation process, specify the DNS host name of a global catalog server as the LDAP server name that is included in the LDAP server URL.
- Specify 3268 as the LDAP port number.
- For the LDAP user name and password, specify the credentials of an administrator account that has permission to read user attributes from the global catalog.
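The global catalog settings above and the search-base choice described earlier can be checked offline against a list of account DNs before you run the setup application. The following Python sketch is an added example, not part of the BlackBerry documentation; the host names, DNs and function names are constructed, and port 3269 (global catalog over LDAPS) is standard Active Directory behavior that this page does not mention.

```python
from urllib.parse import urlparse

GC_PORTS = {"ldap": 3268, "ldaps": 3269}      # 3268 is the port named on this page
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}   # used when the URL carries no port

# Constructed sample accounts in two domains of one forest.
SAMPLE_USERS = [
    "CN=Ann Lee,OU=Users,DC=corp,DC=example,DC=net",
    "CN=Smith\\, Bob,OU=Users,DC=emea,DC=corp,DC=example,DC=net",
]

def split_dn(dn):
    """Split a DN into lowercase RDNs, keeping backslash-escaped commas intact."""
    parts, cur, esc = [], "", False
    for ch in dn:
        if esc or ch != ",":
            cur += ch
            esc = (ch == "\\") and not esc
        else:
            parts.append(cur.strip().lower())
            cur = ""
    parts.append(cur.strip().lower())
    return parts

def domain_of(dn):
    """Return the DNS-style domain name built from the DN's DC= components."""
    return ".".join(p[3:] for p in split_dn(dn) if p.startswith("dc="))

def in_scope(user_dn, search_base):
    """True if search_base is the user's DN or one of its ancestors."""
    u, b = split_dn(user_dn), split_dn(search_base)
    return len(b) <= len(u) and u[len(u) - len(b):] == b

def check_settings(ldap_url, search_base, user_dns):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    url = urlparse(ldap_url)
    scheme = url.scheme.lower()
    if scheme not in GC_PORTS:
        return [f"unsupported scheme: {url.scheme!r}"]
    port = url.port or DEFAULT_PORTS[scheme]
    domains = {domain_of(dn) for dn in user_dns}
    if len(domains) > 1 and port != GC_PORTS[scheme]:
        findings.append(f"accounts span {len(domains)} domains but port is "
                        f"{port}; the global catalog listens on {GC_PORTS[scheme]}")
    for dn in user_dns:
        if not in_scope(dn, search_base):
            findings.append(f"outside search base: {dn}")
    return findings
```

A narrow search base such as an OU in one domain is reported as excluding accounts in the other domain, which is the trade-off between the two search-base options described above.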