Integrating Google Apps and Open Directory v10.5
Randy Saeks


Table of Contents

Introduction
Requirements
LDAP User Import
Web-based Single Sign-On
    Installing simpleSAMLphp
    Configuring simpleSAMLphp for Open Directory
    Configuring simpleSAMLphp for Google Apps for Education
    Configuring Google Apps for Education to use SSO
Additional Resources
    Google Apps Provisioning Toolkit Worksheet


Introduction

Google Applications for Education is one way schools and universities can provide an online collaborative setting for users. Modules for documents, email and calendaring are major draws to this environment. However, when adding 3rd party solutions to an existing infrastructure, issues surrounding seamless user provisioning and consolidated passwords emerge as potential hurdles to deployment, usage, and ultimately, adoption. From the IT standpoint one obstacle is user account management and maintenance. Viewed from the end-user perspective individuals are faced with a login and password for another system.

To resolve these two issues, Google provides an API and vendors have created solutions to leverage open technologies. One tool creates and manages user accounts in Google Apps from Open Directory. The second provides a web-based SAML Single Sign On solution.

A current limitation exists for users who will be using an email application, such as Mail.app. Since Mail.app does not use SAML authentication, the password for email applications will be the password created on initial account creation in Google Apps. To work around this drawback, have users change their Google Apps password to match their Open Directory password. Ensure this is done prior to enabling SSO or any password changes will be directed back to Open Directory and not Google Apps.


Requirements

Below are the requirements needed for the setup covered in this guide:

• Google Applications for Education Domain Registration
• Mac OS X Server v.10.5 running Open Directory
• VMware Virtual Machine Playback support
• SADA Systems Google Apps Provisioning Toolkit Virtual Machine (http://hosting.sadasystems.com/sadasystems/google_provisioning)
• SimpleSAMLphp (http://rnd.feide.no/simplesamlphp)

This guide is based on the most-recent release of Mac OS X Server as of publication, version 10.5.6.


LDAP User Import

The LDAP User import process is accomplished via SADA Systems Virtual Machine (VM) available at the provided URL. This VM allows a preconfigured system to be downloaded onto a computer and utilized with minimal modifications, mainly user-specific. This tool creates, modifies, deletes, or suspends accounts and its continuous running is not needed. That does mean, however, that the tool will need to be re-run when newly created network accounts need to be added to Google Apps.

A table is provided with values in the configuration file that will/may need to be specified based on your environment. Additionally, a blank worksheet is included at the end of this document to allow you to keep track of your values.

| Attribute | Value | Details |
|---|---|---|
| $domain='DOMAIN' | Your Google Apps domain | Set DOMAIN to the domain name of your Google Apps domain. |
| $admin='USER' | Login name | Set USER to a login name for a user with admin access to your Google Apps Domain. |
| $password='PASS' | Password | Set PASS to the password for a user with admin access to your Google Apps Domain. |
| $allow_account_deletion='yes,no' | yes, no | Setting this value to no will suspend accounts not found in the import. Setting to yes will delete accounts. |
| DEFINE('DB_TYPE','TYPE') | ldap | Setting TYPE to ldap will configure the toolkit to utilize LDAP connectivity. |
| DEFINE('LDAP_SERVER','IP') | Address of an Open Directory Server | Set IP to a valid IP or DNS name of an Open Directory server to retrieve users. |
| DEFINE('LDAP_PORT','PORT') | Port of LDAP Server | Set PORT to the port LDAP is listening on. If a secure LDAP connection, set this to 636 and change IP in the above field to 'ldaps://IP/' |
| DEFINE('LDAP_BIND_RDN','DN') | Fully qualified name of a user to bind to your LDAP server | Set DN to the fully qualified name of a user to bind to LDAP. Ex: uid=someuser,cn=users,dc=your,dc=domain |
| DEFINE('LDAP_BIND_PASSWORD','LP') | Password for user specified above | Set LP to the password of the LDAP user you are using above. |
| DEFINE('LDAP_BASE_DN','BASE') | Directory location of users in LDAP | Set BASE to the LDAP base location of users. Ex: cn=users,dc=your,dc=domain |
| DEFINE('LDAP_FILTER','FILTER') | A filter to restrict objects returned | Set FILTER to a valid LDAP filter criteria. To test setup, you may wish to restrict importing to specific users. You can limit these via using (&(objectclass=person)(uidNumber=XX)) with XX corresponding to the uid of a SPECIFIC user. |
| DEFINE('LDAP_USERNAME','NAME') | LDAP attribute corresponding to what will be the users Google Apps login. | Set NAME to the LDAP attribute the user will use to login as to Google Apps. Typically, this will be uid. If you use another value, enter that value into NAME. |
| DEFINE('LDAP_DEFAULT_PASSWORD','P') | Default LDAP password. | Set P to the default password given to all accounts. Since we will later add in steps to connect usernames and Open Directory passwords, this step is not important, but necessary. However, to protect accounts while setting up, use something secure. |

Once you have downloaded and expanded the VM, open it in VMware.

1. Change into the directory containing the configuration files to be edited. The command to change into this directory and edit the configuration file is displayed below. Feel free to use your favorite text editing application.

2. Enter in your site-specific values as outlined in the table above.

3. Restart apache.

4. Obtain the IP address of the machine.


5. Enable provisioning API Access in your Google Apps Domain. To do so, go to your Domain Administration Settings then to Users and Groups, and finally to settings. Enable the checkbox for the provisioning API, and click Save Changes.

6. Connect to the machine via the IP address obtained in step 4. The URL will be in the format:

    http://IPADDRESS/GoogleAppsToolKit/admin/

7. If the configuration is correct, you will see a screen similar to the one below:

8. Note in the above screenshot the information provided. This summarizes the location in LDAP being searched (Base DN) and the applied filter. Also, the information to be added will be displayed. In the above case, a specific user was selected based on their uidNumber being equal to 1091.


9. Step two of the process is to select an action to perform with the user import. At this point, clicking next will preview and create your batch job but not actually run it. A summary of the actions is provided below. Select the option best suited for your specific operation.

| Action | Summary |
|---|---|
| Create user accounts only | This will add listed users to Google Apps. Any existing accounts will be retained and left untouched. |
| Create user accounts and update existing accounts | This will add new accounts to Google Apps. Existing accounts will be updated with displayed information. |
| Update accounts only | Updating the accounts will only change or reset settings on existing accounts. No new accounts will be created. |
| Synchronize - create user accounts, update existing accounts and delete/suspend accounts that are not present in the file | Synchronize will create new accounts based on displayed information and update any existing accounts and delete or suspend accounts not listed in the import file. |
| Delete/suspend user accounts only | If $allow_account_deletion='yes,no' is set to yes, this will delete accounts from your Google Apps user list that are not listed in the import file. If set to no, the account will be suspended and existing login information retained. |

10. After selecting the action to be performed and clicking next, the Provisioning toolkit will scan Open Directory and generate a preview of the actions to be performed. This is the location where you can preview changes before they are applied. A sample summary screen is provided. This screen displays a summary of accounts to be created, deleted, or modified, as well as the user data corresponding to the account. Note the password being used is set by the directive DEFINE('LDAP_DEFAULT_PASSWORD','P') from the previous configuration, with P set to changeme.


11. Once you have completed your batch operations, you can power down the VM and disable provisioning API access in Google Apps.

At this point your Google Apps domain will have user accounts from Open Directory. To verify a new account was successfully created, log in to your Google Apps domain with the newly created user. Remember, at this point the password for the user is set to the default provided in the configuration. The next step will be to install and configure a Web-based SAML Identity Provider. This will link Google Apps user account to your Open Directory system and allow for Open Directory passwords to be used on Google Apps.
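
Added example (not the toolkit's code): a model of the step 9 actions and the step 10 preview as a set comparison, showing that a test filter left in place with Synchronize and $allow_account_deletion='yes' marks every other domain account for deletion. The function names, action labels, the 10% removal threshold and the sample accounts are assumptions made for illustration.

```python
# Labels for the five actions in the table above (hypothetical names).
CREATE_ONLY, CREATE_UPDATE, UPDATE_ONLY, SYNCHRONIZE, REMOVE_ONLY = (
    "create", "create+update", "update", "synchronize", "delete/suspend")

# Constructed sample data: the directory result narrowed by the test filter
# (&(objectclass=person)(uidNumber=1091)), and a domain holding three accounts.
FILTERED_DIRECTORY = {"jdoe": "Jane Doe"}
APPS_DOMAIN = {"jdoe": "Jane Doe", "asmith": "Al Smith", "admin": "Domain Admin"}


def plan_batch(directory, apps, action, allow_account_deletion="no"):
    """Preview a batch without running it.

    directory: {login: display name} returned by LDAP_FILTER under LDAP_BASE_DN.
    apps:      {login: display name} currently present in the Google Apps domain.
    Returns {'create': [...], 'update': [...], 'suspend': [...], 'delete': [...]}.
    """
    plan = {"create": [], "update": [], "suspend": [], "delete": []}
    if action in (CREATE_ONLY, CREATE_UPDATE, SYNCHRONIZE):
        plan["create"] = sorted(set(directory) - set(apps))
    if action in (CREATE_UPDATE, UPDATE_ONLY, SYNCHRONIZE):
        plan["update"] = sorted(set(directory) & set(apps))
    if action in (SYNCHRONIZE, REMOVE_ONLY):
        # Accounts absent from the import: 'no' suspends, 'yes' deletes.
        bucket = "delete" if allow_account_deletion == "yes" else "suspend"
        plan[bucket] = sorted(set(apps) - set(directory))
    return plan


def removal_is_plausible(plan, apps, max_fraction=0.10):
    """Guard to apply before running a batch: False when the plan would remove
    more than max_fraction of the domain, the signature of a leftover filter."""
    removed = len(plan["suspend"]) + len(plan["delete"])
    return removed <= max_fraction * max(len(apps), 1)


if __name__ == "__main__":
    preview = plan_batch(FILTERED_DIRECTORY, APPS_DOMAIN, SYNCHRONIZE, "yes")
    print(preview, removal_is_plausible(preview, APPS_DOMAIN))
```
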


Web-based Single-Sign On

Google Apps allows for a Single-Sign On (SSO) system to be leveraged, simplifying user authentication to the Google services. Web-based SSO through SAML allows for a 3rd party Service Provider (Google Apps) to talk to an in-house Identity Provider (in this case simpleSAMLphp) which will provide authentication services. simpleSAMLphp in turn is configured to authenticate users to a specific LDAP directory. For the scope of this paper, the focus is on Open Directory. Below, the process is illustrated.

[Figure: SSO flow between Google Apps, the web browser, and simpleSAMLphp. Labels: User requests a Google App page; Google Apps, configured for SSO, needs to authenticate user via SAML; User redirected to SAML application; Present user login screen; Login verified against SAML, which is configured to point to Open Dir; SAML request verified; Google Apps resource presented.]


Installing simplesamlphp

Once you have downloaded simpleSAMLphp, extract it to your desktop.

1. Rename the folder to "simplesaml"

2. Open a terminal window and change to the root user. Once you have done this, create a simplesamlphp folder in /var.

    cd /var
    mkdir simplesamlphp

3. Copy the contents of the simplesamlphp folder on your desktop to /var/simplesamlphp.

    cp -R /Users/USER/Desktop/simplesamlphp/* /var/simplesamlphp/

4. Copy the included sample configuration and meta-data templates into the production folder.

    cd /var/simplesamlphp
    cp -r config-templates/*.php config/
    cp -r metadata-templates/*.php metadata/

5. Create a web Alias to /var/simplesamlphp/www. This can be done in Server Admin. To do so, open Server Admin and select the web service, then sites. To create the alias, click the plus sign under "URL Aliases and Redirects" and enter in the path above. You should consider allowing only https traffic to this machine, as it will be working with users and passwords.


6. Enable the included php module. This can be accomplished in the web service settings of Server Admin, under modules. Place a checkbox in php5_module then save your settings and restart the web service.

7. Edit the provided config.php file and specify an administrative password. Open /var/simplesamlphp/config/config.php and change auth.adminpassword to something you would like to use.

8. Edit the config.php file and specify a value for secretsalt. This can be any random string and will be used to generate secure hashes. You can enter in a random string of letters and numbers.

9. Specify contact information in the fields technicalcontact_name and technicalcontact_email.

10. Disable using simplesamlphp as a service provider and enable using it as an identity provider. To make these changes, change the value of enable.saml20-sp to false and saml20-idp to true.

11. Save the changes to your file.

12. Enable LDAP support for simpleSAMLphp by running the following commands:

    cd /var/simplesamlphp/modules/ldap
    touch enable

At this point, you may test your install by navigating to http(s)://your.server.com/simplesaml. If the system is properly set up, you will see a screen for the web application. Additionally, the only item that should have a green check next to it is SAML 2.0 IdP. If you are able to view your page, you can now move on to configuring LDAP.


Configuring simpleSAMLphp for Open Directory

1. Open the ldap.conf file located in /var/simplesamlphp/config.

2. Edit the value of auth.ldap.dnpattern to specify the location in Open Directory to search for users. If you don't know this value, you can find it by using Server Admin and viewing the status of Open Directory. It will be located in the Overview tab. This value should be in the format uid=%username%,cn=users,dc=your,dc=domain. The portion underlined is what is shown in the Overview Tab of Open Directory as the LDAP Search Base.

3. Change the value of auth.ldap.hostname to match the hostname of your Open Directory Server.

4. In the event you require binding, change auth.ldap.search.username and auth.ldap.search.password to a valid user having access rights to perform an LDAP search.

5. Save the file.


Configuring simplesamlphp for Google Apps for Education

This process will configure Google Apps for Education to use a 3rd Party Identity Provider; in this case, simplesamlphp.

1. Generate SSL certificates for Google Apps in terminal to use with simplesaml. Note: the commands are entered with a space between to reduce confusion. The final command is wrapped around lines and the "\" is not needed to be input to the command line.

    cd /var/simplesamlphp/cert/

    openssl genrsa -des3 -out googleappsidp.key 1024

    openssl rsa -in googleappsidp.key -out googleappsidp.pem

    openssl req -new -key googleappsidp.key -out googleappsidp.csr

    openssl x509 -req -days 1095 -in googleappsidp.csr -signkey \
        googleappsidp.key -out googleappsidp.crt

2. Edit the hosted metadata identity provider file to permit your server to honor Google App authentication requests. Open /var/simplesamlphp/metadata/saml20-idp-hosted.php and change:

    o __DYNAMIC:1__ to the hostname of your machine
    o host to the hostname of your machine
    o privatekey to googleappsidp.pem
    o certificate to googleappsidp.crt

3. Add a comma to the end of the line starting with 'auth' located near the bottom of the file (shown in the next page).

4. Add a line after the 'auth' line to read:

    'authority' => 'login'


5. Save your changes.

6. Edit the remote server provider metadata file to allow your server to respond to Google App authentication requests. Open /var/simplesamlphp/metadata/saml20-sp-remote.php. Near the bottom of the file, you will see an array for google.com. Under the field AssertionConsumerService change the default value of g.feide.no to your hosted domain.
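
Added example (not simpleSAMLphp's code): the AssertionConsumerService value edited in step 6 is the only address the identity provider should deliver an assertion to, so this check decodes an incoming HTTP-Redirect AuthnRequest and compares its ACS URL with the registered one. The example.edu domain, the function names and the sample request are constructed assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: SP metadata keyed by entity ID, shaped like the google.com
# array in saml20-sp-remote.php ("example.edu" stands in for the hosted domain).
SP_METADATA = {
    "google.com": {
        "AssertionConsumerService": "https://www.google.com/a/example.edu/acs",
    },
}


def encode_redirect(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect(saml_request, max_bytes=65536):
    """Inverse of encode_redirect, with a size cap and no DTDs accepted."""
    inflater = zlib.decompressobj(-15)
    raw = inflater.decompress(base64.b64decode(saml_request), max_bytes)
    if inflater.unconsumed_tail:
        raise ValueError("AuthnRequest larger than max_bytes")
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD not allowed in a SAML message")
    return ET.fromstring(raw)


def acs_is_registered(saml_request, sp_metadata):
    """True only when the issuer is a known SP and the requested ACS URL is the
    https AssertionConsumerService registered for it in metadata."""
    root = decode_redirect(saml_request)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        return False
    issuer = (root.findtext("{%s}Issuer" % SAML) or "").strip()
    acs = root.get("AssertionConsumerServiceURL", "")
    entry = sp_metadata.get(issuer)
    if entry is None or urlparse(acs).scheme != "https":
        return False
    return acs == entry["AssertionConsumerService"]


def sample_request(acs_url):
    """Constructed AuthnRequest of the kind an SP sends to SSOService.php."""
    return encode_redirect(
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_c1" '
        'Version="2.0" IssueInstant="2009-01-01T00:00:00Z" '
        'AssertionConsumerServiceURL="%s"><saml:Issuer>google.com</saml:Issuer>'
        '</samlp:AuthnRequest>' % (SAMLP, SAML, acs_url))
```
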


Configuring Google Apps for Education to use SSO

Now that everything is configured, the final process is to enable Google Apps for Education to utilize your web-based Single-Sign On Solution.

1. Log in to your Google Apps Domain, and select advanced tools. From there, select "Single Sign on"

2. Place a checkmark in the box "Enable Single Sign On".

3. Enter in the URL of your sign-in page. It should be in the format:

    https://host.your.domain/simplesaml/saml2/idp/SSOService.php

4. Enter in the URL of your sign-out page. It should be in the format:

    https://host.your.domain/simplesaml/saml2/idp/initSLO.php?RelayState=/simplesaml/logout.php

5. Enter in the URL of your password change URL. If you do not have one, you can enter in a fake URL.

6. Under "Verification Certificate", select the googleappsidp.crt certificate created earlier. It will be located in /var/simplesamlphp/cert/. To copy the file to a folder viewable to the web browser, choose "Go" from the Finder menu and then "To Folder". Enter in the above path and copy the .crt file to your desktop. Select the file and click Upload.

7. Click Save Changes.

IMPORTANT: To test your SSO implementation, there are two ways to accomplish this:

1. Enable Google Apps Single-Sign on from a test block of IPs by specifying a range in the field "Network Mask".

-or-

2. Use a different test machine to log in to your Google Apps Domain and stay logged in with your current session.

If you do not perform one of these two actions, you run the risk of being unable to log in to your Google Apps domain and will need to contact Google support to turn off Single Sign On. This can occur due to the LDAP server not being reachable or an incorrect configuration of LDAP attribute mappings.


Additional Resources

Google Apps Provisioning Toolkit Worksheet

| string | value | Your Value |
|---|---|---|
| $domain='DOMAIN' | Your Google Apps domain | |
| $admin='USER' | Login name | |
| $password='PASS' | Password | |
| $allow_account_deletion='yes,no' | yes, no | |
| DEFINE('DB_TYPE','TYPE') | ldap | |
| DEFINE('LDAP_SERVER','IP') | Address of an Open Directory Server | |
| DEFINE('LDAP_PORT','PORT') | Port of LDAP Server | |
| DEFINE('LDAP_BIND_RDN','DN') | Fully qualified name of a user to bind to your LDAP server. | |
| DEFINE('LDAP_BIND_PASSWORD','LP') | Password for user specified above | |
| DEFINE('LDAP_BASE_DN','BASE') | Directory location of users in LDAP | |
| DEFINE('LDAP_FILTER','FILTER') | A filter to restrict objects returned. | |
| DEFINE('LDAP_USERNAME','NAME') | LDAP attribute corresponding to what will be the users Google Apps login. | |
| DEFINE('LDAP_DEFAULT_PASSWORD','P') | Default LDAP password. | |