the back room tech » edirectory

Assigning Netware rights via the command line

Julie — Wed, 10 Jun 2009 12:37:10 +0000

Here at the office we have a group in charge of assigning and maintain user and group rights and permissions to our various systems. It’s nice not having to worry about that aspect of server administration.

But I have an urgent need to have some eDirectoy group rights assigned to a specific directory on every Netware server in our Enterprise. The group that controls user access is saying that they can’t meet my timeframe for getting these rights assigned, so I had to come up with my own solution.

My solution was to use Wolfgang Schreiber’s lrights.exe utility to script assigning the rights command line style. The syntax is:

LRights /name=

For example, to assign read and file scan rights to the .mygroup.OU.O user:

lrights \\server\volume\directory R F /Name=.mygroup.OU.O

This utility was written to support long path/file names, unlike Novell’s rights.exe utility.

Howto: Authenticate to eDirectory via the Novell Client, command line style

Julie — Mon, 23 Feb 2009 18:52:18 +0000

I have a backup script that runs on a Windows 2003 server that requires Novell client authentication. Here’s how to authenticate to eDirectory via the command line, which means it’s scriptable! The syntax is:

c:\windows\system32\LOGINW32.EXE .user.ou.o /PWD password /CONT

Alternatively, you could map a drive to an eDirectory server (Netware, SLES Linux or Windows), which would force background authentication. Here’s that syntax:

net use x: \\server\vol /user:.user.ou.o password

Creating eDirectory SSL certificates with alternate names to use across round robin DNS load balanced web servers

Julie — Tue, 14 Oct 2008 15:23:16 +0000

We have three internal Apache web servers that we use for Groupwise webaccess 7.0.3. Each server will be accessed acrossed our intranet via round robin DNS at https://webaccess/gw/webacc for email. When users currently access this URL they are getting Internet Explorer Security Alerts, stating:

The name on the security cerrtificate is invalid or does not match the name of the site. Do you want to proceed?

In order to fix this issue, I need to install SSL certificates on each individual server and configure Apache to use the new certificates. I also needed to configure my web browser to trust the issuing Certificate Authority.

I chose to use our existing Novell Organizational CA to issue the certificates rather than purchase one from Verisign or other Trusted Root Certification Authority since these sites would only be accessed across the corporate intranet.

We had one additional requirement – each server still needed to be accessed via https at https://servername for Novell Remote Manager and iManager. This meant the three servers had to have valid SSL certificates for multiple host names, i.e. both their actual name and the webaccess name.

The Environment

Three Netware 6.5.5 server running Apache 2.0.54 for Netware. Servers are named web1, web2, and web3
ConsoleOne 1.3.6f
Novell Certificate Server Snapin version 2.21 Build 28
Internet Explorer 6 web browser

Creating the server SSL certificates

1. Launch ConsoleOne

2. Browse to the OU that holds the servers you wish to create certificates for.

3. Right click on the server OU

4. Select New – Object – NDSPKI:Key Material – OK

5. Select the server name you want to create the certificate for, and give the certificate a meaningful name. I named mine intwebaccessweb1

6. Under Creation Method, select Custom – Next

7. Select Organizational Certificate Authority will sign this certificate – Next

8. Accept the defaults of 2048 bit key size, SSL or TLS type, and allow the private key to be exported – Next

9. This is an important part – The subject name must match how you will be accessing your server over https for iManager and NRM. Click the Edit button, then click the double arrow button to the right of the subject name. This will move the .CN= portion of the name to the left side of the box.

Replace everything from .CN= to .OU= (or .O=) with the name you will be accessing your server with.

Since I will be accessing my server at https://web1, I used .CN=web1.O=myOrg.

If you will be accessing your server for iManager, NRM, or other non-shared services at https://www.yourdomain.com you would enter .CN=www.yourdomain.com.O=yourOrg

10. Press OK to accept the subject name.

11. Change the validity period to what ever duration you would like your certificate to be valid for. I selected maximum, which will make it good until the certificate for my Organizational CA expires.

12. Press the Add Name button – here is where we specify our secondary name we want the SSL certificate to be valid for.

13. Highlight the existing Directory name and press Delete.

14. Click Create – DNS Name

15. Specify the host name you will be sharing amongst your web servers. This is sometimes referred to as a DNS Subject Alternate Name

I specified webaccess – OK – OK – Next. Again, if you will be accessing your shared web server at https://www.yourdomain.com, specify www.yourdomain.com as the DNS name.

16. Select to associate this server certificate with Your organization’s certificate – Next – Finish

I then repeated these steps for my other two web servers, replacing in steps 5 and 9 ‘web1′ with ‘web2′ and ‘web3′, which are the real host names of my other web servers. Step 15 remains the same, since this is the common name I want all three web servers to respond to.

Configuring Apache to use the new SSL certificates

1. On the first web server edit the sys:\Apache2\conf\httpd.conf file.

2. Replace the line reading

SecureListen 443 “SSL CertificateDNS”

with

SecureListen 443 “intwebaccessweb1″

where intwebaccessweb1 is the name of the web server you created in the section above. Note that the certificate object will be displayed in ConsoleOne as ‘intwebaccessweb1 – web1′. Do not include the hyphen and server name, i.e. ‘ – web1‘ in the SecureListen statement.

3. Save the httpd.conf file

4. On the web server console, run ap2webdn to unload Apache

5. On the web server console run tc4stop to stop Tomcat

6. On the web server console, run tckeygen to update the keystore data. Switch to the logger screen to verify the process completes before proceeding to the next step.

7. On the web server console, run tomcat4 to load Tomcat. Switch to the logger screen to verify the process completes before proceeding to the next step.

8. On the web server console, run ap2webup to load Apache.

9. Browse to the shared name of your web server, https://webaccess/gw/webacc in my case. Note that you will still receive the Security Alert pop-up until you install the Organizational CA certificate into your Trusted Root Certification Authorities store, which I’ll document tomorrow.

10. On the Security Alert pop-up, you should see the message stating The security certificate has a valid name matching the name of the page you are trying to view.

This means your SSL certificate is valid for the host name shared by the web servers.

11. Browse to https://web1, which is the host name of one of your web servers defined in step 9 of Creating the server SSL certificates.

Again, you’ll still receive the Security Alert until you install the Organizational CA certificate into your Trusted Root Certification Authorities store, but you should see The security certificate has a valid name matching the name of the page you are trying to view. This means your SSL certificate is valid for the host name for this specific web server.

Here are the instructions for installing the Organizational CA certificate into your browser’s Trusted Root Certification Authorities store, which is the final thing we’ll need to do to rid ourselves of the Internet Explorer’s Security Alerts.

“Error -618 – The Server has detected an inconsistent database” when trying to view an eDirectory object’s properties in ConsoleOne

Julie — Fri, 10 Oct 2008 13:10:44 +0000

When trying to view a Groupwise Distribution List in ConsoleOne, I received the following error:

-618 The Server has detected an inconsistent database. Usually this means that the number of entries in a container does not match the number stored in the container’s entry

This message indicates an eDirectory problem. To repair this object, I did the following:

1) Launched a web browser and logged into iMonitor on the master replica server at:

https://nds-nw1:8009/nds/

2) Browsed to and selected the problematic .allstaff.groupwise.corp Distribution List object

3) Clicked the monkey wrench icon to perform a single object repair

4) Selected repair single object –> Start repair

After performing these steps the -618 error persisted, so I logged into iMonitor on the eDirectory R/W replica at:

https://ndsrw-nw1:8009/nds/

I performed steps 2-4 on the R/W replica and I was then able to view the Distribution List membership and verified C316 was listed as a member. The -618 error was gone.

Howto: Find eDirectory SSL certificates and determine when they expire

Julie — Tue, 30 Sep 2008 19:04:27 +0000

I’ve recently experienced some challenges releated to expired eDirectory SSL certificated on my Netware and OES servers. I came across TIDs 10098567 and 3814248, which describe methods of querying eDirectory via LDAP to find expired or soon to be expired certificates.

I was going to give these methods a try until I realized they required adding attributes to eDirectory by extending the schema. I’m not wanting to rock the boat right now, so doing anything that could potentially have a negative impact on network availability is something I want to avoid.

Here’s the manual way I searched for eDirectory certificates. I verified their expiration dates manually, which is a boring and repetative (but safe) procedure.

Launch ConsoleOne
Highlight the NDS tree to search
From the Edit menu select Find
Check the Search Subcontainers check box
Set Find Type: Advanced
Select [Object Type] = NDSPKI:Key Material
Press Find
Right click on a certificate object and select Properties
On the Certificates tab, Select Public Key Certificate. Note the expiration date.

Also see TID 7000075, which states OES SSL certificates expire two years after installation by default.

novell-scrub.sh – use when you really, really, really want to get rid of eDirectory

Julie — Tue, 09 Sep 2008 16:21:25 +0000

Earlier I detailed a method for re-installing eDirectory from a difficult SLES 10 SP2 server. Sometimes even this method doesn’t work, and you have to resort to using novell-scrub.sh to totally remove eDirectory from the server before it can be reinstalled.

WARNING: THIS SCRIPT WILL REMOVE EDIRECTORY AND ALL IT’S COMPONENTS (CONSOLEONE, GROUPWISE, ETC) SO USE WITH EXTREME CAUTION. YOU NEED TO UNDERSTAND THE RAMIFICATIONS OF USING THIS SCRIPT IN FULL.

The script will remove all packages and configuration for Novell products. It does NOT deconfigure anything. In the case of eDirectory, you will want to remove the NCP Server object from the tree, once eDirectory has been removed from the UNIX system

TID 2969195 explains how to install and use novell-scrub.sh:

Installation Procedure:

1) Download the tarred compressed file to your UNIX system.

2) Extract the file using the following command:

gzip -dc ./scrub_1_2_12.tgz | tar xvf -

3) Change to the ./scrub_1_2_12 directory where the ./novell-scrub.sh script was extracted.

4) Type ./novell-scrub.sh [options] as the root user.

The script can take the following options:

-s –show
Show which hardcoded Novell packages are installed and not installed on the system.

-d –dyn-show
This is the same as –show but Novell packages are found dynamically.

-i –dibsonly
Removes only DIB files and does not remove packages.

-n –noansi
Disable the use of ANSI colours.

–IAgreeToTheTermsAndConditions
Accepts the agreement and does not prompt for “I Agree”.

-h –help
Displays this command line help.

Error reinstalling eDirectory on SLES 10: Installing NDSserv… Unable to install

Julie — Thu, 04 Sep 2008 09:48:22 +0000

Error received when I was reinstalling eDirectory on SLES 10:

Installing NDSserv… Unable to install NDSserv-8-7-3-37.i386.rpm, exiting

To fix this error:

1) Rename the /usr/lib/nds-modules directory /usr/lib/nds-modules.old:

mv /usr/lib/nds-modules /usr/lib/nds-modules.bad

2) re-run ./nds-install

3) copy original /usr/lib/nds-modules.old files back to /usr/lib/nds-modules after installation

completes:

cp /usr/lib/nds-modules.bad/* /usr/lib/nds-modules/

Free Dell Server and Storage Stencils, including EMC

Julie — Thu, 14 Aug 2008 15:55:29 +0000

I’m working on a Visio drawing of our proposed Groupwise upgrade environment, and needed some better stencils to represents servers and SAN storage than the ones that come with Visio 2003.

I found some very nice stencils at visiocafe.com for Dell servers and storage and EMC storage, including Dell branded EMC storage and EqualLogic.

I can use these along with my eDirectory, clustering and Groupwise stencils to detail everything the administrators will need to know to build my design.

Howto: Export Novell Netware users using LDAP

Julie — Wed, 16 Jul 2008 11:05:54 +0000

Right before leaving my previous job I was helping a school migrate from Novell Netware 6.5 to Microsoft Windows Server 2008. They had many users they wanted to export from eDirectory and import into Active Directory.

To perform this task, I used the ldifde utility. The single command I used to dump the users follows below. Because of line wrapping, it may appear as multiple lines.

ldifde -f export.ldif -s 10.1.1.53 -r “(|(objectClass=organizationalUnit)(objectClass=inetOrgPerson))” -p Subtree -l “o,ou,objectClass,member,cn,dn,description,uid,givenName,sn,fullName” -a “” *

Details on what this command is doing:

-f export.ldif is the file I want the users dumped into

-s 10.1.1.53 is the LDAP server to export the users from

-r specifies the LDAP search filter

-p is the search scope, the entire subtree in my case

-l lists the attributes to search for

-a Sets the command to run using the supplied user distinguished name and password

See KB 237677 for details on how to use ldifde.

Thanks to Brad for writing his post that helped me construct my LDAP query.

802.1x Network Authentication – FreeRADIUS with the Novell Client Resources

Julie — Tue, 08 Apr 2008 09:55:33 +0000

One of my educational clients is going to be implementing a fairly significantly sized wireless network this summer. The are an all Cisco shop – all Cisco data electronics, VoIP system, firewall, etc. The wireless access points will be Cisco, probably 1252s, which are wireless-G and support the draft specifications for wireless-N.

Their dilemma is this – Should they spend the money (~$9K per box) on the Cisco Secure Access Control Server Solution, or should they try to integrate FreeRadius into their Novell Netware 6.5 network and use the Novell client with Windows XP’s built-in 802.1x supplicant. They are balking at the cost of the Cisco Secure Access Control Server Solution because they don’t have the need (or desire) to implement any of it’s advanced functionality at this time – they just want the 802.1x authentication for the wireless clients.

I’m in the information gathering phase of this project right now, determining if the FreeRadius/Novell Client is a feasible option for their environment. I’m going to collect some information, and will post what I find out here in the upcoming weeks.

Links and Technical Reference Documents

Novell TID 3003857: Integrating FreeRADIUS and eDirectory

Novell TID 3009668: Setting up FreeRADIUS and eDirectory for 802.1X Authentication

Novell TID 3557425: Integrating FreeRADIUS authentication and eDirectory

Novell TID 10100693: 802.1x Authentication and the Novell Client for Windows

Novell TID 3218399: 802.1x Authentication and the Novell Client for Windows

Novell TID 3356920: Does the Novell Client support 802.1x?

Novell TID 3038019: Errors when logging in with 802.1x protocol

Novell TID 3777876: Registry settings related 802.1x support in the Novell Client 4.91 SP4

Novell TID 3950357: Unable to login using Cisco 802.1x implementation

Novell TID 3714126: FreeRADIUS, NMAS, and wireless (802.1x) Networks

Novell TID 10100993: Debugging FreeRADIUS with radtest

Novell TID 5008620: Novell Client 4.91 Post-SP4 802.1x Fixes (FTF)

Configuring FreeRADIUS on Open Enterprise Server for Linux by Eric Champagne

Enabling 802.1x in Client 4.91 SP4

Integrating Novell eDirectory with FreeRADIUS Quick Start Guide

Integrating Novell eDirectory with FreeRADIUS Administration Guide

Addendum to the FreeRADIUS Administration Guide

Configuring Novell eDirectory for 802.11 Wireless Authentication – Novell BrainShare 2005. Discusses using OES or SLES, FreeRADIUS or Cisco ACS with verification against eDirectory.

EDirectory integration with FreeRADIUS wiki on developer.novell.com

NTRadPing – free RADIUS testing utility

FreeRADIUS wiki

Client Updates

Microsoft KB 885453: XP SP2 PEAP authentication is not successful when you connect to a third-party RADIUS server (hotfix)

Microsoft KB 893357: The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) update for Windows XP with Service Pack 2 is available

Microsoft KB 918997: Developers cannot create wireless client programs that manage wireless profiles and connections over the Wireless Zero Configuration service in Microsoft Windows XP Service Pack 2 (SP2)

Microsoft KB 931856: A Windows XP-based wired client computer will not obtain a valid IP address from a guest VLAN or from an “Authentication failed-VLAN”

Microsoft KB 917021: Description of the Wireless Client Update for Windows XP with Service Pack 2

Microsoft KB 923154: FIX: EAP reauthentication may not occur and the Wireless Zero Configuration service may not work correctly when you try to use a third-party application in Windows XP

Implementation Hints and Gotchas

Verified that the Universal Password setup is correct on my test user with the Universal Password utility.
An interesting discussion on 802.1x, EAP and LDAP configurations
eDirectory and FreeRadius HowTo version 0
If 802.1X authentication succeeds after the desktop is up and you are log in from the Red N but fails on the initial boot login, check to see if the Authenticate as computer when computer information is available check box on the Authentication tab of your Local Area Connection Properties dialog box is selected. This option must be selected for the initial login to succeed.
Try toggling the “Use 802.1x authentication during subsequent eDir-only logins” setting
Try changing supplicant mode to 3
Configure a DA and scope in the client properties
The Novell Client 4.91 SP4 for Windows XP/2003 includes an Extensible Authentication Protocol (EAP) plug-in to the Microsoft Windows XP supplicant, which lets users authenticate through RADIUS to wireless access points and wired switches for added network security. Using FreeRADIUS as the RADIUS server, users can authenticate to their local machines, to eDirectory, and to 802.1X with the same set of credentials for a single sign-on experience.

When 802.1X authentication is enabled, the username and password entered in the Novell Login dialog box are first passed to the EAP plug-in module. An exchange of messages (PEAP/MSCHAPv2) between the Windows supplicant, the wireless access point/wired switch, and the RADIUS server allows network access if the correct credentials were entered. After the 802.1X authentication has succeeded, both the eDirectory and local logins take place just as they have in previous versions of the Novell Clients. If the 802.1X authentication fails, no access to the network is given, and the user will not be able to access the network.

The 802.1x authentication feature supports both wired and wireless connections. Only password-based authentication is supported (the Novell Client 4.91 SP4 for Windows XP/2003 supports only PEAP with MSCHAPv2). Biometrics (non-password-based) authentication types are not supported with this release. If you want certificate support, the Microsoft EAP plug-ins are sufficient and no Novell-specific EAP support is required.

The ability to browse for trees and servers in the Novell Login dialog box is not supported because the 802.1X port blocks all network access.
If the authentication times out, check to see if the radius server is getting queried for the authentication. Also check to make sure the Validate server certificate check box on the Protected EAP Properties tab on the Local Area Connection Properties dialog box is not selected.
If you think debug or trace logs will help, start Regedit and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing and enable tracing for Noveap. This causes Windows to create a Noveap.log file in the windows\tracing directory.
Utilities installed with many NIC cards can cause odd behavior. Make sure the user has only installed the drivers for the NIC card and none of the other utilities.
If you still cannot get 802.1X to work, remove the Novell Client and try to get the Microsoft authentication working first. Pre-desktop authentication will not likely work in this case, but after the desktop is up, Microsoft uses the Windows username and password for 802.1X authentication.

For this to work, the username and password for Windows must match the username and password in eDirectory.

[updated 2008-11-17]
Check out Jeremy’s cheat sheet, a good general reference for 802.1x.