By Girish Mutt
The main objective of this AppNote is to give you an overview of how you can configure and use the eDirectory with SecureLogin in a LDAP Failover deployment. As most of the deployments of NSL are deployed like this, this AppNote will help you to understand the detailed procedure to be followed for deploying NSL with eDirectory in LDAP Failover scenario.
Table of Contents
- eDirectory Configuration for LDAP Failover with NSL
- SecureLogin Configuration for LDAP Failover
- Glossary of Terms
This AppNote covers all those aspects that allow you to configure and use eDirectory in LDAP Failover scenario with Novell SecureLogin (NSL). Novell SecureLogin is a Single Sign-On product that can be used with numerous Directory servers like Novell eDirectory, Microsoft AD and other LDAP Complaint directories. In a Customer deployment of NSL with eDirectory, it is very common to provide High Availability for eDirectory in a Failover scenario. This can be achieved by configuring eDirectory for LDAP Failover deployment. The most common of such deployments include having a Single Tree of Novell eDirectory with two servers under same tree. In this case when the master server goes down, the Failover server can be used with NSL to have High Availability. This AppNote is intended to cover all those aspects in terms of eDirectory configuration, NSL configuration for LDAP Failover.
This article covers the following:
- eDirectory Configuration for LDAP Failover with NSL.
- SecureLogin Configuration for LDAP Failover.
2. eDirectory Configuration for LDAP Failover with NSL
In a typical customer deployment, eDirectory is used with High Availability where in under a Single Tree will have multiple servers to support failover. When the primary server goes down, the secondary failover server will take up the load and provide High Availability for eDirectory service dependent applications. This feature of eDirectory can be utilized with the NSL in a simple and easy manner. For NSL to work in a Failover scenario, eDirectory should be configured with the following steps:
- Setup one eDirectory Server with a Single Tree.
- Add the Failover server into existing tree.
- Perform all eDirectory administration activities required for NSL like adding Users, Groups, Universal Password policy setting and assignment for users etc.
- Perform NSL Schema extensions using NDSSCHEMA on Primary Server.
- Perform NSL Schema extensions using LDAPSCHEMA on Primary Server and Failover Server.
Note: If you are not performing LDAP schema extension on Failover server in addition to Primary server, NSL will fail to work in Failover scenario with error.
3. SecureLogin Configuration for LDAP Failover
NSL can be used with eDirectory in Failover deployment only when you use it in LDAP modes. When you are using NSL in LDAP Mode, you will be specifying the LDAP Server IP-address and the LDAP port for the secured connection to eDirectory during installation. When deployment of eDirectory has a LDAP Failover server configured , we need to take care of providing the LDAP Failover server details to NSL to be able to have High Availability for eDirectory server. This can be easily achieved by adding the details of LDAP Failover server IP-Address along with secure port details to a location which NSL can read and use.
NSL always stores the LDAP Server details in Windows registry : My Computer\ HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\Servers. When you install NSL in any LDAP Modes, NSL will create registry entry “server1” of type multi string value ( MULTI_REG_SZ) which will have the default value which is IP-Address of eDirectory server along with port provided during installation.
Click to view.
Figure 1: LDAP Server IP-Address of Primary eDirectory Server provided during installation.
For NSL to work in LDAP Failover scenario, you should add one more registry “server2” entry of type multi string value ( MULTI_REG_SZ) along with IP-Address of Failover server and the secure port configured for secure LDAP connection on that server. Once you are done with this when you use NSL in LDAP Modes when primary LDAP server is not accessible , NSL will automatically pick the IP-address of Failover server to authenticate with eDirectory and access credentials of NSL for that user. In this way user will be able to experience High Availability of eDirectory server when primary server goes down by authenticating against Failover LDAP Server in that same tree.
Click to view.
Figure 2: Failover server eDirectory Server IP-Address added to have High Availability with NSL.
NSL can be used with eDirectory in LDAP Failover scenario in following modes:
While using NSL in all LDAP Modes with eDirectory.(GINA Mode, Credential Manager Mode and Application Mode)
While using NSL in LDAP Credential Manager Mode and Application Mode when Novell Client is present on the workstation.
4.Glossary of Terms
NSL - Novell SecureLogin
SSO- Single Sign On
LDAP- Lightweight Directory Access Protocol
GINA- Graphical Identification aNd Authentication
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.