
NMAS Java LCM on Linux

Novell Cool Solutions: Feature
By Gordon Mathis


Posted: 16 Nov 2004
 

Novell Modular Authentication Service (NMAS) allows you to authenticate to eDirectory using a third-party login method such as a biometric or token device. Each NMAS method consists of a Login Server Module (LSM), a Login Client Module (LCM), and a Method Management GUI (MMG), which is typically a ConsoleOne snap-in or an iManager plug-in.

Currently there is no support for NMAS client methods on Linux. That may change in the near future, as work is underway to develop an NCP client for Linux. However, today it is possible to use a Java LCM on Linux to authenticate from a Linux client. A Java LCM also makes it possible to authenticate from a servlet or portlet.

This document outlines the steps needed to configure and test the example Clear Text Password method in the NMAS NDK on Linux using a Java LCM and a test application.

Note: The easiest way to complete this exercise is to open two Linux command-prompt windows. In one window switch to the root user by typing su -; you will use this window for installing and compiling. The other window will be used for running ConsoleOne and the Java applications as an ordinary user.

Installing eDirectory and NMAS

If you have not already installed Novell Linux Services (NLS) or eDirectory on your Linux system, download the latest version of eDirectory and follow the instructions to complete the installation. Make sure you complete the NMAS configuration step (nmasinst, step 4 below) to create the required NMAS objects in the directory.

  1. Download eDir_873_linux_full.tar.gz


  2. Uncompress eDirectory
    tar -zxvf eDir_873_linux_full.tar.gz

  3. Change directories to install directory and install (Requires a license file .nfk)
    cd Linux/setup
    ./nds-install -c server
    ndsconfig new -t corp-tree -n o=novell -a cn=admin.o=novell

  4. Create required NMAS objects in eDirectory
    nmasinst -i admin.novell corp-tree


  5. Install ConsoleOne
    cd ../ConsoleOne
    ./c1-install

Installing the Clear Text Password LSM

NMAS has a Novell Developer Kit (NDK) that third parties can use to create new NMAS methods. The NMAS product ships with a number of Novell-supported methods, and the NDK includes an example Clear Text Password method as well as other samples. This document uses the Clear Text Password sample method from the NDK. This sample method has a small problem: it compares a NUL-terminated string against a non-NUL-terminated string, which causes the method to fail. To fix this problem and install the method, complete the following steps.

Please note that we will be using the debug version of NMAS, which looks for the LSM on the file system, as opposed to the release version of NMAS, which looks for the LSM in eDirectory stored as a Login Method Object (LMO). This is why we extend the directory structure in the following instructions. To create an LMO, the LSM executable (.so, .DLL, or .NLM) has to be digitally signed using a signing tool kit included with the NMAS NDK.

Also, this Java LCM example does not support MAF protocol encryption with the current NMAS server. This has been fixed and will be supported in the next release of NMAS. Because the Java LCM does not support the encryption, it is necessary to change all MAF_XRead calls in the LSM to plain MAF_Read calls, which in turn means we would have to change the matching MAF_XWrite calls in the C LCM if we wanted it to keep working from the Novell Client on a Windows workstation. Be aware that with the encrypted MAF calls removed, the password crosses the MAF channel unprotected, so this configuration is suitable for a test tree only.

  1. Uncompress the NMAS NDK to a Novell products system level directory structure. If the directory structure /opt/novell does not exist create it.
    tar -zxvf nmas_all.2004.10.04.tar.gz --directory=/opt/novell


  2. Fix the problem in the LSM source file by making the following change on line 133 of the following file:
    /opt/novell/nmas_all.2004.10.04/samples/methodExample/lsm/common/src/cpwdlsm.c

    Change:
    if (storedPwdLen != pwdLen || strcmp(storedPwd, pwd) != 0)
    To:
    // Currently the C LCM NUL-terminates the password and includes the NUL in the length
    if (pwdLen > 0 && pwd[pwdLen - 1] == 0)
        pwdLen--;

    if (storedPwdLen != pwdLen || strncmp(storedPwd, pwd, storedPwdLen) != 0)

    The strncmp bounded by storedPwdLen never reads past the end of the stored password, which is not NUL-terminated. The pwdLen > 0 test guards against indexing pwd[-1] when an empty password is submitted.


  3. Replace all MAF_XRead calls with MAF_Read calls in the following file /opt/novell/nmas_all.2004.10.04/samples/methodExample/lsm/common/src/cpwdlsm.c


  4. Compile the changes
    1. Change directories to the debug directory to compile the debug version of the Clear Text Password
      cd /opt/novell/nmas_all.2004.10.04/samples/methodExample/lsm/unix/Linux
    2. Edit Linux.mak: on line 32 remove one ../ from ../../../../../../../nwsdk/include in the -I option of the INCLUDE variable, and on line 53 change lsmcpwdlin.map to cpwdlin.map.
    3. Run make from the debug directory
      cd debug
      make -f ../Linux.mak


  5. Copy the LSM file to the following directory structure required by the debug version of NMAS
    1. Create the following directory structure
      /var/nds/nmas-methods/NMAS/LSM
    2. Copy the LSM to the debug directory
      cp /opt/novell/nmas_all.2004.10.04/samples/methodExample/lsm/unix/Linux/debug/lsmcpwdlin.so \
         /var/nds/nmas-methods/NMAS/LSM


  6. Create IDLIST.TXT required by the debug version of NMAS in the /var/nds/nmas-methods/NMAS/LSM directory with the following line
    1 lsmcpwdlin.so LSM00000001


  7. Create a /opt/novell/nmas_all.2004.10.04/samples/methodExample/config.txt file, used to install the method, containing the following
    name=lsmcpwdlin
    Vendor=Novell,Inc.
    grade=Logged in
    methodid=1


  8. Install the Clear Text Password method using the following command
    nmasinst -addmethod <admin.context> <treeName> <configFile>
    Example:
    nmasinst -addmethod admin.novell corp-tree ./config.txt


  9. Save the release version of NMAS and switch to the debug version
    mv /usr/lib/nds-modules/libnmas.so /usr/lib/nds-modules/libnmas.so.rel
    cp /opt/novell/nmas_all.2004.10.04/nwsdk/nmas/debug/unix/Linux/libnmas.so /usr/lib/nds-modules


  10. Restart eDirectory
    /etc/init.d/ndsd restart
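
The comparison fixed in step 2 is the security-relevant part of this LSM, so here is a stand-alone C program (an added example, not code from the NMAS NDK) that shows the original line 133, the fixed version, and a hardened variant side by side, using constructed inputs that mimic what the C LCM and the Java LCM each send. The stored-password bytes, the function names, and the assumption that the Java LCM sends the password without a terminator are illustrative assumptions, not NDK definitions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the Clear Text Password read from the user's
 * method data: raw bytes with a length, no terminating NUL. */
static const char STORED_PWD[] = { 's', '3', 'c', 'r', 'e', 't' };
#define STORED_PWD_LEN (sizeof STORED_PWD)

/* Original line 133 of cpwdlsm.c. strcmp() scans storedPwd for a NUL that a
 * non-terminated buffer does not have (over-read), and the length test fails
 * whenever the LCM counted its terminator in pwdLen. Kept for contrast only;
 * only ever called here with a terminated stored string. */
static int cpwd_compare_original(const char *storedPwd, size_t storedPwdLen,
                                 const char *pwd, size_t pwdLen)
{
    if (storedPwdLen != pwdLen || strcmp(storedPwd, pwd) != 0)
        return -1;
    return 0;
}

/* The article's fix, with a pwdLen > 0 guard (assumption: an empty password
 * can reach the LSM, so pwd[pwdLen - 1] must not be evaluated for pwdLen 0). */
static int cpwd_compare_fixed(const char *storedPwd, size_t storedPwdLen,
                              const char *pwd, size_t pwdLen)
{
    if (pwdLen > 0 && pwd[pwdLen - 1] == 0)   /* C LCM counts the NUL */
        pwdLen--;
    if (storedPwdLen != pwdLen || strncmp(storedPwd, pwd, storedPwdLen) != 0)
        return -1;
    return 0;
}

/* Hardened variant a reviewer would ask for in a production LSM: a bounded
 * byte compare that does not stop at an embedded NUL and does not return on
 * the first mismatch, so response time does not reveal how many leading
 * bytes of a guess were correct. Only the length mismatch still leaks. */
static int cpwd_compare_hardened(const char *storedPwd, size_t storedPwdLen,
                                 const char *pwd, size_t pwdLen)
{
    unsigned char diff;
    size_t i, n;

    if (pwdLen > 0 && pwd[pwdLen - 1] == 0)
        pwdLen--;
    diff = (unsigned char)(storedPwdLen != pwdLen);
    n = storedPwdLen < pwdLen ? storedPwdLen : pwdLen;
    for (i = 0; i < n; i++)
        diff |= (unsigned char)(storedPwd[i] ^ pwd[i]);
    return diff ? -1 : 0;
}

int main(void)
{
    /* What the C LCM sends: NUL-terminated, NUL counted in the length (7). */
    const char from_c_lcm[] = "s3cret";
    /* What the Java LCM is assumed to send: the exact 6 bytes, no terminator. */
    const char from_java_lcm[6] = { 's', '3', 'c', 'r', 'e', 't' };

    printf("original, C LCM (length includes NUL): %s\n",
           cpwd_compare_original("s3cret", STORED_PWD_LEN,
                                 from_c_lcm, sizeof from_c_lcm) == 0 ? "ok" : "FAIL");
    printf("fixed, C LCM:                          %s\n",
           cpwd_compare_fixed(STORED_PWD, STORED_PWD_LEN,
                              from_c_lcm, sizeof from_c_lcm) == 0 ? "ok" : "FAIL");
    printf("fixed, Java LCM:                       %s\n",
           cpwd_compare_fixed(STORED_PWD, STORED_PWD_LEN,
                              from_java_lcm, sizeof from_java_lcm) == 0 ? "ok" : "FAIL");
    printf("hardened, wrong password:              %s\n",
           cpwd_compare_hardened(STORED_PWD, STORED_PWD_LEN,
                                 "s3cres", 6) == 0 ? "ok" : "FAIL");
    return 0;
}
```

Compile with cc -Wall and run it: the original comparison rejects the C LCM's login because the lengths differ by the terminator, while the fixed and hardened versions accept both client encodings and reject a wrong password. The hardened version is what you would actually ship; strncmp stops at the first NUL in either buffer, so the article's fix is correct for the sample but not for a method that allows arbitrary bytes in the secret.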

Installing the Clear Text Password Java LCM
  1. Download the sample code (methodExample.zip) from Novell Forge and add it to the existing method example in the NDK.
    unzip -d /opt/novell/nmas_all.2004.10.04/samples/methodExample methodExample.zip


  2. Build the Java LCM by executing
    /opt/novell/nmas_all.2004.10.04/samples/methodExample/lcm/java/build.sh


  3. Build the LCM test application by executing
    /opt/novell/nmas_all.2004.10.04/samples/methodExample/LCMTestApp/build.sh


  4. Build the Set Clear Password application by executing
    /opt/novell/nmas_all.2004.10.04/samples/methodExample/SetClrPwdApp/build.sh

Assign a Clear Text Password to a user object

We need a way to assign a Clear Text Password to a user object. Using ConsoleOne is the easiest way to do this, but the NMAS snap-ins for ConsoleOne only work on Windows because they rely on some native DLLs. The Clear Text Password method ConsoleOne snap-ins are included in the methodExample, but they must be installed and run from a Windows system.

For a Linux solution you will have to run a Java application that takes advantage of the classes contained in the NMASToolkit.jar file. These classes require an SSL connection to eDirectory. The next few steps show how to export the Trusted Root Certificate from eDirectory, store it in a Java keystore, and then use that keystore to establish an SSL connection to the server and assign the Clear Text Password.

  1. Log in to ConsoleOne as admin.
    ConsoleOne start command:
    /usr/ConsoleOne/bin/ConsoleOne
    Select the NDS object, click the tree icon in the toolbar, and enter the following login credentials:
    Login name: admin
    Password: <admin's NDS password>
    Tree: 127.0.0.1
    Context: novell


  2. Export the server's Trusted Root Certificate.
    Click the Novell container object and open the properties of the SSL CertificateDNS - linux object. Click the Certificate tab and make sure Trusted Root Certificate is selected in the tab's sub-menu. Click the Export button and accept all the defaults. This creates a TrustedRootCert.der file in the user's home directory.


  3. Set the server certificate to be used for the SSL connection.
    Open the properties of the LDAP Server - linux object and click the SSL/TLS Configuration tab. Click the browse button for Server Certificate and select the SSL CertificateDNS object. Click Apply, then OK.


  4. Create a new user in eDirectory.
    Select the Novell container object and click the New User button on the toolbar. Fill in the Name and Surname fields, click OK, and enter the user's NDS password. Close ConsoleOne.


  5. Add the Trusted Root Certificate to a Sun keystore.
    Create a certs directory in your user's home directory.
    From a command-prompt window execute the following (the JDK's keytool command is the equivalent wrapper for this class):
    java sun.security.tools.KeyTool -import -alias TrustedCert -file ~/TrustedRootCert.der \
        -keystore ~/certs/sslkey.keystore


  6. Execute the SetClrPwdApp application to set the Clear Text Password on the user object. Assign a password that differs from the user's NDS password so the two methods can be told apart when testing.
    cd /opt/novell/nmas_all.2004.10.04/samples/methodExample/SetClrPwdApp
    ./run.sh

Authenticate to eDirectory with Clear Text Password
  1. Finally, execute the LCMTestApp to authenticate to eDirectory using the user's Clear Text Password. Do not use the user's NDS password; a successful login with the Clear Text Password confirms the LSM and Java LCM are working.
    cd /opt/novell/nmas_all.2004.10.04/samples/methodExample/LCMTestApp
    ./run.sh




© 2009 Novell, Inc. All Rights Reserved.