BorderManager Single Sign-On for Linux
Novell Cool Solutions: Feature
By Jenn Bitondo
Posted: 3 Nov 2005
You no longer have to use SSL authentication on your Linux box to log in to your BorderManager proxy: you can now run Single Sign On (SSO) instead. The latest BorderManager 3.8 patch, BM38SP4, includes a Single Sign On client for BorderManager on Linux. Download BM38SP4 from www.novell.com/support; the CLNTRUST.TAR file is included in that download.
First, make sure you have the Novell Client for Linux installed. This is the same prerequisite as on Windows machines. Confirm that the Linux client is working and that you are logged in to the tree. In Figure 1 below you can tell the workstation is logged in to the tree by the drive mapping: the H drive is mapped by my login script, and the blue arrow in the figure points it out.
Figure 1 - Drive mapping for tree login
You can run CLNTRUST from the command line or from the login script. If you run it from the login script, start the line with a "#" so the login script knows it needs to execute an external program (in Novell login scripts "#" runs the program and waits for it to finish, while "@" runs it without waiting). Figure 2 shows an example of the login script and Figure 3 shows the login script completing successfully.
Figure 2 - Sample login script
Figure 3 - Login script success
Your users can also run it from a command line, so long as they are already logged in and authenticated to the NDS tree. Figure 4 shows a successful login from the command line.
Figure 4 - Command-line login
How can I tell if Client Trust is Running?
There are three basic ways to tell if clntrust is running:
1. Run ps aux from a terminal and see whether a clntrust process is listed (Figure 5).
Figure 5 - Running PS AUX
2. Run netstat to see whether clntrust has a socket open. Try this netstat command:
netstat -alp | grep clntrust
The -a lists all sockets on all interfaces, -l includes the listening ones, and -p adds the PID and program name that owns each socket (netstat can only show that column for your own processes unless you run it as root). The grep then keeps only the lines belonging to clntrust. Figure 6 shows what you will see if it is running and listening.
Figure 6 - Information from netstat command
3. Test it out against your rules. If BorderManager does not see you as logged in, you will get a 403 error like the one shown in Figure 7 below.
If you have rules set up to deny users access to certain sites, you will see a 404 error like the one in Figure 8. In my BorderManager access control rules I have certain users denied access to .microsoft.com/
Figure 7 - 403 error: BorderManager does not see you logged in
Figure 8 - 404 error: access to site is denied
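The three checks above, put into one POSIX shell script, as an added example that is not part of the original article. The ps and netstat output it runs against is constructed for the demonstration (the clntrust path, user and PID are made up, and 3024/udp is assumed to be the port Client Trust listens on); the proxy address in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the article): automates the three
# "is clntrust running?" checks. The sample ps/netstat output below is
# constructed; the path, user and PID are made up, and 3024/udp is an
# assumption about the port Client Trust uses.

# Check 1: does a clntrust process appear in "ps aux" output read from stdin?
# The pattern "[c]lntrust" matches the string clntrust but not itself, so a
# live "ps aux | grep" pipeline does not count its own grep as a hit.
clntrust_in_ps() {
  grep -q '[c]lntrust'
}

# Check 2: does "netstat -alp" output on stdin show a socket owned by clntrust?
# The "PID/Program name" column reads like "2310/clntrust", so anchoring on the
# slash avoids matching the word anywhere else on the line. netstat only fills
# in that column for processes you own unless it is run as root.
clntrust_listening() {
  grep -q '/[c]lntrust'
}

# Check 3: map the proxy's HTTP status to the cases the article describes:
# 403 = BorderManager does not see you logged in (clntrust not authenticated),
# 404 = the request matched a deny rule (as in the article's setup),
# 2xx/3xx = allowed through.
proxy_status_meaning() {
  case "$1" in
    403) echo not-authenticated ;;
    404) echo denied-by-rule ;;
    2[0-9][0-9]|3[0-9][0-9]) echo allowed ;;
    *) echo unknown ;;
  esac
}

# Live version of check 3: fetch URL ($2) through the HTTP proxy host:port ($1)
# with curl and report the status. Not run by the offline demonstration below.
proxy_check() {
  code=$(curl -s -o /dev/null -w '%{http_code}' -x "$1" "$2")
  echo "$code $(proxy_status_meaning "$code")"
}

# Constructed sample outputs (see the note at the top).
SAMPLE_PS='USER       PID %CPU %MEM   VSZ  RSS TTY STAT START TIME COMMAND
root         1  0.0  0.1  1560  520 ?   S    09:00 0:00 init
jenn      2310  0.0  0.3  2340 1100 ?   S    09:05 0:00 /opt/novell/ncl/bin/clntrust'

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
udp        0      0 0.0.0.0:3024    0.0.0.0:*              2310/clntrust'

# Offline demonstration against the samples. For a live check use:
#   ps aux | clntrust_in_ps
#   netstat -alp 2>/dev/null | clntrust_listening
#   proxy_check proxy.example:8080 http://www.microsoft.com/   (placeholder proxy)
if printf '%s\n' "$SAMPLE_PS" | clntrust_in_ps; then
  echo "ps: clntrust process found"
else
  echo "ps: clntrust not running"
fi
if printf '%s\n' "$SAMPLE_NETSTAT" | clntrust_listening; then
  echo "netstat: clntrust socket found"
else
  echo "netstat: no clntrust socket"
fi
for code in 403 404 200; do
  echo "proxy returned $code: $(proxy_status_meaning "$code")"
done
```

A 403 from the proxy with clntrust present in both ps and netstat usually means the workstation is no longer authenticated to the tree (see the logout behaviour below), not that clntrust has died.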
When running clntrust you may see some error messages even though clntrust is running and working on your machine. Figures 9 and 10 below show two such errors; in both cases clntrust was still working.
Figure 9 - Error, clntrust still working
Figure 10 - Another error, clntrust still working
On Linux there is no DWNTRUST as there is on the Windows version. However, once a user disconnects from the network or chooses Novell Logout in the client, he or she can no longer use the clntrust login. The clntrust process keeps running on the workstation, but it is no longer authenticated to an NDS tree, so the user will get the 403 error. When that user or another user logs in to the NDS tree again, clntrust resumes its authentication job, so BorderManager knows who the person is and which rules to enforce.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com