Secure Identity Q and A - Feb 15

Novell Cool Solutions: Feature


Posted: 15 Feb 2006


Q1 When running unattended full repair on servers, I repeatedly get the following -11001 errors:

Checking server: .POST1.CORP                                            
Checking server: .EDU1.STUDENT.                                    
ERROR: Could not find a net address for this server - Error : 11001

A1 The problems are most likely caused by SLP misconfiguration, such as some servers not having SLP scope configured.

Q2 When I try to install an iManager plug-in, I don't see the install option.

A2 In iManager 2.5 or 2.6, go to the sys:\tomcat\4\webapps\nps\WEB-INF\configiman.properties file. Add the fdn of your user, including tree name=eDirectory. For example, admin.myorg.my_tree=eDirectory

Restart tomcat (tc4stop) and check in the logger screen that tomcat is stopped. Then start tomcat (tomcat4) and when you go to Module Installation, you will see Available Novell Plug-in Modules.

Q3 How can you tell if a server was not removed from DS properly?

A3 If the NCP Server object for it is still in the tree, it hasn't been removed.

Q4 I'm looking to authenticate XP/2000/2003 users to eDirectory without a client. I have a couple of Win2000/2003 boxes that run services that Novell cannot provide. The only user on the machine is 'Administrator' but I would like to be able to change my 'Administrator' password in a single location (eDirectory).

A4 Try http://www.evidian.com/security/wiseguard/advancedlogin.htm

Q5 We have two trees on the network. I can ping the Novell servers on the other Tree, I can Rconsole into them, but I cannot see them via ConsoleOne, nor can I browse to them via Explorer. They also do not show up under the 'Tree' list in the Advanced tab of the login screen. Ideas?

A5 Presumably they are on another subnet, and you have not set up SLP accordingly. You'll need to point those servers to your DA so they can register their services with it. That way the clients will know where to look.

Identity Manager

Q1 I installed the remote loader with the Cool Solution "Setting up the DirXML Java Remote Loader on UNIX Tru64 with SSL" - Everything works as described, but when I start the remote loader (Java process) all the classes are loaded and it is finished ... no server process is started, and I get no errors. (When I leave out one of the variables I get a java error.)

A1 The most common thing that causes the problem you describe is putting the -sp option in the configuration file. -sp is for setting the passwords and will cause the remote loader to load, set the password, and exit. As such it should be only used on the command line and not placed in the config file.

Q2 I want users in an OU to automatically be put in a Group Object within that OU. When they leave the OU I want them taken out. What's the driver I'd use to do that?

Dynamic Group functionality does exactly what I'd like to do, however, I want to sync these groups to Active Directory and the AD driver is not syncing the Dynamic Group.

A2 The AD driver supports role-based entitlements, which are basically dynamic groups with entitlements attached. Set up an AD test driver with entitlement support, create an entitlement policy with your (dynamic group-like) selection criteria, and add an AD group entitlement. That should be pretty much what you're looking for.

Q3 I have my AD all created and working. I've managed to get all 5000+ users synced over to eDirectory and now I'm finding out I should have enabled entitlements. Can I enable them after creating the driver? I'd delete it and just recreate it but that will mess up the DirXML associations, won't it? I just want to use the same driver as it's configured and add the entitlement support into it.

A3 Select Add Driver (or New Driver) and choose the AD driver as if you were making a new one. When you get to the first set of questions for the driver's config, and the first question is driver name, select Update an Existing Driver from the dropdown list on the right. Then configure the driver how you want it. At the end when it imports, select Update all parts of the driver.

You should check through the policies after you finish to make sure they all make sense. It's a cumulative change - policies/changes are added to the driver config rather than ripping out the old one and putting a new one in.

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com
