
Runtime Switches in BorderManager 3.7

Novell Cool Solutions: Feature


Posted: 17 May 2002

Version: Novell BorderManager 3.7

For ACLCHECK.NLM

To improve the ability to manage Access Control Rules, the following runtime switches have been added. These switches should be specified on the "LOAD ACLCHECK" command in the NCF file where you start BorderManager (for example, you might add "LOAD ACLCHECK" after the "LOAD BRDSRV" line in the AUTOEXEC.NCF file).

/A - enables ACL rules to recognize aliases when using SSL authentication.

/Bxxx - enables you to define how often ACLCHECK tests for changes in user group membership. (User groups can be used in creating BorderManager Access Control Rules.) By default, ACLCHECK checks user groups every hour and will re-read the rules if a change is detected. You may only want ACLCHECK to do this every few hours to reduce the number of times per day that the rules are re-read. When using this switch, replace the xxx with an integer starting with 0. This is the number of hours ACLCHECK will wait before testing for group membership changes. For example, using "/B0" disables ACLCHECK's regular testing for group membership changes and "/B24" will cause it to test group membership and re-read the rules only once per day (every 24 hours).

/G - enables smart group change detection. This switch requires Directory Services DS.NLM version 7.44 or later on all servers that host replicas of the user partitions. By default, to check for changes to group membership, ACLCHECK reads all group memberships from every group mentioned in an ACL rule. Therefore, ACLCHECK must walk the tree to find the group and then re-read each member from the list for each group. This action alone requires a great deal of DS processing. If a group membership change is detected, ACLCHECK must re-read the rules and walk the tree again. With the latest version of DS and the /G switch, ACLCHECK can instead check a timestamp on the group object to know whether it has changed.

/I - prevents resolution of IP addresses in rules. Warning: With this switch, two rules are required to completely block or allow a URL: one for the DNS name and one for the IP address.

/P nnnn - enables you to specify a preferred server for ACLCHECK DS requests. Replace "nnnn" with the name of the preferred server.

/Q - forces ACLCHECK to go into "quiet" mode when certain types of messages are being spuriously broadcast to attached users.

/S - suppresses the display of console messages for IP addresses that can't be resolved. This helps those who prefer not to have messages displayed on the console stating that an address could not be resolved by ACLCHECK.

/Z1 - enables ACLCHECK to display group information as it is read.

/Z2 - enables ACLCHECK to display GetNDSRevision() info as it is called.

Example load line:
LOAD ACLCHECK /G /B12 /S

Runtime Switch For AUTHCHK.NLM

Currently, the reverse proxy checks for the browser IP address as well as the cookie ID. Unfortunately, checking the IP address causes problems for clients of some ISPs. To fix this issue, there is now a switch that enables the reverse proxy to check for the browser cookie ID only. This switch should be specified on the "LOAD AUTHCHK" command in the NCF file where you start BorderManager (for example, you might add "LOAD AUTHCHK" before the "LOAD BRDSRV" line in the AUTOEXEC.NCF file).

/n - check for cookie ID only; do not check for IP address.
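As an added example (not from the article or from Novell), the following Python 3.9+ lint reads the LOAD lines of an NCF file and checks the ACLCHECK and AUTHCHK switches documented above plus the load order the article suggests; the sample NCF contents and the server name NDSSRV1 are constructed for the example.

```python
# Constructed lint for the LOAD lines of an NCF that starts BorderManager 3.7: checks the
# ACLCHECK/AUTHCHK switches above and the suggested order (AUTHCHK before, ACLCHECK after BRDSRV).
ACLCHECK_FLAGS = {"/A", "/G", "/I", "/Q", "/S", "/Z1", "/Z2"}  # switches taking no argument

def parse_aclcheck_args(tokens):
    """Validate LOAD ACLCHECK arguments; return (switches, problems)."""
    switches, problems, i = {}, [], 0
    while i < len(tokens):
        tok = tokens[i].upper()
        if tok in ACLCHECK_FLAGS:
            switches[tok] = True
        elif tok.startswith("/B"):  # /Bxxx: hours between group-membership checks
            if tok[2:].isdigit():
                switches["/B"] = int(tok[2:])
            else:
                problems.append(f"{tokens[i]}: /B needs an integer number of hours (0 disables)")
        elif tok == "/P" and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            i += 1
            switches["/P"] = tokens[i]  # /P nnnn: preferred server for DS requests
        elif tok == "/P":
            problems.append("/P needs a preferred server name")
        else:
            problems.append(f"{tokens[i]}: unknown ACLCHECK switch")
        i += 1
    if "/I" in switches:  # caveat from the article: IP addresses in rules are not resolved
        problems.append("/I: a URL needs one rule for its DNS name and one for its IP address")
    return switches, problems

def lint_ncf(text):
    """Return findings for the LOAD lines of an NCF file."""
    findings, first_load = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() != "LOAD":
            continue
        module = parts[1].upper().removesuffix(".NLM")
        first_load.setdefault(module, n)
        if module == "ACLCHECK":
            findings += [f"line {n}: {p}" for p in parse_aclcheck_args(parts[2:])[1]]
        elif module == "AUTHCHK":  # /n is the only documented AUTHCHK switch
            findings += [f"line {n}: {t}: unknown AUTHCHK switch" for t in parts[2:] if t.lower() != "/n"]
    brd = first_load.get("BRDSRV")
    if brd is not None:
        if first_load.get("AUTHCHK", 0) > brd:
            findings.append("LOAD AUTHCHK should come before LOAD BRDSRV")
        if first_load.get("ACLCHECK", brd) < brd:
            findings.append("LOAD ACLCHECK should come after LOAD BRDSRV")
    return findings
# Constructed sample NCF with a malformed /B and an unknown switch on the ACLCHECK line.
SAMPLE_NCF = "LOAD AUTHCHK /n\nLOAD BRDSRV\nLOAD ACLCHECK /G /B12 /S /P NDSSRV1 /Bxx /X\n"
```

Running `lint_ncf(SAMPLE_NCF)` reports the bad /Bxx value and the unknown /X switch on line 3 and nothing about load order.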



© 2014 Novell