What is CLNTRUST?
Novell Cool Solutions: Tip
By Marcus Williamson
Posted: 6 Dec 2001
Current version: BorderManager 3.6
Authentication to BorderManager is necessary to allow rules-based access and to provide NDS user names in the BorderManager proxy logs. As with any type of authentication, it is essential to ensure that credentials (username and password) are not compromised by any part of the authentication process.
BorderManager 2.x met this requirement by requiring a separate password for BorderManager authentication, so the standard NDS password was never used for proxy authentication and never crossed the wire. The cost was additional administration overhead, since two passwords had to be maintained for every user.
In BorderManager 3.x Novell provides two methods of authentication, known as "SSL" and "Single Sign On".
SSL is implemented by establishing an HTTPS session between the browser client and the BorderManager server, so the standard NDS username and password cross the wire only inside that encrypted session and are not exposed in transit.
Single Sign On (CLNTRUST)
Single Sign On is implemented by loading a module known as CLNTRUST, usually in the login script, in a manner similar to the following:
REM This line clears the current trust relationship
#DWNTRUST
REM This line establishes the trust relationship
@CLNTRUST
REM Both executables are assumed to be on a search drive (typically SYS:PUBLIC);
REM otherwise give the full path. # waits for the program to exit, which is fine
REM for DWNTRUST; @ starts the program and carries on, which is needed for CLNTRUST
REM because it stays resident.
Once CLNTRUST has loaded you will notice a key icon in the system tray; this is where you will later see the results of the proxy's queries.
A reversal of client/server roles
The name CLNTRUST stands for "client trust", which hints at how the utility works. However, contrary to a common belief, it is not CLNTRUST that actively opens a connection to the BorderManager proxy server. CLNTRUST simply listens on UDP port 3024 and does nothing until the client's first browser request reaches the BorderManager proxy. At that point it is the BorderManager server that plays the active role: it sends a query to the CLNTRUST utility on the IP address from which the proxy request came, asking it to confirm the username and authentication state of the user logged in there. If the user has loaded CLNTRUST and is correctly logged in to NDS, the proxy request proceeds; if not, the user is shown an error page stating that they are not logged in. Two practical consequences follow. The proxy must be able to reach the client on that port, so any firewall or packet filter between the two has to permit the query and its reply. And the identity the proxy obtains is tied to the source IP address of the browser request: every request from that address is attributed to whoever CLNTRUST on that address reports, so an address shared by several users (behind a NAT device, or on a multi-user host) cannot be attributed to an individual, and a name in the proxy log is only as reliable as the address-to-user mapping behind it.
The results of the proxy's queries to CLNTRUST can be viewed by double-clicking the key icon in the system tray. To unload CLNTRUST, simply run DWNTRUST. As the login script excerpt above shows, it is normal to run DWNTRUST first, to clear any previous instance, and then CLNTRUST.
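The exchange described above, as an added example that is not part of the original tip or of Novell's code: a small Python model in which an agent plays CLNTRUST's passive role and a function plays BorderManager's active one. The query and reply strings ("WHO?", "OK <user>", "NOTLOGGED") are assumed for illustration and are not CLNTRUST's real wire format, and the model binds an ephemeral localhost port rather than 3024 so it runs unprivileged. It covers the three outcomes the text describes: a logged-in user is named, a loaded CLNTRUST with no valid NDS login is refused, and no CLNTRUST at all (after DWNTRUST) produces the "not logged in" result because nothing answers the proxy's query.

```python
# Added example, not from the original article: a model of the BorderManager
# proxy <-> CLNTRUST exchange. The message format ("WHO?", "OK <user>",
# "NOTLOGGED") is an assumption for illustration, not CLNTRUST's real wire
# protocol. The real port is 3024; the model binds an ephemeral localhost port.
import socket
import threading

CLNTRUST_PORT = 3024  # port the real CLNTRUST listens on


def start_agent(nds_user, logged_in):
    """Passive side (CLNTRUST's role): bind a UDP port and answer identity
    queries until told to stop. Returns (port, stop_event, thread)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))  # 0 = ephemeral port; CLNTRUST itself uses 3024
    sock.settimeout(0.1)         # short timeout so the loop can notice stop_event
    port = sock.getsockname()[1]
    stop = threading.Event()

    def serve():
        with sock:
            while not stop.is_set():
                try:
                    data, peer = sock.recvfrom(512)
                except socket.timeout:
                    continue
                if data != b"WHO?":
                    continue  # ignore anything that is not the assumed query
                reply = b"OK " + nds_user.encode() if logged_in else b"NOTLOGGED"
                sock.sendto(reply, peer)

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, stop, thread


def proxy_authorize(client_ip, agent_port=CLNTRUST_PORT, timeout=0.5):
    """Active side (BorderManager's role): a browser request has arrived from
    client_ip, so ask the CLNTRUST agent on that same address who is logged in.
    Returns the NDS user name, or None when the proxy should show the
    'not logged in' error page."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(b"WHO?", (client_ip, agent_port))
            data, peer = sock.recvfrom(512)
        except OSError:
            # timeout or ICMP port-unreachable: CLNTRUST is not loaded, or a
            # firewall between proxy and client blocks the query
            return None
    if peer[0] != client_ip:
        return None  # the identity must come from the address that made the request
    if data.startswith(b"OK "):
        return data[3:].decode()
    return None  # "NOTLOGGED": CLNTRUST is loaded but there is no valid NDS login


def stop_agent(stop, thread):
    """Tear the agent down, as DWNTRUST does for the real CLNTRUST."""
    stop.set()
    thread.join()


def demo(nds_user, logged_in, loaded=True):
    """Run one browser-request round on localhost and return the proxy's decision."""
    port, stop, thread = start_agent(nds_user, logged_in)
    if not loaded:
        stop_agent(stop, thread)  # DWNTRUST has run: nothing listens any more
    try:
        return proxy_authorize("127.0.0.1", port)
    finally:
        stop_agent(stop, thread)


if __name__ == "__main__":
    print(demo("jsmith.sales.acme", True))                 # jsmith.sales.acme
    print(demo("jsmith.sales.acme", False))                # None (loaded, no NDS login)
    print(demo("jsmith.sales.acme", True, loaded=False))   # None (CLNTRUST not loaded)
```

Note that the proxy only ever asks the address the request came from; nothing the browser sends names the user. That is the role reversal the section describes, and also why the result is only as trustworthy as the mapping between that address and a single logged-in user.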
To get the newest version of CLNTRUST, see TID 2958316.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com