3.4 Using OpenSLP to Simplify Login

The service location protocol (SLP) was developed so that networking applications such as the Novell Client for Linux could discover the existence, location, and configuration of networked services in enterprise networks. Without SLP, users must supply the hostname or network address of the service that they want to access.

Because SLP makes the existence, location, and configuration of certain services known to all clients in the local network, the Novell Client for Linux can use the information distributed to simplify login. For the Novell Client, having SLP set up allows users to see the trees, contexts, and servers available to them when they use the Novell Client for Linux Login screen. When they click the Browse button, a list of available trees, contexts, or servers appears and they can select the appropriate ones. For example, instead of remembering an IP address or DNS name for a server, users can select the server’s name from a list of available servers.

SLP must be activated and set up on your Novell servers in order for the Novell Client to take advantage of it. For more information, see “SLP Services in the Network” in the SUSE LINUX Enterprise Server Installation and Administration Guide.

SLP is not set up by default on Linux workstations. The Novell Client for Linux includes a Novell Client Configuration Wizard to simplify the process of configuring your SLP and other Novell Client configuration options. The Novell Client Configuration Wizard provides only basic SLP configuration because this is all that is required by the client. However, if other applications on your workstation require more advanced settings, you can modify the /etc/slp.conf file to set advanced settings.

For more information on advanced SLP configuration, see the OpenSLP Web site. In addition, the /usr/share/doc/packages/openslp directory contains documentation on SLP, including a README.SuSE file containing the SUSE® LINUX details, several RFCs, and two introductory HTML documents (An Introduction to SLP and OpenSLP User’s Guide). RFC 2609 details the syntax of the service URLs used and RFC 2610 details DHCP via SLP.

3.4.1 Setting Up SLP

  1. Launch the Novell Client Configuration Wizard using either of the following methods:

    • Click Novell Client tray application icon > System Settings.

    • In YaST, click Network Services > Novell Client.

  2. Select Service Location Protocol (OpenSLP), then click Start Wizard.

  3. Specify the following SLP information for your network:

    • Scope List: Specify the scopes that a user agent (UA) or service agent (SA) is allowed when making requests or registering, or the scopes that a directory agent (DA) must support.

    • Directory Agent List: Specify the specific DAs that UA and SA agents must use. If this setting is not used, dynamic DA discovery is used to determine which DAs to use.

    • Broadcast Only: Select this option to use broadcasting instead of multicasting. This setting is not usually necessary because OpenSLP automatically uses broadcasting if multicasting is unavailable.

      SLP is designed to use IP multicasting; however, if any SLP Agent does not implement IP multicasting, then all Agents must use broadcasting to reach that Agent. If a DA does not support multicasting, we recommend using the Directory Agent List to configure that Directory Agent rather than using this option.

      If the network does not contain a DA, IP servers must use their own SAs to specify the services that are available. If the SA does not support multicasting and if there are any services advertised by that SA that are needed by the UA on this machine, then use the Broadcast Only option.

      Broadcasting has the disadvantage of being limited to the local LAN segment.

    • Maximum Results: Specify a 32-bit integer giving the maximum number of results to accumulate and return for a synchronous request before the time-out, or the maximum number of results to return through a callback if the request results are reported asynchronously.

  4. Complete the Novell Client Configuration Wizard.

  5. Restart the workstation.

3.4.2 Troubleshooting SLP Configuration

If users cannot see a list of available trees, contexts, and servers when they use the Novell Client for Linux Login screen, use slptool, located in /usr/bin, to troubleshoot your SLP configuration.

After you start slpd (located in /usr/sbin), you should be able to issue a query for SLP service agents using the following command:

slptool findsrvs service:service-agent

This should display a list of the hosts that are running slpd, which indicates that OpenSLP is successfully installed and working. If you do not get a list, OpenSLP is not installed correctly or is not working. See Section 3.4.1, Setting Up SLP for more information.

3.4.3 Configuring SLP and the SUSE Firewall to Work with the Novell Client for Linux

In order for the Novell Services button in your file browser to work correctly, both SLP and the SUSE firewall must be configured properly. If OpenSLP is not installed, the SLP protocol is disabled, or your firewall settings are turned on (as they are by default in SUSE Linux Desktop 10 SP1), a warning message is displayed when you try to scan for or access Novell services.

Figure 3-1 SLP/Firewall Message

Click Configure SLP to open the Novell Client Configuration Wizard. Follow the instructions in Section 3.4.1, Setting Up SLP to configure SLP.

Click Configure Firewall to open the Firewall Configuration wizard in YaST. You can turn the firewall off, or manually configure the firewall to let SLP packets in and out. If your LAN interface is defined as External in the SUSE firewall configuration, you can try adding SLP Daemon Rules as an allowed service, or you can try changing your LAN interface definition to Internal.

Turning Off the SUSE Firewall

  1. Launch the YaST Control Center.

    GNOME: Click Computer > More Applications > System > YaST.

    KDE: Click the menu button > System > YaST.

  2. Click Security and Users in the left column, then click Firewall in the right column.

  3. Click Stop Firewall Now, then click Next.

  4. Click Accept to close the Firewall Configuration wizard.

    The next time you click the Novell Services button in your file browser, you should be able to scan for or access Novell services.

Manually Configuring the SUSE Firewall

To allow iptables to accept incoming unicasts from the DAs in your network, the following needs to be added to the firewall as the first rule (or before anything is denied).

  1. Modify the /etc/sysconfig/SuSEfirewall2 file.

    Change the following lines from

    #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom" FW_CUSTOMRULES=""

    to

    FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom" #FW_CUSTOMRULES=""

  2. Modify the /etc/sysconfig/scripts/SuSEfirewall2-custom file.

    In fw_custom_before_denyall() add the following:

    iptables -I INPUT 1 -j ACCEPT -p udp --sport 427

    That will make SLP lookups work properly.

Adding SLP Daemon Rules for External or DMZ Firewall Zones

  1. Launch the YaST Control Center.

    GNOME: Click Computer > More Applications > System > YaST.

    KDE: Click the menu button > System > YaST.

  2. Click Security and Users in the left column, then click Firewall in the right column.

  3. Click Allowed Services in the left column to open the Firewall Configuration: Allowed Services screen.

  4. Select SLP Daemon from the Service to Allow drop-down menu, then click Add.

  5. Click Next, then click Accept.

Changing Your LAN Interface Definition to Internal

  1. Launch the YaST Control Center.

    GNOME: Click Computer > More Applications > System > YaST.

    KDE: Click the menu button > System > YaST.

  2. Click Security and Users in the left column, then click Firewall in the right column.

  3. Click Interfaces in the left column, double-click your LAN interface, then select Internal Zone from the drop-down menu.

  4. Click OK, then select Start-Up in the left panel.

  5. Click Save Settings and Restart Firewall Now.

  6. Click Next, then click Accept.