Configuring the LDAP Server and Group Object

Novell LDAP Services for NDS is a server application that allows you to set up and configure an LDAP service for your network. It is installed through the product's Solaris installation program. You can modify the default configuration of LDAP Services for NDS using ConsoleOne. You can set up and manage your Novell LDAP Server and control the access you want to give to LDAP clients accessing your NDS directory.

LDAP Services for NDS can also be loaded and unloaded at the Solaris prompt. To load LDAP Services for NDS, enter the following command:

/etc/init.d/nldap start

To unload LDAP Services for NDS, enter the following command:

/etc/init.d/nldap stop

Two new objects are added to your Directory tree when LDAP Services for NDS is installed: the LDAP Server object and the LDAP Group object.


Configuring the LDAP Server Object

The LDAP Server object stores configuration data for an LDAP Services for NDS server. During installation, an LDAP Server object named LDAP Server servername is created (where servername is the name of the server LDAP Services for NDS is installed on). The LDAP Server object is created in the same container as the Solaris Server object.

NOTE:  Each LDAP Server object configures one LDAP Services for NDS server. Do not assign the same LDAP Server object to more than one LDAP Services for NDS server. If you assign the LDAP Server object to another server, it is no longer assigned to the previous server.


Property Pages

The LDAP Server object uses five property pages.

NOTE:  For additional information about the Property Pages, refer to the ConsoleOne help files.

To configure the LDAP Server object, complete the following steps:

  1. Launch ConsoleOne.

  2. Select the LDAP Server object.

  3. Enter the configurable parameters in the property pages.

  4. Click OK.

WARNING:  When the LDAP Server object is configured, a refresh request is issued to the LDAP server. While the LDAP server is refreshing its configuration, service requests from LDAP clients (such as ldapadd) are not serviced.


Configuring the LDAP Group Object

The LDAP Group object stores configuration data that can be applied to a single LDAP server or a group of LDAP servers. If you plan to implement the same configuration on multiple servers, configure one LDAP Group object and assign it to each of the LDAP Services for NDS servers from the LDAP Server General Page.

The LDAP Group configures the class and attribute mappings and security policies on the server. This greatly simplifies configuration changes, because one configuration change can be applied instantly to multiple LDAP servers.

During installation, an LDAP Group object named LDAP Group servername is created in the same container as the Solaris Server object.


Property Pages

The LDAP Group object contains four property pages from which you set configuration options.

NOTE:  For additional information about the Property Pages, refer to the ConsoleOne help files.

To configure the LDAP Group object, complete the following steps:

  1. Launch ConsoleOne.

  2. Select the LDAP Group object.

  3. Enter the configurable parameters in the property pages.

  4. Click OK.


Assigning NDS Rights for LDAP Clients

LDAP Services for NDS allows LDAP clients to access data in NDS directories. All LDAP clients bind, or connect, to NDS as one of the following types of user: [Public] (anonymous bind), a proxy user, or an NDS user.

Login restrictions and password restrictions still apply. However, any restrictions are evaluated relative to where LDAP is running. Time and address restrictions are honored, but address restrictions are relative to where the NDS login occurred; in this case, that is the LDAP server.

To assign NDS rights for LDAP clients, complete the following steps:

  1. Determine which type of username the LDAP clients will use to access NDS:

    • [Public] (anonymous bind)
    • Proxy user (proxy user anonymous bind)
    • NDS user (NDS user bind)

  2. If users will use one Proxy user or multiple NDS usernames to access LDAP, create these usernames in NDS.

  3. Assign the appropriate NDS rights to the usernames that LDAP clients will use.

The default rights that most users receive provide limited rights to the user's own object. To provide access to other objects and their attributes, you must change the rights assigned in NDS.

When an LDAP client requests access to an NDS object and attribute, NDS accepts or rejects the request based on the LDAP client's NDS identity. The identity is set at bind time.


LDAP Schema

Specialized schema files are available from the NDS download site. To apply a schema (*.SCH) file, start NWCONFIG.NLM and select Directory Options > Extend Schema. You are prompted for the Administrator's name, password, and the location and name of the schema file.


inetOrgPerson

The default LDAP schema shipping with this release maps the object class inetOrgPerson to the NDS User class. Since this is a direct mapping and not a schema extension, the attributes of User are applied to inetOrgPerson. This mapping provides backward compatibility with NetWare 5 and Support Pack 1.

Novell's NDS download site contains the NOV_INET.ZIP file. This file contains a separate schema extension file (NOV_INET.SCH), and instructions (NOV_INET.TXT) that modify the NDS User class to provide all of the attributes for the full RFC-compatible definition for inetOrgPerson. Adding this schema extension exposes an object class with all of the RFC and the Netscape attributes specified.


residentialPerson

The default schema file shipping with this release does not provide an object class definition for residentialPerson. The NDS download site contains the RPERSON.ZIP file. The file contains the schema extension file (RPERSON.SCH) and an instruction file (RPERSON.TXT) that provide a full RFC-compliant definition for residentialPerson. If you plan to use this object class, we recommend that you extend the schema instead of simply mapping residentialPerson to the NDS User class.


newPilotPerson

The default schema file shipping with this release does not provide an object class definition for newPilotPerson. The NDS download site contains the NPERSON.ZIP file. The file contains the schema extension file (NPERSON.SCH) and an instruction file (NPERSON.TXT) that provide a full RFC-compliant definition for newPilotPerson. If you plan to use this object class, we recommend that you extend the schema instead of simply mapping newPilotPerson to User in NDS.


photo

If you try to extend the schema to include a "photo" attribute (see RFC 1274), this attribute might conflict with a prior definition for this class. The "photo" attribute can be defined either as a SYN_STREAM (which can only be single-valued in NDS), or as a SYN_OCTET_STRING (which can be multi-valued). RFC 1274 calls for "photo" to be multi-valued with a maximum string length of 250,000 octets. NDS allows a maximum of 63,000 octets in a SYN_OCTET_STRING. You will have to choose the restrictions on "photo" that you prefer. The schema extension file for inetOrgPerson contains an "ldapPhoto" attribute definition based on multi-valued SYN_OCTET_STRING.


Modifying the NDS Schema for LDAP


LDAP Schema Mappings

A schema is a set of rules that defines the classes and attributes allowed in a directory and the structure of a directory (where the classes can be in relationship to one another). Because the schemas of the LDAP directory and the NDS directory are different, mapping of LDAP classes and attributes to the appropriate NDS objects and attributes is necessary. These mappings define the name conversion from the LDAP schema to the NDS schema.

No LDAP schema mapping is required for a schema entry if its name is already a valid LDAP schema name. In LDAP, the only characters allowed in a schema name are alphanumerics and the '-' character. To ensure that searching by OIDs works after a schema extension made outside LDAP, such as through a .sch file, you must refresh the LDAP configuration. On the NetWare platform, you can execute an LDAP Refresh Immediate at the server console. In ConsoleOne, you can issue an LDAP Refresh Server Now on the LDAP Server object. If you don't want to run Console One.


Many-to-One Mappings

To support LDAP from NDS, LDAP Services uses mappings at the protocol level instead of the directory service level to translate between LDAP and NDS attributes and classes.

For example, if you create a pkiUser through LDAP and then search for "objectClass = entrustUser", you can get back the pkiUser. This happens whenever two LDAP classes or attributes are mapped to the same NDS class (in this case pkiUser) or attribute.

If you request "*" (all attributes), each attribute is returned under the attribute name that appears first in the mappings list. If you ask for an attribute by name, you get it back under the name you asked for.
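The following is an added example, not part of the Novell documentation, that models the many-to-one behavior described above and the "valid LDAP schema name" rule from the LDAP Schema Mappings section. The mapping tables are constructed from Tables 1 and 2; the entry, the search function and the name-checking rule are assumptions made for illustration, not the product's code.

```python
import re

# Constructed from Tables 1 and 2: (LDAP name, NDS name). Order matters:
# the first LDAP name listed for an NDS name is what a "*" request returns.
CLASS_MAP = [
    ("mailGroup", "NSCP:mailGroup1"), ("rfc822mailGroup", "NSCP:mailGroup1"),
    ("entrustCA", "pkiCA"), ("pkiCA", "pkiCA"),
    ("entrustUser", "pkiUser"), ("pkiUser", "pkiUser"),
    ("groupOfNames", "Group"), ("groupOfUniqueNames", "Group"), ("group", "Group"),
]
ATTR_MAP = [
    ("c", "C"), ("countryName", "C"), ("cn", "CN"), ("commonName", "CN"),
    ("member", "Member"), ("uniqueMember", "Member"),
    ("userCertificate;binary", "UserCertificate"), ("userCertificate", "UserCertificate"),
]

def needs_mapping(nds_name):
    """An NDS name that is already a valid LDAP schema name (alphanumerics and
    '-') needs no mapping entry; 'NSCP:mailGroup1' or 'Country Name' does."""
    return re.fullmatch(r"[A-Za-z0-9-]+", nds_name) is None

def to_nds(ldap_name, table):
    """Forward mapping; LDAP names compare case-insensitively. Unmapped names pass through."""
    for ldap, nds in table:
        if ldap.lower() == ldap_name.lower():
            return nds
    return ldap_name

def to_ldap(nds_name, table):
    """Reverse mapping: the FIRST LDAP name listed for the NDS name wins."""
    for ldap, nds in table:
        if nds == nds_name:
            return ldap
    return nds_name

# Constructed sample entry as NDS stores it: class pkiUser, one certificate value.
NDS_ENTRY = {"objectClass": ["pkiUser"], "CN": ["alice"], "UserCertificate": [b"DER"]}

def search(filter_class, requested_attrs, entry=NDS_ENTRY):
    """Filter on an LDAP class name and return attributes under the names the
    client sees. objectClass values are returned as NDS stores them, so a filter
    on entrustUser matches and hands back the pkiUser."""
    if to_nds(filter_class, CLASS_MAP) not in entry["objectClass"]:
        return None
    if requested_attrs == ["*"]:
        # "*": every attribute comes back under the first name in the mapping list
        return {to_ldap(nds, ATTR_MAP): vals for nds, vals in entry.items()}
    # named request: answered under exactly the name that was asked for
    return {name: entry[to_nds(name, ATTR_MAP)]
            for name in requested_attrs if to_nds(name, ATTR_MAP) in entry}
```

Because the reverse mapping picks the first listed name, a client that stores a certificate as userCertificate and then reads the entry with "*" sees it under userCertificate;binary.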

Table 1 shows the many-to-one class mappings. Table 2 shows the many-to-one attribute mappings.


Table 1. Many-to-One LDAP Class Mappings

LDAP Class Name                                NDS Class Name
MailGroup, rfc822mailGroup                     NSCP:mailGroup1
EntrustCA, PkiCA                               PkiCA
EntrustUser, PkiUser                           PkiUser
GroupOfNames, GroupOfUniqueNames, Group        Group


Table 2. Many-to-One LDAP Attribute Mappings

LDAP Attribute Name                                          NDS Attribute Name
C, Country Name                                              C
Cn, CommonName                                               CN
Description, MultiLineDescription                            Description
L, Localityname                                              L
Member, uniqueMember                                         Member
o, organizationname                                          O
ou, organizationalUnitName                                   OU
sn, surname                                                  Surname
st, stateOrProvinceName                                      S
certificateRevocationList;binary, certificateRevocationList  CertificateRevocationList
authorityRevocationList;binary, authorityRevocationList      AuthorityRevocationList
deltaRevocationList;binary, deltaRevocationList              DeltaRevocationList
cACertificate;binary, cACertificate                          CACertificate
crossCertificatePair;binary, crossCertificatePair            CrossCertificatePair
userCertificate;binary, userCertificate                      UserCertificate


