5.1 Authenticating to eDirectory

Before any applications or policies can be accessed by the user, the user must log in to the network (that is, log in to Novell eDirectory™) to verify login rights and to establish a connection to the network servers where the user needs to be authenticated.

IMPORTANT: LDAP authentication, which is launched when users log in and access ZENworks applications or policies, consumes two of the grace logins granted to a user when the user's password expires. Grace logins are set in ConsoleOne on the Restrictions page (password restrictions section) of the eDirectory User object.

For example, when eDirectory notifies a user that he or she has two grace logins left on a server, that user actually has no grace logins and will not be able to log in until the password is reset.

If you have installed the Novell Client™, the Desktop Management Agent, and the Middle Tier Server, there are three login scenarios:

5.1.1 Logging in Using the Novell Client

When the Novell Client is used to authenticate, all communication to eDirectory and the server file system uses the traditional Novell NCP™ protocol. The client launches as the default login GINA (Graphical Identification and Authentication) user interface. For more information about authenticating with the Novell Client, see Using the Novell Client for Authentication in the Novell ZENworks 7 Desktop Management Installation Guide.

The process of authentication to eDirectory using the 32-bit client in this scenario is illustrated in the following diagram:

Figure 5-1 Authentication to eDirectory Using the 32-bit Novell Client

Table 5-1 Steps in the eDirectory Authentication Process Using the 32-bit Novell Client

Step  Explanation

1     A user with the appropriate rights enters eDirectory credentials in the login fields of the Novell Client GINA.

2     The Novell Client sends the authentication request to eDirectory in an NDAP/LDAP packet.

3     eDirectory confirms that the login credentials are valid and sends the authentication response packet through NDAP/LDAP to the user workstation.

4     The Novell Client on the user workstation receives the response packet and confirms a successful authentication. The network connection is established.

However, if these same workstations are taken outside of the firewall, the client continues to launch as the default login GINA. Users can log in locally to their own Windows desktops, but they cannot authenticate to eDirectory through the ZENworks Middle Tier Server.

If users who have both the agent and the client installed on their machines want to authenticate and receive applications outside the firewall, they can still do so by using an alternative login method, but their workstations can receive only application files, not Desktop Management policies. For this reason, you should consider removing the client and installing only the agent on workstations that are to be used mainly outside the firewall.

For more information about the alternative login method used when the client and agent are installed together on a workstation outside the firewall, see Logging in Locally to the Workstation.

5.1.2 Logging in Using the Desktop Management Agent

If you install the Desktop Management Agent and you want your users to log in to the network through the agent, you need to understand how the Desktop Management Agent authenticates to the network. For more information about setting up the Desktop Management Agent for authentication, see Using the Desktop Management Agent and the ZENworks Middle Tier Server for Authentication in the Novell ZENworks 7 Desktop Management Installation Guide.

The diagram below shows the process occurring when a user authenticates to eDirectory using the Desktop Management Agent outside the firewall. The process is similar when the user is inside the firewall.

Figure 5-2 eDirectory Authentication Using the Desktop Management Agent Behind a Firewall

Table 5-2 Steps of eDirectory Authentication Using the Desktop Management Agent Behind a Firewall

Step  Explanation

1     A user accesses the ZENworks Management Agent and enters a user ID and password.

2     The agent collects the user credentials. Using public/private key and session key encryption methods, the credentials are securely passed to the ZENworks Middle Tier Server (through a corporate firewall) through HTTP or HTTPS.

      NOTE: Credentials are always secured using the techniques mentioned above, whether the transport mechanism is HTTP or HTTPS.

3     The ZENworks Middle Tier Server Web service receives the credentials through the firewall, unparses them, converts them to an NDAP/LDAP packet, and then uses NDAP/LDAP to pass them through a port in the back-end firewall to eDirectory.

      NOTE: No NetWare® licenses are consumed at the ZENworks Middle Tier Server. The licensed connections are consumed by the Desktop Management Server.

4     eDirectory receives the NDAP/LDAP packet, confirms that the login credentials are valid, and sends the authentication response packet through NDAP/LDAP to the ZENworks Middle Tier Server.

5     The ZENworks Middle Tier Server encrypts the returned LDAP or NDAP packet to XML again, then sends the XML confirmation packet over HTTP or HTTPS to the ZENworks Management Agent.

6     The agent receives the XML packet, then unparses it and converts it to binary format, so the user at the workstation can recognize a successful login.

When eDirectory authenticates users, they are authenticated to any server in the tree where the system administrator has granted them rights.

The ZENworks Middle Tier Server uses LDAP/NDAP to authenticate to eDirectory because of the search capabilities of these protocols. If you select Clear Text Passwords during the installation of the ZENworks Middle Tier Server, the authentication request can use just the User ID (without its context) to search the entire tree for the authenticating user. Without a clear text password, the user must either log in using his or her fully distinguished name or you must restrict that user to an Authentication Domain, which is a particular context in the directory.
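The following is an added illustration, not ZENworks code and not a description of the Middle Tier Server's internals: it shows how a front end that receives the submitted user ID (step 3 of Table 5-2) can resolve it to a directory entry under the three modes described above, using a constructed in-memory stand-in for the tree and invented function names. It goes beyond the text in two respects a practitioner should want: a tree-wide search that matches more than one entry is refused rather than guessed, and the ID is escaped before it is placed in the search filter, because a bare user ID is user-controlled input to that search.

```python
LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape a user-supplied value for an LDAP search filter (RFC 4515),
    so a bare user ID cannot change the filter sent to the directory."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_filter(user_id):
    """The filter a tree-wide or domain-restricted search for the ID would use."""
    return "(cn=%s)" % escape_filter_value(user_id)

# Constructed sample tree (DN -> attributes); two users share the CN "jsmith".
DIRECTORY = {
    "cn=jsmith,ou=sales,o=acme": {"cn": "jsmith"},
    "cn=jsmith,ou=eng,o=acme": {"cn": "jsmith"},
    "cn=agarcia,ou=eng,o=acme": {"cn": "agarcia"},
}

def dn_in_context(dn, context):
    """True if dn lies under the given context (the Authentication Domain)."""
    return dn.lower().endswith("," + context.lower())

def resolve_user(user_id, clear_text_passwords=False, auth_domain=None):
    """Return the single DN to bind as, or raise ValueError.
    - A fully distinguished name is accepted as-is if it exists.
    - With Clear Text Passwords enabled, a bare ID is searched across the tree.
    - With an Authentication Domain, the search is confined to that context.
    - Otherwise a bare ID is refused, as the text describes.
    (Parameter names are assumptions for this illustration.)
    """
    for dn in DIRECTORY:  # caller supplied a full DN
        if dn.lower() == user_id.lower():
            return dn
    if not clear_text_passwords and auth_domain is None:
        raise ValueError("bare user ID refused: supply a full DN or set an Authentication Domain")
    matches = [dn for dn, attrs in DIRECTORY.items()
               if attrs["cn"].lower() == user_id.lower()
               and (auth_domain is None or dn_in_context(dn, auth_domain))]
    if len(matches) != 1:  # zero or ambiguous: never guess which account to bind as
        raise ValueError("%d entries match %s; login refused" % (len(matches), build_filter(user_id)))
    return matches[0]
```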

For more information about authentication and the role of the ZENworks Middle Tier Server in ZENworks file access, see Section 3.3, What Is the Desktop Management Server?.

5.1.3 Logging in Locally to the Workstation

If users bypass the Desktop Management Agent login by logging in to the local workstation only, they still need to authenticate to eDirectory to access their applications.

If the Application Explorer icon is displayed on the user's desktop or system tray, the user has the option (by right-clicking the icon) to log in to the ZENworks Middle Tier Server. If the user chooses to log in, the Novell Security Services login GINA is displayed.

Figure 5-3 The Novell Security Services Login Dialog Box

When the user enters his or her user ID and password at the Security Services login GINA, these credentials are given to the ZENworks Middle Tier Server, which passes them to eDirectory for authentication. This login GINA uses the same authentication process used by the Desktop Management Agent login GINA. For more information, see Logging in Using the Desktop Management Agent.