Securing Ldap Contextless Login

  • 7016120
  • 29-Jan-2015
  • 29-Jan-2015

Environment

OES11.x
eDir 8.8.7
eDir 8.8.8

Situation

How to configure LDAP contextless login for SSL
How to configure LDAP contextless login for encryption
LDAP contextless login for SSL

Resolution

To enable LDAP over SSL for contextless login, do the following:

1) Create a new KMO object. ConsoleOne | Create Object | select NDSPKI:Key Material from the drop-down list | choose/browse to the NCP server object that hosts the LDAP server | enter a name | accept the defaults | click Finish

2) Export the TrustedRootCert
Once you are viewing the properties of the KMO | go to the Certificates Tab | choose the drop down for "Trusted Root Certificate" | export | Default name is fine | put this "TrustedRootCert-Test1 - Servername.der" on the ldap contextless workstation/client's file system.

Note: My "SSL CertificateDNS" object did not present a Certificate Tab so I created a new KMO and taught the "ldap server" object to use this new KMO.

3) Configure the "LDAP Server" object to use the new KMO.
Properties of the ldap server object | SSL configuration | SSL certificate | browse to the new KMO | apply
Unload nldap
load nldap

4) Configure the Ldap Contextless Login client:
Once you have the "TrustedRootCert-Test1 - Servername.der" on the client's file system (I would put it in a directory that is inconspicuous...not the root of c).
Then go into the properties of the NW client | Ldap contextless login | select or add the LDAP server under Servers | properties | Enabled encrypted data (SSL) and put the path and name of the certificate.


To prove this is secured/SSL'd, I configured my "ldap group" object to not allow cleartext and turned on the dstrace for ldap.

Notice the TLS handshake of the certificate: 

14:46:10 CC1ED040 LDAP: Work info status: Total:2 Peak:1 Busy:0
14:46:10 CC1ED040 LDAP: Thread pool status: Total:4 Peak:4 Busy:3
14:46:49 CC2E60A0 LDAP: New TLS connection 0xcc68f3c0 from 10.10.10.80:1037, monitor = 0x298, index = 1
14:46:49 CEA23380 LDAP: Monitor 0x298 initiating TLS handshake on connection 0xcc68f3c0
14:46:49 CEAA7440 LDAP: DoTLSHandshake on connection 0xcc68f3c0
14:46:49 CEAA7440 LDAP: Completed TLS handshake on connection 0xcc68f3c0
14:46:49 CEAA7440 LDAP: DoBind on connection 0xcc68f3c0
14:46:49 CEAA7440 LDAP: Treating simple bind with empty DN and no password as anonymous
14:46:49 CEAA7440 LDAP: Bind name:NULL, version:3, authentication:simple
14:46:49 CEAA7440 LDAP: Sending operation result 0:"":"" to connection 0xcc68f3c0
14:46:49 CEAA7440 LDAP: DoSearch on connection 0xcc68f3c0
14:46:49 CEAA7440 LDAP: Search request:
   base: ""
   scope:0 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
   filter: "(objectClass=*)"
   attribute: "directoryTreeName"
14:46:49 CEAA7440 LDAP: Sending search result entry "" to connection 0xcc68f3c0
14:46:49 CEAA7440 LDAP: Sending operation result 0:"":"" to connection 0xcc68f3c0
14:46:49 CEAA7440 LDAP: DoSearch on connection 0xcc68f3c0
14:46:49 CEAA7440 LDAP: Search request:
   base: ""
   scope:2 dereference:0 sizelimit:0 timelimit:20 attrsonly:0
   filter: "(&(objectClass=inetOrgPerson)(|(cn=cxless1)))"
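Reading the trace by eye works for one client; the following script, added here as an example and not part of the original TID, applies the same check to a whole dstrace capture: it tracks each LDAP connection and flags any DoBind or DoSearch that was issued before "Completed TLS handshake" was logged for that connection, which is what a contextless login client still talking cleartext would look like. The sample trace inside it is constructed (the second, cleartext connection is hypothetical), and the "New cleartext connection" wording for non-TLS connections is an assumption.

```python
import re

# Constructed sample modelled on the ndstrace LDAP output above. The second
# connection is hypothetical and assumes the server logs non-TLS connections
# as "New cleartext connection".
SAMPLE_TRACE = """\
14:46:49 CC2E60A0 LDAP: New TLS connection 0xcc68f3c0 from 10.10.10.80:1037, monitor = 0x298, index = 1
14:46:49 CEA23380 LDAP: Monitor 0x298 initiating TLS handshake on connection 0xcc68f3c0
14:46:49 CEAA7440 LDAP: DoTLSHandshake on connection 0xcc68f3c0
14:46:49 CEAA7440 LDAP: Completed TLS handshake on connection 0xcc68f3c0
14:46:49 CEAA7440 LDAP: DoBind on connection 0xcc68f3c0
14:46:49 CEAA7440 LDAP: DoSearch on connection 0xcc68f3c0
14:47:02 CC2E60A0 LDAP: New cleartext connection 0xcc68f500 from 10.10.10.81:1040, monitor = 0x299, index = 2
14:47:02 CEAA7440 LDAP: DoBind on connection 0xcc68f500
"""

NEW_CONN = re.compile(r"LDAP: New (?P<kind>\S+) connection (?P<conn>0x[0-9a-f]+) from (?P<peer>[\d.]+:\d+)")
TLS_DONE = re.compile(r"LDAP: Completed TLS handshake on connection (?P<conn>0x[0-9a-f]+)")
OPERATION = re.compile(r"LDAP: (?P<op>DoBind|DoSearch) on connection (?P<conn>0x[0-9a-f]+)")


def audit_trace(text):
    """Walk the trace line by line. Returns (conns, findings):
    conns maps connection id -> {"peer", "tls", "ops"};
    findings lists (conn, peer, op) for every bind/search sent on a
    connection that had not completed a TLS handshake at that point."""
    conns, findings = {}, []
    for line in text.splitlines():
        m = NEW_CONN.search(line)
        if m:
            conns[m["conn"]] = {"peer": m["peer"], "tls": False, "ops": []}
            continue
        m = TLS_DONE.search(line)
        if m:
            conns.setdefault(m["conn"], {"peer": "?", "tls": False, "ops": []})["tls"] = True
            continue
        m = OPERATION.search(line)
        if m:
            c = conns.setdefault(m["conn"], {"peer": "?", "tls": False, "ops": []})
            c["ops"].append(m["op"])
            if not c["tls"]:  # operation arrived without TLS on this connection
                findings.append((m["conn"], c["peer"], m["op"]))
    return conns, findings


if __name__ == "__main__":
    _, hits = audit_trace(SAMPLE_TRACE)
    for conn, peer, op in hits:
        print(f"cleartext {op} on connection {conn} from {peer}")
```

Feed it a real capture (e.g. `audit_trace(open("ndstrace.log").read())`) after turning on the LDAP trace flag; an empty findings list means every bind and search the clients sent was inside a completed TLS session.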


Additional Information

Formerly known as TID# 10096147