Understanding LDAP authentication for GroupWise

  • 7002927
  • 07-Apr-2009
  • 26-Apr-2012

Environment

Novell GroupWise 8
Novell GroupWise 7

Situation

GroupWise LDAP authentication can be done in two different ways.
1.  Extended operations.
The POA asks the LDAP server to convert the user's eDirectory name to an LDAP DN and then binds as that DN; no LDAP search (lookup) is performed.
Very fast. Requires the POA to load ldapx and its supporting LDAP libraries, and GroupWise and the user objects must be in the same eDirectory tree.
2.  Root DSE search.
The POA searches from the top of the tree (base "", subtree scope) with a filter on the user's Internet EMail Address (LDAP attribute mail), then binds as the DN that is returned.
This search is slower, because the LDAP server has to walk the tree through every partition to find the object. It is recommended to search against an LDAP server that holds a replica of every partition in the tree.
 

Resolution

The extended operation is by far the best method when possible. It is much faster because there is no LDAP tree walking. In either case, the LDAP server the POA points at should hold a copy of all user objects that may log into GroupWise.
 
For the extended operation the following must be true.
1.  The GroupWise POA and the GroupWise users must exist in the same eDirectory tree.
2.  The POA must load ldapx when the agent is started.
     A.  The ldapx, ldapsdk and ldapssl modules (NLMs on NetWare, shared libraries or DLLs on Linux and Windows) must be in the same folder as the POA executable (gwpoa.nlm or its Linux/Windows equivalent).
     B.  On NetWare the server console will show ldapx loading. Other processes, such as CIFS, also load and use ldapx, so it may already be loaded before the POA starts.
3.  The LDAP Server object in eDirectory must have the extension registered.
     A.  In ConsoleOne, the Other tab of the LDAP Server object shows the registered extensions.
     B.  iMonitor will also show the individual extensions of the LDAP Server object.
     C.  The extensions can be recreated by forcing the LDAP server to re-run its configuration upgrade:
          I.   In ConsoleOne, go to the Other tab on the LDAP Server and LDAP Group objects and set ldapconfigversion to 0 (zero).
          II.  Restart LDAP. ldapconfigversion will go back to either 8 or 10, depending on the eDirectory version, and the extensions are registered again.
 
Get an LDAP trace of a GroupWise login on the LDAP server (see the TID "How Do I Trace LDAP Activity"). The following is an example of an LDAP trace for the user bhead logging in by extended operation: the extension request converts the eDirectory name to an LDAP DN, and the bind that follows uses that DN.
 
DoExtended: Extension Request OID: 2.16.840.1.113719.1.27.100.1
Sending operation result 0:"":"" to connection 0x97b031c0
DoBind on connection 0x97b031c0
Bind name:cn=bhead,o=test, version:3, authentication:simple
 
The extension OID shown above can be seen in iMonitor by looking at the LDAP Server object.
 
The following trace is a login without the extension, which performs a Root DSE search: base "" with scope 2 (whole subtree) and sizelimit 1. In this trace the GroupWise attribute Internet EMail Address appears under its LDAP name, mail, because eDirectory's LDAP attribute map translates between the two.
 request: base: ""  scope:2  dereference:0  sizelimit:1  timelimit:0  attrsonly:0  filter: "(mail=bhead@mbrunger1.lab.novell.com)"
 
For optimum performance on a Root DSE search, ensure the following.
1.  The LDAP server should hold a replica of each partition in the tree.
     A.  If it does not hold all partitions, the server has to make an NCP connection to an eDirectory server that does have a copy of the partition.
     B.  If the tree cannot be walked correctly, the POA will report LDAP error 80 (LDAP_OTHER) and the login will fail.
2.  An eDirectory value index can be created on the Internet EMail Address attribute to speed up the search.
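As an added example, covering both trace excerpts above (this is not part of the TID and not Novell code): a small Python script that reads eDirectory LDAP trace lines in the shape shown, tells extended-operation logins from Root DSE logins connection by connection, flags a failed login by its non-zero result code (such as the error 80 described above), and builds the equivalent OpenLDAP ldapsearch command so the Root DSE lookup can be rerun by hand with a third-party tool. The sample trace is constructed from the excerpts in this TID (the DoSearch lines and the failing nobody@ login are made up to the same pattern), and ldap://LDAPSERVER is a placeholder URL.

```python
"""Classify GroupWise POA logins from an eDirectory LDAP trace (added example, not Novell code)."""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NDS_TO_LDAP_OID = "2.16.840.1.113719.1.27.100.1"  # the extension request seen in the trace above
SCOPES = {0: "base", 1: "one", 2: "sub"}           # LDAP scope codes -> ldapsearch -s values
DEREF = {0: "never", 1: "search", 2: "find", 3: "always"}  # dereference codes -> ldapsearch -a values

# Constructed sample trace modelled on the TID excerpts: an extended-operation login,
# a Root DSE search login, and a Root DSE search that fails with result 80.
SAMPLE_TRACE = """\
DoExtended: Extension Request OID: 2.16.840.1.113719.1.27.100.1
Sending operation result 0:"":"" to connection 0x97b031c0
DoBind on connection 0x97b031c0
Bind name:cn=bhead,o=test, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x97b031c0
DoSearch on connection 0x97b031d8
 request: base: ""  scope:2  dereference:0  sizelimit:1  timelimit:0  attrsonly:0  filter: "(mail=bhead@mbrunger1.lab.novell.com)"
Sending operation result 0:"":"" to connection 0x97b031d8
DoBind on connection 0x97b031d8
Bind name:cn=bhead,o=test, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x97b031d8
DoSearch on connection 0x97b031f0
 request: base: ""  scope:2  dereference:0  sizelimit:1  timelimit:0  attrsonly:0  filter: "(mail=nobody@mbrunger1.lab.novell.com)"
Sending operation result 80:"":"" to connection 0x97b031f0
"""

RE_EXT = re.compile(r"DoExtended: Extension Request OID: (\S+)")
RE_CONN = re.compile(r"^(?:DoBind|DoSearch) on connection (0x[0-9a-fA-F]+)")
RE_RESULT = re.compile(r"Sending operation result (\d+):.* to connection (0x[0-9a-fA-F]+)")
RE_BIND = re.compile(r"Bind name:(.*?), version:(\d+), authentication:(\w+)")
RE_SEARCH = re.compile(r'request: base: "(.*?)"\s+scope:(\d+)\s+dereference:(\d+)\s+sizelimit:(\d+).*filter: "(.*)"')


@dataclass
class Login:
    connection: str
    extension_oid: Optional[str] = None
    base: Optional[str] = None
    scope: Optional[int] = None
    deref: Optional[int] = None
    sizelimit: Optional[int] = None
    filter: Optional[str] = None
    bind_dn: Optional[str] = None
    results: List[int] = field(default_factory=list)

    @property
    def mail(self) -> Optional[str]:
        """Address from a (mail=...) filter, i.e. the GroupWise Internet EMail Address."""
        m = re.fullmatch(r"\(mail=(.*)\)", self.filter or "")
        return m.group(1) if m else None

    @property
    def failed_code(self) -> Optional[int]:
        """First non-zero LDAP result code on this connection (80 = LDAP_OTHER)."""
        return next((c for c in self.results if c != 0), None)


def parse_trace(text: str) -> Dict[str, Login]:
    """Group trace lines by connection handle. DoExtended names no connection, so its
    OID is held until the 'Sending operation result ... to connection' line answering it."""
    logins: Dict[str, Login] = {}
    current: Optional[Login] = None
    pending_oid: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_EXT.search(line):
            pending_oid = m.group(1)
        elif m := RE_CONN.search(line):
            current = logins.setdefault(m.group(1), Login(m.group(1)))
        elif m := RE_RESULT.search(line):
            login = logins.setdefault(m.group(2), Login(m.group(2)))
            if pending_oid:
                login.extension_oid, pending_oid = pending_oid, None
            login.results.append(int(m.group(1)))
        elif (m := RE_BIND.search(line)) and current:
            current.bind_dn = m.group(1)
        elif (m := RE_SEARCH.search(line)) and current:
            current.base, current.filter = m.group(1), m.group(5)
            current.scope, current.deref, current.sizelimit = (int(m.group(i)) for i in (2, 3, 4))
    return logins


def classify(login: Login) -> str:
    """'extended operation' if the ndsToLdap extension answered on this connection,
    'Root DSE search' for a base "" subtree search on mail, otherwise 'unknown'."""
    if login.extension_oid == NDS_TO_LDAP_OID:
        return "extended operation"
    if login.base == "" and login.scope == 2 and login.mail is not None:
        return "Root DSE search"
    return "unknown"


def ldapsearch_command(login: Login, url: str = "ldap://LDAPSERVER") -> str:
    """OpenLDAP ldapsearch equivalent of a Root DSE login (same base, scope, sizelimit and
    dereference as the POA) for rerunning the lookup by hand. url is a placeholder."""
    if classify(login) != "Root DSE search":
        raise ValueError("not a Root DSE search login")
    return " ".join(["ldapsearch -x -H", url, "-b", '""', "-s", SCOPES[login.scope],
                     "-z", str(login.sizelimit), "-a", DEREF[login.deref],
                     shlex.quote(login.filter), "dn"])


if __name__ == "__main__":
    for login in parse_trace(SAMPLE_TRACE).values():
        status = "ok" if login.failed_code is None else f"FAILED (LDAP result {login.failed_code})"
        print(f"{login.connection}  {classify(login):<18} {login.bind_dn or login.mail}  {status}")
    print(ldapsearch_command(parse_trace(SAMPLE_TRACE)["0x97b031d8"]))
```

Run it against a real trace by replacing SAMPLE_TRACE with the captured file. A connection that shows the extension OID but then binds with a result other than 0 points at the bind (password, intruder lockout), while a Root DSE connection whose search already returns 80 points at the tree walk and the replica placement discussed above; the generated ldapsearch reproduces that search exactly so a third-party client can confirm which it is.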
 

Additional Information

This TID is not meant to address LDAP or eDirectory specific issues. Use a third-party LDAP browser to look for problems. LDAP Browser 2.8.1 or 2.8.2, Softerra LDAP Browser, ldapsearch or even ConsoleOne can be used to verify that the expected eDirectory information is returned.
 
This document is meant to be platform independent. The same steps apply to NetWare, Linux and Windows; the only difference is where the NLMs, binaries or DLLs reside.