
This article is organized in four parts.

 1. Installing and Configuring Novell eDirectory 8.8

2. Installing and Configuring ConsoleOne

3. Preparing the eDirectory for OpenSSO

4. Configuring and Testing OpenSSO system with eDirectory LDAPv3 data store

 

 1. Installing and Configuring Novell eDirectory 8.8

I have used a trial version of eDirectory 8.8 downloaded from  http://download.novell.com/index.jsp

The Solaris SPARC ISO image is eDir_88_Solaris.iso.

You can either burn the image to a CD or mount it directly in the file system. I mounted it as shown below; you need to be root to do this.

Once the bits are accessible on the local host you can start the eDirectory installer by invoking nds-install. The complete screen output of the installation is pasted here for reference.

 

 lofiadm -a  /export/eDir_88_Solaris.iso  /dev/lofi/1

 mount -F hsfs -o ro /dev/lofi/1 /mnt

cd /mnt

/mnt>ls

Copyright iManager_Plugins/ license.txt readme.txt setup/

documentation/ license/ nmas/ res/

Now you can cd  /mnt/setup to run the nds-install


[myeDirhost]:/mnt/setup>./nds-install
%%% Welcome to the installation of Novell eDirectory.
%%% The Novell eDirectory 8.8 for SunOS End User License Agreement will now be displayed.
%%% Please read the agreement carefully before accepting the terms.
%%% Press ENTER to continue.

Novell(r) eDirectory(r) 8.8
Novell Software License Agreement

%%% Do you accept the terms of Novell eDirectory 8.8 license agreement '[y/n/q] ? 'y
 
%%% Checking whether the required SunOS patches are applied. Please wait...
%%% List of Novell eDirectory 8.8 components available to install
 
%%% 1 Novell eDirectory Server
%%% 2 Novell eDirectory Administration Utilities
 
%%% Select the components you wish to install [?, q] : 1,2

%%% Warning: NICI would be upgraded to latest version, 2.7.0, which might affect the other applications that depend on NICI. Are you sure you want to continue with the Novell eDirectory upgrade?
 
%%% Continue ?  '[y/n/q] ? 'y
%%% Upgrading to NICI-2.7.0...
%%% Removing NICI-2.6.8...
%%% Installing NICI-2.7.0...

%%% Adding packages...

%%% Installing NDSmasv... done
%%% Installing NDSbase... done
%%% Installing NLDAPsdk... done
%%% Installing NLDAPbase... done
%%% Installing NDScommon... done
%%% Installing NOVLepkis... done
%%% Installing NOVLepkia... done
%%% Installing NOVLepkit... done
%%% Installing NOVLsas... done
%%% Installing NOVLntls... done
%%% Installing NOVLncp... done
%%% Installing NDSserv... done
%%% Installing NDSrepair... done
%%% Installing NOVLstlog... done
%%% Installing NOVLsubag... done
%%% Installing NOVLnmas... done
%%% Installing NOVLxis... done
%%% Installing NOVLlmgnt... done
%%% Installing NOVLembox... done
%%% Installing NOVLsnmp... done
%%% Installing NDSimon... done
%%% Installing NOVLice... done

%%% Use "ndsconfig" or "ndsmanage" to configure Novell eDirectory Server.

%%% To use eMBox you need JRE version 1.4 or above. If your default version doesn't work then update the PATH variable as follows to use jre version 1.4
PATH=$PATH:/opt/novell/eDirectory/lib/nds-modules/embox/jre/bin

%%% WARNING: The user should install SUNWslpu or NDSslp(version-8.8) package for using SLP services.

%%% Please update the following environment variables and export them or run /opt/novell/eDirectory/bin/ndspath to set the environment for Novell eDirectory 8.8

PATH=/opt/novell/eDirectory/bin:/opt/novell/eDirectory/sbin:$PATH
LD_LIBRARY_PATH=/opt/novell/eDirectory/lib:/opt/novell/eDirectory/lib/nds-modules:/opt/novell/lib:$LD_LIBRARY_PATH
MANPATH=/opt/novell/man:$MANPATH
 
%%% Please go through /mnt/setup/../readme.txt carefully before using the product.
 
%%% Novell eDirectory Server packages successfully installed.

After the eDirectory packages are installed you need to configure the server to suit your deployment. For this exercise I used a simple flat DIT structure.

Throughout this text I use the following terms and their respective values:

Admin name = admin.sun

Tree name = opensso-tree

Server Context = o=sun

These parameters have rough equivalents in Sun Java ES Directory Server: the admin name plays the role of cn=directory manager and the server context is more like the root suffix. Note that admin.sun is eDirectory's typeless dotted notation; in LDAP form the same object is cn=admin,o=sun, which is the DN used in the ldapsearch and ldapmodify commands later on.

Now eDirectory can be configured by running the following sequence of commands. Throughout these tests I used the superuser account (root) for installation and configuration.

# PATH=/opt/novell/eDirectory/bin:/opt/novell/eDirectory/sbin:$PATH

# LD_LIBRARY_PATH=/opt/novell/eDirectory/lib:/opt/novell/eDirectory/lib/nds-modules:/opt/novell/lib:$LD_LIBRARY_PATH

# export PATH LD_LIBRARY_PATH

# ndsconfig new -i

Enter admin name with context[admin.org]:admin.sun

Enter the password for admin.sun:

Re-enter the password for admin.sun:

Enter tree name[root-myeDirhost-NDStree]:opensso-tree

Enter server context[org]:o=sun

Please enter the absolute path for the instance [ /var/opt/novell/eDirectory ]:

Please enter absolute path of the database directory [ /var/opt/novell/eDirectory/data/dib ]:

Configuring the NDAP interfaces... Done

Configuring the LDAP interfaces... Done

Configuring the HTTP interfaces... Done

Starting the service 'ndsd'... Done.

Configuring Novell eDirectory server with following parameters

Admin name = admin.sun

Tree name = opensso-tree

Server Context = o=sun

DIB location = /var/opt/novell/eDirectory/data/dib

Basic configuration is successful. Proceeding with additional configuration...

Extending schema... Done

For more details view schema extension logfile: /var/opt/novell/eDirectory/log/schema.log

Configuring HTTP service... Done

Configuring LDAP service... Done

Configuring SNMP service... Done

Configuring SAS service... Done

Associating certificate with the NCP server object... Done

Configuring NMAS service... Done

Configuring SecretStore... Done

Configuring LDAP Server with default SSL CertificateDNS certificate... Done

The instance at /etc/opt/novell/eDirectory/conf/nds.conf is successfully configured.

I used the default ports, so the directory server is listening for LDAP on port 389 (and for LDAP over SSL on port 636).

2. Installing and Configuring ConsoleOne

At this point you can try an ldapsearch against the running server:

ldapsearch -D "cn=admin,o=sun" -w secret12 -b "o=sun" "objectclass=*"

ldap_simple_bind: Confidentiality required

The bind is refused because, by default, eDirectory's LDAP server rejects simple binds with a password over a cleartext connection (LDAP result code 13, confidentialityRequired). To keep the examples on port 389 working we need to enable plaintext password authentication. For this I have not (yet) figured out a command-line way, and only for this reason I had to install Novell ConsoleOne, the GUI tool for managing eDirectory objects. Keep in mind that the default exists for a good reason: once it is off, the admin password crosses the network in the clear on every bind. Outside a lab, leave it on and point ldapsearch and the OpenSSO data store at the SSL port (636) instead.

Like eDirectory, I downloaded the trial version of ConsoleOne from http://download.novell.com/index.jsp


[myeDirhost]:/export/novell>gunzip < /export/share/novell/c1_136e-solaris.tar.gz | tar xvf -
[myeDirhost]:/export/novell>cd Solaris; ls
admin.nds4s NDSsfrepr.pkg NDSsimgrf.pkg NDSslp.pkg NDSswanp.pkg NOVLc1jre.pkg
c1-install NDSsice.pkg NDSsimgri.pkg NDSspki.pkg NDSswanr.pkg NOVLc1p.pkg
c1-uninstall NDSsiced.pkg NDSsimgrp.pkg NDSspkif.pkg NLDAPbase.pkg NOVLc1r.pkg
NDSbase.pkg NDSsicee.pkg NDSsimgrr.pkg NDSsslp.pkg NLDAPsdk.pkg NOVLc1T.pkg
NDScommon.pkg NDSsicef.pkg NDSsldap.pkg NDSsslpf.pkg NOVLc1.pkg NOVLice.pkg
NDSsfrep.pkg NDSsicei.pkg NDSsldapd.pkg NDSsslpj.pkg NOVLc1C.pkg NOVLlmgnt.pkg
NDSsfrepd.pkg NDSsicep.pkg NDSsldape.pkg NDSswan.pkg NOVLc1d.pkg NOVLniu0.pkg
NDSsfrepe.pkg NDSsicer.pkg NDSsldapf.pkg NDSswand.pkg NOVLc1e.pkg NOVLpkia.pkg
NDSsfrepf.pkg NDSsimgr.pkg NDSsldapi.pkg NDSswane.pkg NOVLc1f.pkg NOVLpkis.pkg
NDSsfrepi.pkg NDSsimgrd.pkg NDSsldapp.pkg NDSswanf.pkg NOVLc1i.pkg NOVLsas.pkg
NDSsfrepp.pkg NDSsimgre.pkg NDSsldapr.pkg NDSswani.pkg NOVLc1j.pkg NOVLxis.pkg

Invoke the installer


[myeDirhost]:/export/novell/Solaris>./c1-install
Welcome to the installation of ConsoleOne 1.3.6e

The following is a list of languages that are available to install.

1 English
2 Chinese
3 Chinese Traditional
4 French
5 German
6 Italian
7 Japanese
8 Portuguese
9 Russian
10 Spanish
11 All

Select the languages you wish to install [?,q]: 1

The following are all the available snap-ins you can choose to install

0 NONE
1 ICE Snap-in
2 Index Manager Snap-in
3 LDAP Snap-in
4 SLP Snap-in
5 WAN Manager Snap-in
6 PKI Snap-in
7 Filtered Replica Snap-in
8 All

Select the snap-in(s) you wish to install [?,q]: 8

Do you wish to install Java Runtime Environment [y,n,q] ? y

%% A later version of NICI (2.7.0) is already present on this system.
%% The version of NICI available with this distribution (2.6.4) was not installed.
%% Adding package NOVLc1jre ...
%% Adding package NDSslp ...
Copyright (C) 1999, 2003 Novell, Inc.
All rights reserved.
Starting NDS SLP services...
Done
%% NOVLsas package is already installed.
%% Adding package NOVLpkia ...
%% Adding package NOVLpkis ...
%% Adding package NOVLc1 ...
%% Adding package NDSsice ...
%% Adding package NDSsimgr ...
%% Adding package NDSsldap ...
%% Adding package NDSsslp ...
%% Adding package NDSswan ...
%% Adding package NDSspki ...
%% Adding package NDSsfrep ...

%% Java Runtime Environment Successfully Installed.
%% ConsoleOne Successfully Installed.
%% Execute /usr/ConsoleOne/bin/ConsoleOne to run ConsoleOne
%% Snap-ins Successfully Installed.

[myeDirhost]:/export/novell/Solaris>/usr/ConsoleOne/bin/ConsoleOne

Once ConsoleOne comes up, select Authenticate from the File menu. This pops up a login window; enter the admin login name (admin), its password, the tree (opensso-tree) and the context (o=sun).

After a successful authentication you will see the tree opensso-tree with the o=sun container and the objects ndsconfig created in it.

Now right-click the object LDAP Group - yourservername, select Properties, uncheck Require TLS for Simple Binds with Password and click Apply. Be clear about what this does: the LDAP server will now accept the admin password (and later the dsameuser password) over an unencrypted port 389 connection, so restrict this to a lab, or re-enable it once the clients use port 636. You may quit ConsoleOne now; we don't need it any more.

3. Preparing the eDirectory for OpenSSO use

If you run the ldapsearch again you will now be able to bind to the server successfully:

/export/novell/Solaris>ldapsearch -D "cn=admin,o=sun" -w secret12 -b "o=sun" "objectclass=*" dn
version: 1
dn: cn=SSL CertificateDNS - myeDirhost,o=sun

dn: cn=DNS AG myeDirhost - myeDirhost,o=sun

dn: cn=SSL certificate - myeDirhost,o=sun

dn: cn=IP AG 192.18.66.231 - myeDirhost,o=sun

dn: cn=SAS Service - myeDirhost,o=sun

dn: cn=SNMP Group - myeDirhost,o=sun

dn: cn=LDAP Group - myeDirhost,o=sun

dn: cn=LDAP Server - myeDirhost,o=sun

dn: cn=Http Server - myeDirhost,o=sun

dn: cn=myeDirhost-PS,o=sun

dn: cn=admin,o=sun

dn: cn=myeDirhost,o=sun

dn: o=sun

Well, we have eDirectory configured and it is ready to be consumed by Access Manager or OpenSSO. I may refer only to OpenSSO in this document, but these instructions hold true for Sun Java ES Access Manager version 7.1 as well.

Out of the box OpenSSO expects a certain DIT structure to already exist in the LDAPv3 repository, for example the container objects ou=groups, ou=agents and ou=people. These are all customizable, but for simplicity we assume the default DIT structure. So far we have not created any user entries in eDirectory except the admin user. If you use eDirectory as the LDAPv3 repository and want to create or modify users in it from the OpenSSO console, you need a privileged user in eDirectory who has all permissions on these containers.

If you are going to use it only for user authentication (read-only), a user with read permissions on these containers is enough, and that is the safer choice: give the OpenSSO bind user only the rights it actually needs. I wanted my eDirectory to hold users created from the OpenSSO console, so I created a privileged user, cn=dsameuser, who can create, modify, read, search and delete entries under these containers.

Here are the LDIF entries that perform the following tasks:

  • Create the OpenSSO-specific container objects (people, agents and groups)

  • Create an administrative group in eDirectory, which is assigned to the user dsameuser

  • Create the user that OpenSSO will bind to eDirectory as

Save these entries in a text file called addEdirEntries.ldif, then run the following ldapmodify command; make sure you invoke the ldapmodify that comes with Novell eDirectory.

Don't modify anything in the LDIF file except the server context, which you can change to match yours. All the ACLs and the numbers in them are critical for the access rights: each ACL value has the form privileges#scope#subject#protectedName, and the leading number is a bit mask of rights. Note that the file also carries the dsameuser password in the clear (userpassword: secret12); change it and protect the file accordingly.

ldapmodify -h host -p port -D "cn=admin,o=sun" -w secret12 -c -a -f addEdirEntries.ldif

dn: cn=Access Manager Admin,o=sun
objectClass: groupOfNames
objectClass: Top
cn: Access Manager Admin
ACL: 2#entry#[Root]#member
ACL: 29#subtree#o=sun#[Entry Rights]
ACL: 47#subtree#o=sun#[All Attributes Rights]

dn: ou=people,o=sun
ou: people
objectClass: organizationalUnit
objectClass: ndsLoginProperties
objectClass: ndsContainerLoginProperties
objectClass: Top
ACL: 2#entry#ou=people,o=sun#loginScript
ACL: 2#entry#ou=people,o=sun#printJobConfiguration
ACL: 31#subtree#cn=Access Manager Admin,o=sun#[Entry Rights]
ACL: 47#subtree#cn=Access Manager Admin,o=sun#[All Attributes Rights]

dn: ou=agents,o=sun
ou: agents
objectClass: organizationalUnit
objectClass: ndsLoginProperties
objectClass: ndsContainerLoginProperties
objectClass: Top
ACL: 2#entry#ou=agents,o=sun#loginScript
ACL: 2#entry#ou=agents,o=sun#printJobConfiguration
ACL: 31#subtree#cn=Access Manager Admin,o=sun#[Entry Rights]
ACL: 47#subtree#cn=Access Manager Admin,o=sun#[All Attributes Rights]

dn: ou=groups,o=sun
ou: groups
objectClass: organizationalUnit
objectClass: ndsLoginProperties
objectClass: ndsContainerLoginProperties
objectClass: Top
ACL: 2#entry#ou=groups,o=sun#loginScript
ACL: 2#entry#ou=groups,o=sun#printJobConfiguration
ACL: 31#subtree#cn=Access Manager Admin,o=sun#[Entry Rights]
ACL: 47#subtree#cn=Access Manager Admin,o=sun#[All Attributes Rights]

dn: cn=dsameuser,ou=people,o=sun
uid: dsameuser
Language: ENGLISH
sn: p
securityEquals: cn=Access Manager Admin,o=sun
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
groupMembership: cn=Access Manager Admin,o=sun
userpassword: secret12
cn: dsameuser
ACL: 2#subtree#cn=dsameuser,ou=people,o=sun#[All Attributes Rights]
ACL: 6#entry#cn=dsameuser,ou=people,o=sun#loginScript
ACL: 2#entry#[Public]#messageServer
ACL: 2#entry#[Root]#groupMembership
ACL: 6#entry#cn=dsameuser,ou=people,o=sun#printJobConfiguration
ACL: 2#entry#[Root]#networkAddress

dn: cn=Access Manager Admin,o=sun
changetype: modify
add: member
member: cn=dsameuser,ou=people,o=sun

dn: cn=Access Manager Admin,o=sun
changetype: modify
add: equivalentToMe
equivalentToMe: cn=dsameuser,ou=people,o=sun
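The ACL values above are the part people get wrong, so here is an added example (not code from the original post) that decodes eDirectory's privileges#scope#subject#protectedName format and audits who ends up with inherited Supervisor rights over the OpenSSO containers. The rights bit values are taken from Novell's Object ACL syntax as I remember it and are an assumption to verify against the schema reference for your version; the embedded LDIF is an abridged copy of addEdirEntries.ldif.

```python
"""Decode and audit eDirectory Object ACL values.

Format: privileges#scope#subjectName#protectedName, exactly as they appear
in the ACL attribute of the LDIF above.  The rights bit values below follow
Novell's Object ACL syntax as I remember it; treat them as an assumption
and check them against the schema reference for your eDirectory version.
"""

# Bits for ACL values whose protected name is [Entry Rights].
ENTRY_RIGHTS = {0x01: "Browse", 0x02: "Create", 0x04: "Delete",
                0x08: "Rename", 0x10: "Supervisor", 0x40: "InheritanceControl"}
# Bits for ACL values protecting a named attribute or [All Attributes Rights].
ATTR_RIGHTS = {0x01: "Compare", 0x02: "Read", 0x04: "Write",
               0x08: "AddSelf", 0x20: "Supervisor", 0x40: "InheritanceControl"}


def decode_acl(value):
    """Split one ACL value into its fields and name the privilege bits.

    Scope 'entry' covers the protected entry only; 'subtree' is inherited by
    every entry below it, which is what lets the container ACLs in the LDIF
    reach the users OpenSSO will later create under them.
    """
    priv, scope, subject, protected = value.split("#", 3)
    priv = int(priv)
    if scope not in ("entry", "subtree"):
        raise ValueError("unknown scope in ACL: " + value)
    table = ENTRY_RIGHTS if protected == "[Entry Rights]" else ATTR_RIGHTS
    if priv & ~sum(table):
        raise ValueError("unknown privilege bits in ACL: " + value)
    return {"privileges": priv, "scope": scope, "subject": subject,
            "protected": protected,
            "rights": [name for bit, name in sorted(table.items()) if priv & bit]}


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}} for add records.
    Records with a changetype are skipped; no base64 or line folding."""
    entries = {}
    for record in text.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            name, _, val = line.partition(":")
            attrs.setdefault(name.strip(), []).append(val.strip())
        if "changetype" not in attrs:
            entries[attrs["dn"][0]] = attrs
    return entries


def trustees(entries, dn):
    """Rights granted directly on dn, keyed by subject, then protected name."""
    out = {}
    for value in entries[dn].get("ACL", []):
        acl = decode_acl(value)
        out.setdefault(acl["subject"], {})[acl["protected"]] = acl["rights"]
    return out


def subtree_supervisors(entries):
    """Subjects holding inherited (subtree) Supervisor entry rights on each
    entry: the trustees the OpenSSO bind user must be security-equivalent to."""
    result = {}
    for dn, attrs in entries.items():
        for value in attrs.get("ACL", []):
            acl = decode_acl(value)
            if (acl["protected"] == "[Entry Rights]" and acl["scope"] == "subtree"
                    and "Supervisor" in acl["rights"]):
                result.setdefault(dn, set()).add(acl["subject"])
    return result


# Abridged copy of addEdirEntries.ldif: the group, one container, the bind user.
ADD_EDIR_ENTRIES = """\
dn: cn=Access Manager Admin,o=sun
objectClass: groupOfNames
objectClass: Top
cn: Access Manager Admin
ACL: 2#entry#[Root]#member
ACL: 29#subtree#o=sun#[Entry Rights]
ACL: 47#subtree#o=sun#[All Attributes Rights]

dn: ou=people,o=sun
ou: people
objectClass: organizationalUnit
objectClass: Top
ACL: 2#entry#ou=people,o=sun#loginScript
ACL: 31#subtree#cn=Access Manager Admin,o=sun#[Entry Rights]
ACL: 47#subtree#cn=Access Manager Admin,o=sun#[All Attributes Rights]

dn: cn=dsameuser,ou=people,o=sun
cn: dsameuser
objectClass: inetOrgPerson
securityEquals: cn=Access Manager Admin,o=sun
groupMembership: cn=Access Manager Admin,o=sun
ACL: 2#subtree#cn=dsameuser,ou=people,o=sun#[All Attributes Rights]
ACL: 6#entry#cn=dsameuser,ou=people,o=sun#loginScript
ACL: 2#entry#[Public]#messageServer
ACL: 2#entry#[Root]#groupMembership
ACL: 2#entry#[Root]#networkAddress

dn: cn=Access Manager Admin,o=sun
changetype: modify
add: member
member: cn=dsameuser,ou=people,o=sun
"""

if __name__ == "__main__":
    entries = parse_ldif(ADD_EDIR_ENTRIES)
    for dn, subjects in subtree_supervisors(entries).items():
        print(dn, "<- Supervisor:", ", ".join(sorted(subjects)))
```

Run it as-is and it lists, for each entry in the LDIF, which trustees get inherited Supervisor rights; point parse_ldif at your own addEdirEntries.ldif after changing the server context to confirm the numbers still decode to Browse/Create/Delete/Rename/Supervisor (31) on the containers and Read (2) on the self-ACLs.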

If for some reason you want to undo the above step, save the following DNs in a file, for example delEdirEntries.ldif (leaf entries first, since ldapdelete will not remove a non-empty container), then run the following command:

ldapdelete -h host -p port -D "cn=admin,o=sun" -w secret12 -f delEdirEntries.ldif

cn=dsameuser,ou=people,o=sun

ou=people,o=sun

cn=Access Manager Admin,o=sun

ou=agents,o=sun

ou=groups,o=sun

4. Configuring OpenSSO to use eDirectory through LDAPv3 plugin Interface

Log in to your OpenSSO system as the top-level admin (amadmin) and create a new generic LDAPv3 data store for the eDirectory just configured. It is a pretty straightforward process, but a couple of attributes and objectclasses have to be adjusted to work with eDirectory-specific objects.

For user objects, replace the objectclass 'User' with 'inetOrgPerson'. In eDirectory User is mapped to inetOrgPerson, but somehow this mapping does not work when a user object is created from the OpenSSO console, so I had to replace 'User' with 'inetOrgPerson'.

In the same manner, add the postaladdress and mail attributes to the list box labeled 'LDAP User Attributes'. Remove the attribute inetuserstatus from this list: writing it to eDirectory makes the LDAPv3 repository fail with an objectClassViolation, because inetuserstatus requires the inetUser objectclass, which is not part of the eDirectory schema.

NOTE: eDirectory treats the userpassword attribute differently from Sun DS. By default this attribute is not returned, so you will see an empty password box in the OpenSSO console. You can save a user entry with the password box empty (only during an attribute update, not during creation, where you must supply a value); the empty box is not taken as a null password, the existing password in the entry is kept.

For groups, enter the objectclass 'groupOfNames' and the attributes member and groupMembership for static groups. I have not explored the other group types. Be aware that a group created from the OpenSSO console is a plain, non-administrative group. It should not be used for rights delegation, because groups created from the OpenSSO console do not meet the requirements Novell stipulates for administrative groups (the ACLs and the securityEquals/equivalentToMe links shown in the LDIF above).

Evidently OpenSSO does not maintain these cross-links between a group and its members, and IMO that is beyond the scope of OpenSSO: it relies only on the groupMembership attribute for its authorization decisions. Refer to the Novell documentation for the details.

Novell eDirectory uses more than one attribute to determine whether a user may log in, and it is up to the customer to select the attribute that suits their deployment. The following are some of the attributes that determine a user's login status:

  • Login Allowed Time Map

  • Login Disabled

  • Login Expiration Time

  • Login Maximum Simultaneous

  • Password Expiration Interval

  • Locked By Intruder

  • Password Required
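Because OpenSSO wants one user-status attribute and eDirectory spreads the decision over several, here is an added example (not code from the original post) that evaluates the attributes listed above for an entry as returned by ldapsearch. The attribute names are the LDAP names of those NDS attributes; the loginAllowedTimeMap layout (42 bytes, one bit per half hour of the week starting Sunday 00:00, least-significant bit first, in the server's local time, treated as UTC here) and the sample entry are my assumptions and constructed data, so verify the bit order against a known-good entry before relying on it.

```python
"""Decide whether an eDirectory user may log in, from the login-restriction
attributes listed above, the way an OpenSSO deployment has to before it can
map them onto a single user-status value.  Added example, not from the post.

Assumptions: loginAllowedTimeMap is a 42-byte bitmap of half-hour slots
starting Sunday 00:00, least-significant bit first, in server local time
(treated as UTC here).  Verify the bit order against a known-good entry.
"""
import base64
from datetime import datetime, timezone


def parse_ldapsearch(text):
    """Parse one entry of ldapsearch output into {attr: [values]}.
    '::' marks a base64 value (decoded to bytes); line folding is not handled."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("version:"):
            continue
        if ":: " in line:
            attr, val = line.split(":: ", 1)
            entry.setdefault(attr, []).append(base64.b64decode(val))
        else:
            attr, val = line.split(": ", 1)
            entry.setdefault(attr, []).append(val)
    return entry


def build_timemap(is_allowed):
    """Build a loginAllowedTimeMap from is_allowed(day, slot):
    day 0 = Sunday, slot 0..47 (slot 16 is 08:00)."""
    bits = bytearray(42)
    for day in range(7):
        for slot in range(48):
            if is_allowed(day, slot):
                i = day * 48 + slot
                bits[i // 8] |= 1 << (i % 8)
    return bytes(bits)


def slot_allowed(timemap, when):
    """True if the half-hour containing 'when' is enabled in the bitmap."""
    if len(timemap) != 42:
        raise ValueError("loginAllowedTimeMap must be 42 bytes")
    day = (when.weekday() + 1) % 7          # Python Monday=0 -> Sunday=0
    slot = day * 48 + when.hour * 2 + (1 if when.minute >= 30 else 0)
    return bool(timemap[slot // 8] & (1 << (slot % 8)))


def utc(year, month, day, hour=0, minute=0):
    """Timezone-aware UTC timestamp helper used by the checks below."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _flag(entry, attr):
    return entry.get(attr, ["FALSE"])[0].upper() == "TRUE"


def login_status(entry, now):
    """Return 'active' or the first reason the account cannot log in now."""
    if _flag(entry, "loginDisabled"):
        return "disabled"
    if _flag(entry, "lockedByIntruder"):
        return "locked by intruder detection"
    exp = entry.get("loginExpirationTime")
    if exp:
        # loginExpirationTime is a GeneralizedTime such as 20091231235959Z
        expires = datetime.strptime(exp[0], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        if now >= expires:
            return "expired"
    tmap = entry.get("loginAllowedTimeMap")
    if tmap and not slot_allowed(tmap[0], now):
        return "outside allowed login hours"
    return "active"


# Constructed sample: a user allowed to log in Mon-Fri 08:00-18:00 only.
BUSINESS_HOURS = build_timemap(lambda day, slot: 1 <= day <= 5 and 16 <= slot < 36)
SAMPLE_ENTRY = (
    "version: 1\n"
    "dn: cn=dsameuser,ou=people,o=sun\n"
    "loginDisabled: FALSE\n"
    "lockedByIntruder: FALSE\n"
    "loginExpirationTime: 20091231235959Z\n"
    "loginAllowedTimeMap:: " + base64.b64encode(BUSINESS_HOURS).decode() + "\n"
)

if __name__ == "__main__":
    user = parse_ldapsearch(SAMPLE_ENTRY)
    for when in (utc(2009, 6, 10, 10), utc(2009, 6, 13, 10)):  # Wednesday, Saturday
        print(when.isoformat(), login_status(user, when))
```

The order of the checks matters for what an OpenSSO login module reports: a disabled or intruder-locked account should be refused before any expiry or time-window message, so that the error does not leak which restriction is in force beyond "inactive".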

For agent entities I used a normal user; Novell has built-in device objects that might be leveraged for this purpose, but I have not explored that further. One other advantage of eDirectory is that you get change notifications from the back-end directory, because eDirectory supports the persistent search control that OpenSSO's notification relies on. I used the default persistent search filter (objectclass=*); you will want to narrow this filter so that OpenSSO only receives notifications for the entries it cares about rather than every change under o=sun.

If you have configured the new LDAPv3 data store properly, save the changes. Log out and log back in as amadmin to create a new user from the Subjects tab. Provide the necessary details for the new user and create it. Then log out and log in to the OpenSSO console as the new user; this user should be able to log in and view their profile. At this point you may delete the File repository if you wish.

Troubleshooting

eDirectory comes with a web-based trace/debug tool, iMonitor, which you can reach with a browser at the default port, http://eDirectoryHost:8028 (HTTPS on port 8030). From this console you can view the eDirectory access activity and enable trace. Note that port 8028 is plain HTTP and the console is protected only by directory credentials, so do not expose it beyond the admin network.
