LDAP3 and eDirectory

Similar Messages

• Mac OS X 10.5 Leopard and eDirectory

  Hello, all! I am trying to set up a Mac to authenticate against eDirectory running atop a Netware 6.5. So far, I have been successful in binding the Mac to eDirectory, and I am able to browse the directory as well as read object attributes without problem. However, I am not able to authenticate against the server for login. I have verified that usernames and passwords are correct, and am able to authenticate against the directory on windows clients, but authentication still fails on the Mac. Running DSTrace, I consistently see the following error: " BIO ctrl called with unknown cmd 7 ". If anyone has any ideas, please help! Thanks.

  Are you tracing with +LDAP, +AUTH and +NMAS on?
  > I have tried both authenticated bind and anonymous
  bind with the same result: I am able to read objects and their
  attributes in the directory, but unable to sign on as a user from the
  directory.
  I'm not sure what you mean by that last phrase. Having bound to eDir via
  LDAP, that's as logged on as LDAP gets. The DA in LDAP stands for
  Directory Access, and that's all it gets you - access to the directory,
  not the the server's other resources.
  If you are trying to authenticate to eDir to get access to the file
  system on NW you need to attach via CIFS or AFPTCP.
  Andrew C Taubman
  Novell Support Forums Volunteer SysOp
  http://support.novell.com/forums
  (Sorry, support is not provided via e-mail)
  Opinions expressed above are not
  necessarily those of Novell Inc.

• 802.1x, Machine Authentication, Active Directory and eDirectory

  Does anyone think this is feasible as a solution...
  Problem Definition.
  1) Machines all use the netware Client and authenticate to eDirectory initially, then to AD.
  2) I want to use ACS, not Free Radius.
  3) I don't want to use a 3rd party supplicant.
  Possible solution...
  Does anyone think it might be possible to authenticate a machine using a certificate into AD before the user logs in using the netware client. My thinking being this... the user (or machine in this case) will have already been identified as trusted (through AD), will be connected to the network when the user submits their netware credentials. This would mean that netware could be left out of the 802.1x process completely and yet the user would still get a single sign on experience.

  I did. Basically the scenrio I described in the original post worked.
  The only caveat is that user auth still occurs through 802.1x once you submit the user credentials. There are regestry hacks which disable this if you solely want to use machine auth.
  hope this helps

• DSfW and eDirectory Network Address attribute

  Hi,
  In a DSfW environment, with Windows only clients, we lose the update of the attribute "network address". We need it to provide SSO with the proxy authorization.
  Does anyone know if is possible to have the same behaviour than with the Novell Client? Any idea to have the windows client logon to DSfW updating the network attribute on eDirectory?
  Regards
  Jose Luis

  I am pretty sure, that the SSO agent/application of the Fortinet is
  able to use AD as a SSO source to the proxy. That can't be done in the
  same way as against Edir, but it does work well.
  I have a Sonicwall SSO based on the AD of DSfW and it works great.
  Based on the complexity of my setup, where the connection to the
  internet runs on a physical and logical network, which is completely
  different and separated from the local network connections to the DSfW
  and all other servers I am quite sure, that it would work in a less
  complex setup just out of the box without big configuratrion hassles.
  W. Prindl
  jlrodriguez wrote:
  >
  >Thanks for your answer. But the problem is that who has to read for
  >the IP Address is the proxy (PaloAlto/Fortinet). It does it searching
  >in eDirectory the user that has in the "network address" attribute
  >the IP address of the workstation trying to access Internet, and
  >applying then the corresponding policies.
  >It works perfectly if the workstation has the Novell Client, but not
  >without it.
  >Regards

• OID and eDirectory

  Hello everybody,
  I'm interested in OID - eDirectory (NOVELL) integration. If somebody had done it, could you share it with me please? My email ID is [email protected]
  Thanks much
  Srini.

  Hi! I am also interested in doing this as well. Could some body share their experiances and/or suggest ways to go about it..?
  Thanks
  Ram Kakani

• Isilon NAS and eDirectory

  Hello,
  I'm trying to get an Isilon NAS to authenticate via LDAP to eDirectory. It binding correctly with a user name and password and can look up users but won't allow those users to authenticate over CIFS. I think it might not be able to find the correct password attribute. All users have a Universal password policy assigned and the user that the Isilon binds as has rights to look up user passwords in that policy.
  Any ideas? Or has someone done something like this before?
  Thanks
  James

  > I'm trying to get an Isilon NAS to authenticate via LDAP to eDirectory.
  > It binding correctly with a user name and password and can look up users
  An eDirectory username and password? How does this happen if not via CIFS?
  > but won't allow those users to authenticate over CIFS. I think it might
  Right... so this sentence and the previous sentence seem to be at odds.
  Could you help me understand what is different about "binding correctly
  with a username and password" and "won't allow those user to authenticate
  over CIFS"?
  > not be able to find the correct password attribute. All users have a
  LDAP binds all work one of two ways unless they are really poorly-written:
  1. Direct LDAP bind; there is no looking-up the password.
  2. LDAP Compare: Sends an LDAP Compare request with the current password
  by passing in an attribute for comparison ('userPassword') and the
  password value itself (whatever that is) and then the LDAP server
  (eDirectory) returns true or false. There isn't much flexibility here,
  really...
  > Universal password policy assigned and the user that the Isilon binds as
  > has rights to look up user passwords in that policy.
  This is, if implemented, the scenario I was referring to when I said some
  were "really poorly-written." Actually retrieving the password and
  comparing elsewhere is not the way this should ever be implemented;
  there's no reason to implement it this way (see other options above) and
  it's pretty unlikely that retrieving the password is not how the
  application works since it wouldn't work with many LDAP vendors. In the
  case of eDirectory it could work with UP, but only if the application uses
  a special NMAS control to retrieve the password via LDAP, and that is also
  pretty unlikely.
  > Any ideas? Or has someone done something like this before?
  Find out more about the differences in what works and what doesn't. Also,
  you may want to do some tracing of LDAP using ndstrace. Enable all of the
  tracing/screen options in iManager or ConsoleOne and then run ndstrace and
  post the output that you see here, both of a successful and failed LDAP
  test (pointing out which was which from the trace):
  ndstrace
  set dstrace=nodebug
  dstrace +time +tags +ldap
  dstrace file on
  set dstrace=*r
  #perform test here
  dstrace file off
  quit
  The ndstrace.log file will have the output from your tests.
  Good luck.

• Associating existing GroupWise and eDirectory accounts

  I'm trying to associate existing eDirectory accounts with existing GroupWise accounts using the GW Admin API. I am able to create new groupwise accounts and associate them with existing eDir accounts using the addexisting user method of the desired postoffices' Users object, however when I try to use this method on an already existing groupwise account, a user commit failed exception is generated. The key point here is that both the GW and eDir accounts already exist. I'm just trying to associate them as is possible in ConsoleOne. Any help would be greatly appreceiated!

  I'm trying to associate existing eDirectory accounts with existing GroupWise accounts using the GW Admin API. I am able to create new groupwise accounts and associate them with existing eDir accounts using the addexisting user method of the desired postoffices' Users object, however when I try to use this method on an already existing groupwise account, a user commit failed exception is generated. The key point here is that both the GW and eDir accounts already exist. I'm just trying to associate them as is possible in ConsoleOne. Any help would be greatly appreceiated!

• Setting up FreeRADIUS and eDirectory for 802.1X Authentication

  Not sure how many people know about this, but I sure didn't. Novell
  actually has a TID on how to set all of this up. Just thought I share this
  with you guys. Might just help someone out there.
  http://www.novell.com/support/php/se...200%2083136239

  Hcyuan,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://support.novell.com and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://support.novell.com/forums/faq_general.html
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://support.novell.com/forums/

• Messenger 2.04 and eDirectory

  The Messenger install manual states that Messenger needs eDirectory, but does eDirectory have to be installed "on" the server with Messenger or does Messenger just need to be able to talk to eDirectory on the network?
  thanks
  Brad

  On 5/21/2010 8:55 AM, Brad Beckenhauer wrote:
  > The Messenger install manual states that Messenger needs eDirectory, but
  > does eDirectory have to be installed "on" the server with Messenger or
  > does Messenger just need to be able to talk to eDirectory on the network?
  > thanks
  > Brad
  Just needs to talk.

• BorderManager 3.6 and eDirectory 8.8

  Hello,
  I wonder wether BM 3.6. will work with eDir 8.8. I know it is not supported. But will it be possible? Anyone already did that?
  Thank you,
  Regards,
  Nico

  In article <[email protected]>, Nigoooh wrote:
  > I wonder wether BM 3.6. will work with eDir 8.8. I know it is not
  > supported. But will it be possible? Anyone already did that?
  >
  I'm guessing it will work - but I have not tried it myself.
  Craig Johnson
  Novell Knowledge Partner
  *** For a current patch list, tips, handy files and books on
  BorderManager, go to http://www.craigjconsulting.com ***

• Edirectory upgrade and I manager

  I upgraded to the latest support pack for edirectory to my Netware 6.5 sp8 server. I am trying to add a new Suse server to the tree and after doing the upgrade I can no longer login into imanager nor add the Suse server to the tree. My authintacation fails. the message I get trying to login to iManager is.
  Unable to create AdminNamespace. java.lang.NoClassDefFoundError
  How do I correct this?
  Thanks
  Dave.

  You might try the iManager forum here, but what versions of iManager and eDirectory do you have and from where are you trying to run it?

• EDirectory and 3.4 and 3.1 Client

  Greetings,
  Over the weekend we upgraded two servers to eDirectory 8.7.3.3, NetWare 5.1 sp7. On one server we can still use the Windows 98 client 3.1 and login successfully. On the other server the 3.1 client fails. Any ideas on why one works and the other does not?
  We also added NFA to both servers.
  The only diff in the NLMs is the drivers for the hardware and the one that does not work also has lic_api.nlm and tui.nlm loaded. I unload the lic_api.nlm but that did not make the 3.1 client work.
  Thanks!
  Jeff

  Yes, 3.4 does work. My question was why 3.1 does work with one server but not on the other when they both appear to be the same. They both have the same version of NetWare 5.1 sp7 and eDirectory 8.7.3.3. Maybe it will just be one of those mysteries. If I can figure this out then we will not have to worry about upgrading clients before we upgrade to eDirectory on our other 40 server/sites.
  Thanks!
  Jeff
  >>> Edison Ortiz<[email protected]> 4/6/05 7:18:15 PM >>>
  On 4/6/2005 Jeffrey Beard wrote:
  > Yes I can ping the server. DS.NLM is loading. Other clients with current
  > versions login fine.
  Then, it's clear that version of eDirectory does not support v3.1 for some
  reason. I suggest going with v3.4 since you just said it works.
  Edison Ortiz
  Novell Product Support Forum SysOp
  (No Email Support, Thanks !)

• Restoring eDirectory info from Netware 5.1 to 6.5.

  What are the chances of restoring eDirectory info from a Netware 5.1 server to a NetWare6.5SP8 server?
  My network is a mixture of NW6.5SP8 and OES 11SP2 servers, with a single exception.
  Due to organizational politics, we have a department that has kept an old NetWare 5.1 server running.
  That server crashed yesterday (finally!), and has been removed from eDirectory.
  Amidst my joy, however, there is a problem:
  My server backup software had never had any ACL-related problems when I've used it to restore data to my NW6.5 or OES11 servers.
  That includes restoring data to a different server.
  I had no problems restoring the data from this 5.1 server to another location, but no ACL information was included in the restoration.
  My only desire at this point is to find a way to discover the ACL information with regard to that data. There were a LOT of group-related access rights on this server.
  Even though it wouldn't be my responsibility to recreate those rights, I'd like to see if I can recover it somehow.
  What would be the expected result of attempting to restore both the data and the eDirectory info from tape backup of the NetWare 5.1 server to a newly created NW6.5SP8 server?
  I don't care how much the server complains about not seeing the rest of the network, as long as I can log into it and look at the file rights information.
  If I were to create a new server in its own tree, isolated from the production network, and attempt to restore both data and eDirectory to the server, would it be logical to expect the ACl information to be restored?
  I may still have a NW5.1 server CD around somewhere, but if I can accomplish my goal with a NW6.5 server, it'd be faster.
  Any thoughts are welcome.

  Thank you for your response, Anders
  Yes, I'm referring to file rights.
  I'm confused, then.
  I have always thought that trustee rights involved both eDirectory and the file system; that without eDirectory the file system wouldn't be able to correlate the trustee rights to eDirectory objects (users, groups, etc...).
  For instance, I have an OES 11 server that does not use the NSS file system.
  I set it up as an NCP server and used the Migration utility to copy files from an NW6.5 server to its ext3 volume
  The trustee rights were retained for those files.
  I assumed that this was due to the eDirectory information.
  If trustee rights are contained in the file system, this becomes even more mysterious to me.
  I know for a fact that the data NSS volume on the crashed server had a LOT of trustee rights assignments; this group has a lot of programs that can't be allowed to see each others' data.
  Their IT person also backs up the same data, although with a different backup program.
  Restoration from his backup had the same result; no trustee rights.
  The crashed server still exists, although its SYS volume is corrupted.
  Both its SYS volume and it's data volume reside on the same drive, which is mirrored within NetWare.
  My next thought was to mount those drives in another computer and see if the data volume remains un-corrupted.

• Windows 7 automatic login to AD and Edir

  Any one have clear instructions on how to accomplish automatic login to a windows AD domain and edirectory?
  Using Novell Client 2 Sp3 for windows 7 (IR6). Novell is the primary login.
  Goal is to enable the automatic login to both as user "install" .. sysprep the image.. deploy the image so it automatically logs in as the user. Installs associated default zenworks bundles, with the last bundle removing the automatic login registry keys.. then reboot and be ready for the user to login to.
  used to use autolog.exe from Tommy for XP, which I understand doesn't work with windows 7.

  Lol apparently I just need to talk myself through this process :P
  Seems to be working at the moment. Here's what I did. Computer is joined to AD domain and has Novell Client installed/primary logon. I haven't tried this with a sysprep'd image yet, but hoping the sysprep process doesn't change any of these keys:
  HKLM\Software\Novell\Login
  REG_SZ AutoAdminLogon = 1
  REG_SZ DefaultLocationProfile = Default
  REG_SZ DefaultUserName = install (or whatever username you intend to use)
  REG_SZ DefaultPassword = password (or whatever password associated with above username)
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  REG_SZ AutoAdminLogon = 1
  REG_SZ DefaultDomainName = yourdomainname
  REG_SZ DefaultUserName = install (or whatever username)
  REG_SZ DefaultPassword = install (or whatever password associated with above username)
  REG_DWORD DisableCAD = 1 (disable the Ctrl+Alt+Del prompt)

• Adapter up and down

  Hi,
  I have one cluster of two nodes, with Netware 6.5 SP1 and eDirectory 8.7.3
  installed. In one of the nodes it continuously appears this message:
  23/02/2006 9:25:16 : CE1000-6.90-0
  Severity = 0 Locus = 4 Class = 5 ID = 0x1070000
  CE1000-NW-000-Adapter 2-Board 2:
  Link is down.
  23/02/2006 9:26:35 : CE1000-6.90-0
  Severity = 0 Locus = 4 Class = 5 ID = 0x1070000
  CE1000-NW-000-Adapter 2-Board 2:
  Link is up. 1000 Mbs Full Duplex
  and with time it causes down of node.
  Can I help me?
  Thanks.

  On 06/10/2011 14:56, NOVELLJACK1 wrote:
  > I'm experiencing basically the same issue but not losing the node that I
  > know of.
  First of all you may want to start a new thread as you're replying to
  one that is over 5 years old.
  > SYS$LOG.ERR reports the following on a consistant basis.
  > Started happening after I updated Server with SP8
  SP8 but what version of NetWare? 6.5 (since you've posted in the
  NW6.x/OES forum)?
  What SP were you running before you updated the server?
  When you applied SP8 did you choose to upgrade LAN and storage drivers?
  > My Server onboard NIC = Intel(R) PRO/1000
  >
  > Wednesday, 10-05-2011 8:33 am
  > File reset by user: admin
  > *************************************************
  > 10-05-2011 10:06:23 am: E1000-8.24-0
  > Severity = 0 Locus = 4 Class = 5 ID = 0x1070000
  > E1000-NW-000-Adapter 1-Board 1:
  > Link is down.
  >
  > 10-05-2011 10:06:25 am: E1000-8.24-0
  > Severity = 0 Locus = 4 Class = 5 ID = 0x1070000
  > E1000-NW-000-Adapter 1-Board 1:
  > Link is up. 100 Mbs Full Duplex
  >
  > Novell Driver:E1000.LAN V8.24 Dec 22 2005
  >
  > Does Novell have a more recent driver? or what would you
  > recommend for a NIC
  > My Server is a Dell PowerEdge 700
  AFAIK that's the latest driver Novell ship (bearing in mind NetWare is
  no longer being supported).
  Are you running any other post-SP8 patches as listed @
  http://wiki.novell.com/index.php/Nw6...st_SP8_Patches
  HTH.
  Simon
  Novell Knowledge Partner (NKP)
  Do you work with Novell technologies at a university, college or school?
  If so, your campus could benefit from joining the Novell Technology
  Transfer Partner (TTP) program. See novell.com/ttp for more details.