Sun Identity Manager 8.1 Resources Reference

Chapter 23 NetWare NDS

Identity Manager provides adapters for supporting the following Novell products:

The NetWare NDS adapter also supports GroupWise accounts.

Adapter Details

The following table summarizes the attributes of the Novell adapters:

GUI Name                      | Class Name
NetWare NDS                   | com.waveset.adapter.NDSResourceAdapter
NetWare NDS with SecretStore  | com.waveset.adapter.NDSSecretStoreResourceAdapter

Resource Configuration Notes

This section provides instructions for configuring NetWare NDS resources for use with Identity Manager, including:

Gateway Location

Install the Sun Identity Manager Gateway on any NDS client that can connect to the domain to be managed. Multiple gateways should be installed if pass-through authentication is enabled.

Gateway Service Account

By default, the Gateway service runs as the local System account. This is configurable through the Services MMC Snap-in.

If you run the Gateway as an account other than Local System, the Gateway service account requires the "Act as part of the operating system" and "Bypass traverse checking" user rights (Local System holds both already). The Gateway uses these rights for pass-through authentication and for changing and resetting passwords in certain situations.

When performing before and after action scripts, the gateway may need the Replace a process level token right. This right is required if the gateway attempts to run the script subprocess as another user, such as the resource administrative user. In this case, the gateway process needs the right to replace the default token associated with that subprocess.

If this right is missing, the following error may be returned during subprocess creation:

"Error creating process: A required privilege is not held by the client"

The Replace a process level token right is defined in the Default Domain Controllers Policy Group Policy object for domain controllers and in the local security policy of workstations and member servers. To set this right on a system, open the Local Security Policy application in the Administrative Tools folder, then navigate to Local Policies > User Rights Assignment > Replace a process level token and add the Gateway service account.
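Checking a Gateway host for these three rights is easiest from a secedit export rather than by clicking through the policy editor. The following script is an added example and is not part of the Identity Manager documentation: it parses the [Privilege Rights] section of a file produced with `secedit /export /cfg gateway-rights.inf` and lists which of the rights named above a given service account (plus the groups it belongs to, since rights such as Bypass traverse checking are normally granted to Everyone) does not hold. The privilege constant names are the standard Windows ones for those display names; SAMPLE_INF is constructed data, and S-1-5-21-1111-2222-3333-1105 is a placeholder SID for the Gateway service account.

```python
"""Audit a secedit export for the user rights the Gateway service account needs.

Added example, not part of the Sun Identity Manager documentation. Produce the
input on the Gateway host with:  secedit /export /cfg C:\\gateway-rights.inf
SAMPLE_INF below is constructed data; the SID ending in 1105 is a placeholder.
"""

# Windows privilege constant -> display name shown under User Rights Assignment.
REQUIRED_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeChangeNotifyPrivilege": "Bypass traverse checking",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}
LOCAL_SYSTEM_SID = "S-1-5-18"   # the default service account; holds all three inherently
EVERYONE_SID = "S-1-1-0"

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1111-2222-3333-1105
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {privilege constant: set of holders} from the [Privilege Rights] section.

    secedit writes each holder as *SID; the leading '*' is stripped. When secedit
    can resolve a holder to a name it writes the name instead, which is kept verbatim.
    """
    rights = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = {h.strip().lstrip("*") for h in value.split(",") if h.strip()}
        rights[name.strip()] = holders
    return rights


def missing_rights(inf_text, account_sids):
    """Display names of required rights that none of account_sids holds.

    account_sids should contain the service account's own SID and the SIDs of the
    groups it belongs to, because rights granted to a group count for the account.
    """
    sids = set(account_sids)
    if LOCAL_SYSTEM_SID in sids:
        return []
    held = parse_privilege_rights(inf_text)
    return [display for priv, display in REQUIRED_RIGHTS.items()
            if not (sids & held.get(priv, set()))]


def load_secedit_export(path):
    """secedit writes the export as UTF-16; decode it accordingly before parsing."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()
```

Run it on a real export with `missing_rights(load_secedit_export(path), {service_sid, EVERYONE_SID, ...})`; an empty list means the policy already grants everything the Gateway needs, and any remaining entry names the exact policy line to add.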

SecretStore Certificates

To support SecretStore, an SSL certificate must be exported from the NDS system and imported into the trust store of the Identity Manager application server.

One possible way to obtain this certificate is to use ConsoleOne to export the public key. To do this, start ConsoleOne and navigate to the SSL CertificateDNS object. On the Properties dialog of the SSL CertificateDNS object, select Public Key Certificate from the Certificates tab. Press the Export button to begin the process of exporting the certificate. You do not need to export the private key. Store the file in DER format.

Copy the DER file to the Identity Manager application server. Then add the certificate to the jdk\jre\lib\security\cacerts keystore using keytool or another certificate management tool. The keytool utility is shipped with the Java SDK; note that the JDK ships cacerts with the well-known default password changeit, which should be changed on a production server. Refer to the Java documentation for more information about the keytool utility.
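Before a file exported from ConsoleOne is trusted by every Identity Manager connection, it is worth confirming that it really is a DER X.509 certificate (and not a private key exported by mistake) and that its fingerprint matches what the NDS administrator reports. The following script is an added example, not part of the Identity Manager documentation. It classifies a DER blob from its outer ASN.1 structure, computes the SHA-256 fingerprint, and converts the blob to PEM for keytool. The DER samples it builds are minimal constructed structures with dummy contents, not real certificates or keys, and the fingerprint check itself is this example's addition to the documented procedure.

```python
"""Sanity-check an exported NDS SSL certificate before importing it into cacerts.

Added example, not part of the Sun Identity Manager documentation. SAMPLE_CERT
and SAMPLE_PKCS8_KEY are constructed DER structures (right shape, dummy bytes).
"""
import hashlib
import ssl

SEQUENCE, INTEGER, BIT_STRING, OCTET_STRING, OID = 0x30, 0x02, 0x03, 0x04, 0x06


def _der_len(n):
    """DER length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Build one DER TLV (used only to construct the sample inputs)."""
    return bytes([tag]) + _der_len(len(content)) + content


def _read_tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def classify_der(blob):
    """Return 'certificate', 'private-key' or 'unknown' from the outer structure alone."""
    try:
        tag, body, end = _read_tlv(blob)
        if tag != SEQUENCE or end != len(blob):
            return "unknown"
        tags, pos = [], 0
        while pos < len(body):
            t, _, pos = _read_tlv(body, pos)
            tags.append(t)
    except (IndexError, ValueError):
        return "unknown"
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signature BIT STRING }
    if tags == [SEQUENCE, SEQUENCE, BIT_STRING]:
        return "certificate"
    # PKCS#8 PrivateKeyInfo ::= SEQUENCE { version INTEGER, algorithm SEQUENCE, privateKey OCTET STRING, ... }
    if tags[:3] == [INTEGER, SEQUENCE, OCTET_STRING]:
        return "private-key"
    # PKCS#1 RSAPrivateKey is a SEQUENCE consisting only of INTEGERs
    if tags and all(t == INTEGER for t in tags):
        return "private-key"
    return "unknown"


def sha256_fingerprint(blob):
    """Colon-separated upper-case SHA-256 fingerprint, the form keytool -list -v prints."""
    digest = hashlib.sha256(blob).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_export(blob):
    """Refuse anything that is not a certificate; return (fingerprint, PEM text) otherwise."""
    kind = classify_der(blob)
    if kind != "certificate":
        raise ValueError(f"refusing to import: file looks like {kind}, not an X.509 certificate")
    return sha256_fingerprint(blob), ssl.DER_cert_to_PEM_cert(blob)


def is_safe_to_import(blob):
    return classify_der(blob) == "certificate"


# Constructed sample inputs. ALG_ID is the sha256WithRSAEncryption AlgorithmIdentifier.
ALG_ID = der(SEQUENCE, der(OID, bytes.fromhex("2a864886f70d01010b")))
SAMPLE_CERT = der(SEQUENCE,
                  der(SEQUENCE, der(INTEGER, b"\x01") + ALG_ID)      # dummy tbsCertificate
                  + ALG_ID
                  + der(BIT_STRING, b"\x00" + b"\xab" * 64))         # dummy signature
SAMPLE_PKCS8_KEY = der(SEQUENCE,
                       der(INTEGER, b"\x00") + ALG_ID + der(OCTET_STRING, b"\xcd" * 300))
```

After `check_export` accepts the file and the fingerprint matches, the import step from the text is `keytool -importcert -trustcacerts -alias nds-ssl -file nds-cert.der -keystore <jdk>\jre\lib\security\cacerts -storepass <password>`; `keytool -list -v -alias nds-ssl` afterwards prints the same fingerprint for a final comparison.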

Identity Manager Installation Notes

The NetWare NDS adapter does not require any additional installation procedures.

To add the NDS SecretStore resource to the resources list, perform the following procedure:

Procedure: Adding the NDS SecretStore Resource to the Resources List

  1. Add the following value in the Custom Resources section of the Configure Managed Resources page:

     com.waveset.adapter.NDSSecretStoreResourceAdapter

  2. Copy the jsso.jar file to the InstallDir\idm\WEB-INF\lib directory. The jsso.jar file can be obtained from one of the following locations on a machine where the NDS client with either Novell SecretStore or Novell SecureLogin is installed:

     • NovellInstallDir\ConsoleOne\version\lib\SecretStore
     • NovellInstallDir\ConsoleOne\version\lib\security

Usage Notes

This section provides information related to using the NetWare NDS resource adapter, which is organized into the following sections:

Miscellaneous

Pass-Through Authentication Notes

Before Identity Manager 8.0, implementing pass-through authentication required that you edit a registry key and create a separate resource adapter dedicated to performing pass-through authentication. This adapter communicated with the NetWare resource through its own gateway.

As of Identity Manager 8.0, pass-through authentication to a NetWare resource can be performed with a single resource and gateway. If you implemented pass-through authentication in a version prior to 8.0 and want to use a single resource and gateway, perform the following procedure.

Procedure: Consolidating a Pass-Through Authentication Resource Created in a Version Prior to 8.0

  1. Delete the pass-through authentication resource from your NDS login module group.

  2. If you want to delete the pass-through authentication resource from Identity Manager, first delete or modify the common resources attribute of the System Configuration object.


    <Attribute name='common resources'>
       <Object>
          <Attribute name='NDS Group'>
             <List>
                <String>NDS_Resource_Host</String>
                <String>NDS_Passthrough_Host</String>
             </List>
          </Attribute>
       </Object>
    </Attribute>

    If your NDS group contains only the NDS resource and pass-through authentication host, then delete the entire Attribute element. Otherwise, delete the string that defines the pass-through authentication host.

  3. Delete the pass-through authentication resource from the Resources page.

  4. If the gateway is no longer needed on the pass-through authentication host, you may disable the gateway service and remove the application.
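Step 2 has an edge case that is easy to get wrong by hand: the whole group Attribute goes away when only the NDS resource would remain, but only one String goes away when the group also lists other resources. The script below is an added example, not part of the Identity Manager documentation, that applies that rule to a System Configuration object with the standard library XML parser. It is built from the fragment in the text, uses the text's placeholder names NDS_Resource_Host and NDS_Passthrough_Host, and reads "the entire Attribute element" as the group's own Attribute (not the enclosing 'common resources' one), which is this example's interpretation.

```python
"""Remove a pre-8.0 pass-through authentication host from 'common resources'.

Added example, not from the Sun Identity Manager documentation. The XML below
is constructed from the fragment shown in step 2 of the procedure.
"""
import xml.etree.ElementTree as ET

SAMPLE_SYSCONFIG = """\
<Object name='System Configuration'>
  <Attribute name='common resources'>
    <Object>
      <Attribute name='NDS Group'>
        <List>
          <String>NDS_Resource_Host</String>
          <String>NDS_Passthrough_Host</String>
        </List>
      </Attribute>
    </Object>
  </Attribute>
</Object>
"""

# Same group with a third member, so only the pass-through host should be dropped.
SAMPLE_THREE_HOSTS = SAMPLE_SYSCONFIG.replace(
    "<String>NDS_Passthrough_Host</String>",
    "<String>NDS_Other_Host</String>\n          <String>NDS_Passthrough_Host</String>",
)


def remove_passthrough_host(xml_text, group_name, passthrough_host):
    """Return (new_xml, action). The input is returned unchanged when nothing applies."""
    root = ET.fromstring(xml_text)
    holder = root.find("./Attribute[@name='common resources']/Object")
    if holder is None:
        return xml_text, "no common resources attribute"
    group = holder.find(f"./Attribute[@name='{group_name}']")
    if group is None:
        return xml_text, "group not found"
    lst = group.find("List")
    strings = lst.findall("String") if lst is not None else []
    hosts = [s.text for s in strings]
    if passthrough_host not in hosts:
        return xml_text, "pass-through host not listed"
    remaining = [h for h in hosts if h != passthrough_host]
    if len(remaining) <= 1:
        # Only the NDS resource itself would be left: delete the whole group Attribute.
        holder.remove(group)
        action = "removed group attribute"
    else:
        # Other resources share the group: delete just the pass-through host's String.
        for s in strings:
            if s.text == passthrough_host:
                lst.remove(s)
        action = "removed pass-through host"
    return ET.tostring(root, encoding="unicode"), action


def group_members(xml_text, group_name):
    """Resource names currently listed for a group (empty if the group is gone)."""
    root = ET.fromstring(xml_text)
    path = f"./Attribute[@name='common resources']/Object/Attribute[@name='{group_name}']/List/String"
    return [s.text for s in root.findall(path)]
```

ElementTree re-serializes attribute values with double quotes; Identity Manager accepts either form. Do this edit before deleting the resource on the Resources page (step 3), otherwise the stale reference is what the delete trips over.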

Gateway Timeouts

The NetWare adapters allow you to use the RA_HANGTIMEOUT resource attribute to specify a timeout value, in seconds. This attribute controls how long a request to the gateway may take before it times out and is considered hung.

You must manually add this attribute to the Resource object as follows:

<ResourceAttribute name='Hang Timeout'
    displayName='com.waveset.adapter.RAMessages:RESATTR_HANGTIMEOUT'
    type='int'
    description='com.waveset.adapter.RAMessages:RESATTR_HANGTIMEOUT_HELP'
    value='NewValue'/>

The default value for this attribute is 0, which means Identity Manager does not check for a hung connection; a stalled gateway request then blocks until it returns. Set a non-zero value if such requests must fail instead.
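Because the attribute has to be added by hand, a small script that upserts it keeps repeated edits from leaving two Hang Timeout elements behind. The following is an added example, not part of the Identity Manager documentation: it inserts the ResourceAttribute shown above when a Resource lacks it, updates the value when it is already present, and reports the effective timeout (the documented default of 0 when the attribute is absent). The Resource XML it operates on is a constructed minimal fragment; the ResourceAttributes container element and the Host attribute in it are assumptions about the Resource object layout, while the attribute name, type and message keys are the ones the text shows.

```python
"""Upsert the RA_HANGTIMEOUT ('Hang Timeout') resource attribute on a Resource object.

Added example, not from the Sun Identity Manager documentation. SAMPLE_RESOURCE
is a constructed fragment; its ResourceAttributes container is an assumption.
"""
import xml.etree.ElementTree as ET

SAMPLE_RESOURCE = """\
<Resource name='NDS' class='com.waveset.adapter.NDSResourceAdapter'>
  <ResourceAttributes>
    <ResourceAttribute name='Host' type='string' value='nds.example.internal'/>
  </ResourceAttributes>
</Resource>
"""

# Fixed attributes of the element, exactly as the documentation shows them.
HANG_TIMEOUT = {
    "name": "Hang Timeout",
    "displayName": "com.waveset.adapter.RAMessages:RESATTR_HANGTIMEOUT",
    "type": "int",
    "description": "com.waveset.adapter.RAMessages:RESATTR_HANGTIMEOUT_HELP",
}
HANG_TIMEOUT_PATH = "./ResourceAttributes/ResourceAttribute[@name='Hang Timeout']"


def valid_timeout(seconds):
    """0 (no check) or a positive whole number of seconds; bool is rejected on purpose."""
    return isinstance(seconds, int) and not isinstance(seconds, bool) and seconds >= 0


def set_hang_timeout(resource_xml, seconds):
    """Return the Resource XML with Hang Timeout set to `seconds`, adding the element if needed."""
    if not valid_timeout(seconds):
        raise ValueError("hang timeout must be a non-negative integer number of seconds")
    root = ET.fromstring(resource_xml)
    container = root.find("ResourceAttributes")
    if container is None:
        container = ET.SubElement(root, "ResourceAttributes")
    attr = root.find(HANG_TIMEOUT_PATH)
    if attr is None:
        attr = ET.SubElement(container, "ResourceAttribute", HANG_TIMEOUT)
    attr.set("value", str(seconds))
    return ET.tostring(root, encoding="unicode")


def get_hang_timeout(resource_xml):
    """Effective timeout in seconds; the documented default 0 applies when the attribute is absent."""
    attr = ET.fromstring(resource_xml).find(HANG_TIMEOUT_PATH)
    return int(attr.get("value", "0")) if attr is not None else 0
```

ElementTree writes attribute values with double quotes rather than the single quotes shown in the text; Identity Manager accepts both. Pick a timeout comfortably above the slowest legitimate NDS operation (bulk reconciliation is the usual worst case), or reconciliation itself will start failing as "hung".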

Managing NDS Users in GroupWise

When integration with GroupWise is enabled, the NDS adapter can manage the GroupWise attributes of NDS users. The NDS adapter supports adding NDS users to and removing them from a GroupWise Post Office. It also retrieves or modifies other GroupWise account attributes, including AccountID, GatewayAccess, and DistributionLists.

Enabling GroupWise Integration

To activate the integration with GroupWise, you must define a value in the GroupWise Domain DN resource attribute. This value specifies the DN of the GroupWise domain that is to be managed. An example value for this attribute is

CN=gw_dom.ou=GroupWise.o=MyCorp

The NDS Tree resource attribute defines the NDS tree under which the GroupWise domain is expected to reside. That is, the GroupWise domain must be in the same tree as the NDS users managed by the adapter.

Managing an NDS User's GroupWise Post Office

The account attribute GW_PostOffice represents the GroupWise Post Office.

To add an NDS user into a GroupWise Post Office, set the GW_PostOffice account attribute to the name of an existing Post Office that is associated with the GroupWise domain.

To move an NDS user to a different GroupWise Post Office, set the GW_PostOffice account attribute to the name of the new Post Office that is associated with the GroupWise domain.

To remove an NDS user from its Post Office, set the GW_PostOffice account attribute to the same value as the GroupWise Delete Pattern resource attribute. The default value for GroupWise Delete Pattern resource attribute is *TRASH*.

SecretStore and the Identity Manager System Configuration Object

By default, you cannot use the NetWare NDS with SecretStore adapter to manage resource objects (groups, organizations, and organizational units). To enable this functionality, edit the System Configuration object so that the SecretStore adapter's form names map to the existing NetWare NDS forms.

Under the lines that read:

<!-- form mappings -->
   <Attribute name='form'>
      <Object>

add the following:

<!-- NetWare NDS with SecretStore -->
<Attribute name='NetWare NDS with SecretStore Create Group Form'
   value='NetWare NDS Create Group Form'/>
<Attribute name='NetWare NDS with SecretStore Update Group Form'
   value='NetWare NDS Update Group Form'/>
<Attribute name='NetWare NDS with SecretStore Create Organization Form'
   value='NetWare NDS Create Organization Form'/>
<Attribute name='NetWare NDS with SecretStore Update Organization Form'
   value='NetWare NDS Update Organization Form'/>
<Attribute name='NetWare NDS with SecretStore Create Organizational Unit Form'
   value='NetWare NDS Create Organizational Unit Form'/>
<Attribute name='NetWare NDS with SecretStore Update Organizational Unit Form'
   value='NetWare NDS Update Organizational Unit Form'/>
<Attribute name='NetWare NDS with SecretStore Create User Form'
   value='NetWare NDS Create User Form'/>
<Attribute name='NetWare NDS with SecretStore Update User Form'
   value='NetWare NDS Update User Form'/>

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

The Gateway service should be used to connect to a NetWare NDS resource. The Gateway service uses a TCP/IP socket connection encrypted with Triple DES (3DES) for exchanging password information on the network. 3DES is a legacy algorithm, so restrict network access to the gateway port to the Identity Manager server.

You can also use standard LDAP or LDAP over SSL to connect to the NetWare NDS server. In this scenario, use the LDAP resource adapter instead.

Required Administrative Privileges

The Identity Manager administrator must have the proper NDS rights to create a NetWare user. By default, a NetWare administrator has all rights in the Directory and in the NetWare file system.

To perform password administration, an NDS administrator must have Compare, Read, and Write rights on the following properties:

The Identity Manager administrator account performing functions with NDS SecretStore must be defined as a SecretStore administrator.

Provisioning Notes

The following table summarizes the provisioning capabilities of this adapter.

Feature                      | Supported?
Enable/disable account       | Yes
Rename account               | Yes, except renames are not supported when the NDS user also has a GroupWise account.
Pass-through authentication  | Yes
Before/after actions         | No
Data loading methods         | Import directly from resource; Reconcile with resource; Active Sync

Account Attributes

This section provides information about the NetWare NDS account attribute support including:

The syntax (or type) of an attribute usually determines whether the attribute is supported. In general, Identity Manager supports Boolean, string, and integer syntaxes.

The values for attributes with SYN_CI_LIST (such as Language) and SYN_PO_ADDRESS (such as Postal Address) syntaxes should be a list of strings separated by $. The values for SYN_OCTET_STRING attributes should be Base 64 encoded strings of the bytes in the octet stream.
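The encoding rules above decide whether a multi-valued or binary attribute survives a round trip through the adapter, so they are worth holding in one place. The following is an added example, not part of the Identity Manager documentation: an encoder and decoder keyed on the Syntax ID, with one check the text implies but does not state, namely that an item containing the '$' separator cannot be represented (the text defines no escape), so the encoder rejects it instead of silently producing a value that decodes into more items than were intended. The sample values are constructed.

```python
"""Encode and decode NDS attribute values by syntax, per the adapter's rules.

Added example, not from the Sun Identity Manager documentation. List syntaxes
travel as one '$'-separated string, octet strings as Base64 text, everything
else as a plain string. Sample values below are constructed.
"""
import base64

LIST_SYNTAXES = {"SYN_CI_LIST", "SYN_PO_ADDRESS"}
LIST_SEPARATOR = "$"


def encode_value(syntax, value):
    """Turn a Python value into the string form the adapter expects for `syntax`."""
    if syntax in LIST_SYNTAXES:
        items = [str(v) for v in value]
        bad = [i for i in items if LIST_SEPARATOR in i]
        if bad:
            # No escape is defined for the separator, so refuse rather than corrupt the list.
            raise ValueError(f"{syntax} item contains the list separator {LIST_SEPARATOR!r}: {bad!r}")
        return LIST_SEPARATOR.join(items)
    if syntax == "SYN_OCTET_STRING":
        if not isinstance(value, (bytes, bytearray)):
            raise TypeError("SYN_OCTET_STRING expects the raw bytes of the octet stream")
        return base64.b64encode(bytes(value)).decode("ascii")
    return str(value)


def decode_value(syntax, encoded):
    """Inverse of encode_value: split lists, decode Base64, pass anything else through."""
    if syntax in LIST_SYNTAXES:
        return encoded.split(LIST_SEPARATOR) if encoded else []
    if syntax == "SYN_OCTET_STRING":
        return base64.b64decode(encoded, validate=True)   # validate=True rejects stray characters
    return encoded


def round_trips(syntax, value):
    """True when value survives encode -> decode unchanged (bytes compared as bytes)."""
    return decode_value(syntax, encode_value(syntax, value)) == (
        bytes(value) if isinstance(value, bytearray) else value)
```

Attributes such as Language (SYN_CI_LIST) and homePostalAddress (SYN_PO_ADDRESS) go through the list path; jpegPhoto, userCertificate and Login Allowed Time Map (SYN_OCTET_STRING) go through the Base64 path.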

Attribute Syntax Support

Information about attribute syntax support is provided in the following Supported Syntaxes and Unsupported Syntaxes sections.

Supported Syntaxes

The following table provides information about supported attribute syntaxes:

NDS Syntax          | Attr Type | Object ID                                                   | Syntax ID
Boolean             | Boolean   | 1.3.6.1.4.1.1466.115.121.1.7                                | SYN_BOOLEAN
Case Exact String   | String    | 1.3.6.1.4.1.1466.115.121.1.26, 2.16.840.1.113719.1.1.5.1.2  | SYN_CE_STRING
Case Ignore List    | String    | 2.16.840.1.113719.1.1.5.1.6                                 | SYN_CI_LIST
Case Ignore String  | String    | 1.3.6.1.4.1.1466.115.121.1.15                               | SYN_CI_STRING
Class Name          | String    | 1.3.6.1.4.1.1466.115.121.1.38                               | SYN_CLASS_NAME
Counter             | Int       | 2.16.840.1.113719.1.1.5.1.22                                | SYN_COUNTER
Distinguished Name  | String    | 1.3.6.1.4.1.1466.115.121.1.12                               | SYN_DIST_NAME
Fax Number          | String    | 1.3.6.1.4.1.1466.115.121.1.22                               | SYN_FAX_NUMBER
Integer             | Int       | 1.3.6.1.4.1.1466.115.121.1.27                               | SYN_INTEGER
Interval            | Int       | 1.3.6.1.4.1.1466.115.121.1.27                               | SYN_INTERVAL
Numeric String      | String    | 1.3.6.1.4.1.1466.115.121.1.36                               | SYN_NU_STRING
Octet String        | String    | 1.3.6.1.4.1.1466.115.121.1.40                               | SYN_OCTET_STRING
Path                | String    | 2.16.840.1.113719.1.1.5.1.15                                | SYN_PATH
Postal Address      | String    | 1.3.6.1.4.1.1466.115.121.1.41                               | SYN_PO_ADDRESS
Printable String    | String    | 1.3.6.1.4.1.1466.115.121.1.44                               | SYN_PR_STRING
Stream              | String    | 1.3.6.1.4.1.1466.115.121.1.5                                | SYN_STREAM
Telephone Number    | String    | 1.3.6.1.4.1.1466.115.121.1.50                               | SYN_TEL_NUMBER
Time                | Int       | 1.3.6.1.4.1.1466.115.121.1.24                               | SYN_TIME

Unsupported Syntaxes

The following table provides information about unsupported syntaxes:

NDS Syntax       | Object ID                     | Syntax ID
Back Link        | 2.16.840.1.113719.1.1.5.1.23  | SYN_BACK_LINK
EMail Address    | 2.16.840.1.113719.1.1.5.1.14  | SYN_EMAIL_ADDRESS
Hold             | 2.16.840.1.113719.1.1.5.1.26  | SYN_HOLD
Net Address      | 2.16.840.1.113719.1.1.5.1.12  | SYN_NET_ADDRESS
Object ACL       | 2.16.840.1.113719.1.1.5.1.17  | SYN_OBJECT_ACL
Octet List       | 2.16.840.1.113719.1.1.5.1.13  | SYN_OCTET_LIST
Replica Pointer  | 2.16.840.1.113719.1.1.5.1.16  | SYN_REPLICA_POINTER
Timestamp        | 2.16.840.1.113719.1.1.5.1.19  | SYN_TIMESTAMP
Typed Name       | 2.16.840.1.113719.1.1.5.1.25  | SYN_TYPED_NAME
Unknown          | 2.16.840.1.113719.1.1.5.1.0   | SYN_UNKNOWN

Account Attribute Support

Information about attribute support is provided in the following Supported Account Attributes and Unsupported Account Attributes sections.

Supported Account Attributes

The following attributes are displayed on the Account Attributes page for the NDS resource adapters.

Resource User Attribute       | NDS Syntax                  | Attribute Type | Description
Create Home Directory         | Boolean                     | Boolean        | Indicates whether to create a home directory for the user. The Home Directory parameter must be set.
Description                   | Case Ignore String          | String         | Text that describes the user.
Facsimile Telephone Number    | Facsimile Telephone Number  | String         | The telephone number and, optionally, the parameters for a facsimile terminal associated with a user.
Full Name                     | Case Ignore String          | String         | The full name of a user.
Generational Qualifier        | Case Ignore String          | String         | Indicates a person's generation, for example Jr. or II.
Given Name                    | Case Ignore String          | String         | The given (first) name of a user.
Group Membership              | Distinguished Name          | String         | A list of the groups to which the user belongs.
GW_AccountID                  | Not applicable              | String         | Account ID specified in the User Information field for GroupWise accounting.
GW_DistributionLists          | Not applicable              | String         | Distribution lists of which the user is a member. The values must be valid distribution list distinguished names (DNs).
GW_GatewayAccess              | Not applicable              | String         | Restricts access to GroupWise gateways. See your gateway documentation to determine whether this field is applicable.
GW_Name                       | Not applicable              | String         | The GroupWise mailbox name.
GW_PostOffice                 | Not applicable              | String         | The name of an existing Post Office that is associated with the GroupWise domain.
Home Directory                | Path                        | String         | The location of a client's current working directory. See the "Usage Notes" for more information.
Initials                      | Case Ignore String          | String         | The user's middle initial.
Internet EMail Address        | Case Ignore String          | String         | Specifies an Internet e-mail address.
                              | Case Ignore String          | String         | A physical or geographical location.
Locked By Intruder            | Boolean                     | Boolean        | Indicates that an account has been locked because of excessive failed login attempts.
Login Grace Limit             | Integer                     | Int            | The total number of times an old password can be used (after it has expired) to access the account.
Login Maximum Simultaneous    | Integer                     | Int            | The number of authenticated login sessions a user can initiate simultaneously.
ou                            | Case Ignore String          | String         | The name of an organizational unit.
Password Allow Change         | Boolean                     | Boolean        | Determines whether the person logged in under an account can change the password for that account.
Password Expiration Interval  | Interval                    | Int            | The time interval for which a password can remain active.
Password Required             | Boolean                     | Boolean        | Establishes that a password is required for the user to log in.
Password Unique Required      | Boolean                     | Boolean        | Establishes that when a user password is changed, it must differ from those in the Passwords Used attribute.
Surname                       | Case Ignore String          | String         | Required. The name an individual inherits from a parent (or assumes by marriage) and by which the individual is commonly known.
Telephone Number              | Telephone Number            | String         | The user's telephone number.
Title                         | Case Ignore String          | String         | The designated position or function of a user within an organization.
userPassword                  | N/A                         | Encrypted      | Required. The user's password.

The following table lists additional supported attributes that are defined in the NDS User object class.

Resource User Attribute    | NDS Syntax          | Attribute Type | Description
Account Balance            | Counter             | Int            | The amount of credit the user has to buy network services, such as connection time.
Allow Unlimited Credit     | Boolean             | Boolean        | Indicates whether the user account has unlimited credit for using network services.
audio                      | Octet String        | String         | An audio file in binary format.
businessCategory           | Case Ignore String  | String         | Describes the kind of business performed by an organization.
carLicense                 | Case Ignore String  | String         | Vehicle license or registration plate.
departmentNumber           | Case Ignore String  | String         | Identifies a department within an organization.
displayName                | Case Ignore String  | String         | The name to be displayed on admin screens.
Employee ID                | Case Ignore String  | String         | Numerically identifies an employee within an organization.
employeeType               | Case Ignore String  | String         | Type of employment, such as Employee or Contractor.
Entrust:User               | Case Exact String   | String         | Specifies an Entrust user.
Higher Privileges          | Distinguished Name  | String         | An alternative set of security access privileges.
homePhone                  | Telephone Number    | String         | The user's home telephone number.
homePostalAddress          | Postal Address      | String         | The user's home address.
jpegPhoto                  | Octet String        | String         | A JPEG file containing a photo of the user.
labeledUri                 | Case Ignore String  | String         | The user's Uniform Resource Identifier (URI).
Language                   | Case Ignore List    | String         | An ordered list of languages.
Last Login Time            | Time                | String         | The login time of the session previous to the current session.
ldapPhoto                  | Octet String        | String         | A photo of the object in binary format.
Login Allowed Time Map     | Octet String        | String         | The allowed login time periods for an account for each day of the week, to a precision of one-half hour.
Login Disabled             | Boolean             | Int            | Indicates that the account has been disabled.
Login Expiration Time      | Time                | String         | A date and time after which a client cannot log in.
Login Grace Remaining      | Counter             | Int            | The number of grace logins that are left before the account is locked.
Login Intruder Attempts    | Counter             | Int            | The number of failed login attempts that have occurred in the current interval.
Login Intruder Reset Time  | Time                | String         | The next time that the intruder attempts counter will be reset.
Login Script               | Stream              | String         | The user's login script.
Login Time                 | Time                | String         | The login time of the current session.
manager                    | Distinguished Name  | String         | The user's supervisor.
Minimum Account Balance    | Integer             | Int            | The minimum amount of credit (or money) a user must have in his or her account to access specified services.
mobile                     | Telephone Number    | String         | The user's mobile phone number.
NDSPKI:Keystore            | Octet String        | String         | Contains wrapped private keys.
NRD:Registry Data          | Stream              | String         | The NetWare Registry Database.
NRD:Registry Index         | Stream              | String         | The index of the NetWare Registry Database.
pager                      | Telephone Number    | String         | The user's pager number.
Password Expiration Time   | Time                | String         | Specifies when the password will expire.
preferredLanguage          | Case Ignore String  | String         | The user's preference for written or spoken language.
Print Job Configuration    | Stream              | String         | Contains information on the specified print job configuration.
Printer Control            | Stream              | String         | The NDS counterpart of the DOS printer definition file, NET$PRN.DAT.
Profile                    | Distinguished Name  | String         | The login profile to be used if the user does not specify one at login time.
Profile Membership         | Distinguished Name  | String         | A list of profiles that the object can use.
Public Key                 | Octet String        | String         | A certified RSA public key.
roomNumber                 | Case Ignore String  | String         | The user's office or room number.
secretary                  | Distinguished Name  | String         | The user's administrative assistant.
Security Equals            | Distinguished Name  | String         | Specifies group membership and security equivalences of a user.
Security Flags             | Integer             | Int            | The NCP Packet Signature level of the object.
Timezone                   | Octet String        | String         | The time zone offset for a user.
UID (User ID)              | Integer             | Int            | A unique user ID for use by UNIX clients.
userCertificate            | Octet String        | String         | A certificate for certificate management.
userSMIMECertificate       | Octet String        | String         | The user's certificate for Netscape Communicator for S/MIME.
x500UniqueIdentifier       | Octet String        | String         | An identifier to use in distinguishing between users when a DN has been reused.

Unsupported Account Attributes

The following account attributes are not supported:

Resource Object Management

Identity Manager supports the following NetWare NDS objects by default. Any string, integer, or Boolean-based attributes can also be managed.

Resource Object      | Features Supported      | Attributes Managed
Group                | Create, update, delete  | L, OU, O, CN, Description, Member, Owner
Organizational Unit  | Create, update, delete  | OU, Description, L, Facsimile Telephone Number, Telephone Number
Organization         | Create, update, delete  | dn, O, Description, L, Facsimile Telephone Number, Telephone Number

Identity Template

The default identity template is

CN=$accountId$.O=MYORG

You must replace the default template with a valid value.

Sample Forms

This section lists the sample forms that are available for this resource adapter.

Built-In

These forms are built into Identity Manager:

Also Available

The NDSUserForm.xml form is also available.

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following classes:

To make access to NDS through the Sun Identity Manager Gateway single-threaded or serialized, set the following registry key and value in the HKEY_LOCAL_MACHINE\SOFTWARE\Waveset\Lighthouse\Gateway node on the Gateway machine:

Name                 | Type       | Data
ExclusiveNDSContext  | REG_DWORD  | 0: Disables this feature; the context is multi-threaded. 1: The context is single-threaded.

Tracing can also be enabled on the following methods to diagnose problems connecting to the gateway: