
eDirectory

Connector name

agtnds

Connector type

Executable

Type (UI field value)

Novell NDS

Target system versions supported / tested

The Novell eDirectory connector is intended for backward compatibility with older NDS systems where the back-end cannot be accessed via LDAP. Bravura Security recommends targeting eDirectory with the Novell eDirectory connector. It is possible to target eDirectory using the LDAP connector; however, this practice is not recommended.

Connector status / support

Customer-Verified

Clients may contact Bravura Security support for assistance with this connector. Troubleshooting and testing must be completed in the client's test environment as Bravura Security does not maintain internal test environments for the associated target system.

Bravura Security Fabric performs operations on Novell eDirectory by installing the Novell IntraNetWare client on the Bravura Security Fabric server. Accounts are listed from the entire tree or a sub-tree and are reset using an administrative account with credentials stored encrypted on the Bravura Security Fabric server. The Novell eDirectory connector (agtnds) uses the NCP protocol for all communications. Nothing is installed on NetWare/NDS servers.

The following Bravura Security Fabric operations are supported by this connector:

  • administrator verify password

  • user change password

  • expire password

  • check password expiry

  • administrator reset password

  • administrator reset+expire password

  • user verify password

  • enable account

  • disable account

  • check account enabled

  • unlock account

  • check account lock

  • create account

  • delete account

  • add user to group

  • delete user from group

  • create group

  • delete group

  • move contexts

  • rename account

  • update attributes

  • list account attributes

  • List:

    • accounts

    • attributes

    • groups

    • members

The following sections show you how to:

  • Define an account for the target system administrator

  • Install the required software components

  • Create template accounts

  • Set the Novell Directory Services (NDS) target system address in Bravura Security Fabric

This chapter also describes how Bravura Identity handles special attributes, used when creating or modifying accounts on an NDS target.

Note

The agtnds connector establishes and closes the connection to Novell each time it is run. Only one connection can be active at any given time, so when the connector is run, it automatically terminates the NetWare connection from Windows.

Preparation

Before you begin, you must:

  • Know the name of each NDS tree and the top-level context in which Bravura Security Fabric performs operations.

  • Install the Novell Client on the Bravura Security Fabric server.

  • Create an administrative account in the NDS tree that can list users in the relevant NDS sub-tree and reset passwords for every user object in the sub-tree.

  • Create at least one test account in the sub-tree. More accounts, in multiple contexts, are better.

  • Create at least one template account.

Bravura Security Fabric can identify users in the NDS tree based on one of two mutually-exclusive assumptions:

  • Each user has at most one account in the NDS tree. Ideally, but not necessarily, the common name uniquely identifies each user.

  • A user may have multiple accounts in different contexts in the tree, but the common name uniquely identifies the user.

You must decide which assumption best fits your NDS tree.

Installing client software

Bravura Security Fabric communicates with the NDS server via the NCP protocol. Before you can target NDS, you must install the Novell Client on the Bravura Security Fabric server. The client software must also be installed on Bravura Security Fabric proxy servers.

Do not install the Microsoft Client for Novell Networks.

If Bravura Security Fabric is installed on Windows 2008, you must install Novell Client 2 for Windows 7/2008/2008R2.

Configuring a target system administrator

Bravura Security Fabric uses a designated account on the NDS target system to perform operations.

To create an administrative account on a Novell Directory Services (NDS) server, first create a user in the NDS directory that you want to manage, then add the user as a trustee for the directory:

  1. Open Netware Administrator at <volume name>\sys\public\win32\nwadmin.exe.

  2. Expand the tree list to see the directory-level object you want the user to manage.

    For example, select Root if you want the user to manage the entire directory.

  3. Right-click on the object name and select Add Trustee.

    Netware Administrator displays the Select Object dialog box.

  4. Select the user you want to add as a trustee and click OK to close the Select Object dialog box.

  5. Click the appropriate checkboxes in the Object Rights section of the Add Trustee dialog box. These rights define the user's access permissions at the selected directory level.

  6. Click the appropriate checkboxes in the Property Rights section. These rights define the user's actions at the selected directory level.

  7. Click OK.

Ensure that you set and note the account’s password. You will be required to enter the account’s login ID and password when you add the target system to Bravura Security Fabric.



Creating a template account

Bravura Security Fabric uses template accounts as models or "blueprints" for creating new NDS accounts. The following example illustrates how you can create a template account on your NDS server:

  1. Open Netware Administrator at: <volume name>\sys\public\win32\nwadmin.exe.

  2. Expand the tree list to see the Organization Unit (the second level branch) to which you want to add a new user.

  3. Right-click on the Organization Unit name and select Create.

    Netware Administrator displays the New Object dialog box.

  4. Select User and click OK.

    Netware Administrator displays the Create User dialog box.

  5. Type a Login Name and Last Name.

  6. (Optional) Click the Use a Template icon to select a Novell template from which to create the new user.

  7. Select the checkbox next to Create Home Directory.

  8. Click the Home Directory icon to select a Volume and Sub-directory for the user’s home directory.

  9. Select the checkbox next to Create Additional Property.

  10. Click the Define additional properties icon to set the following parameters in the User:<Username> properties dialog box:

    • Login Restrictions

      • Account Disabled (Optional) If you want to prevent use of the account. Do this to create an inactive template account, or an account that is not used until a later date.

      • Account has an expiry date (Optional) To select a date when the account becomes disabled.

    • Password Restrictions Select from:

      • Allow user to change password

      • Require password

      • Force personal password changes

      • Require unique passwords

      • Limit grace logins

    • Login Time Restrictions To restrict the hours during which the user can connect to a server.

    • Group Membership To select the groups in which the user account has membership.

      It is recommended that you do not add template accounts to Bravura Security Fabric managed groups. Managed group memberships should be handled by including them in roles.

    • Security Equal To To select a user account which has security clearance equal to that of the new user account.

    • Print Job Configuration To configure the user’s printer.

    • Login Script To define a script that executes when a user logs in.

  11. Click OK.

See your Novell systems administrator or Novell documentation for more information.

Targeting Novell eDirectory

For each NDS sub-tree, add a target system in Bravura Security Fabric (Manage the System > Resources > Target systems).

  • Type is Novell NDS, listed under "Network Operating Systems" in the drop-down list.

  • Address uses the following settings:

    Context – Set to root to manage the entire tree.

    Tree – Novell NDS tree name.

    Group – Group name.

  • The Administrator ID and Password identify the administrative account that you created earlier.

    Be sure to enter a fully qualified name for the administrator ID.

The full list of target system parameters is explained in Target System Options.

Handling attributes

You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, in the Manage the system (PSA) module. To do this, select Novell NDS from the Manage the system > Resources > Account attributes > Target system type menu.

This section describes the attributes that Bravura Security Fabric uses to compose values, set flags, or control behavior on NDS. For information about the native NDS attributes managed by Bravura Security Fabric, consult your NDS documentation.

_homedir_option – The _homedir_option pseudo-attribute controls how Bravura Security Fabric handles the home directory when the owner’s account is deleted. You can set the value of _homedir_option to either:

  • delete – delete the home directory (default)

  • nodelete – do not delete the home directory

    You can override the configured action/value for the _homedir_option pseudo-attribute only at the target system and target system type levels. Overriding this attribute at the template level has no effect.

_sup_homedir_option – This attribute is currently not used.

home directory – If the template account has files in its home directory, they are not copied.

used by – The used by attribute in NDS is ignored, as it is not applied in general cases.

Allowing users to specify the container DN

You can configure Bravura Security Fabric to use a profile/request attribute to prompt users for the destination container when creating or moving accounts on a target system that supports contexts.

When the Profile/request attribute to use as the container DN option is configured on the Target system information page, users can:

  • Set the destination container when creating new accounts.

    Users do this by setting the profile/request attribute value in the request form. By default, Bravura Security Fabric creates new accounts in the same container as the template. Without the profile/request attribute, you may need to set up identical templates for each container.

    If enabled when setting the target system address, Bravura Security Fabric can also create a container if a non-existing one is specified.

  • Move existing accounts on the target system to a different container.

    Users do this by setting the To container value – which is actually the profile/request attribute, but with a different name – on the move accounts page. Bravura Security Fabric only displays the move operation (the Move button) for users with accounts that can be moved between containers.

To allow users to select a container for a create account or move context operation:

  1. Add a profile attribute to provide a place to prompt the user for this information. To learn how to do this, see Profile and request attributes.

    It is recommended that you configure the profile attribute to have a set of restricted values, so that the requester or product administrator can select from a drop-down list.

  2. Ensure that you set read/write permissions for the profile attribute.

    To learn how to do this, see Attribute groups.

  3. Provide a group of users the "Move user from one context to another" rule.

    To learn how to do this, see Access to user profiles.

  4. Update the Target system information page by typing the name of the profile attribute in the Profile/request attribute to use as the container DN field.

    This allows Bravura Security Fabric to use the profile attribute for this purpose.

Creating Novell eDirectory alias accounts

Bravura Identity can create an NDS alias account when creating a new user. Aliases are used, for example, so that users don’t have to know what context they belong to when they log in.

Bravura Identity creates alias-type objects using two pseudo-attributes:

_aliasfirstpart – The alias login name. If this attribute is not set, the login ID of the created account is used as the alias login name.

_aliascontainer – The container context of the alias account.

For example, if the template account is

CN=sample.OU=People.O=Mercury

and _aliascontainer is set to

OU=Accounting.O=Mercury

then:

  • _aliasfirstpart is alias4 and the requested profile ID is name1, then Bravura Identity creates:

    • User: CN=name1.OU=People.O=Mercury

    • Alias: CN=alias4.OU=Accounting.O=Mercury

  • _aliasfirstpart is not set and the requested profile ID is name1, then Bravura Identity creates:

    • User: CN=name1.OU=People.O=Mercury

    • Alias: CN=name1.OU=Move Users.O=Mercury

You must map profile attributes to set these pseudo-attributes. This is done in a similar way to the procedure described in Allowing users to specify the container DN.
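As an added illustration (not Bravura Security's code), the Python helpers below apply the alias rule above and the account-listing check from the Preparation section: given a template name, a profile ID and the two pseudo-attributes they derive the user and alias names, and given a list of account names they report common names that occur in more than one context, which are exactly the accounts for which the two listing assumptions disagree. It assumes dot-separated typeful NDS names with no escaped dots in values, follows _aliascontainer as the alias container in every case, and the account listing is constructed.

```python
# Added example, not part of the Bravura Security documentation or product code.
# NDS typeful names are dot separated, most specific component first,
# e.g. CN=sample.OU=People.O=Mercury (assumption: no escaped dots in values).
from collections import defaultdict


def split_nds_name(name):
    """Split 'CN=sample.OU=People.O=Mercury' into ('sample', 'OU=People.O=Mercury')."""
    leaf, _, context = name.partition(".")
    typ, _, value = leaf.partition("=")
    if typ.upper() != "CN" or not value:
        raise ValueError(f"expected a typeful name starting with CN=: {name!r}")
    return value, context


def plan_alias(template, profile_id, aliascontainer, aliasfirstpart=None):
    """Return (user_name, alias_name) per the pseudo-attribute rule on this page:
    the user lands in the template's container; the alias lands in _aliascontainer
    and takes _aliasfirstpart as its CN, or the new login ID when it is not set."""
    _, template_context = split_nds_name(template)
    user = f"CN={profile_id}.{template_context}" if template_context else f"CN={profile_id}"
    alias = f"CN={aliasfirstpart or profile_id}.{aliascontainer}"
    return user, alias


def cn_collisions(account_names):
    """Map each common name found in more than one context to its sorted contexts.
    NDS names are case-insensitive, so CNs are compared in lower case. Under the
    first assumption these are distinct users; under the second, one user with
    several accounts. An empty result means either assumption fits the listing."""
    by_cn = defaultdict(set)
    for name in account_names:
        cn, context = split_nds_name(name)
        by_cn[cn.lower()].add(context)
    return {cn: sorted(ctx) for cn, ctx in by_cn.items() if len(ctx) > 1}


# Constructed sample listing, not taken from a real tree.
SAMPLE_ACCOUNTS = [
    "CN=jsmith.OU=People.O=Mercury",
    "CN=jsmith.OU=Accounting.O=Mercury",
    "CN=mlee.OU=People.O=Mercury",
    "CN=JSMITH.OU=Sales.O=Mercury",
]

if __name__ == "__main__":
    print(plan_alias("CN=sample.OU=People.O=Mercury", "name1",
                     "OU=Accounting.O=Mercury", "alias4"))
    for cn, contexts in cn_collisions(SAMPLE_ACCOUNTS).items():
        print(f"{cn}: found in {len(contexts)} contexts: {', '.join(contexts)}")
```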

Configuring agent behavior

To configure the NDS connector (for all NDS targets):

  1. Log into the Manage the system (PSA) module.

  2. Click Manage the system > Maintenance > Connector behavior and navigate to the NDS connector behavior configuration page.

  3. Enable the options listed below as required.

  4. Click Update.

    Note

    The steps and options may vary from your installed Bravura Security Fabric version.

Table 1. NDS connector options

  • NDS RESET CLR EXPIRY – Expire NDS passwords this many hours after an administrative reset.

    If the "Force Periodic Password Changes" setting is not enabled in NDS, Bravura Security Fabric does not enable this setting after a password reset.

  • NDS RESET ENABLE ACCT – Enable disabled NDS accounts after a successful password reset.

  • NDS RESET EXPIRY INTERVAL – By default, expire NDS passwords this many minutes after a password reset, if users have no expiry interval set on the NDS server.

    If the "Force Periodic Password Changes" setting is not enabled in NDS, Bravura Security Fabric does not enable this setting after a password reset.

Troubleshooting

If you experience any errors, verify that:

  • The Novell Client is installed on the Bravura Security Fabric server, rather than the Microsoft Client for Novell Networks.

  • The latest Novell Client updates are applied.

  • You can log into the NDS tree from the Bravura Security Fabric server using the administrator ID and password you created.

  • You can reset user passwords with nwadmin, from the Bravura Pass server, logged in with the administrator ID and password you created.

If you get one of the following errors:

  • FFFFFF22 – you may have to restart the Bravura Security Fabric server.

  • 889A – the login ID of either the user or the administrator is not a fully-qualified NDS name.

    • If a user ID caused the error, then you must either assign NDS alternate login IDs to your users (see Attach other accounts (PSL)), or set the address of the NDS server to the context where your users have accounts.

    • If the error was caused by the administrator ID, then you must enter a fully qualified ID into the help desk program (see above).

Refer to NetWare documentation for information about NetWare error codes.