Accessing Data on Multiple eDirectory Trees with a Single Login Using Novell NetStorage
01 Jun 2002
This AppNote introduces NetStorage, a feature of NetWare 6 that provides simple Internet-based access to files stored on a Novell network. It shows how NetStorage, when combined with other Novell technologies such as Novell Portal Services and DirXML, can provide a single Web-based view to access data on NetWare 5.x and 6.x servers in an IP-based environment, even when that data is spread across multiple eDirectory trees.
NetStorage, file access, data storage, user management
Novell NetStorage, Novell Portal Services, DirXML
network administrators, consultants, integrators
familiarity with Novell networks and data storage
Many Novell customers have a mix of NetWare 5.x and 6.x servers with multiple eDirectory/NDS trees residing on IP-based networks. In these multiple-tree environments, one of the biggest challenges is to provide users a single user ID and password with a single Web-based view to access data that is spread across multiple servers in multiple trees. This AppNote details how you can provide this type of access to user/shared data through the use of Novell NetStorage, a component of NetWare 6.
Overview of NetStorage
Novell NetStorage provides simple Internet-based access to file storage. It acts as a bridge between a company's protected Novell network and the Internet, giving users secure file access from any Internet location. Files and folders on a NetWare server can be accessed using either a browser or via Network Neighborhood and Microsoft Web Folders. No Novell Client software is required. Users can securely access files from any IP-enabled machine via SSL (Secure Sockets Layer) and HTTPS (Secure HyperText Transfer Protocol).
NetStorage (NCPL.NLM) is a service that runs on a NetWare 6 server. It can be installed as an optional component during the NetWare 6 installation or it can be installed after the NetWare 6 installation.
Once NetStorage is installed, users can copy, move, rename, delete, read, and write files between a local workstation and a NetStorage network place. In addition, NetStorage offers the following features:
It has the ability to process a user's container, profile, or user login script for drive mappings.
It honors eDirectory/NDS Group memberships for drive mappings.
It supports contextless and context-based logins into eDirectory. Hence users can log in using their short name (JDoe) or a Fully Distinguished Name (JDoe.NY.Novell).
When users authenticate via NetStorage, their container login script will be processed and their drive mappings will appear on a Web page in the form of folders. For example, a user's home drive mapping of "map h:=server1\vol1:users\username" in the login script will appear on the Web page as a folder named "HOME@H".
Methods of Accessing NetStorage Data
Users can access their data with NetStorage using any of several methods, as described below.
Note: If you installed the NetWare Enterprise Web Server on your NetWare 6 server running NetStorage, then the default port for NetStorage will be 51080 for http and 51443 for https. You must include these ports when you access NetStorage, for example, http://IPorDNS:51080/oneNet/NetStorage or https://IPorDNS:51443/oneNet/NetStorage.
One method to access data is via an HTTPS URL in a browser in the form of https:// followed by either the IP address or the DNS name of the NetWare 6 server where you installed NetStorage, and then ending with "/NetStorage/" (see Figure 1).
Figure 1: NetStorage data access via a Web browser.
Notice the folder names: they reflect the drive letters based on the mappings in the user's login script.
Another data access method is via Network Neighborhood on a Windows 95/98/NT4/2000/XP desktop. All the user has to do is go to My Network Places, click on "Add a Network Place," and then type in https:// followed by either the IP address or the DNS name of a NetStorage server. Again, the folder name ends with "/NetStorage". The user will be prompted for a username and password, and should enter the short eDirectory/NDS name and the correct password. A NetStorage Web Folder is shown in Figure 2.
Figure 2: NetStorage access via Web Folders, as seen in My Network Places on a Windows 2000 desktop.
When the user opens this Web Folder, the contents are displayed as shown in Figure 3.
Figure 3: A view of the contents of WebFolder "NetStorage on NetWare 6".
NetDrive Client Access
NetDrive is an easy-to-use Internet client that lets you access NetWare 6 servers over standard Internet protocols, such as WebDAV and FTP. NetDrive does not rely on the Novell Client in order to map network drives. It ships with NetWare 6 and requires about 2 MB of disk space when installed on the desktop. (For more information about NetDrive, see http://www.novell.com/documentation/lg/nw6p/index.html.)
Login Through Novell Portal Services
Another method is to log in through Novell Portal Services, as shown in Figure 4.
Figure 4: After logging in to Novell Portal Services, users will have access to their data.
Again, notice that the folder names reflect the mapped drive letters based on the user's container login script.
In the examples above, NetStorage is providing access to data stored on NetWare servers in a single eDirectory tree environment. Providing multi-tree access to data is explained in the next section.
The Solution to Multi-Tree Data Access
As discussed previously, the main challenge in a multi-tree environment is to provide a single identity/single password to multiple trees via a single Web-based user interface. This section describes how to meet this challenge with NetStorage and various products from Novell.
NetStorage with Novell Portal Services
The challenge of providing users a single Web-based interface to data in multiple trees can be solved via a combination of Novell Portal Services (NPS) and NetStorage. You need to install a NetWare 6 server running NetStorage in each tree from which you want to access data. The Web-based interface is provided by NPS.
Users will log in through a browser pointing to the server running NPS. The process varies depending on whether the Usernames and passwords are the same or different in the multiple trees.
If Usernames and/or passwords are different in each tree, the user will be prompted for a Username and password. For the Username, the user should enter the short name (such as JDOE), not the Fully Distinguished Name. This login prompt will occur one time for each tree the user wants to access data from. After the first logins have completed, the user's credential set (Username and password) is stored in a secure portion of eDirectory called Secret Store. All subsequent access will be seamless: the user will not be prompted for a login. (Note that password changes and expiration are also handled by NPS and its use of Secret Store.)
For more information on how NPS enables Single Sign-On to many Web applications, see http://www.novell.com/products/portal/productinfo.html.
If Usernames and/or passwords are identical across the multiple trees, the user will not be prompted for Username and password for each tree. For example, suppose a user in the tree running NPS also has a Username that exists in five other trees. The user will be able to log in via NPS and have access to all allowed data residing on these separate trees seamlessly; there will be no login prompt for each tree. (Further details of this solution are given later in this AppNote.)
Note: For the seamless login to occur, the user passwords must be identical. However, the Fully Distinguished Names of the User objects do not have to be identical. For example, an FDN of username.nyc.us-east.Tree1 residing in Tree1 and an FDN of username.ny.americas.Tree2 residing in Tree2 will work seamlessly.
For this solution, there are two main requirements. First, you must introduce a select number of NetWare 6 servers running NetStorage into each tree to provide access to data residing on NetWare 5.x servers which are IP-bound. (The NetWare 6 servers running NetStorage do not require an eDirectory/NDS replica.) The details behind introducing a NetWare 6 server into an existing eDirectory/NDS environment are beyond the scope of this AppNote. For details, refer to TID (Technical Information Document) #2960568, which can be found at http://support.novell.com/cgi-bin/search/searchtid.cgi?/2960568.htm.
The second requirement is to install Novell Portal Services in one of your existing trees. This AppNote does not go into detail on the installation or operation of NPS. Information on NPS can be found at http://www.novell.com/products/portal/index.html.
Enabling NPS with NetStorage Access Services
To enable Novell Portal Services with NetStorage access services, the NetStorage gadget file is required. (A gadget allows you to present dynamic Web content in a Web page. Most Web pages are static; that is, the content does not change unless someone manually updates the page. To provide dynamic content, you need an application that retrieves data at regular intervals. In NPS, these applications are called "gadgets". Other portal vendors use terms such as Web parts, portlets, channels, and content delivery agents.) Currently, this file is available only on a NetWare 6 server running NetStorage under sys:/netstorage/netstorage.npg. To install NetStorage on a NetWare 6 server, see the NetWare 6 documentation at http://www.novell.com/documentation/lg/nw6p/index.html.
Note: NPS can be installed on any platform (NetWare 5.x or 6.x, Windows 2000 Server, Solaris, or Linux). It does not have to be running on a NetWare server to enable it with NetStorage services.
The NetStorage gadget enables access to mapped network drives processed via the Novell Container login script. The NetWare 6 server running NetStorage can act as a gateway for access to storage running on NetWare 5.x servers. The NetWare 6 server must be able to see those 5.x servers via the "display servers" command on the NetWare 6 server console or via SLP (Service Location Protocol).
As an added benefit, the NetStorage gadget also allows users to access their iFolder account (if they have one enabled), without the need for the iFolder client on the users' desktops. Novell iFolder is a form of "anytime anywhere" service that makes your data accessible even when you are disconnected from your corporate network or on the road. All you need is an Internet connection; you don't even need a VPN for security. Looking at Figures 1, 3, and 4 again, notice in each of the examples a folder called iFolder. This is the user's iFolder data. (For more information about iFolder, see http://www.novell.com/products/ifolder/.)
Installing the NetStorage Gadget on NPS
To install the NetStorage gadget on Novell Portal Services, follow these steps.
1. Locate the NetStorage.npg file on a NetWare 6 server (in the sys:/netstorage folder) and install this file using the standard NPS gadget installation interface.
Note: As of this writing, there is an issue with installing the NetStorage gadget from a NetWare 6 server that does not have SP1 applied. The installation process does not install all the files to the correct location on NPS, so you must manually copy all the NetStorage "properties" files located on your NPS server under /webapps/nps/portal/gadgets/com.novell.nps.gadgets.netstorage.NetStorage to /webapps/nps/WEB-INF/classes/com/novell/nps/gadgets/netstorage. If you have applied SP1 to your NetWare 6 server, then you do not need to manually copy files, nor do you have to follow step 2 below. SP1 for NetWare 6 addresses this issue.
2. In the /webapps/nps/WEB-INF/classes/com/novell/nps/gadgets/netstorage folder, copy NetStorage.properties as NetStorage_en.properties.
Verifying NetStorage Functionality
Before continuing, you should verify that NetStorage is actually working on the NetWare 6 server. To do this, point your browser to the https://IP address/oneNet/NetStorage URL (the IP address specified should be the IP address of your NetWare 6 server running NetStorage). You should be prompted to enter a Username and password. If after logging in you see your mapped drives and an iFolder folder, you are ready for the next step.
Setting Up the NetStorage Gadget
To set up the NetStorage gadget, follow these steps:
1. Assign the NetStorage Gadget to one of your Object Schemes in NPS.
2. Edit the NetStorage Gadget Assignment Data and click on "Show All Settings".
3. Add a new setting called PATHNAME (all capital letters) with a value of "oneNet/NetStorage" (note there is no leading "/" and you should not include the quotation marks). This is the default value used by NetWare 6 for the URL of NetStorage access.
4. Add a new setting called WEBSERVER (all capital letters) with a value of http:// followed by the IP address of the NetWare 6 server running NetStorage (for example, http://22.214.171.124 - there is no ending "/").
5. Add a new setting called REF_WEBSERVER (all capital letters) with a value of https:// followed by the IP address of the NetWare 6 server running NetStorage (for example, https://126.96.36.199 - again, there is no ending "/").
6. Restart your Web server and Tomcat, or restart your NetWare 6 server.
You will need to set up a NetStorage Gadget assignment (steps 1-5 above) for at least one NetWare 6 server residing in each tree you want to grant access to.
Note: If you installed the NetWare Enterprise Web Server on your NetWare 6 server running NetStorage, then the default port for NetStorage will be 51080 for http and 51443 for https. You must include these ports in your "WEBSERVER" setting, i.e. http://IPorDNS:51080, and your "REF_WEBSERVER" setting, i.e. https://IPorDNS:51443/oneNet/NetStorage.
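The setup steps and port note above put several format rules on the three gadget settings, and they must be repeated for every tree. The following check of those rules is an added example, not code from the AppNote or from Novell; the function names, the dictionary layout, and the 192.0.2.x sample addresses are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Required scheme per URL setting, and the AppNote's Enterprise Web Server ports.
SCHEMES = {"WEBSERVER": "http", "REF_WEBSERVER": "https"}
EWS_PORTS = {"WEBSERVER": 51080, "REF_WEBSERVER": 51443}

# Constructed sample: one assignment per tree, documentation-range addresses.
SAMPLE = {
    "Tree1": {"PATHNAME": "oneNet/NetStorage",
              "WEBSERVER": "http://192.0.2.10",
              "REF_WEBSERVER": "https://192.0.2.10"},
    "Tree2": {"PATHNAME": "/oneNet/NetStorage",
              "WEBSERVER": "https://192.0.2.20/",
              "REF_WEBSERVER": "https://192.0.2.20"},
}


def check_assignment(settings, enterprise_web_server=False):
    """Return the problems found in one gadget assignment's settings."""
    problems = []
    for name in settings:  # catch near-misses such as "Pathname"
        if name.upper() in ("PATHNAME", *SCHEMES) and name != name.upper():
            problems.append(f"{name}: setting name must be all capital letters")
    path = settings.get("PATHNAME")
    if path is None:
        problems.append("PATHNAME: missing")
    elif path.startswith("/") or '"' in path:
        problems.append("PATHNAME: no leading '/' and no quotation marks")
    for name, scheme in SCHEMES.items():
        value = settings.get(name)
        if value is None:
            problems.append(f"{name}: missing")
            continue
        url = urlsplit(value)
        try:
            port = url.port
        except ValueError:  # non-numeric or out-of-range port
            port = None
        if url.scheme != scheme:
            problems.append(f"{name}: expected {scheme}:// prefix")
        if not url.hostname:
            problems.append(f"{name}: no IP address or DNS name")
        if value.endswith("/"):
            problems.append(f"{name}: must not end with '/'")
        if enterprise_web_server and port != EWS_PORTS[name]:
            problems.append(f"{name}: expected port {EWS_PORTS[name]}")
    return problems


def check_trees(assignments, enterprise_web_server=False):
    """Map each tree to its problems, omitting trees that pass."""
    results = {t: check_assignment(s, enterprise_web_server)
               for t, s in assignments.items()}
    return {t: p for t, p in results.items() if p}
```

Calling check_trees(SAMPLE) reports only Tree2; pass enterprise_web_server=True when the NetStorage servers also run the NetWare Enterprise Web Server.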
Checking Out the Results
Now the user can log in to the Portal and check out the results. After logging in to Novell Portal Services, the user will have access to data on both Tree1 and Tree2. Figure 5 shows a user's mapped data drives obtained from the container login script in Tree1.
Figure 5: View of folders for mapped drives in Tree1.
Notice "Tree1 - File Access" has been selected in the left panel under "Services." In this example, the user has access to mapped data drives obtained from the Container login script in Tree1.
Figure 6 shows a user's mapped data drives obtained from the container login script in Tree2, accessed when the user clicks on "Tree2 - File Access" in the left panel.
Figure 6: View of folders for mapped drives in Tree2.
NetStorage reads the container, profile, and user login scripts from the primary eDirectory server specified during the installation and displays the user's drive mappings based solely on those login scripts. Even if users have specific eDirectory rights to other files and folders on the network, they will not be able to access those files and folders using NetStorage unless login script drive mappings exist to the folders (or unless the files are in the user's home directory). If you want to provide users with NetStorage access to a specific folder, you might have to add a drive mapping to that folder in a login script.
Note: Local files and folders are not accessible using NetStorage.
The Solution on Steroids: Adding DirXML
DirXML is an application-integration and data-synchronization solution that works with your existing network infrastructure to automatically distribute new and updated information across all of your directories, applications, and databases. With DirXML, the identity information in all of your data repositories can be simply updated and instantly synchronized. DirXML is a powerful solution that can resolve many data synchronization issues, as well as data flow, control, and authorization issues your organization may be experiencing. For more details about DirXML, see http://www.novell.com/products/edirectory/dirxml/.
Putting DirXML to Work
With DirXML in the equation, there are several approaches that can be taken. Many organizations like the idea of an employee "workforce" tree to enable a solution called "Zero Day Start". Zero Day Start eliminates the delay between the time a new employee walks through your doors and the time he or she has the tools necessary to be productive: e-mail account, network ID, phone number, desktop ID, the many database IDs for your organization's applications, and so on. This section uses the workforce tree concept as an example.
The first step is to install DirXML on each of the trees whose Usernames and Passwords you want to synchronize with the "WorkForce" tree. The Workforce tree should have a relatively flat design: basically just the O=YourCompany and then all the Usernames below. (This is an over-simplified scenario for the sake of this example; as with everything that will impact your directory infrastructure, you should plan carefully and understand the technology before you proceed.)
Next, install Novell Portal Services into the "WorkForce" tree and configure it according to your specific needs.
Finally, follow the procedures specified in "Enabling NPS with NetStorage Access Services" above.
That's it, you're finished. Only you're never really finished. Once you delve into NPS and DirXML, you will be amazed at all the business problems you can solve using these solutions. The possibilities are endless!
This AppNote has described the steps necessary to provide file access to NetWare 5.x IP-based servers and NetWare 6.x servers without the need for any Novell Client software on the user's desktop. It has also described how to provide a single Web-based aggregated view of data attached to various versions of NetWare residing in different eDirectory/NDS trees via a single Web-based login provided by Novell Portal Services.
If you have been considering ways to provide a Web-based view of data residing in different directories but were afraid of what it might cost to implement, fret no longer. NetWare 6, Novell Portal Services, and DirXML provide an incredibly powerful solution that is cost-effective and easy to implement.
For Additional Information
Here are a few resources you can look at for further information on the technologies discussed in this AppNote.
Novell Web site:
Novell Connection articles (http://www.ncmag.com):
"Novell Portal Services, A Better Way to Build a Desktop" (December 2000)
"Too Many Directories? Synch ‘Em with DirXML" (May 2000)
* Originally published in Novell AppNotes