
New eDirectory 8.7.0.4 Pre- Support Pack 1 Information on Disabling Anonymous Binds


01 Jul 2003


Taken from Technical Information Documents #2965952 and #10077872

eDirectory 8.7.0.4 for All Platforms

The "eDirectory 8.7.0.4 for all platforms" patch contains an update to the original release of Novell eDirectory 8.7. This update is for the NetWare and NT platforms. It should only be applied to servers currently running Novell eDirectory 8.7.0. (The first shipping version was DS Module Build 10410.98.) This update is a Pre-Support Pack 1 update to eDirectory 8.7.0. Below is a brief explanation of the patch name version 8.7.0.4:

  • 8 - Indicates the major version

  • 7 - Indicates the minor version

  • 0 - Indicates the Support Pack version

  • 4 - Indicates the number of updates to the Support Pack

Since the package version in Unix starts with 1, this is the third update to eDirectory 8.7 and there have been no Support Packs issued.

Note: The new NLDAP in this patch requires a schema update in order to function. Please reference TID #10077872 for further instructions.

You can download the eDirectory 8.7.0.4 for all platforms patch called edir8704.exe file at: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2965952.htm

How to Disable Anonymous Binds in LDAP (TID #10077872)

This update is only for a server currently running eDirectory 8.7.0. This update requires that eDirectory 8.7.0 already be installed on the server. If the server is running an earlier version of eDirectory, you must upgrade that server's version of eDirectory to the shipping version of 8.7.0 before applying this patch. The full 8.7.0 product can be found at http://downloads.novell.com (edir_87_xx_full.exe where xx=platform). Then this patch may be applied. For installation information on NetWare, see the NW\INSTALL.TXT file. For installation information on NT/2000, see the NT\INSTALL.TXT file.

Note: The new NLDAP in this patch requires a schema update in order to function. After installing this patch, please read the INSTALL.TXT for your platform, as well as the issues section of this README for further instructions.

Note: Do not install this update on NetWare 4.x, DS 6.x, 7.x, 8.x, or eDirectory 8.5.x or 8.6.x! This patch has only been tested with the latest Support Packs and on supported 8.7.0 versions. Also, only install on a full installation of 8.7.0.

This new build of NLDAP (available with the eDirectory 8.7.0.3 and 8.7.0.4 updates) allows anonymous binds to be disabled. If the schema update file included in the patch, LDAP.SCH, is not run, then clients will not be able to bind once the new NLDAP module loads. To support this setting, a new LDAP server attribute, ldapBindRestrictions, must be added to eDirectory's schema and associated with the LDAP server object. If NLDAP loads and does not see this attribute, either because the new LDAP.SCH included in EDIR870FP1.EXE was not run or because the schema has not yet synchronized to the server, NLDAP will refuse all bind requests.

Make sure the EDIR8703.EXE/EDIR8704.EXE or EDIR8703.TGZ/EDIR8704.TGZ files are installed on your platform, then use the proper platform-specific schema extension utility to extend schema with the LDAP.SCH file and associate the attribute to the LDAP server object. Below are the NetWare, NT and UNIX procedures.

NetWare.

This should first be run on a Read-Write or Master replica of Root in the following order:

  1. From the NetWare Console, type "LOAD NWCONFIG" <Enter>. Select Directory Options > Extend Schema

  2. Authenticate as admin or a user with admin rights to Root. Change the path by pressing F3 and specify the location of the LDAP.SCH file in the 8703 patch (\NW\SYS\SYSTEM\SCHEMA).

  3. Force the schema synch process by running the following commands on the console:

SET DSTRACE=ON
SET DSTRACE=+SCHEMA
SET DSTRACE=*SSD
SET DSTRACE=*SSA

Wait for an "All Processed = Yes" on the Directory Services screen, then continue to the ConsoleOne Section of this TID.

NT.

This should first be run on a Read-Write or Master replica of Root in the following order:

  1. Choose Start > Control Panel > Novell eDirectory Services, and highlight the INSTALL.DLM module. Then click Start.

  2. Choose "Install additional schema files" and click Next. Authenticate as Admin or a user with admin rights to Root.

  3. Browse to the LDAP.SCH file contained in EDIR8703.EXE or EDIR8704.EXE (for example, C:\8703\NT\NDS\LDAP.SCH). Click Finish.

  4. Force a Schema Synch Process from either Novell eDirectory Services--DSTRACE or from iManager DSTRACE.

  5. Wait for an "All Processed = Yes" message displayed on the Directory Services screen, then continue to the ConsoleOne section.

UNIX.

This should first be run on a Read-Write or Master replica of Root in the following order:

  1. Type the following command:

    ndssch <admin_fdn> /usr/lib/nds-schema/ldap.sch

  2. Authenticate as admin or a user with admin rights to Root and type the admin password when prompted.

  3. Force the schema synch process by running the following commands on the console:

ndstrace
set dstrace=nodebug
dstrace +scma +scmd
set dstrace=*ssd
set dstrace=*ssa

Wait for an "All Processed = Yes" on the Directory Services screen and then continue with the ConsoleOne section.

ConsoleOne.

At this point a new attribute, ldapBindRestrictions, has been added to the eDirectory schema and associated with the LDAP server class. Now it can be added to the LDAP server object and populated with a value.

  1. Load ConsoleOne.

  2. Browse to your LDAP server object.

  3. Right-click > Properties > Other tab.

  4. Click the Attribute Add button. Scroll to the ldapBindRestrictions attribute, and click OK.

  5. To disable anonymous binds, put a value of 1 in the attribute value field. To allow such connections, put in a value of 0.

  6. Select Apply and then click OK.

    Note: In 870SP1, due out with NetWare 6.5, a property tab will be available for this setting to be toggled on or off. Also, the schema will automatically extend for this function.
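One way to confirm that the setting took effect after the steps above, as an added example that is not part of the original TID or any Novell tool: a stdlib-only Python check that sends an anonymous LDAPv3 simple bind (empty DN, empty password) to the server and decodes the BindResponse. The host and port are assumptions supplied by the caller; the TID does not state which result code eDirectory returns for a refused bind, so the script reports whatever code comes back rather than expecting a particular one.

```python
import socket

# Minimal BER helpers: LDAP carries BER-encoded ASN.1 on the wire.
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def _tlv(buf, pos):
    """Decode one tag/length/value triple at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def anonymous_bind_request(message_id=1):
    """LDAPv3 BindRequest with empty name and empty simple password: an anonymous bind.
    message_id must be < 128 so the INTEGER stays a single byte."""
    bind = ber(0x02, b"\x03") + ber(0x04, b"") + ber(0x80, b"")  # version 3, name "", simple ""
    return ber(0x30, ber(0x02, bytes([message_id])) + ber(0x60, bind))  # [APPLICATION 0]

def parse_bind_response(data):
    """Return (message_id, result_code, diagnostic_message) from a BindResponse."""
    tag, msg, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _tlv(msg, 0)
    tag, op, _ = _tlv(msg, pos)
    if tag != 0x61:                       # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = _tlv(op, 0)            # ENUMERATED resultCode
    _, _matched_dn, pos = _tlv(op, pos)   # LDAPDN matchedDN (unused here)
    _, diag, _ = _tlv(op, pos)            # LDAPString diagnosticMessage
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))

def anonymous_bind_allowed(host, port=389, timeout=5):
    """Send one anonymous bind; True means the server still accepts anonymous binds."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(anonymous_bind_request())
        data = sock.recv(4096)            # a BindResponse is small; one read suffices
    _, code, diag = parse_bind_response(data)
    return code == 0, code, diag

if __name__ == "__main__":
    import sys
    ok, code, diag = anonymous_bind_allowed(sys.argv[1])  # host is an assumption
    print("anonymous bind", "ACCEPTED" if ok else f"refused (resultCode {code}: {diag!r})")
```

Run it once before and once after setting ldapBindRestrictions to 1; the first run should report ACCEPTED and the second a non-zero result code.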

* Originally published in Novell AppNotes

