NDS and Netscape's SuiteSpot
01 Mar 1999
As directory services continue to evolve, many companies are realizing the benefits of leveraging Novell Directory Services (NDS) to support mission-critical applications. These benefits include simplified management, a single point of access, enhanced security, and overall reduced cost of ownership. For example, companies that use Netscape's SuiteSpot applications can achieve these benefits by integrating the SuiteSpot applications with NDS. Netscape's SuiteSpot applications include Netscape Messaging Server, Netscape Collabra Server, Netscape Calendar Server, Netscape Certificate Server, and Netscape Enterprise Server Pro.
This article explains why NDS is the ideal directory to support Netscape's SuiteSpot applications and other mission-critical applications. This article also explains how to configure SuiteSpot applications to support NDS.
NDS IS THE IDEAL DIRECTORY
If you are considering integrating SuiteSpot applications or other mission-critical applications with a directory service, NDS is the ideal directory for this integration. NDS is a full-service directory that runs on multiple platforms and supports multiple access protocols. Cross-platform support and flexible access enable you to integrate a broad range of applications with NDS. NDS currently runs on the following platforms:
Novell's NetWare 4 and 5
Santa Cruz Operation's (SCO's) UnixWare
Microsoft's Windows NT (server or workstation)
Sun Microsystems' Solaris
In addition to accessing directory information from any platform, users should be able to access directory information through any protocol. NDS provides this flexible access. For example, suppose that a web user needs to look up a user in the NDS database. Because the web user does not have the NDS client, which provides the Novell Directory Access Protocol (NDAP), the web user must use HTTP to access NDS information. Users, network administrators, and applications can access NDS information through the following protocols:
Lightweight Directory Access Protocol (LDAP) 3.0
HTTP via a web server
Database queries through the Open Database Connectivity (ODBC) Application Program Interface (API)
Microsoft's Active Directory Services Interface (ADSI)
Multiple protocol support and flexible access enable you to integrate a variety of applications with NDS. For example, NDS supports LDAP store-and-retrieve applications such as the SuiteSpot applications, as well as other mission-critical applications that provide the following services:
Proxy servers that use NDS rights and hierarchy (for example, Novell's BorderManager).
Application distribution and management services (for example, Novell's Zero Effort Networks [Z.E.N.works]).
Workstation policy management and remote control services (for example, Novell's Z.E.N.works).
Management of Windows NT server domains (for example, Novell's NDS for NT).
Management of UNIX users (for example, Novell's NDS for Solaris).
Management of Microsoft's Exchange servers (for example, NetVision's Synchronicity for Exchange).
Management of database users (for example, Oracle8 for NetWare).
Management of users' access to web servers and configuration of web servers (for example, Netscape Enterprise Server for NetWare).
Applications that allow you to manage the infrastructure of switches and routers from companies such as Cisco Systems Inc., Lucent Technologies Inc., and Nortel Network's Bay Networks. These applications support the Directory-Enabled Networks (DEN) initiative. (For more information about this initiative, see "What Do NDS and DEN Have in Common?" NetWare Connection, Jan. 1999, pp. 30-32. You can download this article from http://www.nwconnection.com/jan.99/ndsden19.)
The key to lowering the cost of managing and deploying mission-critical applications is to reduce the number of places you need to go to manage these applications. Unless you integrate applications with a full-service directory such as NDS, you may have to manage applications through separate databases using separate management tools.
When you integrate mission-critical applications with NDS, the applications use NDS as their data-store (or at a minimum, synchronize their databases with NDS), thus eliminating the need to manage multiple databases individually. You can manage NDS-integrated applications with NDS management tools or the application's management utilities. You can choose from several NDS management tools, including the following:
The NetWare Administrator (NWADMIN) Utility. This 32-bit Windows application supports external management of non-Novell services--that is, services that are not part of the standard NDS schema. The NWADMIN utility allows you to manage the NDS environment through custom snap-in modules.
ConsoleOne. This Java management application allows you to manage the NDS environment through custom snap-in modules.
Simple Network-Management Protocol (SNMP) Agents. SNMP agents are available with Novell's ManageWise. SNMP is the standard protocol used by systems management tools such as Hewlett-Packard's OpenView.
NDS integration eliminates the redundancy of managing applications and the network separately. For example, you can use the NWADMIN utility to create one user account in NDS for each user. The user can then use this account to access the network, access applications such as Netscape's SuiteSpot applications, and access databases such as Oracle8 for NetWare. With NDS for NT and NDS for Solaris, the user can use this same user account and password to access a Windows NT or UNIX environment.
From a user's standpoint, a single login and password simplifies access to all of the resources the user requires, regardless of the platform or location of those resources. For you the network administrator, the management of your company's complex environment is greatly simplified.
WHAT ABOUT NETSCAPE DIRECTORY SERVER?
Of course, Netscape provides a simple, LDAP-based directory server called Netscape Directory Server. Why not just use Netscape Directory Server? Netscape Directory Server complements the other servers that Netscape provides, but because Netscape Directory Server is an LDAP-only solution, it is just a simple store-and-retrieve repository. If you want to use a full-service directory for more than simple lookup queries, you need more than an LDAP-only solution.
In addition, Netscape Directory Server is a proprietary data-store designed for a centralized approach to storing and retrieving information. The weakness of Netscape Directory Server becomes especially evident when it comes to data distribution. You cannot easily achieve sophisticated replication and partitioning or last-update synchronization with Netscape's current data-store.
Netscape provides APIs that allow you to use other databases (such as Oracle8 for NetWare) instead of the proprietary implementation that Netscape uses by default. However, these APIs do not solve data replication issues. The APIs merely allow the server that acts as the central repository to be more scalable than the Netscape default. The APIs also allow direct database queries to the database being used, totally bypassing any security or replication mechanisms you have in place.
Another area of weakness is the management of Netscape Directory Server. The only management tool for Netscape Directory Server is Netscape's own web-based tool. Although you can customize this management tool by creating custom web pages, there is no way to allow other management applications to access Netscape Directory Server.
INTEGRATING NETSCAPE'S SUITESPOT APPLICATIONS WITH NDS
Netscape's SuiteSpot is a comprehensive suite of applications that runs in a Windows NT Server or Solaris environment. SuiteSpot applications help enterprises effectively manage information and facilitate communication and collaboration between employees and partners. (This article does not apply to Netscape applications, such as Netscape Enterprise Server for NetWare, that run on NetWare. These applications are already integrated with NDS.)
Most of the SuiteSpot applications use a directory for the centralized storage of user and group information. Although SuiteSpot includes ten applications, this article focuses on integrating the following SuiteSpot applications with NDS:
Netscape Messaging Server
Netscape Collabra Server
Netscape Certificate Server
This article does not explain the exact steps for installing and configuring these SuiteSpot applications. Instead, this article describes the specific configuration options you need to select to successfully integrate these applications with NDS.
The Value of Integration
As mentioned earlier, both you and users benefit from NDS integration. When you integrate SuiteSpot applications with NDS, these applications can use NDS to store their data. The following example illustrates the value of integrating NDS and Netscape Messaging Server:
Suppose that you install Netscape Messaging Server and configure it to use NDS as its data-store. (This process is described later in this article.) Using the Netscape Server Manager tool, you create user Lindsey and specify a full name, password, and e-mail address. You also specify the location where you want to add the new user. (See Figure 2.) The user is then created in the NDS database in the context that you specified. (See Figure 3.) In a single action, you have just created an e-mail user and an NDS user. Now, whether Lindsey is logging in to the NDS tree or to her Netscape mail, she uses the same username and password.
Figure 2: After you integrate NDS with Netscape Messaging Server, you can use the Netscape Server Manager tool to create users, which are also created in NDS.
Figure 3: When applications are integrated with NDS, you can use the NWADMIN utility to manage these applications.
Now suppose that the Netscape Messaging Server is running on a Windows NT server. If you add NDS for NT to the network, Lindsey can use the same username and password to log in to the Windows NT environment.
When you create a user in a container object, the user inherits characteristics of that container object and any parent container objects. For example, if you grant access rights to the Novell container object or to the Users container object shown in Figure 3, user Lindsey (lmarymee) automatically receives the same access rights (assuming you have not turned off the inheritance option).
Through Novell's Z.E.N.works Application Launcher and policies, you can configure desktop preferences, applications, printers, and other information at the container level. When you create a user account for Lindsey, she inherits all of these configurations from the parent container objects. When Lindsey logs in to the network for the first time, Z.E.N.works automatically configures her Windows workstation with the appropriate desktop, applications, printers, and other information she needs to access resources on the network. This configuration takes place automatically when you create the user account; you never have to visit the user's workstation or assign the user individual access rights.
Preparing Your NetWare 5 Server
Before configuring Netscape's SuiteSpot applications to use NDS as the data-store, you must complete the following steps to prepare the NetWare 5 server:
Install LDAP Services for NDS and Public Key Infrastructure (PKI) Services if you want to use Secure Sockets Layer (SSL) on the NetWare 5 server. (Both services are included with NetWare 5.)
Install the NetWare 5 Support Pack 1. You can download NetWare 5 Support Pack 1 from Novell's Support Connection web site (http://support.novell.com/misc/patlst.htm#nw5).
You should install LDAP Services for NDS and PKI Services on the NetWare 5 server before you install NetWare 5 Support Pack 1. The NetWare Support Pack 1 installation utility detects the current server configuration and installs the appropriate files. If you have installed LDAP Services for NDS and PKI Services, the support pack installation utility automatically upgrades these services.
Any time you change the server's configuration, you should reinstall NetWare 5 Support Pack 1 for the new configuration. For example, if you install LDAP Services for NDS and PKI Services after you install NetWare 5 Support Pack 1, you must reinstall NetWare 5 Support Pack 1 to make the updates for these services take effect.
Installing LDAP Services for NDS and PKI Services
You must install LDAP Services for NDS on the NetWare 5 server because Netscape's SuiteSpot applications access directory information via LDAP. LDAP Services for NDS enable you to use LDAP to store information in and retrieve information from NDS.
PKI Services enable you to secure LDAP connections using SSL. Using PKI Services, you can create a Certificate Authority and key material that are used during SSL communications.
To install LDAP Services for NDS and PKI Services on the NetWare 5 server, you complete the following steps:
At the server console, load the NWCONFIG utility, and choose Product Options from the main menu.
Select Install Other Novell Products.
You will be prompted to enter the directory path to the NetWare 5 installation files. Enter the directory path to the NetWare 5 CD-ROM or the location where you copied the NetWare 5 installation files (such as a server volume).
The NWCONFIG utility launches the NetWare 5 graphical installation utility, and the Additional Products and Services window appears. Click the LDAP Services box and the PKI Services box, and then click the Next button.
The graphical installation utility then prompts you to authenticate to the NDS tree. Enter the username and password of a user who has supervisor rights to the container object in which the Server object is located. You must enter the full context of the user in the User field. For example, you could enter .admin.novell.
Specify whether or not you would like to use an LDAP catalog on the server. Choosing Yes will considerably speed up LDAP lookup queries in the directory. (Novell recommends that you create at least one LDAP catalog per geographical location.)
Specify how LDAP should use the catalog for searching. You can choose from two options:
Search catalog exclusively
Search NDS if the requested attributes are not in the catalog
Normally, you should choose the second option. However, in certain situations, such as a remote location that attaches to the NDS tree periodically, you will want LDAP to search the catalog exclusively.
A summary screen appears; this screen shows LDAP Services and PKI Services in the Products to Install window. At this point, you can modify any parameters you specified earlier by choosing the Customize button and making the desired changes, or you can click the Finish button to begin the installation.
INSTALLING NETWARE 5 SUPPORT PACK 1
NetWare 5 Support Pack 1 contains updates that enable LDAP Services for NDS to properly interface with Netscape's SuiteSpot applications. The support pack also contains updates for other services included with NetWare 5.
Before you install NetWare 5 Support Pack 1, you complete the following steps:
Download the NetWare 5 Support Pack 1 from Novell's Support Connection web site (http://support.novell.com/misc/patlst.htm#nw5).
Unload JAVA.NLM and all other Java applications. Unloading JAVA.NLM and other Java applications allows the support pack to update JAVA.NLM and the Java class libraries.
If you are managing an IP-only environment, load IPXSPX.NLM. This NLM is required to install NetWare 5 Support Pack 1.
To install NetWare 5 Support Pack 1, you complete the following steps:
Explode the support pack file either by double-clicking the file from within Windows or by typing NW5SP1 at a DOS prompt.
Load the NWCONFIG NetWare Loadable Module (NLM) at the server console.
Choose Product Options, and then choose Install a Product Not Listed.
When prompted to enter the directory path where the support pack files are located, press the F3 key, and specify the appropriate directory path. For example, if the files are located in the PRODUCTS directory on the SYS: volume, enter SYS:\PRODUCTS. If the files are located on another server, include the name of the server in the path. For example, you may enter FS1\SYS:\PRODUCTS. In this case, the installation utility prompts you to authenticate to the remote server before you can complete the installation.
When prompted, indicate which files you want to install. You can choose from the following two options:
Backup files replaced by NetWare 5 Support Pack 1
Install NetWare 5 Support Pack 1
If you want to be able to uninstall the support pack later, you must select the option to back up files. To continue the installation, press the F10 key to accept the selected options. When the installation is completed, you must restart the server. (You can type RESTART SERVER at the server console to do this.)
INTEGRATING NETSCAPE MESSAGING SERVER WITH NDS
Netscape Messaging Server is a full-featured messaging system based on Internet standards. When integrated with NDS, Netscape Messaging Server stores the e-mail user information in NDS. You can then access and manage the users via LDAP.
To integrate Netscape Messaging Server with NDS, you must first change the LDAP schema mappings that enable LDAP Services for NDS to work with Netscape Messaging Server.
Changing the LDAP Schema Mappings
To change the LDAP schema mappings, you complete the following steps:
Launch the NWADMIN utility, open the LDAP Group object, and select the Class Map tab.
In the LDAP Class column, select the groupOfUniqueNames option, which maps to the NDS class Group.
Select the UnMap button.
Reselect the LDAP class groupOfUniqueNames option.
Highlight NSCP:mailGroup5 in the NDS Class List window.
Select the Map button.
If you later want to use Netscape Messaging Server for NetWare with LDAP Services for NDS, you must restore the original mapping of the LDAP class groupOfUniqueNames to NDS class Group.
Installing Netscape Messaging Server
After you have changed the LDAP schema mappings, you can install Netscape Messaging Server on the Windows NT or Solaris server. As mentioned earlier, this article does not explain how to install Netscape Messaging Server. Instead, this article points out the configuration options you must choose during the installation to integrate Netscape Messaging Server with NDS.
To implement the integration, you must specify that you will use LDAP to manage user and group information. This action indicates to Netscape Messaging Server that you will use a directory, such as NDS, to store user and group information instead of using the local hard drive of Netscape Messaging Server. You specify that you will be using LDAP on the LDAP Configuration screen, which appears during the installation of Netscape Messaging Server. (See Figure 4.)
Figure 4: As you install Netscape Messaging Server, you specify that you will use LDAP, and you provide information about the LDAP server.
After you have indicated that you want to use LDAP-based authentication, you specify information about the LDAP server you want to use. You also specify this information on the LDAP Configuration screen. In the fields listed below, you must provide the following information:
Server Name. Enter the IP address of the NetWare 5 server that is running LDAP. For example, you may enter 192.168.1.251.
Server Port. This port is always 389, which is the standard port used for SSL.
Base Distinguished Name. Enter the NDS context in which you want to place users created by the mail administration tool. Note: Netscape's SuiteSpot applications use comma delimited naming from the most significant to the least significant object. For example, you may enter O=Novell, OU=Users.
Next, the installation program prompts you to provide administrator authentication information for the LDAP server. You must provide the ADMIN username and password or the username and password for a user who has equivalent rights to the container object in which NDS will create the mail users. When you use the Netscape Server Manager to create or manage mail users, you must use this user account to authenticate to NDS.
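Added here as an example, not code from the article or from Netscape: a converter from NDS names (the ".admin.novell" context entered when authenticating, or the ".Users.Novell" container that will hold new mail users) into the comma-delimited forms the LDAP Configuration screen expects. It assumes typeless NDS components resolve the way NetWare does by default (leaf object = CN, top container = O, containers in between = OU), that a leading "." marks a full name, and that a backslash escapes a literal "." inside a component.

```python
# Added example, not from the article: convert NDS names such as the
# ".admin.novell" context used when authenticating, or the ".Users.Novell"
# container for new mail users, into the comma-delimited forms wanted on
# the LDAP Configuration screen. Assumptions: typeless components are
# resolved the way NetWare does by default (leaf object = CN, top
# container = O, containers in between = OU); a leading "." marks a full
# name; a backslash escapes a literal "." inside a component.

_RFC2253_SPECIAL = set(',+"\\<>;')  # characters that must be escaped in a DN value


def split_nds_name(name):
    """Split an NDS name on unescaped dots, leaf component first.

    ".lmarymee.Users.Novell" -> ["lmarymee", "Users", "Novell"]
    """
    parts, current, escaped = [], [], False
    for ch in name:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ".":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p for p in parts if p]  # a leading dot yields an empty first part


def type_nds_components(components, leaf_is_object=True):
    """Attach attribute types to typeless components (already-typed ones such
    as "OU=Users" are kept as written). Returns [(TYPE, value), ...] leaf first."""
    typed = []
    last = len(components) - 1
    for i, comp in enumerate(components):
        if "=" in comp:
            typ, _, val = comp.partition("=")
        elif i == last:
            typ, val = "O", comp          # top of the tree is the Organization
        elif i == 0 and leaf_is_object:
            typ, val = "CN", comp         # leaf object (a User, for example)
        else:
            typ, val = "OU", comp         # everything in between is a container
        typed.append((typ.strip().upper(), val.strip()))
    return typed


def _escape_value(value):
    """Escape a value for use inside a DN (RFC 2253 rules)."""
    out = []
    for i, ch in enumerate(value):
        special = ch in _RFC2253_SPECIAL
        edge = (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1))
        out.append("\\" + ch if special or edge else ch)
    return "".join(out)


def to_ldap_dn(nds_name, leaf_is_object=True):
    """RFC 2253 order, least significant component first: the form an LDAP
    client sends, e.g. ".admin.novell" -> "CN=admin,O=novell"."""
    typed = type_nds_components(split_nds_name(nds_name), leaf_is_object)
    return ",".join(f"{t}={_escape_value(v)}" for t, v in typed)


def to_suitespot_base_dn(nds_context):
    """The order the article gives for the Base Distinguished Name field:
    most significant component first, e.g. ".Users.Novell" -> "O=Novell, OU=Users"."""
    typed = type_nds_components(split_nds_name(nds_context), leaf_is_object=False)
    return ", ".join(f"{t}={_escape_value(v)}" for t, v in reversed(typed))
```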
INTEGRATING NETSCAPE COLLABRA SERVER WITH NDS
Netscape Collabra Server is an open discussion server that allows collaboration and information sharing among teams of people. When integrated with NDS, Netscape Collabra Server stores its user information in the NDS database, and you can access and manage the users via LDAP. To make the integration work, you must first install Netscape Messaging Server using the configuration options described in the previous section. You must then extend the NDS schema with a new object class and a new attribute class that enable LDAP Services for NDS to work with Netscape Collabra Server.
Adding a New Object Class and a New Attribute Class
To extend the NDS schema to add the new object class and new attribute class, you complete the following steps:
Launch the NDS Manager utility, choose Object from the menu bar, and then choose Schema Manager from the menu bar.
Choose Create New Attribute Class from the menu bar.
Define the class as follows:
Syntax: case ignore string
Attribute flags: none
Choose Create New Class from the menu bar.
Define the object class as follows:
Class type: Effective
Mandatory attributes: NSCP:ngComponentCIS
Optional attributes: NSCP:nsaclrole, NSCP:nscreator, NSCP:nsflags, NSCP:nsnewsACL, NSCP:nsprettyname, NSCP:subtreeACI, Description
Naming attributes: NSCP:ngComponentCIS
Containment: Organization, Organizational Unit, Country, Locality
After you have created the new classes, you must map them by completing the following steps:
Launch the NWADMIN utility, open the LDAP Group object, and then select the Class Map tab.
Select the Add button.
Add the LDAP class Nginfo.
Highlight NSCP:Nginfo3 in the NDS Class List window.
Select the Map button.
Move to the Attribute Map tab.
Add LDAP class ngcomponent.
Highlight NSCP:ngcomponentCIS in the NDS Attribute List window.
Select the Map button.
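The rules that the new class definition imposes, applied to candidate entries before they are written to NDS, as an added example that is not code from the article or from Netscape Collabra Server. The entries and parent classes are constructed here; the attribute names, containment list and the "case ignore string" syntax of the naming attribute come from the schema steps above.

```python
# Added example, not from the article: check a candidate entry against the
# NSCP:Nginfo3 class definition created in the Collabra schema extension.
# Entries and parent classes below are constructed for illustration.

NGINFO3 = {
    "mandatory": {"NSCP:ngComponentCIS"},
    "optional": {
        "NSCP:nsaclrole", "NSCP:nscreator", "NSCP:nsflags",
        "NSCP:nsnewsACL", "NSCP:nsprettyname", "NSCP:subtreeACI",
        "Description",
    },
    "naming": "NSCP:ngComponentCIS",
    "containment": {"Organization", "Organizational Unit", "Country", "Locality"},
}

# NSCP:ngComponentCIS was created with the "case ignore string" syntax, so
# equality on it is case-insensitive: two values differing only in case collide.
CASE_IGNORE = {"NSCP:ngComponentCIS"}


def _norm(attr, value):
    return value.lower() if attr in CASE_IGNORE else value


def check_entry(entry, parent_class, siblings=()):
    """Return a list of violations; an empty list means the entry is valid.

    entry:        dict of attribute name -> string value
    parent_class: NDS class of the container the entry would be created in
    siblings:     existing entries in that container (naming collisions)
    """
    problems = []
    allowed = NGINFO3["mandatory"] | NGINFO3["optional"]
    for attr in NGINFO3["mandatory"] - set(entry):
        problems.append(f"missing mandatory attribute {attr}")
    for attr in set(entry) - allowed:
        problems.append(f"attribute {attr} is not defined for NSCP:Nginfo3")
    if parent_class not in NGINFO3["containment"]:
        problems.append(f"class cannot be contained by {parent_class}")
    naming = NGINFO3["naming"]
    if naming in entry:
        key = _norm(naming, entry[naming])
        for other in siblings:
            if naming in other and _norm(naming, other[naming]) == key:
                problems.append(
                    f"naming attribute value {entry[naming]!r} collides with "
                    f"existing {other[naming]!r}")
                break
    return problems
```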
Installing Netscape Collabra Server
After you have changed the LDAP schema mappings and added the new object class and new attribute class, you are ready to install Netscape Collabra Server on a Windows NT or Solaris server. (Remember this article discusses only the configuration options you must choose during the installation to integrate Netscape Collabra Server with NDS.)
To integrate Netscape Collabra Server with NDS, you must specify that you will use LDAP to manage user and group information. Netscape Collabra Server can then use NDS to store user and group information instead of storing this information on the local hard drive of Netscape Collabra Server. During the installation of Netscape Collabra Server, you specify that you will be using LDAP on the LDAP Configuration screen. This screen is identical to the LDAP Configuration screen that appears during the installation of Netscape Messaging Server. (See Figure 4.)
After you have indicated that you want to use LDAP-based authentication, you specify information about the LDAP server you want to use. You specify this information on the LDAP Configuration screen. In the fields listed below, you must provide the following information:
Server Name. Enter the IP address of the NetWare 5 server that is running LDAP.
Server Port. This port is always 389, which is the standard port used for SSL.
Base Distinguished Name. Enter the NDS context in which you want to place users created with the Collabra administration tool. Note: Netscape's SuiteSpot applications use comma delimited naming from the most significant to the least significant object.
Next, the installation program will prompt you to provide administrator authentication information for the LDAP server. You must provide the ADMIN username and password or the username and password for a user who has equivalent rights to the container object in which NDS will create the Collabra users. When you run the Netscape Server Manager to create or manage Collabra users, you must use this user account to authenticate to NDS.
INTEGRATING NETSCAPE CERTIFICATE SERVER WITH NDS
Netscape Certificate Server enables companies to issue, sign, and manage public-key certificates by using SSL for private communication over extranets and intranets. When integrated with NDS, Netscape Certificate Server stores user public-key information in NDS. Unlike the other two SuiteSpot applications featured in this article, Netscape Certificate Server does not require any additions or modifications to the NDS schema for integration with NDS.
Installing Netscape Certificate Server
To enable NDS integration, you must configure a number of items when you install Netscape Certificate Server. (Remember this article discusses only the configuration options you must choose during the installation to integrate Netscape Certificate Server with NDS.)
During the installation, you configure the following items:
Certificate Server name
CA_Certificate Authority name
Service Administrator name
When you configure these items, you must specify each item's Common Name and the Organizational Unit, Organization, and Country objects in which you want to create the item. (See Figure 5.) As you configure these items, note the names you give to each item. You must create each item manually as NDS User objects in the container object in which Netscape Certificate Server stores the public keys.
Figure 5: By integrating NDS with Netscape Certificate Server, you can store user public-key information in NDS.
The next part of the installation that relates to NDS is the Certificate Server Directory Configuration. You should configure the fields of this screen as follows:
Enable Updates to Directory Server. Answer Yes.
Directory Server Host. Enter the IP address of the NetWare 5 server that is running LDAP.
Server Port. This port is always 389, which is the standard port used for SSL.
Access DN. Enter a distinguished name (DN) for a user who has Write privileges to NDS. Note: Netscape's SuiteSpot applications use comma delimited naming from the most significant to the least significant object.
Components to Form the DN in the Directory. Check the appropriate components in the certificate server's subject name that will be used to form the subject's distinguished name in NDS. For example, you could select CN, OU, and O.
Components to Match Attributes in the Directory. Check the appropriate components in the certificate server's subject name that will be used to match the attributes in the subject's NDS entry. For example, you could select UID, CN.
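The two component selections above, worked through on a constructed certificate subject as an added example (not code from the article or from Netscape Certificate Server). The subject string and the selected components are assumptions; the search filter is escaped per RFC 2254 so that a subject value cannot alter the shape of the directory search.

```python
# Added example, not from the article: reproduce the "Components to Form
# the DN" and "Components to Match Attributes" choices on a constructed
# certificate subject. The subject and the component selections are
# assumptions for illustration.

SAMPLE_SUBJECT = "CN=Lindsey Marymee,UID=lmarymee,OU=Users,O=Novell,C=US"  # constructed


def parse_dn(dn):
    """Parse a DN string into [(TYPE, value), ...] in the order written
    (leaf first), honouring RFC 2253 backslash escapes and quoted values."""
    rdns, buf, escaped, quoted = [], [], False, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    result = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        typ, _, val = rdn.partition("=")
        result.append((typ.strip().upper(), val.strip()))
    return result


def _escape_dn_value(value):
    return "".join("\\" + c if c in ',+"\\<>;' else c for c in value)


def _escape_filter_value(value):
    # RFC 2254 escaping: a subject containing "*", "(" or ")" must not widen the search.
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(table.get(c, c) for c in value)


def form_directory_dn(subject, components):
    """Build the NDS DN from the subject components checked under
    'Components to Form the DN in the Directory' (for example CN, OU, O)."""
    wanted = {c.upper() for c in components}
    parts = [(t, v) for t, v in parse_dn(subject) if t in wanted]
    if not parts:
        raise ValueError("none of the selected components appear in the subject")
    return ",".join(f"{t}={_escape_dn_value(v)}" for t, v in parts)


def match_filter(subject, components):
    """Build the LDAP filter that locates the subject's existing NDS entry on
    the components checked under 'Components to Match Attributes' (for
    example UID, CN). Every selected component must be present in the
    subject; otherwise the match would be weaker than configured."""
    wanted = [c.upper() for c in components]
    present = dict(parse_dn(subject))  # if a type repeats, the last value wins
    missing = [c for c in wanted if c not in present]
    if missing:
        raise ValueError(f"subject lacks match component(s): {', '.join(missing)}")
    clauses = "".join(f"({c.lower()}={_escape_filter_value(present[c])})" for c in wanted)
    return f"(&{clauses})" if len(wanted) > 1 else clauses
```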
After you install Netscape Certificate Server, you must launch the NWADMIN utility and create the User objects to represent the items that you configured during the installation. You should create four User objects that represent the following items:
The names that you give to these objects must exactly match the names that you specified during the installation of Netscape Certificate Server. You must complete this step before Netscape Certificate Server can store public keys in NDS.
Integrating mission-critical applications with NDS provides many benefits: Users have simplified access to the network and the applications. You save significant time and money deploying and managing these applications.
In addition to supporting simple LDAP applications such as SuiteSpot, NDS can support a broad range of directory-enabled applications. NDS supports LDAP as one of many access protocols.
Although Netscape does have an LDAP implementation with a proprietary data-store, this solution lacks the capabilities needed for mission-critical applications. The primary applications that use Netscape Directory Server are Netscape's SuiteSpot applications. Since Netscape designed SuiteSpot applications to run standalone (requiring no directory server), these applications store most of their data elements in separate databases. (For example, Netscape Certificate Server uses Informix to store Certificate information, and Netscape Collabra Server uses a directory, such as NDS, to store its information.)
Integrating these applications with NDS reduces the number of required databases to a single database. This database can then be used not only for SuiteSpot applications but also for network and mission-critical applications.
Sandy Stevens is a freelance writer based in Salt Lake City, Utah. She is the coauthor of Novell's Guide to NetWare Printing, Novell's Guide to BorderManager, and Novell's Guide to Integrating intraNetWare and NT--all of which are available from Novell Press.
* Originally published in Novell Connection Magazine
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.