On NDS Connections
Articles and Tips: tip
Novell Consulting Services
01 Mar 1996
NetWare 4.1 administrators may wonder what the different types of connections are that they see under MONITOR's Connection Information option. Here's a quick review of what this is all about.
In NetWare Directory Services (NDS), a connection requires the use of the VLM client or Client32 software for authentication to a NetWare 4.1 server. To provide a single sign-on to multiple NetWare 4 servers and to perform background authentication when users need to access other network resources, an NDS connection uses a security mechanism known as RSA encryption between the client and server.
An NDS connection is said to be in one of three states:
Connected but not logged in
Authenticated
Licensed and authenticated
Connected But Not Logged In
This state describes a user who has initially attached to a NetWare 4.1 server through the NETX shell, the VLM client, or Client32. The connected but not logged in state can exist for either NetWare 3 or NetWare 4 users if this is the first server the client software attaches to as the user logs in. Users may also find themselves in this state after the initial attachment to the first server, if they make a connection to another server while walking the NDS tree.
Authenticated
Authentication is the process of proving the user's or object's identity to a server. A connection in the Authenticated state indicates that a NetWare 4.1 server has established the user's identity after the user has entered a correct username and password. Authentication occurs for both NetWare 3.x and NetWare 4.x users, but NetWare 4.1 adds more security to this process.
In NetWare 3.1x, authentication meant simply logging in and supplying a valid username and password. In NetWare 4.1, the extended authentication happens "behind the scenes" at the client. After the user enters a username and password when prompted during the login sequence, the remainder of the authentication process is invisible to the user. Authentication relies on sophisticated encryption algorithms that are based on a public/private key system. For security purposes, sensitive data is never transmitted across the wire.
Once users have been successfully authenticated, a process known as background authentication occurs if the user's login script specifies connections to other servers. Connecting to another NetWare 4.1 server does not require the user to reenter his or her password. However, all connections are authenticated the same way, and no distinction is made between the first and subsequent server logins in terms of the process.
Licensed and Authenticated
A connection is said to be licensed when a user has made a request of one of the server's services, such as mapping a drive or capturing to a printer. The server's user license count is decremented by one after each user connection has been licensed. Only an authenticated connection can be licensed.
The combination of these states determines what level of access a user currently has in a NetWare 4.1 environment. For example, when a connection is neither authenticated nor licensed, the user can still navigate the NDS tree with the CX (Change conteXt) command. Users who haven't logged in yet have initially attached to a server, but have not yet been authenticated. When users are both licensed and authenticated, they can access NDS and file system information to the extent allowed by their rights assignments.
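To make the state rules concrete, here is an added Python model (not Novell code and not how the client actually implements it) of a connection moving through the three states, of the per-server license count, and of background authentication to a second server. The Server, Connection and ClientSession classes, the password table and the retained-credential handoff are constructed stand-ins for the RSA-based exchange the article mentions but does not detail.

```python
from enum import Enum

class ConnState(Enum):
    NOT_LOGGED_IN = "connected but not logged in"
    AUTHENTICATED = "authenticated"
    LICENSED = "licensed and authenticated"

class Server:
    """Constructed model of a NetWare 4.1 server with a user license pool."""
    def __init__(self, name, licenses, users):
        self.name, self.licenses, self.users = name, licenses, users
    def verify(self, username, password):
        # Stand-in for the RSA-based exchange; the page gives no wire details,
        # so a table lookup represents "the server has established identity".
        return self.users.get(username) == password

class Connection:
    """One client-to-server connection and the NDS state it is in."""
    def __init__(self, server):
        self.server, self.state = server, ConnState.NOT_LOGGED_IN
    def authenticate(self, username, password):
        if not self.server.verify(username, password):
            raise PermissionError("login rejected by " + self.server.name)
        self.state = ConnState.AUTHENTICATED
    def request_service(self):
        """Mapping a drive or capturing a printer licenses the connection."""
        if self.state is ConnState.NOT_LOGGED_IN:
            raise PermissionError("only an authenticated connection can be licensed")
        if self.state is ConnState.AUTHENTICATED:
            if self.server.licenses == 0:
                raise RuntimeError("no user licenses left on " + self.server.name)
            self.server.licenses -= 1  # decremented once, on the first licensed use
            self.state = ConnState.LICENSED

class ClientSession:
    """Client side: the first login prompts, later servers authenticate in the background."""
    def __init__(self):
        self.creds, self.connections = None, {}
    def attach(self, server):
        self.connections[server.name] = Connection(server)  # connected, not logged in
        return self.connections[server.name]
    def login(self, server, username, password):
        self.creds = (username, password)  # assumption: kept by the client for reuse
        self.attach(server).authenticate(username, password)
    def background_login(self, server):
        if self.creds is None:
            raise RuntimeError("no initial login to reuse")
        self.attach(server).authenticate(*self.creds)
```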
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.