LDAPS does not work between MidTier and Backend servers

(Last modified: 15Jan2006)

This document (10082533) is provided subject to the disclaimer at the end of this document.

symptom

LDAPS does not work between MidTier and Backend servers

fact

Novell ZENworks for Desktops 4 - ZFD4

Novell ZENworks for Desktops 4.0.1 - ZFD4

Novell ZENworks Middle Tier

change

Changed the LDAP port configured for the backend to the secure LDAP port (usually 636).  Authentication through the Middle Tier stopped working.

cause

LDAPS is not supported between the Middle Tier and the backend.  The Middle Tier performs a simple bind with the proxy user's name and password over a cleartext LDAP connection (normally port 389), so the backend must be willing to accept a password over a connection that is not TLS-protected.  This is why the backend LDAP Group object must have 'Allow Clear Text Passwords' checked (or, on eDirectory 8.7 or higher, must have 'Require TLS for simple binds with password' unchecked).  If the backend refuses cleartext simple binds, or if the Middle Tier is pointed at port 636, the proxy bind fails and no user can authenticate through the Middle Tier.
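To see which of the two failure modes a backend is in, it helps to do exactly what the Middle Tier does: open a plain LDAP connection and attempt a simple bind with the proxy account.  The probe below is an added example written for this document; it is not Novell code and not part of ZENworks.  It hand-rolls the LDAP BER framing from RFC 4511 so it needs only the Python standard library, and it also constructs the server-side BindResponse so the parser can be exercised offline.  A resultCode of 0 means the cleartext bind was accepted (what the Middle Tier needs); 13 (confidentialityRequired) is what eDirectory returns when 'Require TLS for simple binds with password' is in effect; 49 means the backend allowed the cleartext bind but rejected the proxy DN or password.  The host name, proxy DN and password in the usage line are assumptions.

```python
"""Probe whether an LDAP backend accepts a cleartext simple bind on port 389.

Added example (not Novell/ZENworks code). Standard library only; LDAP BER
framing per RFC 4511. Host, proxy DN and password are assumed values.
"""
import socket
from dataclasses import dataclass

SUCCESS = 0                    # RFC 4511 resultCode: bind accepted
CONFIDENTIALITY_REQUIRED = 13  # returned by eDirectory when TLS is required for simple binds
INVALID_CREDENTIALS = 49       # cleartext bind allowed, but DN/password wrong


def _ber_len(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(tag, value):
    """Minimal two's-complement contents for INTEGER (0x02) / ENUMERATED (0x0A)."""
    return _tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def build_simple_bind(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] pw } }."""
    bind = _tlv(0x60, _int(0x02, 3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _int(0x02, message_id) + bind)


def sample_bind_response(message_id, result_code, diagnostic=""):
    """Constructed server message: LDAPMessage { messageID, BindResponse [APPLICATION 1] }."""
    result = _int(0x0A, result_code) + _tlv(0x04, b"") + _tlv(0x04, diagnostic.encode())
    return _tlv(0x30, _int(0x02, message_id) + _tlv(0x61, result))


def _read_tlv(buf, pos=0):
    """Return (tag, contents, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


@dataclass
class BindResult:
    message_id: int
    result_code: int
    matched_dn: str
    diagnostic: str


def parse_bind_response(data):
    tag, msg, _ = _read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, rc, pos = _read_tlv(op)             # ENUMERATED resultCode
    _, matched, pos = _read_tlv(op, pos)   # matchedDN
    _, diag, _ = _read_tlv(op, pos)        # diagnosticMessage
    return BindResult(int.from_bytes(mid, "big", signed=True),
                      int.from_bytes(rc, "big", signed=True),
                      matched.decode("utf-8", "replace"), diag.decode("utf-8", "replace"))


def classify(result_code):
    """What the resultCode means for Middle Tier authentication."""
    if result_code == SUCCESS:
        return "cleartext simple bind accepted: the Middle Tier can authenticate to this backend"
    if result_code == CONFIDENTIALITY_REQUIRED:
        return ("backend requires TLS for simple binds: uncheck 'Require TLS for simple binds "
                "with password' (eDir 8.7+) or check 'Allow Clear Text Passwords' on the LDAP Group")
    if result_code == INVALID_CREDENTIALS:
        return "cleartext bind is allowed but the proxy DN/password were rejected"
    return "unexpected resultCode %d" % result_code


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def probe(host, dn, password, port=389, timeout=5.0):
    """Send one simple bind and return the parsed BindResponse.
    NOTE: the password crosses the wire in the clear, which is the point of this TID."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_simple_bind(1, dn, password))
        head = _recv_exact(sock, 2)        # tag + first length octet
        if head[1] & 0x80:
            head += _recv_exact(sock, head[1] & 0x7F)
            length = int.from_bytes(head[2:], "big")
        else:
            length = head[1]
        return parse_bind_response(head + _recv_exact(sock, length))


if __name__ == "__main__":
    # assumed values: backend host, proxy user DN, proxy password
    r = probe("backend.example.com", "cn=mtproxy,o=novell", "secret")
    print("resultCode %d: %s" % (r.result_code, classify(r.result_code)))
```

Run it from the Middle Tier server itself, against the host and port the Middle Tier is configured for: if port 636 is configured, the TCP handshake will succeed but the server will not speak plain LDAP, which reproduces the symptom; on 389, resultCode 13 means the LDAP Group object still requires TLS, and 0 confirms the proxy bind works.  Because the probe sends a real password in the clear, use it only on the Middle Tier host or with a throwaway test account.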

fix

LDAPS would protect the proxy user's credentials on the wire; without it, the proxy user's name and password cross the network in the clear on every bind from the Middle Tier to the backend.  The documentation and the installer suggest using the admin credentials for the proxy user account during Middle Tier installation, so in a default install it is the admin's credentials that are exposed.  There are three workarounds currently available to keep the admin's credentials secure:

1.) Run the Middle Tier and the backend it points to on one and the same box, so the LDAP traffic never leaves the server.

2.) Place the Middle Tier and the backend it points to on a network segment that cannot be sniffed (for example, a dedicated switched segment between the two servers).  Note that a switch alone does not guarantee this: an attacker on the same segment can still capture the traffic through ARP spoofing or a mirrored port.

3.) Create a dedicated, least-privilege user to serve as the Middle Tier proxy user account instead of admin.  Even if its password is captured, the attacker gains only the rights listed below.  This account needs the following rights:

To authenticate through the Middle Tier without supplying a context, grant the proxy user Read rights to the CN attribute of the users that will log in through this Middle Tier, so that it can resolve a contextless login name.

To Remote Manage workstations via the User object or with Password-based Remote Management in a Client32-less environment, grant Write rights to the zendmWSNetworkAddress attribute of the users in the backend tree.  NOTE:  you will also need Create entry rights to these user objects because this attribute is not present by default on the user object.  The attribute is created the first time a user logs in through the Middle Tier from a workstation that does not have the Novell Client32 on it.

To administer the Middle Tier via the NSADMIN URL, the administrator account used needs to be equivalent to the proxy user account, and it also needs the Write right to the Equivalent To Me attribute on the proxy user account.  NOTE: By default, a newly created user does not have the Write right to the Equivalent To Me attribute on its own account.  Therefore, if an arbitrary user is created as the proxy account and you want to administer the Middle Tier via NSADMIN with that same account, you must grant the account the Write right to its own Equivalent To Me attribute.  FYI - the proxy account is stored on the Middle Tier server in the registry under HKLM\Software\Novell\XTier\Configuration\Xsrv.

note

If the Middle Tier server is also the iFolder NetStorage server, the proxy account additionally needs the rights to add the auxiliary class (xTier) to user objects and to write the attribute (xTier-iFolderPassPhrase).  This is needed when a user sets their pass phrase from within NetStorage.

document

Document Title: LDAPS does not work between MidTier and Backend servers
Document ID: 10082533
Solution ID: NOVL88899
Creation Date: 28Apr2003
Modified Date: 15Jan2006
Novell Product Class:Management Products

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.