Geeks With Blogs

News Clicky Web Analytics

web stats View David Caddick (davidcaddick@gmail.com)'s profile on LinkedIn

Search this Site!

Locations of visitors to this page
View My Stats eXTReMe Tracker
This posting is provided "AS IS" with no warranties, and confers no rights. The opinions expressed within are my own and should not be attributed to any other Individual, Company or the one I work for. I just happen to be a classic techie who is passionate about getting things to work as they should do (and are sometimes advertised and marketed as being able to?) and when I can I drop notes here to help others falling in to the same traps that I have fallen in to. If this has helped then please pass it on - if you feel that I have commented in error or disagree then please feel free to discuss with me either publically or privately? Cheers, Dave
Thin Clients, VDI and Linux integration from the front lines.... Raw and sometimes unedited notes based on my experiences with VMware, Thin Clients, Linux etc.

Recently I have been looking in to some issues relating to mixed Novell and AD Authentication at customers sites and there does not seem to be too much information that is readily available so I thought it might be useful if I post some of the details and links here as a helper to others? ;-)

One of the most interesting points is that it would appear that Novell really hasn't done much to the Novell Client in quite a while, and even with the advent of Vista it has not so much revisited the classic 4.91 SP4 version but simply created a new one from scratch that has no backwards compatibility or any relationship to the 4.91 version....

Also something to be aware of is that quite some while back it would appear that Novell did try for a Catalogue of sorts that may or may not have been somewhat similar to AD's implementation but it was dropped from NDS ver. 8.x and above - so if you are trying to get Contextless Login working the only other real alternative is to use a method of creating an Alias for all Users in one specific OU and then referencing all Logins to search that one specific OU at login.

Now if you are like me, this appears to be almost laziness on the part of the developers? Surely they could do better than this? And even if you do get Contextless Login working what it actually amounts to is that the user can use either the short User ID <davidca> or the UPN <david.caddick@novell.com> and when you either use:

  • Tab Key
  • Mouse to move to the Password box
  • Click on OK

you will then find that the Contextless Lookup is evoked and your user name is changed to match the Case of exactly what it is the NDS

Anyway, here is the documents that might prove useful if you are investigating similar issues?

One of the most useful documents would appear to be this one: 

Configure AutoAdminLogon for Novell Clients for Windows NT/2000/XP

AutoAdminLogon can be implemented in any of the 5 combinations listed below. For each version of the client, we will describe which combinations can be implemented and how to implement those combinations.

Auto login to NDS and NT
Auto login to NDS and manual login to NT
Auto login to NT and manual Login to NDS
Auto login to NT and disable login to NDS
Manual login to NDS and NT

There is also this document that is more specific to Terminal Server/Citrix Presentation Server XenApp Server environments:

LDAP Contextless Login in Terminal Services Environments

In all versions of the Novell Client for Windows 2000/XP/2003 prior to and including Novell Client 4.91 SP3, the LDAP Contextless Login support will only perform a contextless lookup if a user interactively changes the contents of the "Username:" field or the "Tree:" field of the Novell Client login dialog.

As such, the LDAP Contextless Login support was not able to benefit scenarios involving Windows Terminal Services environments where TSClientAutoAdminLogon was being used in conjunction with credentials pre-supplied in the terminal connection, and/or with TSClientAutoAdminLogon in Citrix Metaframe environments that were launching published applications.

The widely used workaround for this limitation was to move or alias eDirectory users into a single container, such that in absence of contextless login support the terminal service environment could successfully default to a single context for all eDirectory user logins.

If you do have issues relating to getting Contextless Login working correctly the most authorative document I could find would appear to be this:

Setting Up LDAP Contextless Login and LDAP Treeless Login

Several large Novell customers have used LDAP Contextless Login to facilitate the merging of several trees in to one global tree. Before LDAP Contextless Login, users were often annoyed by being required to change their context information in the login screen when changes took place in the tree structure. This resulted in IT costs to manage and support the change. LDAP Contextless Login makes it easier for users to work in the new global tree because it makes it unnecessary for the users to manage or know about changes to their organization's name or its placement in the hierarchy. Because users no longer need to enter their context to authenticate, the context can be changed on the back end as many times as necessary without the users needing to know and without the costs associated with managing and supporting these changes.

The Lightweight Directory Access Protocol (LDAP) is an Internet communications protocol that lets client applications access directory information. It is based on the X.500 Directory Access Protocol (DAP) but is less complex than a traditional client and can be used with any other directory service that follows the X.500 standard. Lightweight Directory Access Protocol (LDAP) Services for Novell eDirectory is a server application that lets LDAP clients access information stored in eDirectory.

If your network has LDAP Services for Novell eDirectory set up on your eDirectory tree and you are running Novell eDirectory 8.5 or later, users who are logging in to the network from Windows can log in to the network without having to enter their context in the Novell Login screen. To log in, users need to know only their username, password, and the name of the tree that is running LDAP Services. Optionally, you can also have users log in to the network without having to specify the eDirectory tree name.

User objects can be located in the tree by username or e-mail address. You can also enable wildcard searches. If wildcard searches bring up multiple usernames, the user is prompted to select his username.

Posted on Thursday, March 27, 2008 9:55 AM IT Management , Security | Back to top


Comments on this post: Mixed Novell and AD Authentication issues

No comments posted yet.
Your comment:
 (will show your gravatar)


Copyright © Dave Caddick | Powered by: GeeksWithBlogs.net