How to enable LDAP authentication using SSL with GroupWise

  • 10098063
  • NOVL102536
  • 21-Jun-2005
  • 18-Apr-2006

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.

Fact

Novell GroupWise 6.5

Symptom

How to enable LDAP authentication using SSL with GroupWise

Error: LDAP SSL key file not found [D078] User:<userid>

Note

Below are the steps necessary to enable LDAP authentication using SSL for your post office authentication method:

1.  For whatever server you are using for LDAP authentication, in the NDS view in ConsoleOne, go to the container in the tree where the LDAP server objects are located.  Here you should find your LDAP Server and LDAP Group objects as well as the SSL CertificateIP and SSL CertificateDNS objects.
2.  Open the properties of the LDAP Server object and select the SSL/TLS tab.  The Server Certificate field should name either the SSL CertificateIP or the SSL CertificateDNS certificate.  Either one works; take note of which certificate is listed, because that is the object you will export a key from.
3.  Open the properties of the SSL certificate object in use and select the Certificates tab.  At the bottom is an option to export a certificate for this object.
4.  Select Export.  The first prompt asks whether you want to export the private key.  If you choose Yes, it exports a .pfx file.  If you choose No, you can export a base64 or binary .der formatted certificate.  Choose No and export a binary .der certificate: the .der format is the only one that works.  Select Next and then Finish.  By default this writes the .der file to the root of your C:\ drive, but you can change the path and place the file either in the root of your post office directory or in sys:\system.  If you create it on your C:\ drive, you will need to copy it out to your server.  Once this is done, rename the long certificate name to something 8 characters or less.  This will save you from getting D078 errors shortly.
5.  Open the properties of the LDAP Group object.  On the General tab check "Require TLS for simple binds with password."  With older versions of the snapins this option was referred to as "Allow clear text passwords"; in that case you would want to uncheck it instead.

Note: Setting this option discourages users from attempting to bind with passwords over a non-encrypted connection because the bind attempt fails. The password, however, is sent to the server before the bind fails. It is possible for an eDirectory username and password to be captured during a failed bind attempt.

6.  In ConsoleOne, select Tools | GroupWise System Operations | LDAP Servers.  Here we define the location of the LDAP server the post office will use to authenticate and which certificate is used.
7.  Specify a name and/or description.  Check the Use SSL box and specify the location of the certificate we just exported.  Define the IP address of the LDAP server and change the port to 636.  Next, select either Bind or Compare; we want to select Bind.  Compare opens a single connection for LDAP authentication and leaves it open, and it does not give notifications when passwords expire.  Bind opens a new connection for each request.  If NMAS is running on this server, it can potentially cause issues with passwords.  The last option lets you assign an LDAP server per post office.  If you are setting up LDAP authentication for multiple post offices, define an LDAP server for each post office.  When you associate an encryption key for the LDAP server to use, the post office does not have to search across the network to find the encryption key.
8.  On the post office object, go into properties and drop down to Security on the GroupWise tab.  Change the security level to High and select LDAP authentication.
9.  Unload and reload nldap and your post office agent.

NOTE:
If you load the POA and get the following error, the certificate filename is too long for GroupWise.

Error: LDAP SSL key file not found [D078] User:<userid>

When you enable SSL on your LDAP servers you specify the location of the certificate you exported for that LDAP server.  GroupWise prefers 8.3 naming conventions for certificate filenames, server names and volume names.
Two options work around the long filename issue:
1.  Place the .der file in the sys:\system directory and specify only the name of the certificate file.
2.  Place the .der file in the post office directory and have the path be volume:\<path to post office>
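As an added pre-flight check, not part of the original TID or of GroupWise itself, the following Python script (function names and the sample bytes are my own constructions) tests the two conditions that step 4 and the D078 note above depend on: the exported file must be binary DER rather than a base64 or .pfx export, and its filename must fit the 8.3 convention. It only inspects the outer ASN.1 header and the name; it does not validate the certificate contents.

```python
import os
import re

# Conservative 8.3 pattern: 1-8 name characters, optional dot plus 1-3
# extension characters; letters, digits and underscore only.
_EIGHT_THREE = re.compile(r"^[A-Za-z0-9_]{1,8}(\.[A-Za-z0-9_]{1,3})?$")


def is_8_3_name(filename: str) -> bool:
    """True if the bare filename fits the 8.3 convention GroupWise prefers."""
    return _EIGHT_THREE.match(filename) is not None


def der_outer_length(data: bytes):
    """Total byte length of the outer DER SEQUENCE, or None if the data does
    not begin with a well-formed SEQUENCE header (tag 0x30 plus length)."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                  # short-form length
        return 2 + first
    n = first & 0x7F                  # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def check_cert(filename: str, data: bytes) -> list:
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    if not is_8_3_name(filename):
        problems.append(f"{filename}: not an 8.3 name, expect D078 at POA load")
    if not filename.lower().endswith(".der"):
        # A .pfx export is DER-encoded too (PKCS#12), so the extension matters
        problems.append(f"{filename}: extension is not .der")
    if data.lstrip().startswith(b"-----BEGIN"):
        problems.append("file is a base64 (PEM) export; re-export as binary DER")
    elif der_outer_length(data) != len(data):
        problems.append("file is not a single well-formed DER object")
    return problems


def check_cert_file(path: str) -> list:
    """Run check_cert against a certificate file on disk."""
    with open(path, "rb") as fh:
        return check_cert(os.path.basename(path), fh.read())


if __name__ == "__main__":
    # Constructed sample: a minimal DER SEQUENCE { INTEGER 5 }, not a real cert
    print(check_cert("ldapcert.der", b"\x30\x03\x02\x01\x05"))
```

Run it as `python check_cert.py` for the built-in sample, or call `check_cert_file("sys:/system/ldapcert.der")` against the exported file before reloading the POA.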

This should allow LDAP authentication using SSL and protect usernames and passwords from being captured in clear text.

