iFolder 2.x and LDAP across the WAN

  • 3899464
  • 20-Jun-2007
  • 26-Apr-2012

Environment
Novell iFolder 2.1

Situation

When multiple iFolder servers are used across a Wide Area Network (for example, from Syracuse, New York, USA to Singapore), users at one location fail to authenticate when the LDAP service at the other location fails.

Resolution

This occurs because of a two-step process in LDAP authentication when the iFolder server loads, which is described in the Additional Information section of this document. The method to circumvent this two-step process is as follows.
  1. Open the configuration file that Apache uses for iFolder. On NetWare the configuration file is:
    SYS:/Apache2/ifolder/Server/httpd_ifolder_nw.conf
    On Linux the configuration file is:
    /etc/opt/novell/ifolder/conf/httpd_ifolder_unix.conf
  2. Locate the LdapHost setting in the file.
  3. Change this to the loopback address (127.0.0.1).
  4. Delete the iFolder_ldap* objects from eDirectory.
  5. Restart Apache.
  6. Open the iFolder administration page:
    https://servername/iFolderServer/Admin
  7. Click into "Global Settings".
  8. Click into "User LDAPs".
  9. If an iFolder_ldap* object exists, open it and ensure that the settings discussed here are correct. If there is no iFolder_ldap* object listed, create a new one.
  10. For the LDAP host, choose the loopback address (e.g. 127.0.0.1).
  11. If using SSL, choose the LDAP certificate .DER that corresponds to the organizational CA.
  12. Use authentication credentials that are allowed to create the objects in eDirectory (e.g. "admin" and "o=novell").
  13. Create the object.
  14. Restart all iFolder servers.
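As an added check for steps 1 to 3 (example code, not part of the original TID and not part of iFolder itself): a small Python routine that reads the LdapHost and LdapPort directives out of the iFolder Apache configuration, reports whether the start-up LDAP lookup stays on the loopback address, and rewrites LdapHost to 127.0.0.1. It assumes the file uses Apache-style "Directive value" lines; the sample configuration below is constructed.

```python
import re

# Constructed sample resembling httpd_ifolder_*.conf. The directive names
# LdapHost and LdapPort come from the TID; the surrounding lines are assumed.
SAMPLE_CONF = """\
# iFolder server settings (constructed sample)
LdapHost ldap.singapore.example.com
LdapPort 636
LdapSecure yes
"""

# Hosts that keep the start-up LDAP lookup on this server.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Apache-style directive: name, whitespace, value; comment lines never match.
_DIRECTIVE = re.compile(r"^\s*(LdapHost|LdapPort)\s+(\S+)",
                        re.IGNORECASE | re.MULTILINE)
_CANONICAL = {"ldaphost": "LdapHost", "ldapport": "LdapPort"}


def parse_ldap_settings(conf_text):
    """Return {'LdapHost': ..., 'LdapPort': ...} for the directives present."""
    settings = {}
    for m in _DIRECTIVE.finditer(conf_text):
        settings[_CANONICAL[m.group(1).lower()]] = m.group(2)
    return settings


def uses_local_ldap(conf_text):
    """True when LdapHost points at the loopback, i.e. the TID's fix is in place.

    A remote LdapHost means the server's first LDAP query (the lookup of the
    iFolderSettings/iFolderLDAP/iFolderServer objects) crosses the WAN, and a
    failure of that remote LDAP service blocks authentication here.
    """
    host = parse_ldap_settings(conf_text).get("LdapHost", "")
    return host.lower() in LOOPBACK


def rewrite_ldap_host(conf_text, new_host="127.0.0.1"):
    """Return the configuration with every LdapHost directive set to new_host."""
    return re.sub(r"^(\s*LdapHost\s+)\S+",
                  lambda m: m.group(1) + new_host,
                  conf_text, flags=re.IGNORECASE | re.MULTILINE)
```

Read the real file into a string, run uses_local_ldap on it, and write back the result of rewrite_ldap_host only after taking a copy of the original.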

Additional Information

This occurs because of a two-step process in LDAP authentication when the iFolder server loads. The process is:
  1. The iFolder process reads the "LdapHost" and "LdapPort" settings from the configuration file. On NetWare this is:
    SYS:/Apache2/ifolder/Server/httpd_ifolder_nw.conf
    On Linux the configuration file is:
    /etc/opt/novell/ifolder/conf/httpd_ifolder_unix.conf
  2. The iFolder server queries the LDAP server specified by those settings to obtain the iFolderSettings, iFolderLDAP, and iFolderServer objects from eDirectory.
  3. Using the attributes of the iFolderLDAP objects, connections are established to those servers for all authentication.
In the situation described in this document, this causes authentication requests to be sent across the Internet. By using 127.0.0.1 as the LDAP host, all LDAP requests connect to the local host instead.