Hello Community:
I have a very odd setup involving Windows Server 2003 and eDirectory 8.8 as follows:
0. I'm in a lab trying to emulate something I saw at a school district once. The lab is structured like this: Virtual network 0: backbone (only has VMs running Windows Server 2003 and represents the internet or a WAN, as only routers and the occasional email server or other such things are connected to it; it uses the 10.x.x.x IP range). Virtual network 1 (this represents a site and has a box running RRAS; on the WAN side it has an IP address of 10.0.27.100 and on the LAN side it hands out IP addresses like 192.168.27.x).
1. I've set up a PPTP VPN through RRAS (Routing & Remote Access) on the site router VM and I've connected a Windows XP VM directly to the network representing the WAN. On the XP machine I disabled the Novell GINA and joined it to the AD domain while it was connected to the VPN; thus when the machine is started the user presses CTRL+ALT+DEL, chooses to enter their AD name and password, selects the AD domain from the list and checks "login using a dial-up connection". This was done as there is not a way to have the Novell Client pull the VPN profile that I've found, and you cannot log in to Windows as Workstation Only then choose later to log in to AD.
2. After logging on to Windows and AD through the VPN connection and then right-clicking on the red N in the sys tray and choosing "Novell login" I enter my name and password and choose Advanced >> and hit the Trees button: nothing shows up.
3. If I modify the hosts file on the client to have my eDirectory servers be WINX-CESD-US-edir1.lan (192.168.27.220) and WINX-CESD-US-EDIR2.LAN (192.168.27.221) then try the red N again while connected to the VPN, and choose Advanced >> and enter the IP address of one of the eDirectory servers or the hostname I put into the hosts file for both tree and server then I can browse for contexts.
I did a thing that I probably shouldn't have done when I set all this up and named the AD domain WINX-CESD-US.LAN (NetBIOS name WINX-CESD-US) AND named my tree WINX-CESD-US. The other odd thing about my setup is that I used Microsoft's Connection Manager Administration Kit to create a profile so when the VPN client connects it automatically gets LAN-side DNS and WINS servers; otherwise that's a manual configuration every time. The only issue is now I am limited in what changes I can make to the configuration as opposed to just going through the "new connection wizard" and setting up the VPN and then putting up with the manual configuration of DNS and WINS.
Upon doing some further investigation, I made sure to modify the SLPD.cnf file in C:\Novell\eDir\Service with the following:
#############################################################################
#
# OpenSLP configuration file
#
# Format and contents conform to specification in IETF RFC 2614 so the
# comments use the language of the RFC. In OpenSLP, SLPD operates as an SA
# and a DA. The SLP UA functionality is encapsulated by SLPLIB.
#
#############################################################################
#----------------------------------------------------------------------------
# Static Scope and Static DA Configuration
#----------------------------------------------------------------------------
# This option is a comma delimited list of strings indicating the only scopes
# a UA or SA is allowed when making requests or registering or the scopes a
# DA must support. (default value is "DEFAULT")
net.slp.useScopes = DEFAULT
# Allows administrator to force UA and SA agents to use specific DAs. If
# this setting is not used dynamic DA discovery will be used to determine
# which DAs to use. (Default is to use dynamic DA discovery)
net.slp.DAAddresses = 192.168.27.220,192.168.27.221
#----------------------------------------------------------------------------
# DA Specific Configuration
#----------------------------------------------------------------------------
# Enables slpd to function as a DA. Only a very few DAs should exist. It
# is suggested that the administrator read the OpenSLP users guide before
# enabling this setting. Default is false. Uncomment the line below to
# enable DA operation.
net.slp.isDA = true
# A 32 bit integer giving the number of seconds for the DA heartbeat.
# Default is 3 hours (10800 seconds). This property corresponds to
# the protocol specification parameter CONFIG_DA_BEAT [7]. Ignored
# if isDA is false.
;net.slp.DAHeartBeat = 10800
#----------------------------------------------------------------------------
# SA Specific Configuration
#----------------------------------------------------------------------------
# If net.slp.watchRegistrationPID is set to true, local registrations made
# with the SA via the SLPReg() API call will be monitored. If the PID of the
# process (and/or thread on Linux) disappears (the registering process died
# unexpectedly with out calling SLPDereg()), then the registration is
# automatically de-registered. (Default value is true. Uncomment the line
# below to disable PID watching.
;net.slp.watchRegistrationPID = false
#----------------------------------------------------------------------------
# UA Specific Configuration
#----------------------------------------------------------------------------
# A 32 bit integer giving the maximum number of results to accumulate and
# return for a synchronous request before the timeout, or the maximum number
# of results to return through a callback if the request results are
# reported asynchronously (default value is 256).
;net.slp.maxResults = 256
#----------------------------------------------------------------------------
# Network Configuration Properties
#----------------------------------------------------------------------------
# Force broadcasts to be used instead of multicast. This setting is seldom
# necessary since OpenSLP will automatically use broadcast if multicast
# is unavailable. (Default is false)
;net.slp.isBroadcastOnly = true
# A boolean indicating whether passive DA detection should be used.
# Default is true. Uncomment the following line to disable passive DA
# detection
;net.slp.passiveDADetection = false
# A boolean indicating whether active DA detection should be used. This is
# useful when the DAs available are explicitly restricted to those obtained
# from DHCP or the net.slp.DAAddresses property. Default is true. Uncomment
# the following line to disable active DA detection
;net.slp.activeDADetection = false
# The net.slp.DAActiveDiscoveryInterval property controls *periodic*
# transmission of active DA discovery SrvRqsts. The default setting
# of 1 disables sending periodic active DA discovery SrvRqsts.
# However, even if net.slp.DAActiveDiscoveryInterval=1 OpenSLP agents will
# still send an active DA request upon initialization. To disable all
# active DA detection you MUST simply set net.slp.passiveDADetection = false
# (you may also set net.slp.DAActiveDiscoveryInterval=0).
;net.slp.DAActiveDiscoveryInterval = 1
# A positive integer that is less than or equal to 255. (The default is 255)
;net.slp.multicastTTL = 255
# An integer giving the maximum amount of time (in milliseconds) to perform
# active DA discovery requests. (Default is 2000 ms or 2 secs).
;net.slp.DADiscoveryMaximumWait = 2000
# A value-list of 32 bit integers used as timeouts, in milliseconds, to
# implement the multicast convergence algorithm during active DA discovery.
# Each value specifies the time to wait before sending the next request, or
# until nothing new has been learned from two successive requests.
# Default is: 500,750,1000,1500,2000,3000.
;net.slp.DADiscoveryTimeouts = 500,750,1000,1500,2000,3000
# An integer giving the maximum amount of time (in milliseconds) to perform
# multicast requests. (Default is 5000 ms or 5 secs).
;net.slp.multicastMaximumWait = 5000
# A value-list of 32 bit integers used as timeouts, in milliseconds, to
# implement the multicast convergence algorithm. Each value specifies
# the time to wait before sending the next request, or until nothing new
# has been learned from two successive requests.
# Default is: 500,750,1000,1500,2000,3000. In a slow network the less
# aggressive values of 3000,3000,3000,3000,3000 allow better performance.
;net.slp.multicastTimeouts = 500,750,1000,1500,2000,3000
# An integer giving the maximum amount of time (in milliseconds) to perform
# unicast requests. (Default is 5000 ms or 5 secs).
;net.slp.unicastMaximumWait = 5000
# A value-list of 32 bit integers used as timeouts, in milliseconds, to
# implement unicast datagram transmission to DAs. The nth value gives
# the time to block waiting for a reply on the nth try to contact the DA.
# Currently OpenSLP uses TCP for all unicast communication so this setting
# does not do anything
;net.slp.unicastTimeouts = 500,750,1000,1500,2000,3000
# To OpenSLP the following is the same as net.slp.unicastTimeouts. Use
# net.slp.unicastTimeouts instead.
;net.slp.datagramTimeouts = IGNORED
# An integer giving the maximum value for all random wait parameters.
# (Default is 5000 or 5 sec)
;net.slp.randomWaitBound = 5000
# A integer giving the network packet MTU in bytes. (Default is 1400)
;net.slp.MTU = 1400
# A list of IP address of network interfaces on which the DA/SA should listen
# for slp requests. By default, slpd will use all interfaces.
;net.slp.interfaces = 1.2.3.4,1.2.3.5,1.2.3.6
#----------------------------------------------------------------------------
# Security
#----------------------------------------------------------------------------
# A boolean indicating whether the agent should enable security for URLs,
# attribute lists, DAAdverts, and SAAdverts. (Default setting is false and
# ENABLE_SECURITY code must be compiled)
;net.slp.securityEnabled=true
# A boolean indicating whether the DA or SA will only allow deregistrations
# and re-registration from the *exact* host that made the registration.
# Default setting if true. Uncomment the line below to disable source
# address checking.
;net.slp.checkSourceAddr=false
#----------------------------------------------------------------------------
# Tracing and Logging
#----------------------------------------------------------------------------
# A boolean controlling printing of messages about traffic with DAs.
# Default is false. Uncomment the following line to enable DA traffic
# tracing
;net.slp.traceDATraffic = true
# A boolean controlling dumps of all registered services upon registration
# and deregistration. If true, the contents of the DA or SA server are
# dumped after a registration or deregistration occurs. Default is false.
# Uncommment the following line to enable registration message logging
;net.slp.traceReg = true
# A boolean controlling printing details when a SLP message is dropped for
# any reason. Default is false. Uncomment the following line to trace all
# dropped messages
;net.slp.traceDrop = true
# A boolean controlling printing of details on SLP messages. The fields in
# all incoming messages and outgoing replies are printed. Very verbose.
# Default is false. Uncomment the following line to enable verbose message
# tracing.
;net.slp.traceMsg = true
#----------------------------------------------------------------------------
# Serialized Proxy Registration
#----------------------------------------------------------------------------
# The net.slp.serializedRegURL property is not supported.
#
# slpd accepts the [-r] command line parameter that specifies the serialized
# registration file. The default serialized registration file is
# /etc/slp.reg
And I made sure to make similar changes in the same file on the other eDir server. Additionally in Novell Client Properties on the Service location tab the scope is set to DEFAULT and the DAs are set to 192.168.27.220 and 192.168.27.2221.
Now find below screenshots of everything I just mentioned.
Screen 01: XP Login showing the "Login Using A dial-up connection" checkbox checked
Screen 02: choosing the VPN profile (AnyConnect Winx Central VPN)
Screen 03: Signing into the VPN
Screen 04: Novell Login from the red N in the tray not showing any Trees
Screen 05: a supposed successful login after entering the custom domains as setup in the hosts file.
Now with all the show and tell done and out of the way, what seemingly has gone wrong? In practice, clients should be able to connect to the VPN as shown (given that AD won't allow you to sign on "after the fact" of doing a workstation-only login using your local account), then from the red N be able to choose the "Trees" button to get a list of them just as if they were on the LAN. Based on what I've cooked up, does everything look right, or what additional steps should I take to make that work as designed? If there's nothing that can be done to make that "Trees" button work as designed given my unique setup, what should be done to at least ensure a successful login?
I clearly remember seeing this at a school site once because this is how the teachers submitted grades from home when that time came round. The district was too cheap to get a dedicated VPN appliance like Cisco so they stood up RRAS boxes and the teachers would connect to those (one per site as not to overwhelm the RRAS box at the district office), this district was also in the process of moving away from exchange 2000 (I think) to GroupWise of some flavor (or was it some other Microsoft system they were trying to get away from... I don't remember). Since student and staff logins and group policy was already setup through AD and they didn't want to migrate off of that (try migrating 50+ staffers at each site and 500+ students per site off of AD over a weekend and see what happens) thus the Novell stuff. The only reason I know these weird facts about the submitting grades from home is because my math teacher and stepmom were good friends so I got to see more than most.
Then again my memory from that time is fuzzy so it might not have been that school but it was a school district that I attended at some point that tried to pull this stunt or something remarkably similar and got it to work.
Thanks:
Carly G. Fleischmann
==
Disclaimers: 1) I am often responding from mobile and so I apologize for the bad formatting and any auto-correct mistakes that might happen. 2) I have a team of advocates, assistants, and advisors who assist me in writing, responding to, and managing posts and community engagement; such advocates, assistants and/or advisors will clearly identify themselves along with their role. Any opinions expressed by my team are the opinions of that individual and do not necessarily represent my opinions or those of my support team unless otherwise noted.
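Added example, not code from the original post or from Novell/OpenSLP: a small SLPv2 client in Python that builds the unicast SrvRqst the Novell Client's "Trees" lookup relies on and parses the DA's SrvRply, so the addresses in net.slp.DAAddresses can be checked from the VPN client without any multicast or broadcast involved. It assumes trees are registered as service:ndap.novell:///TREENAME and that net.slp.securityEnabled is left off (no authentication blocks); query_da, tree_names and build_srvrply are my own helper names, and build_srvrply only constructs a sample reply so the parser can be run offline.

```python
import socket
import struct
SLP_PORT, SRVRQST, SRVRPLY = 427, 1, 2   # UDP port and SLPv2 function IDs (RFC 2608)

def slp_header(func_id, body, xid=1, lang=b"en"):
    # SLPv2 header: version, function, 3-byte length, flags, 3-byte ext offset, XID, lang tag
    length = 14 + len(lang) + len(body)
    return (bytes([2, func_id]) + length.to_bytes(3, "big") + b"\x00\x00"
            + b"\x00\x00\x00" + struct.pack("!HH", xid, len(lang)) + lang + body)

def build_srvrqst(service_type, scopes="DEFAULT", xid=1):
    # Body: PRList, service type, scope list, predicate, SLP SPI (2-byte length + string each);
    # the scope must match net.slp.useScopes on the DA
    body = b""
    for field in (b"", service_type.encode(), scopes.encode(), b"", b""):
        body += struct.pack("!H", len(field)) + field
    return slp_header(SRVRQST, body, xid)

def parse_srvrply(pkt):
    # Returns (error_code, [url, ...]); assumes no auth blocks (net.slp.securityEnabled off)
    if len(pkt) < 14 or pkt[0] != 2 or pkt[1] != SRVRPLY:
        raise ValueError("not an SLPv2 SrvRply")
    off = 14 + struct.unpack("!H", pkt[12:14])[0]
    err, count = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    urls = []
    for _ in range(count):
        # URL entry: reserved(1) lifetime(2) url-length(2) url auth-count(1)
        url_len = struct.unpack("!H", pkt[off + 3:off + 5])[0]
        urls.append(pkt[off + 5:off + 5 + url_len].decode())
        off += 5 + url_len + 1
    return err, urls

def tree_names(urls):
    # Assumption: eDirectory registers each tree as service:ndap.novell:///TREENAME
    return [u.rsplit("/", 1)[-1] for u in urls if u.startswith("service:ndap.novell:")]

def query_da(da_ip, service_type="service:ndap.novell", timeout=2.0):
    # Unicast straight to one DA on UDP 427, the path that must work over the PPTP link
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srvrqst(service_type), (da_ip, SLP_PORT))
        return parse_srvrply(s.recv(4096))

def build_srvrply(urls, xid=1):
    # Constructed reply (error 0, lifetime 65535, no auth blocks) so the parser can run offline
    body = struct.pack("!HH", 0, len(urls))
    for u in urls:
        body += b"\x00" + struct.pack("!HH", 65535, len(u)) + u.encode() + b"\x00"
    return slp_header(SRVRPLY, body, xid)
```

Run query_da("192.168.27.220") from the connected VPN client: a timeout means UDP 427 to the DA is not passing over the tunnel, while an empty URL list with error 0 points at a scope mismatch rather than connectivity.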