Anonymous_User Absent Member.

Authenticating Directories

Hi Shaun,
Not much on this forum so far. I'm not able to get eDirectory to be used
as the Authenticating Directory for ESM 3.5. A stand-alone LDAP browser
running on the ESM server has no problems even without SSL. Is there
logging for the Test configuration action?

Cheers,
Kirk

11 Replies
Anonymous_User Absent Member.

Re: Authenticating Directories

A bit more detail on the issues. Ran Wireshark from the W2K3 server (sp2)
to sniff what was going on. No packets left the server while running the
Test to eDirectory! Event viewer has an error that reads:

1) Exception Information
*********************************************
Exception Type: System.Net.WebException
Status: TrustFailure
Response: NULL
Message: The underlying connection was closed: Could not establish trust
relationship with remote server.
TargetSite: Void
HandleReturnMessage(System.Runtime.Remoting.Messaging.IMessage,
System.Runtime.Remoting.Messaging.IMessage)
HelpLink: NULL
Source: mscorlib


Anonymous_User Absent Member.

Re: Authenticating Directories

No change after uninstalling and reinstalling ESM on server. I did
install the console on XP (sp2) and it looked like the install went
smoothly. But when putting in the eDirectory credentials (SSL on or off)
it bombed with the message "PolicyEditor.exe - Common Language Runtime
Debugging Services" "Application has generated an exception that could not
be handled"

Anonymous_User Absent Member.

Re: Authenticating Directories

Kirk,

Hi, I've not even installed the darn thing myself yet, but I'll go
ask..

--

Shaun Pond


Anonymous_User Absent Member.

Re: Authenticating Directories

Kirk,

Did you uncheck secure authentication?
The user name is in LDAP format.
The Novell client will need to be installed on the server and logged
in using the same user credentials used in the ZENworks Management
Console's Authenticating Directories screen.

--

Shaun Pond


Anonymous_User Absent Member.

Re: Authenticating Directories

Made some progress.

Reinstalled ESM while logged in as eDir user ZenESM. Ran the
Authenticating Directories without Secure Authentication and using ZenESM
LDAP style credentials pointing to a NetWare 6.5 server which has "Require
TLS for simple binds with passwords" as DESELECTED in its LDAP Group
object. OK this works and packet trace looks good!

When I went to save this credential set for the Authenticating
Directories, I got an error "Unable to set default service permissions for
<Friendly Name>". I noticed that the "Available for User Authentication"
had been automatically checked but the Domain/Tree field was still blank.
Filled it in with the tree name and then it seemed to save OK.

Tried running the ESM Management console and presented with the logon box
of User Name "Administrator", Password and Directory "<Friendly Name>".
Put in the ESM administrator password and get "The application has
experienced an unrecoverable error. Shutting down". Event viewer error
for this says:
Exception Type: Senforce.PolicyEditor.Bll.FatalErrorException
Message: Could not communicate with the Management Server Database.
Application must shut down.
TargetSite: Void btnOkay_Click(System.Object, System.EventArgs)
HelpLink: NULL
Source: PolicyEditor

If I use the LDAP credentials for the ZenESM eDirectory user I get "Logon
not permitted". This leads me to believe that I need an account called
Administrator in the eDirectory tree with the same password as the local
administrator account on the Windows 2003 server. I'm going to try this
and I'll let you know.

Cheers,
Kirk

Anonymous_User Absent Member.

Re: Authenticating Directories

Kirk,

okey dokey

--

Shaun Pond


Anonymous_User Absent Member.

Re: Authenticating Directories

OK! Got it to work. I have not tried all the permutations.
For eDirectory as the Authenticating Directory; Logged onto the server as
Administrator on the local W2k3 server and Administrator.Org for
eDirectory via Novell Client. Launched ESM Management Console and
configured Authenticating Directories to use same cn=administrator,o=org
credentials pointing to IP address of server that DOES NOT REQUIRE TLS for
simple binds with passwords, deselected the "Secure authentication"
checkbox, manually added the Tree name after the successful test of
authentication and saved the settings. Next launched the Console and got
the login dialog box with "Administrator" filled in already and the
friendly name of the eDirectory tree previously saved. This is where I
went wrong and got "Account not found"! I had to use the
cn=administrator,o=org style credentials to login to the management
console. BTW, there is only room for 34 characters in the LDAP field for
the user. Suggest increasing this to support a deeper OU structure. Pages
42 and 43 of the Install guide need reworking to clarify what is really
required.

Cheers,
Kirk

Anonymous_User Absent Member.

Re: Authenticating Directories

Kirk,

Thanks - I've passed those comments on to the SENforce guys.

--

Shaun Pond


Anonymous_User Absent Member.

Re: Authenticating Directories

Kirk,

And the reply was "We are one step ahead of Kirk's suggestions. I have
tested a dev build with everything he has asked and that works."
They're also updating the docs now.

--

Shaun Pond


Todd3 Absent Member.

Re: Authenticating Directories

Kirk,

I would be happy to assist you. I am a ZESM expert.

Please contact me.

Thanks,

tcrane@novell.com