From my LDAP-enabled iR, I cannot browse for names (CN property) as anonymous on Netware 5.x/6.x servers using LDAP. You can perhaps browse for an email address, but you cannot browse by name, and when you browse by email address the name field is not populated. When I browse a Windows server with LDAP, I have no issue.
2. Is this an issue?
First off, this is not a problem. It is a default security design.
The default anonymous LDAP browsing capabilities of our Windows 2000 server reveal a huge amount of data. The default anonymous LDAP browsing capabilities of our Netware 5 and 6 servers reveal much less data. Novell has chosen not to reveal the cn property to anonymous binds by default.
3. What can be done?
There are a few solutions: use authentication, assign the CN property, or create an LDAP proxy user.
Use authentication
One solution could be to use authentication by entering the credentials on the iR. This has the advantage of leaving what an anonymous bind can "see" untouched. It may not be wise to use the admin credentials; perhaps create a different user with a last name. Make this user a trustee of the container(s) you want them to be able to see, and authenticate using SSL with this user's credentials.
Assigning the CN property / Create an LDAP Proxy User
This link talks about two things: assigning the CN property to the Public object (a security risk, not recommended), and creating an LDAP proxy user. Novell's Technical Information Document TID 10068137 also talks about creating an LDAP proxy user. Let's explain the LDAP proxy user.
4. Creating an LDAP proxy user
A proxy user, called proxy for example, is created. This user is to have no password. This user is made a trustee of container(s), and finally this user is added to the LDAP group object. The documentation talks about making the proxy user a trustee of the root. Perhaps another, more secure way is to make the proxy user a trustee of only the organizational units that hold the users you want to query. It's really up to the Netware admin. Now anonymous binds include the CN property.
5. What about clear text passwords?
One can authenticate with LDAP using port 389 (unencrypted) or port 636 (encrypted using SSL).
Under Netware 5.1, the LDAP group object has a setting called "Allow clear text passwords". By default it is unchecked. Under Netware 6.0, the LDAP group object has a setting called "Require TLS for simple binds with password". By default it is checked. This means that by default, Netware 5.1 and 6 will not allow password authentication over the unencrypted port 389. A very good idea on behalf of Novell to force this.
If you choose to authenticate using LDAP with a password, this default Netware setting will not allow you to communicate over port 389. If you try, the error you get on the iR will be:
"No destination matching the specified search condition was found. Change the search condition or check settings"
Although this is the same error received if a working search fails, keep note of it in case this is the situation.
6. Can I disable port 389 altogether?
Yes. A setting called Disable TCP port will shut down this port. The iR will tell you this if you try to connect to the port while it is disabled:
"Cannot connect to the selected server. Check your settings"
Use SSL instead if this is the case.
7. Can I disable anonymous browsing?
Yes. eDirectory 8.7 and later extends the LDAP schema. It introduces an attribute called "ldapBindRestrictions". Using this attribute, you can disable anonymous binds completely. Please note that some applications that rely on anonymous binds may break.
8. What is the correct context for user?
Windows 2000 Server with Active Directory: windows domain name/windows user name, i.e. domain/user
Novell Netware 5.1 or later: add the corresponding object class (o, ou, c, cn) to each component and separate them by commas. I.e., if the distinguished name of the user katie is katie.it.engineering.nasa. then add this:
cn=katie,ou=it,ou=engineering,o=nasa
Lotus Notes Domino R5 or later: enter the dn (distinguished name) of the user, for example
"cn=admin","ou=team1"
or
"cn=admin","o=salesdept"
9. I need some links to some LDAP browsers
LDAP Browser/Editor is a great Java-based tool. Softerra's LDAP Browser is pretty cool as well.
If you find an error or wish to comment please let me know.