Novell SSO LDAP extension--Novell-proprietary extension limited info



Solution

Overview

Blue Coat is using a Novell-proprietary extension to monitor events. Because this extension is proprietary, there is only limited documentation from Novell.

Blue Coat ships the Novell LDAP SDK binaries with BCAAA. BCAAA invokes the LDAP extension by calling ldap_monitor_events_filtered, which is implemented in Novell's ldapx.dll library.

This extension uses one or more of the following LDAP OIDs (from Novell's ldapx.h header):

#define NLDAP_MONITOR_EVENTS_REQUEST        "2.16.840.1.113719.1.27.100.79"
#define NLDAP_MONITOR_EVENTS_RESPONSE        "2.16.840.1.113719.1.27.100.80"
#define NLDAP_EVENT_NOTIFICATION        "2.16.840.1.113719.1.27.100.81"
#define NLDAP_FILTERED_MONITOR_EVENTS_REQUEST    "2.16.840.1.113719.1.27.100.84"

If you take a pcap of an unencrypted connection, one or more of these OIDs will be visible on the wire. However, there is no documentation on the data fields that this extension sends on the wire.

The customer already has this extension: it is part of a base eDirectory installation. The server end of the extension is implemented in the ldapxs library (C:\Novell\NDS\ldapxs.dll on a standard Windows box).

It is good practice to make sure the customer has the latest eDirectory patches, which address known memory leaks. One way to find out whether eDirectory is running out of memory is to enable the LDAP options in DSTrace. (The trace options for LDAP have to be enabled both in iManager/iMonitor and in DSTrace.) If eDirectory is running out of memory, LDAP will report failed memory allocations. For how to run DSTrace for LDAP, see:
http://support.novell.com/docs/Tids/Solutions/10062292.html

You also need to find out how the customer's tree is partitioned. The documentation on this LDAP extension is limited. However, based on the eDirectory architecture, BCAAA has to be monitoring a server that holds a replica containing the user object in order to receive login and logout notifications. BCAAA is actually monitoring for changes to the user's networkAddress attribute; if the server does not hold a replica of the user's partition, the server is not notified when this attribute changes. If the customer has partitioned their tree, they might need to be monitoring more than one server. See details in the Blue Coat Configuration and Management Guide:
Chapter 14: Novell Single Sign-on Authentication and Authorization
About Novell SSO Realms

More info on the LDAP extension is below.
Section 1.7.1 in the link below contains an overview of how this extension works:
http://developer.novell.com/documentation/cldap/ldaplibc/index.html?page=/documentation/cldap/ldaplibc/data/ag7cvjp.html

Here is Novell's documentation for the API that Blue Coat uses to invoke the extension:
http://developer.novell.com/documentation/cldap/ldaplibc/index.html?page=/documentation/cldap/ldaplibc/data/ak7dhv3.html


InQuira Doc Id      FAQ910
First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Product      ProxySG
Software      SGOS 4, SGOS 5, SGOS 6
Topic      Authentication, BCAAA
Article Number      000012509