By Girish Mutt
The main objective of this AppNote is to give you an overview of how you can configure and use the eDirectory with SecureLogin in a LDAP Failover deployment. As most of the deployments of NSL are deployed like this, this AppNote will help you to understand the detailed procedure to be followed for deploying NSL with eDirectory in LDAP Failover scenario.
Table of Contents
This AppNote covers all those aspects that allow you to configure and use eDirectory in LDAP Failover scenario with Novell SecureLogin (NSL). Novell SecureLogin is a Single Sign-On product that can be used with numerous Directory servers like Novell eDirectory, Microsoft AD and other LDAP Complaint directories. In a Customer deployment of NSL with eDirectory, it is very common to provide High Availability for eDirectory in a Failover scenario. This can be achieved by configuring eDirectory for LDAP Failover deployment. The most common of such deployments include having a Single Tree of Novell eDirectory with two servers under same tree. In this case when the master server goes down, the Failover server can be used with NSL to have High Availability. This AppNote is intended to cover all those aspects in terms of eDirectory configuration, NSL configuration for LDAP Failover.
This article covers the following:
In a typical customer deployment, eDirectory is used with High Availability where in under a Single Tree will have multiple servers to support failover. When the primary server goes down, the secondary failover server will take up the load and provide High Availability for eDirectory service dependent applications. This feature of eDirectory can be utilized with the NSL in a simple and easy manner. For NSL to work in a Failover scenario, eDirectory should be configured with the following steps:
NSL can be used with eDirectory in Failover deployment only when you use it in LDAP modes. When you are using NSL in LDAP Mode, you will be specifying the LDAP Server IP-address and the LDAP port for the secured connection to eDirectory during installation. When deployment of eDirectory has a LDAP Failover server configured , we need to take care of providing the LDAP Failover server details to NSL to be able to have High Availability for eDirectory server. This can be easily achieved by adding the details of LDAP Failover server IP-Address along with secure port details to a location which NSL can read and use.
NSL always stores the LDAP Server details in Windows registry : My Computer\ HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\Servers. When you install NSL in any LDAP Modes, NSL will create registry entry “server1” of type multi string value ( MULTI_REG_SZ) which will have the default value which is IP-Address of eDirectory server along with port provided during installation.
Figure 1: LDAP Server IP-Address of Primary eDirectory Server provided during installation.
For NSL to work in LDAP Failover scenario, you should add one more registry “server2” entry of type multi string value ( MULTI_REG_SZ) along with IP-Address of Failover server and the secure port configured for secure LDAP connection on that server. Once you are done with this when you use NSL in LDAP Modes when primary LDAP server is not accessible , NSL will automatically pick the IP-address of Failover server to authenticate with eDirectory and access credentials of NSL for that user. In this way user will be able to experience High Availability of eDirectory server when primary server goes down by authenticating against Failover LDAP Server in that same tree.
Figure 2: Failover server eDirectory Server IP-Address added to have High Availability with NSL.
NSL can be used with eDirectory in LDAP Failover scenario in following modes:
While using NSL in all LDAP Modes with eDirectory.(GINA Mode, Credential Manager Mode and Application Mode)
While using NSL in LDAP Credential Manager Mode and Application Mode when Novell Client is present on the workstation.
NSL – Novell SecureLogin
SSO- Single Sign On
LDAP- Lightweight Directory Access Protocol
GINA- Graphical Identification aNd Authentication
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.