2.4 Authenticating to an EBA-Enabled eDirectory Server

To access an EBA-enabled eDirectory from an EBA-enabled iManager, the EBA CA certificate must reside in the EBA trusted certificate store of iManager. The .eba.p12 file contains the EBA CA certificate of the tree. To download the EBA CA certificate to the computer running iManager, use ebaclientinit, a command line utility bundled in the iManager installation package.

When you run ebaclientinit, the utility generates an .eba.p12 file for a particular user and a particular tree. This file is hidden and resides in the user's home directory ($HOME) on Linux and in the user's profile directory (%USERPROFILE%) on Windows.

IMPORTANT: EBA requires that the time is synchronized on all EBA-enabled servers and clients in your eDirectory environment. If you do not synchronize the time, EBA might not function properly.

The following table lists the command line options available with the ebaclientinit utility:

Command Line Option   Description
--user-dn             DN of the user in dot format.
--password            Password of the EBA-enabled user.
--address             Address of an NCP server in the tree. The syntax is <IP address>:<port>.

For example:

ebaclientinit --mechanism ebatls --user-dn john.foo.org --password p@$$w0rd --address 111.111.11.1:524

Depending on your platform, run ebaclientinit by using one of the following methods:

Linux: iManager runs as the novlwww user on Linux. Therefore, run ebaclientinit as the novlwww user by using this command:

sudo -u novlwww -H LD_LIBRARY_PATH=/var/opt/novell/iManager/nps/WEB-INF/bin/linux /var/opt/novell/iManager/nps/WEB-INF/bin/linux/ebaclientinit --mechanism ebatls

Windows: Perform the following actions:

  1. Log in to iManager as any user other than the System user.

  2. Run the following command:

    C:\Program Files\Novell\Tomcat\webapps\nps\WEBINF\bin\windows\ebaclientinit.exe --mechanism ebatls

    This places the .eba.p12 file in the user's home directory.

  3. Copy the .eba.p12 file to C:\Windows\System32\config\systemprofile.

    This step is necessary because iManager runs as the System user on Windows.

Alternatively, you can run ebaclientinit as the System user by using the psexec tool:

  1. Download the psexec tool from the Microsoft Download page.

  2. From the command prompt, navigate to the directory containing psexec and run the following command:

    psexec -i -s -d cmd

  3. In the command prompt that opens, run ebaclientinit by using the following command:

    C:\Windows\system32> C:\Program Files\Novell\Tomcat\webapps\nps\WEBINF\bin\windows\ebaclientinit.exe --mechanism ebatls
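The procedure above boils down to three checks that are easy to get wrong: the tool must run with the options from the table, the resulting .eba.p12 must end up in the home or profile directory of the account iManager actually runs as (novlwww on Linux, SYSTEM and therefore systemprofile on Windows), and that file, being the trust anchor for the tree, must not be writable by anyone else. The following script is an added example and is not NetIQ's code; it assumes only what the page states about ebaclientinit's options, its output location, and the iManager service accounts. The function names (build_command, expected_store_path, check_store, run_ebaclientinit) and the use of the pwd module to find novlwww's home directory are this example's own.

```python
"""Stage and verify the EBA trust store (.eba.p12) for the iManager service account.

Added example (not NetIQ code). Assumptions, taken from the procedure above:
  - ebaclientinit accepts --mechanism, --user-dn, --password and --address and
    writes .eba.p12 into the invoking user's $HOME (Linux) or %USERPROFILE%
    (Windows).
  - iManager runs as novlwww on Linux and as SYSTEM on Windows, whose profile
    directory is C:\\Windows\\System32\\config\\systemprofile.
The function and variable names below are this example's own.
"""
import os
import platform
import stat
import subprocess
from pathlib import Path, PurePosixPath, PureWindowsPath

LINUX_BIN_DIR = "/var/opt/novell/iManager/nps/WEB-INF/bin/linux"
LINUX_TOOL = LINUX_BIN_DIR + "/ebaclientinit"
WINDOWS_TOOL = r"C:\Program Files\Novell\Tomcat\webapps\nps\WEBINF\bin\windows\ebaclientinit.exe"
WINDOWS_SYSTEM_PROFILE = r"C:\Windows\System32\config\systemprofile"
IMANAGER_LINUX_USER = "novlwww"
STORE_NAME = ".eba.p12"


def build_command(user_dn, password, address, system=None, mechanism="ebatls"):
    """Return the argv list that runs ebaclientinit as the iManager account.

    The password goes on the command line because that is the documented
    interface; hand the list straight to subprocess (no shell) so it is not
    written to shell history. It is still visible in the process list while
    the tool runs, so run this from an interactive admin session.
    """
    system = system or platform.system()
    args = ["--mechanism", mechanism, "--user-dn", user_dn,
            "--password", password, "--address", address]
    if system == "Linux":
        # Same shape as the documented sudo invocation: -H sets HOME to the
        # novlwww home directory, so the store lands where iManager looks for it.
        return ["sudo", "-u", IMANAGER_LINUX_USER, "-H",
                "LD_LIBRARY_PATH=" + LINUX_BIN_DIR, LINUX_TOOL] + args
    if system == "Windows":
        return [WINDOWS_TOOL] + args
    raise ValueError("unsupported platform: " + system)


def expected_store_path(system=None, home=None):
    """Path where the iManager service account will look for the trust store."""
    system = system or platform.system()
    if system == "Linux":
        if home is None:
            import pwd  # POSIX-only module, hence the local import
            home = pwd.getpwnam(IMANAGER_LINUX_USER).pw_dir
        return PurePosixPath(home) / STORE_NAME
    if system == "Windows":
        # iManager runs as SYSTEM, so the file has to be copied into systemprofile.
        return PureWindowsPath(home or WINDOWS_SYSTEM_PROFILE) / STORE_NAME
    raise ValueError("unsupported platform: " + system)


def check_store(path):
    """Return a list of problems with a staged .eba.p12 (empty list means OK).

    The file is a trust anchor: whoever can replace it can make iManager trust
    a different EBA CA, so group/world write access is reported as a problem.
    """
    p = Path(path)
    if not p.exists():
        return ["missing: " + str(p)]
    problems = []
    if not p.is_file():
        problems.append("not a regular file")
    st = p.stat()
    if st.st_size == 0:
        problems.append("empty file")
    if os.name == "posix" and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group/others (mode %o)" % stat.S_IMODE(st.st_mode))
    return problems


def run_ebaclientinit(argv):
    """Run the tool without a shell; raises CalledProcessError if it fails."""
    return subprocess.run(argv, check=True).returncode


if __name__ == "__main__":
    # User DN and address are the page's own example values; the password is
    # read from a prompt rather than stored in the script.
    import getpass
    argv = build_command("john.foo.org", getpass.getpass("EBA user password: "),
                         "111.111.11.1:524")
    run_ebaclientinit(argv)
    for problem in check_store(expected_store_path()):
        print("WARNING:", problem)
```

On Windows, run the script from the psexec-launched System command prompt so that expected_store_path() and the file ebaclientinit writes agree; on Linux, the sudo -H invocation already places the file in the novlwww home directory, and check_store only confirms it is there and not writable by other accounts.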

NOTE: If iManager does not find the EBA CA certificate for the tree in the .eba.p12 file, or if the .eba.p12 file is not present, the EBA plug-in of iManager prompts you for the sadmin credentials of the server acting as EBA CA. However, NetIQ does not recommend using sadmin.