NetIQ LDAP Proxy 1.5 for Linux

June 2014

1.0 Documentation

LDAP Proxy 1.5 is a powerful application that acts as a middleware layer between LDAP clients and LDAP directory servers. The benefits of using this proxy server include enhanced security, scalability, high availability, and direct access control to directory services.

For a full list of all issues resolved in LDAP Proxy 1.5, refer to TID 7016328, “History of Issues Resolved in LDAP Proxy 1.5”.

For information about what’s new in previous releases, see the “Previous Releases” section in the LDAP Proxy Documentation Web site.

To download this product, see the NetIQ Downloads Web site. For more information about LDAP Proxy, see the LDAP Proxy Documentation Web site.

For information about services and components bundled with LDAP Proxy 1.5, see Section 4.0, Additional Documentation.

2.0 Installation

2.1 System Requirements

Ensure that you have the following operating system and hardware requirements for installing the LDAP Proxy:

Operating Systems Requirements

Install the LDAP Proxy Server and NLPManager on the following 64-bit operating systems:

    • SUSE Linux Enterprise Server (SLES) 11 SP3

    • Red Hat Enterprise Linux (RHEL) 6.5

Hardware Requirements

Ensure that you have the following resource requirements to install and configure the LDAP Proxy Server and the NLPManager:

  • For LDAP Proxy Server:

    • A minimum of 128 MB of RAM

    • A minimum of 30 MB of disk space

  • For NLPManager:

    • A minimum of 1 GB RAM

    • A minimum of 256 MB disk space

    IMPORTANT: You must install the libstdc++.so.5 and libstdc++.so.6 libraries on your system before installing LDAP Proxy.

2.2 Installing the LDAP Proxy

Use the nlp-install command in the ldapproxy directory for installing the NetIQ LDAP Proxy:

./nlp-install

For more information about how to install NetIQ LDAP Proxy, refer to the NetIQ LDAP Proxy 1.5 Installation Guide.

2.3 Installing NLPManager

You can download NetIQ NLPManager from the NetIQ Downloads.

For more information about how to install NLPManager, refer to the NetIQ LDAP Proxy 1.5 Administration Guide.

3.0 Known Issues

3.1 Unable to Block Search Selection Attribute

If you have configured the proxy to allow a specific search selection attribute, and a client lists that attribute together with restricted attributes in one request, the search results also contain the restricted attributes. For example, the policy-search-request node below is configured to allow only cn as a search selection attribute. A search request with the selection attribute sn alone is rejected. However, a search request with the search selection attribute list cn sn returns the values of sn as well.

<policy-connection-route id-policy="multi-value RDNs">
  <rule>
    <conditions>
      <or>
        <if-bind-dn op="equal">cn=john+uid=3517,ou=eng_dept1,o=my_company</if-bind-dn>
        <if-bind-dn op="equal">uid=3517+cn=john,ou=eng_dept1,o=my_company</if-bind-dn>
      </or>
    </conditions>
    <actions>
      <do-deny/>
    </actions>
    <actions-default>
      <do-nothing/>
    </actions-default>
  </rule>
</policy-connection-route>

<policy-search-request id-policy="testing738911" disabled="false">
  <description>search restriction operation to test if-srch-selection-attr case-ignore equals cn</description>
  <rule>
    <conditions>
      <if-srch-selection-attr op="not-equal" match="case-ignore">cn</if-srch-selection-attr>
    </conditions>
    <actions>
      <do-deny/>
    </actions>
    <actions-default>
      <do-allow/>
    </actions-default>
  </rule>
</policy-search-request>
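Because the proxy lets restricted attributes through when they are requested alongside an allowed one, the practical check is to run ldapsearch through the proxy with a combined selection list (for example cn sn) and inspect what comes back. The script below is an added example, not part of the LDAP Proxy product or its documentation: it parses ldapsearch LDIF output, reports any attribute outside the allow list per entry, and also shows the per-attribute decision the policy above is meant to express. The LDIF is constructed sample data; the allow list is an assumption matching the policy in the text.

```python
"""Check ldapsearch output for attributes a selection policy should have withheld.

Added example; not code from NetIQ LDAP Proxy. Assumes the administrator ran
ldapsearch through the proxy with a selection list such as "cn sn" and saved
the LDIF output. SAMPLE_LDIF below is constructed for offline use.
"""
import base64
import re

# Constructed sample output, as ldapsearch would print it through the proxy.
SAMPLE_LDIF = """\
dn: cn=john+uid=3517,ou=eng_dept1,o=my_company
cn: john
sn: Doe
uid: 3517

dn: cn=mary,ou=eng_dept1,o=my_company
cn: mary
sn: Smith
"""

_LINE = re.compile(r"^([A-Za-z0-9.;-]+)(::?) ?(.*)$")


def parse_ldif(text):
    """Return [(dn, {attr: [values]})] for each entry in LDIF text.

    Unfolds continuation lines (leading space) and decodes 'attr:: base64'
    values; attribute names are lower-cased for case-insensitive comparison.
    """
    entries = []
    unfolded = re.sub(r"\n ", "", text)
    for block in unfolded.split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            m = _LINE.match(line)
            if not m or line.startswith("#"):
                continue
            name, sep, value = m.groups()
            value = value.strip()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def find_leaked_attributes(entries, allowed):
    """Return {dn: [attribute names]} for entries carrying attributes that are
    not on the allow list (attribute options such as ';binary' are ignored)."""
    allowed_l = {a.lower() for a in allowed}
    leaks = {}
    for dn, attrs in entries:
        extra = sorted(a for a in attrs if a.split(";")[0] not in allowed_l)
        if extra:
            leaks[dn] = extra
    return leaks


def selection_is_allowed(selection, allowed):
    """Per-attribute allow-list decision: every requested attribute must be
    allowed. With allowed=["cn"], ["cn", "sn"] is rejected, which is the
    behaviour the policy in the text intends."""
    allowed_l = {a.lower() for a in allowed}
    return all(a.lower() in allowed_l for a in selection)


if __name__ == "__main__":
    # Usage: python3 check_leaks.py < output.ldif  (here: the constructed sample)
    for dn, extra in find_leaked_attributes(parse_ldif(SAMPLE_LDIF), ["cn"]).items():
        print(f"{dn}: restricted attributes returned: {', '.join(extra)}")
```

Run it against real output by replacing SAMPLE_LDIF with the captured file; an empty report means the proxy withheld everything outside the allow list for that query.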

3.2 Using SSL Clients When There are Many Incoming Connections

If the connection between the proxy and the backend server is configured for SSL, the performance of the proxy server could potentially degrade if the number of incoming connections is high.

3.3 Using a Connection Pool

When a connection pool is enabled, the LDAP Proxy sends an anonymous bind request to the backend server to nullify the connection identity. If the backend server is not configured for anonymous bind, the connection pool feature does not work.

For the connection pool feature to work, anonymous bind must be enabled on the backend server.
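Before enabling the connection pool, it is worth confirming that the backend actually accepts an anonymous simple bind, since the proxy relies on one to reset the connection identity. The script below is an added example, not code from NetIQ LDAP Proxy: it builds the LDAP v3 BindRequest for an empty DN and empty password by hand (BER encoding per RFC 4511), sends it, and reads the result code from the BindResponse. The host and port arguments are assumptions; the response bytes used in the self-test are constructed.

```python
"""Probe whether an LDAP server accepts an anonymous simple bind.

Added example; not NetIQ LDAP Proxy code. Message IDs below 128 are assumed
so that the messageID INTEGER fits in one byte.
"""
import socket


def ber_length(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    """Tag-length-value wrapper for a single-byte tag."""
    return bytes([tag]) + ber_length(len(content)) + content


def encode_anonymous_bind(message_id=1):
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }.

    BindRequest is [APPLICATION 0] (0x60); simple auth is context tag [0] (0x80).
    """
    bind = ber_tlv(0x60, ber_tlv(0x02, b"\x03") + ber_tlv(0x04, b"") + ber_tlv(0x80, b""))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + bind)


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_result(data):
    """Extract (resultCode, diagnosticMessage) from a BindResponse ([APPLICATION 1], 0x61)."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg, 0)                # messageID
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = _read_tlv(resp, 0)            # resultCode ENUMERATED
    _, _, pos = _read_tlv(resp, pos)             # matchedDN
    _, diag, _ = _read_tlv(resp, pos)            # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def anonymous_bind_accepted(host, port=389, timeout=5.0):
    """Send one anonymous bind and report (accepted, resultCode, diagnostic).

    A single recv() is enough for the short BindResponse on a clear-text port;
    the proxy's own backend connection may use SSL, in which case wrap the
    socket with ssl.create_default_context() before sending.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(encode_anonymous_bind())
        data = s.recv(4096)
    code, diag = parse_bind_result(data)
    return code == 0, code, diag


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "backend.example.invalid"  # placeholder
    ok, code, diag = anonymous_bind_accepted(host)
    print("anonymous bind accepted" if ok else f"refused: resultCode={code} {diag!r}")
```

Result code 0 means the pool's identity reset will work; a non-zero code (for example inappropriateAuthentication, 48) means the backend's anonymous bind must be enabled first, exactly as the note above states.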

3.4 NLPManager Throws a NullPointerException Error

In certain cases, in NLPManager, when you try to close multiple instances of the Listeners, Backend servers, or Backend Server Groups tabs in the editor pane, the application throws the NullPointerException error. It is safe to ignore this exception because it does not cause any loss of functionality.

3.5 NLPManager Throws an Application Error

In certain cases, NLPManager throws an application error when you launch and close the application for the first time. This error is displayed in the Error Log tab when you launch the application again. The error does not occur subsequently and does not affect the functionality of the application. You can either delete the error from the error log or ignore it.

3.6 Launching NLPManager on Another Linux System

NLPManager throws an application error message indicating Error Line : org.eclipse.swt.SWTError: No more handles [gtk_init_check() failed] when you log in to another Linux system and launch NLPManager without the -X option. This is an informational error that can be ignored.

However, you must always use the -X option while logging in to another Linux system where NLPManager is installed.

3.7 Handling a Start TLS Extended Request

When the LDAP Proxy receives a Start TLS extended request, it forwards the request to the backend server. Any Start TLS error from the backend server is ignored.

3.8 Starting NLPManager on RHEL

When you try to start NLPManager on RHEL, an error message indicating “Cannot restore segment prot after reloc: Permission denied” appears.

This is caused by the SELinux security extension. SELinux is active in the newer Linux distributions with 2.6 kernels. It changes some default system behavior, including shared library loading.

To temporarily disable enforcement on a running system, run the following command:

/usr/sbin/setenforce 0

To permanently disable enforcement during a system startup:

Set SELINUX=disabled in /etc/selinux/config and reboot the machine.

3.9 Disabled Policies Are Processed

The LDAP Proxy processes disabled policies without checking their disabled status.

3.10 The Search Base Is Not Modified in the LDAPSearch Response

The Search Request policy does not change the requested search base in the LDAP search response.

To modify the search base, use the Replace String policy.

3.11 The Schema Map Policy Does Not Map the Attribute Values

The Schema Map policy maps only the DN and the attribute names of the attributes it is mapping.

3.12 The String Replacement Policy Does Not Replace the Object Identifiers by the Attribute Types

The String Replacement policy does not map the object identifiers with the corresponding attribute types.

To resolve this issue, configure a different replacement pattern in the String Replacement policy.

To replace o=organization with o=example, you can add an extra pattern with object identifiers. For example, you can change 2.5.4.10=organization to 2.5.4.10=example.

<replace>
  <from>o=organization</from>
  <to>o=example</to>
</replace>
<replace>
  <from>2.5.4.10=organization</from>
  <to>2.5.4.10=example</to>
</replace>
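The same DN can be spelled several ways on the wire: an attribute type as its OID (2.5.4.10 for o) as in this section, or the components of a multi-valued RDN in either order as in the connection route policy in Section 3.1, which has to list both cn=john+uid=3517 and uid=3517+cn=john. A policy that matches the raw string needs one pattern per spelling. The following is an added example, not NetIQ code, showing the normalization step the proxy lacks: map OIDs to short attribute types, lower-case the types, sort the components of each multi-valued RDN, and only then apply the replacement or the bind-DN comparison. The OID table is a subset of the standard X.500 attribute OIDs; the function names are illustrative. Attribute values are left as they are, so value case still has to be handled by a case-ignore match.

```python
"""Normalize DNs before string replacement or bind-DN comparison.

Added example; not NetIQ LDAP Proxy code. Covers the OID form from
Section 3.12 and the multi-valued RDN orderings from Section 3.1.
"""

# Subset of the standard X.500/RFC 4519 attribute type OIDs.
ATTRIBUTE_TYPE_OIDS = {
    "2.5.4.3": "cn",
    "2.5.4.4": "sn",
    "2.5.4.6": "c",
    "2.5.4.10": "o",
    "2.5.4.11": "ou",
    "0.9.2342.19200300.100.1.1": "uid",
}


def _split_unescaped(s, sep):
    """Split s on sep, leaving backslash-escaped characters (e.g. '\\,') intact."""
    parts, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def normalize_dn(dn):
    """Canonical spelling: OIDs replaced by short types, types lower-cased,
    multi-valued RDN components sorted. Values are kept as written."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr, _, value = ava.partition("=")
            attr = attr.strip().lower()
            attr = ATTRIBUTE_TYPE_OIDS.get(attr, attr)
            avas.append(f"{attr}={value.strip()}")
        rdns.append("+".join(sorted(avas)))
    return ",".join(rdns)


def dn_equal(a, b):
    """Order- and OID-insensitive comparison, so one bind-DN condition covers
    both orderings listed in the Section 3.1 policy."""
    return normalize_dn(a) == normalize_dn(b)


def apply_replacements(dn, patterns):
    """Apply (from, to) RDN patterns to a DN after normalizing both sides, so a
    single 'o=organization' pattern also catches '2.5.4.10=organization'.
    Patterns match whole RDNs rather than arbitrary substrings."""
    table = {normalize_dn(src): normalize_dn(dst) for src, dst in patterns}
    rdns = _split_unescaped(normalize_dn(dn), ",")
    return ",".join(table.get(rdn, rdn) for rdn in rdns)


if __name__ == "__main__":
    pats = [("o=organization", "o=example")]
    for dn in ("cn=john,o=organization", "cn=john,2.5.4.10=organization"):
        print(dn, "->", apply_replacements(dn, pats))
```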

3.13 Configuring a Search Policy for op="show-only" Containers

The filter is not replaced if a search policy is configured for op="show-only" containers. The Replace String policy does not use the filter that is internally created by the Restrict View to query the LDAP server. The attribute values in the filter created by the Restrict View policy are not replaced.

To work around this issue, configure the Restrict View policy to use the actual DNs present in the LDAP server.

3.14 Listener Issues

Using the Same Listener Name in the NLPManager

In the NLPManager, the LDAP Proxy does not check for the existing listener names. It allows users to use the same name for more than one listener.

Using an Empty Listener Name

The LDAP Proxy allows empty listener names. If you specify a name for a listener that was saved earlier with an empty name, the new value is not accepted. The listener name field remains empty.

To work around this issue, manually add the listener name value in the configuration file.

3.15 LDAP Proxy Binds to the Same Server Again After Receiving Server Information from modDNcache

While performing a search operation, if the URL of the server returned by modDNcache and the URL of the server on which the bind occurred are the same, the LDAP Proxy rebinds to the same server.

3.16 The ldapsearch Operation on Proxy Hangs if the Backend Server is Configured on Clear Text Port

The startTLS request fails and the LDAP Proxy hangs when an LDAP Proxy listener is configured on a clear text port with a certificate, the backend server is configured on a non-SSL port, and the server certificate is not present in the /etc/opt/novell/ldapproxy/conf/ssl/trustedcert folder.

4.0 Additional Documentation

4.1 NLP Manager

For information about NLP Manager, refer to the NetIQ LDAP Proxy 1.5 Administration Guide.

4.2 Certificate Server

For Certificate Server information, refer to the Certificate Server online documentation.

4.3 NICI 2.7.7

For NICI information, refer to the NICI online documentation.

5.0 Legal Notices

NetIQ Corporation has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more U.S. patents and one or more additional patents or pending patent applications in the U.S. and in other countries.

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

© 2014 NetIQ Corporation. All Rights Reserved.

For information about NetIQ trademarks, see http://www.netiq.com/company/legal/.