Ensure that the certificate service is installed on the directory server.
Export a copy of the server certificate file to a temporary location for deployment to user workstations.
When you export the certificate, select either DER encoded binary X.509 or Base-64 encoded X.509 as the encoding format; the LDAP client accepts no other format.
Manually change the certificate filename extension to .der or .b64, matching the encoding format you selected.
For details on the certificate service, refer to the documentation for the directory server you use.
By default, anonymous queries are not enabled on some of the directory servers (including Active Directory).
If you use Active Directory, make sure that you have set the Anonymous Login rights on the user container and that the settings have taken effect on all User objects within that container.
For more details, refer to AppNote: Configuring Active Directory to Allow Anonymous Queries for NSL LDAP Client.
The following are the minimum permissions that must be granted for Anonymous Login:

Table 9-2 Setting Permissions for Anonymous Login

| User Object | Permissions | Inheritance | Permission Type |
|---|---|---|---|
| ANONYMOUS LOGON | List Contents | This object and all child objects | Object |
| ANONYMOUS LOGON | Read name | This object and all child objects | Property |
| ANONYMOUS LOGON | Read Name | This object and all child objects | Property |
| ANONYMOUS LOGON | Read objectClass | This object and all child objects | Property |
Servers (except Active Directory): Extend the LDAP directory schema on every directory server other than Active Directory. While extending the LDAP schema, ensure that you have chosen the appropriate directory mode. For details, refer to Extending the Schema.
You must extend the LDAP schema on all servers that are to act as failover servers; a failover server with an unextended schema cannot serve the client.
Active Directory: Extend the Active Directory schema using the Active Directory-specific procedure.
Applying the generic LDAP directory schema extension to Active Directory can lead to an improper configuration that results in authentication failure.
Copy the server certificate file to your workstation.
Specify the certificate file path by adding the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP

Under this registry key, create the following value:

CertFilePath REG_SZ full_path_of_cert_file

The certificate filename extension must be either .der or .b64, as in the following examples:

| Name | Type | Data |
|---|---|---|
| CertFilePath | REG_SZ | C:\ad_cert.der |
| CertFilePath | REG_SZ | C:\ad_cert.b64 |
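The following PowerShell script is an added example, not part of the Novell documentation: it checks that the exported certificate file's content really is DER or Base-64 X.509, that the filename extension (.der or .b64) matches that encoding, that the file parses as a certificate and has not expired, and then writes the CertFilePath REG_SZ value under the registry key described above. The parameter name $CertPath and the console messages are this example's own choices.

```powershell
# Added example (not from the Novell documentation): validate an exported server
# certificate and register its path for the LDAP client. Assumes $CertPath
# points at the file produced by the export steps above.
param(
    [Parameter(Mandatory = $true)][string]$CertPath
)

$keyPath = 'HKLM:\SOFTWARE\Novell\Login\LDAP'   # HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP

if (-not (Test-Path -LiteralPath $CertPath)) {
    throw "Certificate file not found: $CertPath"
}

# Detect the encoding from the content rather than trusting the filename.
# DER begins with an ASN.1 SEQUENCE tag (0x30); a Base-64 X.509 export
# begins with the PEM header line.
$bytes = [System.IO.File]::ReadAllBytes($CertPath)
$head  = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(64, $bytes.Length))
if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) {
    $encoding = 'der'
} elseif ($head -match '-----BEGIN CERTIFICATE-----') {
    $encoding = 'b64'
} else {
    throw 'Unrecognized certificate encoding; export as DER or Base-64 X.509.'
}

# The client keys on the extension, so it must agree with the actual encoding.
$ext = [System.IO.Path]::GetExtension($CertPath).TrimStart('.').ToLowerInvariant()
if ($ext -ne $encoding) {
    throw "Extension .$ext does not match the detected encoding ($encoding); rename the file to .$encoding."
}

# Confirm the file parses as a certificate and is still valid before pointing the client at it.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
Write-Host "Subject : $($cert.Subject)"
Write-Host "Expires : $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)."
}

# Create the key if it does not exist and set CertFilePath as REG_SZ (String).
if (-not (Test-Path -LiteralPath $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
Set-ItemProperty -LiteralPath $keyPath -Name 'CertFilePath' -Value $CertPath -Type String
Write-Host "CertFilePath set to $CertPath under $keyPath"
```

Run the script from an elevated PowerShell session, since writing under HKEY_LOCAL_MACHINE requires administrative rights.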