Issue
How do I use Novell NDS with Mirapoint software?
Solution
Managing Novell NDS
There are several applications available for managing Novell content and topology. For managing topology and infrastructure, NDS Manager is useful, with its interface for creating directory partitions and replication agreements. ConsoleOne is good for managing database content; it facilitates schema administration and NDS-to-LDAP class and attribute mappings.
About the Schema
For the most part, Novell NDS is Mirapoint-ready out of the box. The built-in NDS schema contains attribute and class extensions for Netscape Messaging Server. These extensions have an NSCP prefix and are roughly equivalent to the Netscape mail schema extension. For example, these NDS and Netscape attributes are equivalent:
NSCP:MailRecipient = mailRecipient
NSCP:MailRecipient is an auxiliary class and cannot be used to create new entries. Auxiliary classes only make it possible to add one or more attributes to an existing entry. The NSCP:MailRecipient class is defined as follows:
The allowable attributes in the NDS definition differ only slightly from those in the Netscape definition. NDS lacks an attribute that corresponds to multiLineDescription.
It is important to note that LDAP mappings are simply pointers to the actual attribute type used internally by NDS. The full list of Netscape to NDS mappings can be found on the properties page of the ldapGroup object, a special entry that is created during installation and holds information about schema mappings, referral handling and authentication methods.
In Release 2.7, all directory accesses except verification of user credentials are performed anonymously by a query agent on behalf of the requesting subsystem (SMTP, POP, IMAP, or Webmail); user credentials are verified with an LDAP bind request. Consequently, all information the query agent needs to accomplish routing, switched logins, and so forth must be readable by everyone. That is, the attributes must be defined with the publicly readable flag set.
The directory information requested by the Mirapoint query agent is used to construct what is called a user mail profile. This profile includes the user's published (or public) email address, the name of the system that holds the user's mailbox, and the addresses used internally to route the user's email to the location from which it can be retrieved. These attributes are specified using the Ldap Setquery command and are mapped internally to objects used by the Mirapoint query agent. For example, the following commands create mappings between the query object used by the Mirapoint query agent and the attribute name as known to the directory:
Ldap Setquery user:Mailhost BaseDN filter mailhost ""
Ldap Setquery user:Routingaddr BaseDN filter mailroutingaddress ""
Ldap Setquery user:Publishedname BaseDN filter mail ""
Ldap Setquery user:Quota BaseDN filter mailquota ""
The penultimate argument names the directory attribute. The mailhost, mailroutingaddress, mailquota, and mail attributes must all be publicly readable[1] so that Mirapoint software can construct a complete mail profile that can be used immediately and stored in system memory for later use. Publicly readable means the attributes are viewable by all clients, whether they bind anonymously or otherwise.
In NDS, the NSCP:AMailHost, NSCP:MailRoutingAddress, and NSCP:MailQuota attributes are not publicly readable, and are therefore not eligible for mapping and use by Mirapoint software. Instead, you should redefine LDAP mappings as follows:
- Extend the schema by creating new publicly readable attributes and the auxiliary class to hold them
- Redefine corresponding attribute mappings to point at newly created attributes, and remap mailRecipient to point at the newly created auxiliary class.
The above recommendation is detailed in the two sections below.
Extending the Schema
To extend the LDAP schema in NDS, follow these steps:
- From ConsoleOne, select Tools > Schema Manager.
- Select the Attribute tab and click Create.
- When the Create Attribute Schema wizard appears, click Next on the Start page.
You are asked for an attribute name and attribute OID. The following table gives specific information about the new attributes:
Once you have created the above attributes, also create the MI:MailRecipient NDS class extension.
Redefining Attribute and Class Mappings
To redefine attribute mappings and the auxiliary class, follow these steps:
- In ConsoleOne, double-click the LDAP Group object in the current Administrative area. From the properties page select the Attribute Map tab.
- Find the Attribute mappings for mailhost, mailroutingaddress and mailquota. Click Delete from the side panel. This does not delete the schema extensions, only the mapping.
- For each of the attributes created in the first step, click the Add button on the side panel and map the Mirapoint NDS extension to the attribute maps deleted in the previous step.
- Select the Class Map tab on the LDAP Group properties page. Delete the mailRecipient Mapping and create a new mapping between the MI:MirapointPerson NDS Class and the mailRecipient LDAP Class.
Novell users can now be created using the built-in user metaClass definition and the Mirapoint schema extensions, either through ConsoleOne or programmatically using the LDAP API. Entries take the following form:
dn: uid=x, _dnbase_
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: ndsLoginProperties [2]
objectclass: mirapointPerson
cn: name
sn: surname
mail: user@domain
mailhost: hostname
mailroutingaddress: address
uid: uid
userPassword: password
mailquota: quota
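The following is an added illustration, not Mirapoint or Novell code: it models how the Ldap Setquery mappings above turn an anonymous search result into a mail profile, reports which profile fields cannot be filled because the mapped attribute was not returned (the symptom of an attribute that is not publicly readable), and checks an entry of the form just shown against note [2]. The entry values, the suffix o=Example and the user jdoe are constructed.

```python
# Added illustration of the query-agent mapping; not Mirapoint or Novell code.
SETQUERY_MAP = {                      # query object -> directory attribute
    "user:Mailhost": "mailhost",
    "user:Routingaddr": "mailroutingaddress",
    "user:Publishedname": "mail",
    "user:Quota": "mailquota",
}

# Constructed sample: what an anonymous search returns while mailquota is
# still mapped to the non-public NSCP:MailQuota attribute (so it is absent).
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,o=Example
objectclass: person
objectclass: inetOrgPerson
objectclass: mirapointPerson
cn: Jane Doe
uid: jdoe
mail: jdoe@example.com
mailhost: mail1.example.com
mailroutingaddress: jdoe@mail1.example.com
"""

def parse_ldif_entry(text):
    """Parse one plain (non-base64) LDIF entry into {attr_lower: [values]}."""
    attrs = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def build_mail_profile(attrs):
    """Return (profile, missing). 'missing' lists query objects whose attribute
    the anonymous search did not return, i.e. it is not publicly readable."""
    profile, missing = {}, []
    for query_obj, attr in SETQUERY_MAP.items():
        values = attrs.get(attr)
        if values:
            profile[query_obj] = values[0]
        else:
            missing.append(query_obj)
    return profile, missing

def entry_creation_warnings(attrs):
    """Checks for an entry about to be created (see note [2] on the page)."""
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    warnings = []
    if "ndsloginproperties" in classes:
        warnings.append("ndsLoginProperties is inserted by NDS; do not add it")
    if "mirapointperson" not in classes:
        warnings.append("entry lacks the mirapointPerson auxiliary class")
    return warnings
```

Calling build_mail_profile(parse_ldif_entry(SAMPLE_LDIF)) fills the host, routing address and published name but reports user:Quota as missing, which is exactly what the query agent sees until mailquota is remapped to a publicly readable attribute.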
The Mirapoint OID for schema extensions is 1.3.6.1.4.1.3246.249.4 and includes the following sub-trees for NDS:
4.1 ldapNDS Attributes
4.2 ldapNDS ObjectClasses
4.3 ldapNDS Syntaxes
Notes:
[1] Future releases of Mirapoint software will include a mechanism to define non-anonymous credentials for communicating with the directory.
[2] The ndsLoginProperties class is an operational class used internally by Novell NDS to manage the user sessionObject. It is automatically inserted into all person entries. Do not add this class when creating entries.