FAQ

Novell SSO LDAP extension--Novell-proprietary extension limited info

FAQ ID:    FAQ910
Version:    2.0
Status:    Published
Published date:    07/23/2010
Updated:    07/23/2010
 

Answer

Blue Coat is using a Novell-proprietary extension to monitor events. Because this extension is proprietary, there is only limited documentation from Novell.

Blue Coat ships the Novell LDAP SDK binaries with BCAAA. BCAAA invokes the LDAP extension by calling ldap_monitor_events_filtered, which is implemented in Novell's ldapx.dll library.

This extension uses one or more of the following LDAP OIDs (from Novell's ldapx.h header):

#define NLDAP_MONITOR_EVENTS_REQUEST          "2.16.840.1.113719.1.27.100.79"
#define NLDAP_MONITOR_EVENTS_RESPONSE         "2.16.840.1.113719.1.27.100.80"
#define NLDAP_EVENT_NOTIFICATION              "2.16.840.1.113719.1.27.100.81"
#define NLDAP_FILTERED_MONITOR_EVENTS_REQUEST "2.16.840.1.113719.1.27.100.84"

In a packet capture (pcap) of an unencrypted connection, one or more of these OIDs can be seen on the wire. However, there is no documentation on the data fields that this extension sends on the wire.
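To confirm whether the monitor-events extension is present in such a capture, the following added example (not Blue Coat's or Novell's code) decodes the BER of LDAP messages from one direction of a reassembled TCP stream just far enough to read the requestName/responseName OID of extended and intermediate operations and match it against the OIDs above. The sample messages are constructed here, and the requestValue is placeholder bytes because its real format is undocumented.

```python
# Novell monitor-events OIDs from ldapx.h (quoted on this page)
NOVELL_EVENT_OIDS = {
    "2.16.840.1.113719.1.27.100.79": "NLDAP_MONITOR_EVENTS_REQUEST",
    "2.16.840.1.113719.1.27.100.80": "NLDAP_MONITOR_EVENTS_RESPONSE",
    "2.16.840.1.113719.1.27.100.81": "NLDAP_EVENT_NOTIFICATION",
    "2.16.840.1.113719.1.27.100.84": "NLDAP_FILTERED_MONITOR_EVENTS_REQUEST",
}
# LDAP op tag -> context tag of the LDAPOID inside it (RFC 4511): ExtendedRequest [APPLICATION 23]
# requestName [0], ExtendedResponse [24] responseName [10], IntermediateResponse [25] responseName [0]
OID_TAG_FOR_OP = {0x77: 0x80, 0x78: 0x8A, 0x79: 0x80}

def ber_tlv(data, pos):
    # -> (tag, content, next_pos); LDAP uses single-byte tags and definite lengths only
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def ber_children(content):
    # split a constructed TLV's content into its (tag, content) children
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = ber_tlv(content, pos)
        out.append((tag, body))
    return out

def find_novell_event_ops(stream):
    # walk concatenated LDAPMessages; return (messageID, oid, name) per Novell monitor-events op
    hits, pos = [], 0
    while pos < len(stream):
        tag, msg, pos = ber_tlv(stream, pos)
        if tag != 0x30:                     # LDAPMessage is a SEQUENCE; stop on garbage
            break
        (_, msg_id), (op_tag, op_body) = ber_children(msg)[:2]
        for ctag, cbody in ber_children(op_body) if op_tag in OID_TAG_FOR_OP else []:
            oid = cbody.decode("ascii", "replace")
            if ctag == OID_TAG_FOR_OP[op_tag] and oid in NOVELL_EVENT_OIDS:
                hits.append((int.from_bytes(msg_id, "big"), oid, NOVELL_EVENT_OIDS[oid]))
    return hits

def tlv(tag, content):  # short-form BER encoder (< 128 bytes), only for the sample below
    return bytes([tag, len(content)]) + content
# Constructed sample: a StartTLS request (messageID 1), then a filtered monitor-events
# request (messageID 7) whose requestValue is placeholder bytes (real format undocumented)
STARTTLS_MSG = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x77, tlv(0x80, b"1.3.6.1.4.1.1466.20037")))
MONITOR_MSG = tlv(0x30, tlv(0x02, b"\x07") + tlv(0x77, tlv(0x80, b"2.16.840.1.113719.1.27.100.84")
                                                  + tlv(0x81, b"\x00" * 16)))
SAMPLE_STREAM = STARTTLS_MSG + MONITOR_MSG
```

Feed it the reassembled payload of the BCAAA-to-eDirectory direction (e.g. exported from a pcap) to see which of the four operations actually appear; seeing them at all confirms the session is not TLS-protected.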

The customer already has this extension; it is part of a base eDirectory installation. The server end of the extension is implemented in the ldapxs library (C:\Novell\NDS\ldapxs.dll on a normal Windows box).

It is also good to make sure the customer has the latest eDirectory patches, which fix known memory leaks. One way to find out whether eDirectory is running out of memory is to enable the LDAP options in DSTrace. (The trace options for LDAP have to be enabled both in iManager/iMonitor and in DSTrace.) If eDirectory is running out of memory, LDAP will report failed memory allocations. For how to run DSTrace for LDAP, see:
http://support.novell.com/docs/Tids/Solutions/10062292.html

Need to find out how the customer's tree is partitioned? The documentation on this LDAP extension is limited. However, based on the eDirectory architecture, BCAAA would have to be monitoring a server which holds a replica containing the user object in order to receive login and logout notifications. BCAAA is actually monitoring for changes to the user's networkAddress attribute, and if the server doesn't hold a replica of the user's partition, then the server wouldn't get notified when this attribute changes. If the customer has partitioned their tree, then they might need to be monitoring more than one server. See the details in the Blue Coat Configuration and Management Guide:
Chapter 14: Novell Single Sign-on Authentication and Authorization
About Novell SSO Realms

More info on the LDAP extension is below.
Section 1.7.1 in the link below contains an overview of how this extension works:
http://developer.novell.com/documentation/cldap/ldaplibc/index.html?page=/documentation/cldap/ldaplibc/data/ag7cvjp.html

Here is Novell's documentation for the API that Blue Coat uses to invoke the extension:
http://developer.novell.com/documentation/cldap/ldaplibc/index.html?page=/documentation/cldap/ldaplibc/data/ak7dhv3.html
