
Re: Create login account in NDS via LDAP



On Fri, 12 Nov 1999, Richard Ellerbrock wrote:

> Subject: Re: Create login account in NDS via LDAP

Herein, references to "NetWare" mean version 5.0 and newer whilst references
to "NDS" mean NDS 8 and newer (incl. NDS 8 Update).  Also note that I'm not a
NetWare admin - what I'm writing (and have written) is what I've learnt from
Novell's Web sites, documentation and by experimenting against live servers;
ergo, treat it as a guide, not canon.

Okay - first, you have to remember that Novell's NDS has its own namespace for
object classes and attribute types;  both NDS and LDAP are ultimately derived
from the X.500 model, but they are not 100% identical in every area.  This
means you need to provide some form of "mapping" between NDS classes/types and
LDAP classes/types.  When you install LDAP on NetWare, some mappings are
provided by default - others you will need to configure yourself using NetWare
admin tools.

Novell's developer Web site includes descriptions of the NDS schema, including
some of the default mappings.  For example, when our NetWare admins create
user objects in the NDS using NetWare tools, those users were of the (NDS) 
class "User".  The inheritance hierarchy within NDS leading to the "User"
object class is (incl. the equivalent LDAP classes):

  NDS Object Class          LDAP Object Class

  TOP                       top
  ndsLoginProperties        (n/a?)
  Person                    person
  Organizational Person     organizationalPerson
  User                      inetOrgPerson

Ergo, to create an NDS "User" via LDAP, we just added an object that conformed
to the correctly mapped object classes and attribute types;  for example:

dn: cn=daveb,ou=Users,o=UWS
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
givenName: David
sn: Begley
description: Sample user.
cn: daveb

Despite the mappings, the NDS and LDAP schemata are not 100% identical;  for
example, NDS users appear to often contain a "Full Name" attribute ("fullName"
via LDAP) - this is in the NDS "Person" class, but not in the LDAP "person"
class.  This is only an issue if you're trying to keep strictly to the
standards, and/or if you're using the same LDIF for other (non-NetWare) LDAP
servers.  Otherwise, since the attribute is valid for NDS you can use it
anyway:

dn: cn=daveb,ou=Users,o=UWS
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
fullName: David Begley
givenName: David
sn: Begley
description: Sample user.
cn: daveb

Note, the DN doesn't include the NDS tree name.  You can look through the
other mappings in NetWare and add the appropriate attributes to the LDIF and
they'll be imported correctly.  Passwords can be set by adding a cleartext
password value in a "userPassword" attribute type - again, NDS just silently
does the right thing, even though it has no concept of a single password.

We've used both BULKLOAD for LDIFs and the LDAP protocol (ldapadd/ldapmodify)
for adding users - both work fine.

> You have not maybe manipulated Groupwise info via LDAP? Can it be done? I
> want to be able to create distribution lists on the fly without having to
> use the Groupwise admin utils.

No, sorry - we don't use Groupwise.  I seem to recall reading on one of the
Novell newsgroups (nntp://forums.novell.com/novell.directoryservices.ldap)
that Groupwise doesn't actually use NDS, it uses its own database and thus you
may have to do something different to add users to Groupwise (if at all).

I'd suggest double-checking with the Novell newsgroups for that one.

Hope this helps..


dave
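The following is an added example, not part of the original post or any Novell tool: a small Python helper that builds the same kind of LDIF record the post shows (the mapped top/person/organizationalPerson/inetOrgPerson chain for an NDS "User"), parses it back, and checks it before it is handed to BULKLOAD or ldapadd. The object-class chain, the required cn/sn attributes, the note that "fullName" is NDS-only, and the fact that "userPassword" is accepted in cleartext all come from the post; the function names, the "strict" portability switch and the sample user are assumptions made here.

```python
"""
Added example (not from the mailing-list post): build, parse and sanity-check
an LDIF record for an NDS "User" mapped onto LDAP inetOrgPerson.
Assumed helper names and sample data; the object-class chain and attribute
notes are taken from the post.
"""
import base64

# Object-class chain the post maps NDS "User" onto, base class first.
NDS_USER_OBJECT_CLASSES = ("top", "person", "organizationalPerson", "inetOrgPerson")

# Attributes the standard LDAP "person" class requires (RFC 2256).
REQUIRED_ATTRS = ("cn", "sn")

# Attributes that NDS accepts but that are not in the standard LDAP classes;
# flagged only when a portable ("strict") LDIF is wanted.
NDS_ONLY_ATTRS = ("fullName",)


def _needs_base64(value: str) -> bool:
    # RFC 2849: values that are not safe ASCII, start with space/colon/'<',
    # or end with a space must be base64-encoded ("attr:: ...").
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(ch) > 127 or ch in "\r\n\0" for ch in value)


def _line(attr: str, value: str) -> str:
    if _needs_base64(value):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def build_user_ldif(cn, sn, given_name, base_dn, description=None,
                    full_name=None, strict=False) -> str:
    """Return one LDIF record; raise ValueError if 'strict' forbids NDS-only attrs."""
    attrs = [("objectClass", oc) for oc in NDS_USER_OBJECT_CLASSES]
    if full_name is not None:
        if strict:
            raise ValueError("fullName is an NDS attribute, not in the LDAP 'person' class")
        attrs.append(("fullName", full_name))
    attrs += [("givenName", given_name), ("sn", sn)]
    if description:
        attrs.append(("description", description))
    attrs.append(("cn", cn))
    lines = [f"dn: cn={cn},{base_dn}"] + [_line(a, v) for a, v in attrs]
    return "\n".join(lines) + "\n"


def parse_ldif_record(text: str):
    """Minimal single-record LDIF parser: returns (dn, {attr: [values]})."""
    # Unfold continuation lines (a leading space joins to the previous line).
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            unfolded.append(raw)
    attrs = {}
    for raw in unfolded:
        attr, rest = raw.split(":", 1)
        if rest.startswith(":"):          # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attrs.setdefault(attr.strip(), []).append(value)
    dn = attrs.pop("dn", [None])[0]
    return dn, attrs


def check_nds_user_record(text: str, strict=False):
    """Return a list of problems; an empty list means the record looks importable."""
    dn, attrs = parse_ldif_record(text)
    problems = []
    if not dn:
        problems.append("missing dn")
    present = set(attrs.get("objectClass", []))
    missing = [oc for oc in NDS_USER_OBJECT_CLASSES if oc not in present]
    if missing:
        problems.append("missing objectClass: " + ", ".join(missing))
    for a in REQUIRED_ATTRS:
        if a not in attrs:
            problems.append(f"missing required attribute {a}")
    if strict:
        for a in NDS_ONLY_ATTRS:
            if a in attrs:
                problems.append(f"{a} is NDS-specific and not portable")
    # The post notes NDS takes userPassword in cleartext; warn so the LDIF
    # file is not left on disk with a password in it after the import.
    if "userPassword" in attrs:
        problems.append("record contains a cleartext userPassword; protect or delete the file after import")
    return problems


if __name__ == "__main__":
    # Constructed sample user mirroring the post's second LDIF.
    record = build_user_ldif("daveb", "Begley", "David", "ou=Users,o=UWS",
                             description="Sample user.", full_name="David Begley")
    print(record)
    print("problems:", check_nds_user_record(record))
    print("strict problems:", check_nds_user_record(record, strict=True))
```

Run it as-is to print the record and the two check results; feed the printed record to ldapadd or BULKLOAD only once `check_nds_user_record` returns an empty list for the mode you care about. The "strict" switch exists for the case the post raises, reusing the same LDIF against a non-NetWare server, where the NDS-only "fullName" would be rejected.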