
Novell eDirectory integration

HTTP Commander can use the Novell eDirectory directory service for authentication. In Novell eDirectory mode, you log into HTTP Commander with eDirectory users. You may use group membership to assign folders. HTTP Commander does not impersonate eDirectory users; all requests are processed in the context of the application pool account, as is normal for forms-based web applications.

Limitation

HTTP Commander uses the isolated user name to identify users. It does not distinguish users that have the same name but reside in different containers of the directory tree. For example, users with the following distinguished names are identical to the application: cn=user1,O=ELEMIT and cn=user1,ou=OU1,O=ELEMIT.

Configuring HTTP Commander for Novell eDirectory mode

Ldap path

Ldap path structure: LDAP://<server>/<context>.

Examples: "LDAP://10.10.10.141", "LDAP://10.10.10.141:636", "LDAP://dep.server.com/ou=cinci,o=KPOrg".

The Ldap path must start with "LDAP://". Any other variant is invalid; for example, "ldap://" and "ldaps://" are invalid. Do not append a slash to the Ldap path: "LDAP://10.10.10.141/" is an invalid Ldap path.

By default, HTTP Commander uses the SSL/TLS protocol to connect to eDirectory. There is currently no option to change this, that is, you cannot disable SSL. The default port is 636, so you may omit the port number. For example, LDAPContainer may be "LDAP://10.10.10.141" or "LDAP://10.10.10.141:636". Since SSL is used, the server certificate must be valid from the Windows point of view.

That means:

  1. the current date is within the certificate's validity interval
  2. the certificate issuer is trusted
  3. the server part of the Ldap path matches the subject name of the certificate

If the server certificate is invalid for whatever reason, HTTP Commander refuses to establish a connection to the server.

If your server certificate is self-signed, the certificate issuer is not trusted. You need to import the certificate into the "Trusted Root Certification Authorities" sub-store of the "local machine" certificate store on the machine where HTTP Commander is running.

The Ldap path may end with the server name, like "LDAP://{ip-address}". You may specify a particular container in eDirectory, for example ou=cinci,o=KPOrg, to restrict the search scope. Append the DN of the container after the server name, like "LDAP://{DNS or IP or NetBIOS}/ou=cinci,o=KPOrg". We suggest using an LDAP browser to find the exact spelling of the context part. In eDirectory the top-level object normally has the type Organization, hence the naming context includes "o=".

testEDirectory project

Assigning the correct value to the LDAPContainer parameter may be tricky. To help with troubleshooting eDirectory binding issues, we developed a small project named testEDirectory. You do not need Visual Studio 2017 to use it, but Visual Studio simplifies troubleshooting a little.

Unpack testEDirectory on the Web server and convert it to an application with IIS Manager. For example, you may unpack the project into c:\inetpub\wwwroot\testEDirectory. Then open IIS Manager, find the testEDirectory folder under the Default Web Site node, right-click the folder and select "Convert to application". Enable anonymous authentication for the application. Other authentication types will do too; anonymous authentication is better simply because it does not require you to enter credentials, which simplifies troubleshooting.

Open testEDirectory\App_Code\EDirectory.cs in a text editor. You need to assign three variables in this file: LDAPContainer, EDirectoryBindUserDN and EDirectoryBindUserPassword. They have the same meaning as in HTTP Commander.

Open the web application page in a web browser; for example, you may open the URL http://localhost/testEDirectory/

If the connection to the eDirectory server succeeds, you'll see a list of user DNs on the page. Otherwise you'll get an exception.

Unfortunately, the exception is normally too general; it does not explain what exactly went wrong. You normally get the "COMException (0x8007203a): Server not operational." error. The only conclusion we can draw from this error is that the bind operation failed.

Step 1. SSL-less bind

To simplify the troubleshooting process, let's get rid of SSL for a while. We start with a simple clear-text bind to eDirectory. In this case the user password is sent unencrypted over the network. That is OK for testing purposes, but it must not be used in an enterprise environment. Once the simple bind to eDirectory succeeds, we may proceed to troubleshoot the SSL bind.

Follow the instructions below to test a simple bind to eDirectory.

  1. Configure eDirectory to accept clear-text passwords. (The steps below are for Novell ConsoleOne.)
  2. Change the testEDirectory project.

    In the testEDirectory project, in the EDirectory.cs file, change the last parameter of the DirectoryEntry constructor: AuthenticationTypes.SecureSocketsLayer -> AuthenticationTypes.None.

    You do not need to change anything else in the project. Updating the last parameter of the DirectoryEntry constructor is the only change required to switch between SSL and simple bind.

    Now try to open the Default.aspx page. If you see a list of users, then the problem is related to SSL. Otherwise inspect the LDAPContainer, EDirectoryBindUserDN and EDirectoryBindUserPassword parameters.

    Note: We suggest starting the tests without a naming context, like LDAPContainer="LDAP://10.10.10.141", and then appending the context, like "LDAP://10.10.10.141/o=cspo,ou=usa_sti".

    More on SSL: In my test environment the certificate is bound to the machine NetBIOS name. I may connect to the eDirectory server only when LDAPContainer is set to 'LDAP://{NetBIOS name}'. If LDAPContainer is set to 'LDAP://{ip address}', the connection fails with the 'The Server is not operational' error.

Step 2. SSL bind

As soon as the simple bind succeeds, you may proceed with the SSL bind.

Restore the original setting in EDirectory.cs (you changed it when you tested the simple bind in the previous step). In the testEDirectory project, in the EDirectory.cs file, change the last parameter of the DirectoryEntry constructor: AuthenticationTypes.None -> AuthenticationTypes.SecureSocketsLayer.

Note: The steps below are for Novell ConsoleOne.

What certificate is used by eDirectory

Verify certificate

Certificate subject name

The certificate subject name must match the server name part of the Ldap path you use to connect to eDirectory (that may be a DNS name, a NetBIOS name or an IP address).

Where to find the certificate subject name

In my case the subject name is 'O=ELEMIT.CN=kub-win2003ent' (see note 1 below). Then LDAPContainer must be "LDAP://kub-win2003ent". You may append a context to the LDAPContainer, like "LDAP://kub-win2003ent/o=ELEMIT", but the server part cannot be changed. You cannot replace it with an IP address or an alternative server name; it must be 'kub-win2003ent'.

The subject name may be based on an IP address, like 'O=ELEMIT.CN=10.10.1.200' (see note 1 below); in this case LDAPContainer must be "LDAP://10.10.1.200/...". A certificate may include a number of alternative subject names. That gives you some freedom in selecting the server name in the Ldap path. Unfortunately, Novell ConsoleOne does not show alternative subject names; you need to export the certificate and use an external tool to inspect this field.

Note 1: Novell ConsoleOne uses a dot to separate the elements of a DN, while the naming context in the Ldap path uses a comma for the same purpose.
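The Ldap path rules from the "Ldap path" section and the three certificate conditions from the "That means" list, worked through as an added example (not HTTP Commander's or the testEDirectory project's own code): it parses an LDAPContainer value and reports why Windows would refuse the eDirectory server certificate. The certificate is a constructed dict (subject CN, alternative names, validity dates, whether the issuer is in the Trusted Root store) standing in for a real certificate; `parse_ldap_path`, `certificate_problems`, `SAMPLE_CERT` and the dates are assumptions.

```python
import re
from datetime import date

# Ldap path shape from the manual: LDAP://<server>[:<port>][/<context>]
LDAP_PATH_RE = re.compile(
    r"^LDAP://(?P<server>[^/:]+)(?::(?P<port>\d+))?(?:/(?P<context>.+))?$")

def parse_ldap_path(path):
    """Split an LDAPContainer value into (server, port, context).
    Must start with upper-case "LDAP://", must not end with "/", context is
    appended after server[:port] with one "/". Port defaults to 636 (SSL)."""
    if not path.startswith("LDAP://"):
        raise ValueError('Ldap path must start with "LDAP://": %r' % path)
    if path.endswith("/"):
        raise ValueError("Do not append a slash to the Ldap path: %r" % path)
    m = LDAP_PATH_RE.match(path)
    if m is None:
        raise ValueError("Malformed Ldap path: %r" % path)
    port = int(m.group("port")) if m.group("port") else 636
    return m.group("server"), port, m.group("context")

def certificate_problems(path, cert, today):
    """List why Windows would refuse the eDirectory server certificate.
    `cert` is a constructed dict standing in for the X.509 certificate
    (assumption, not a real certificate object); the three checks are the
    manual's: validity interval, trusted issuer, server part matches a name."""
    server, _port, _context = parse_ldap_path(path)
    problems = []
    if not cert["not_before"] <= today <= cert["not_after"]:
        problems.append("current date is outside the certificate validity interval")
    if not cert["issuer_trusted"]:
        problems.append("issuer is not in Trusted Root Certification Authorities")
    # Hostnames compare case-insensitively; alternative names count as well.
    names = {cert["subject_cn"].lower()}
    names.update(n.lower() for n in cert.get("alt_names", ()))
    if server.lower() not in names:
        problems.append("server part %r does not match subject name(s) %s"
                        % (server, sorted(names)))
    return problems

# Constructed certificate modelled on the manual's example (not a real cert):
# subject CN=kub-win2003ent, O=ELEMIT, issuer O=ELEMIT, OU=Organizational CA.
SAMPLE_CERT = {"subject_cn": "kub-win2003ent", "alt_names": [],
               "not_before": date(2018, 1, 1), "not_after": date(2020, 1, 1),
               "issuer_trusted": True}
SAMPLE_TODAY = date(2019, 6, 1)  # assumed current date for the check

def demo():
    # The NetBIOS-name path passes; the IP-address path fails the name check.
    return {p: certificate_problems(p, SAMPLE_CERT, SAMPLE_TODAY)
            for p in ("LDAP://kub-win2003ent/o=ELEMIT", "LDAP://10.10.1.200")}
```

Calling `demo()` returns an empty problem list for the NetBIOS-name path and a single "does not match" problem for the IP-address path, which is the failure described under "More on SSL".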

Export certificate

Note: The 'Trusted Root Certificate' is the issuer of the 'Public Key Certificate'. You need to import the 'Trusted Root Certificate' into the HTTP Commander machine. The 'Public Key Certificate' is the certificate used in the SSL connection to eDirectory.

Import the certificate to the HTTP Commander machine

You need to import the 'Trusted Root Certificate' certificate into the machine where HTTP Commander (or the testEDirectory application) is running.

Note: If your certificate is issued by VeriSign, Thawte or another well-known authority that is already present in the "Trusted Root Certification Authorities" list, you may skip this step.

We have just imported the 'Trusted Root Certificate' certificate into 'Trusted Root Certification Authorities' for the machine account. Now the machine account trusts certificates issued by this authority, and so it trusts the 'Public Key Certificate' that is used in the SSL connection to eDirectory.

Check 'Public Key Certificate' certificate

Note: The steps below are for the HTTP Commander machine.

I add two examples of the certutil output: one before importing the "Trusted Root Certificate" and one after. Pay attention to the lines with 'dwErrorStatus'. CERT_TRUST_REVOCATION_STATUS_UNKNOWN is not a problem, AFAICS; I successfully connect to eDirectory despite this error. Note the line starting with 'ERROR: '.

For more details on interpreting the output of the command, see Troubleshooting LDAP Over SSL.

certutil output before importing "Trusted Root Certificate"

Issuer:
    O=ELEMIT
    OU=Organizational CA
Subject:
    CN=kub-win2003ent
    O=ELEMIT
Cert Serial Number: 021c11ffb276e4a8315bf2cc093c1061fea574408adc3971216eba6562e202020c13a4d4

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)

CertContext[0][0]: dwInfoStatus=2 dwErrorStatus=1000040
  Issuer: O=ELEMIT, OU=Organizational CA
  Subject: CN=kub-win2003ent, O=ELEMIT
  Serial: 021c11ffb276e4a8315bf2cc093c1061fea574408adc3971216eba6562e202020c13a4d4
  22 b7 58 1d d2 45 3d 02 f0 48 e5 54 3e cf 70 64 ce 50 20 c6
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  22 b7 58 1d d2 45 3d 02 f0 48 e5 54 3e cf 70 64 ce 50 20 c6
Missing Issuer: O=ELEMIT, OU=Organizational CA
  Issuer: O=ELEMIT, OU=Organizational CA
  Subject: CN=kub-win2003ent, O=ELEMIT
  Serial: 021c11ffb276e4a8315bf2cc093c1061fea574408adc3971216eba6562e202020c13a4d4
  22 b7 58 1d d2 45 3d 02 f0 48 e5 54 3e cf 70 64 ce 50 20 c6
A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486)
------------------------------------
Incomplete certificate chain
Cannot find certificate:
    O=ELEMIT, OU=Organizational CA

ERROR: Verifying leaf certificate revocation status returned 
The revocation function was unable to check revocation because the revocation 
server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the 
revocation server was offline.

CertUtil: -verify command completed successfully.

certutil output after importing "Trusted Root Certificate"

Issuer:
    O=ELEMIT
    OU=Organizational CA
Subject:
    CN=kub-win2003ent
    O=ELEMIT
Cert Serial Number: 021c11ffb276e4a8315bf2cc093c1061fea574408adc3971216eba6562e202020c13a4d4

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=40
  Issuer: O=ELEMIT, OU=Organizational CA
  Subject: CN=kub-win2003ent, O=ELEMIT
  Serial: 021c11ffb276e4a8315bf2cc093c1061fea574408adc3971216eba6562e202020c13a4d4
  22 b7 58 1d d2 45 3d 02 f0 48 e5 54 3e cf 70 64 ce 50 20 c6
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  --------------------------------

CertContext[0][1]: dwInfoStatus=10a dwErrorStatus=0
  Issuer: O=ELEMIT, OU=Organizational CA
  Subject: O=ELEMIT, OU=Organizational CA
  Serial: 021c11ffb276e4a8315bf2cc093c1061fea574408adc3971216eba6562e202020105c6ef
  65 ef b8 67 12 11 0f c3 9d a9 76 af 6c da 33 68 48 b3 9b d4
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  22 b7 58 1d d2 45 3d 02 f0 48 e5 54 3e cf 70 64 ce 50 20 c6
Full chain:
  44 17 50 ad 42 43 d1 63 81 e5 11 7a 7f 81 e6 7b 17 82 da 7c
  Issuer: O=ELEMIT, OU=Organizational CA
  Subject: CN=kub-win2003ent, O=ELEMIT
  Serial: 021c11ffb276e4a8315bf2cc093c1061fea574408adc3971216eba6562e202020c13a4d4
  22 b7 58 1d d2 45 3d 02 f0 48 e5 54 3e cf 70 64 ce 50 20 c6
The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614)
------------------------------------
Revocation check skipped -- no revocation information available
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.

How to restart LDAP service

See Refreshing the LDAP Server.

I do the following (I'm not sure this is the right way, but it works for me).

Note: In my case Novell eDirectory is installed on Windows Server 2003.