Step 1 - Designing the form layout
1. LDAP Enable SSL: Set to true to enable SSL support on the Novell eDirectory LDAP Server.
2. LDAP SSL Port: The TCP port used to access the LDAP Server over SSL. Default LDAP SSL port: 636.
3. LDAP:keyMaterialName: The name of the certificate (Key Material Object) the LDAP Server uses for SSL. By default, this is a certificate issued by the Certificate Authority of the Novell eDirectory tree (the Organizational CA).
By default, SSL support is enabled on port 636 and a certificate is configured. If you want to use a different port or certificate, update these attributes on the LDAP Server object.
Exporting the Novell eDirectory root certificate
To export the root certificate, open the LDAP Server object in ConsoleOne and select the certificate named in LDAP:keyMaterialName.
Figure 8: Novell ConsoleOne: LDAP Server SSL attributes.
UMRA Help
Open the properties of that certificate and navigate to its Trusted Root Certificate. Click Export.
Figure 9: Novell ConsoleOne: Properties of trusted root certificate.
Follow the instructions to export the root certificate to a file in binary DER format. Do not include the private key; the client only needs the public root certificate to validate the certificate the LDAP Server presents.
Importing the certificate on the UMRA computer
To complete the configuration, import the exported root certificate on the computer that runs the LDAP client, in this case the UMRA software. The UMRA component that communicates with the LDAP Server is either the UMRA Console application or the UMRA Service, and the certificate store differs for each: for the UMRA Console, the certificate is imported into the store of the logged-on user account; for the UMRA Service, it must be imported into the store of the computer that runs the service.
Importing the certificate for the UMRA Console
In Microsoft Internet Explorer 6, select Tools, Internet options…, Content, Certificates. Press Import… and follow the instructions of the wizard. When asked, select the option Automatically select the certificate store based on the type of certificate; a self-signed root certificate is then placed in Trusted Root Certification Authorities. Windows shows a security warning with the certificate's thumbprint before it is added; compare it with the thumbprint of the trusted root certificate in eDirectory before accepting.
When completed, check the list of Trusted Root Certification Authorities. The list must contain the new entry.
Figure 10: List with Trusted Root Certification Authorities showing the imported LDAP Server certificate
Importing the certificate for the UMRA Service
On the computer that runs the UMRA Service, start the Microsoft Management Console: select Start, Run, enter MMC and press Enter. Add the snap-in for managing certificates with menu option File, Add/Remove snap-in. Press Add and select the Certificates snap-in.
Figure 11: Add Certificates snap-in to Microsoft Management Console in order to import the certificate for UMRA Service.
Click Add and select the option to manage certificates for the Computer account. Next select the Local computer and exit the configuration dialogs. With the MMC you can now manage the certificates of the local computer.
Figure 12: The MMC configured to manage the certificates of the local computer as used by the UMRA Service.
To add the certificate, browse to the item Certificates under Trusted Root Certification Authorities, select menu option All Tasks, Import… and follow the instructions of the wizard. When asked, select the option Automatically select the certificate store based on the type of certificate. When completed, check the list of Trusted Root Certification Authorities; it must contain the new entry.
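The same import done from PowerShell, with the checks the wizard leaves to the operator. This is an added example, not UMRA's or Novell's own code: it assumes the DER file exported above was saved as C:\certs\edir-root.der, that you have read the root certificate's thumbprint from the eDirectory server out of band and put it in $ExpectedThumbprint, and it uses the .NET X509Store class so it runs on any Windows PowerShell version. Use LocalMachine for the UMRA Service and CurrentUser for the UMRA Console.

```powershell
# Added example, not part of UMRA or eDirectory. Imports the exported DER root
# certificate into the Windows Trusted Root store used by the LDAP client, after
# checking that it really is a root CA certificate and matches the expected thumbprint.
param(
    [string]$CertPath = 'C:\certs\edir-root.der',                            # assumed export location
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000', # placeholder; read it from eDirectory
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]$Scope = 'LocalMachine'                                          # LocalMachine: UMRA Service, CurrentUser: UMRA Console
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# The export must not have included the private key.
if ($cert.HasPrivateKey) {
    throw "$CertPath contains a private key; export only the public root certificate."
}

# Only a self-signed CA certificate belongs in Trusted Root Certification Authorities.
# Importing the LDAP Server's own certificate here would not make the chain validate.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not self-signed (subject '$($cert.Subject)', issuer '$($cert.Issuer)'); import the trusted root, not the server certificate."
}
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
    Select-Object -First 1
if ($bc) {
    if (-not $bc.CertificateAuthority) { throw "Certificate is not marked as a CA (BasicConstraints)." }
} else {
    Write-Warning "No BasicConstraints extension; verify this is really the Organizational CA certificate."
}

# Compare against the thumbprint obtained out of band, ignoring spaces and colons.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint $($cert.Thumbprint) does not match expected $expected; not importing."
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $Scope)
$store.Open('ReadWrite')
try {
    $found = $store.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
        $cert.Thumbprint, $false)
    if ($found.Count -gt 0) {
        Write-Host "Already present in $Scope\Root: $($cert.Thumbprint)"
    } else {
        $store.Add($cert)
        Write-Host "Imported into $Scope\Root: $($cert.Subject) ($($cert.Thumbprint))"
    }
} finally {
    $store.Close()
}
```

Run it elevated when $Scope is LocalMachine. The zero thumbprint placeholder makes the script refuse to import until you supply the real value, which is the point: anything added to Trusted Root Certification Authorities is trusted by every TLS client in that scope, not only by UMRA, so the thumbprint must be verified and the Organizational CA's private key on the eDirectory side must be protected accordingly.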
Testing the certificate configuration
You can test the SSL configuration with LDP.EXE, part of the Windows Support Tools for Microsoft Windows Server 2003. (Note: the LDP.EXE that ships with the Windows Support Tools for Microsoft Windows 2000 does not support SSL.) With the Windows Support Tools for Windows Server 2003 installed, start the tool by entering LDP.EXE at the command prompt. Select menu option Connection, Connect…. Specify the server name, port 636 and enable SSL.
Figure 13: LDP.EXE connection settings
If the root certificate is not installed in the correct store, or does not match the certificate the LDAP Server presents, the connection cannot be established.
Figure 14: LDP.EXE failure when SSL certificates are not or incorrectly configured.
When the certificates are correctly installed, the connection to the LDAP Server is established.
Figure 15: LDP.EXE successful connection setup using SSL.
Once this test succeeds, the UMRA software can communicate with the LDAP Server using SSL.
Creating user accounts in Novell eDirectory
This example describes a mass project that imports a number of user accounts from a csv file into Novell eDirectory. The script is deliberately limited to the essential actions for creating user accounts in Novell eDirectory with UMRA over LDAP. A similar script can be used in UMRA Form and Automation projects.
Example project
The example project can be found at the following location relative to the UMRA Console program directory:
.\Example Projects\LDAP\Novell\AddUserMass\Novell_eDir_CreateUserAccountMass.upj
The example project contains embedded input data representing user accounts. For each line of the input data, the script does the following:
1. Set up a secure LDAP session with the LDAP Server;
2. Set up the LDAP modification data to add the user account;
3. Add the account.
The following section describes the project in detail.
Figure 16: Example project to import bulk user accounts in Novell eDirectory using UMRA and secure LDAP (SSL).
Setting up an LDAP session
The LDAP session is set up with the LDAP Server, in this case the computer that runs Novell eDirectory: pacific.tools4ever.local2.
Figure 17: Setup LDAP session script action
The LDAP server is specified by DNS name or TCP/IP address. The LDAP port only needs to be specified when it differs from the default (389 for LDAP without SSL, 636 for LDAP with SSL). The SSL encryption flag is set to enable secure communication.
When SSL is used, certificates must be installed on both the LDAP Server and the client side, as described above. The User name depends on the directory service implementation; here an organization O=Servers contains the administrator account admin that is used to access the data. The password is not shown.
When the action executes successfully, the session is initialized. The session object is stored in a variable with the default name %LdapSession%, which is used by subsequent actions of the script.
Note: When the action is executed, the specified password is sent over the network. With SSL enabled, the password is protected because all communication with the LDAP Server is encrypted. Without SSL, a simple bind sends the password as clear text, readable by anyone able to capture traffic between the UMRA computer and the LDAP Server.
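The three actions the script performs per input line, written as an added example with the .NET System.DirectoryServices.Protocols classes; this is not the UMRA project file and not Novell code. It refuses to send the bind password unless the session is SSL-protected, and it reports why a server certificate was rejected, which covers the failure case from the LDP.EXE test as well. The server name follows the page; the admin DN cn=admin,o=Servers (the page names the organization and the account but not the exact DN), the user container ou=Users,o=Servers, and the two input rows are assumptions. The objectClass values top, person and inetOrgPerson are what eDirectory requires for a user; cn and sn are added because the standard person/inetOrgPerson classes require them.

```powershell
# Added example, not the UMRA project's script and not Novell code.
# Assumed: admin DN cn=admin,o=Servers, target container ou=Users,o=Servers,
# constructed csv rows. The server name is the one used on the page.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function New-SecureLdapSession {
    param(
        [string]$Server = 'pacific.tools4ever.local2',
        [int]$Port = 636,
        [string]$BindDn = 'cn=admin,o=Servers',      # assumed DN of the admin account in O=Servers
        [System.Security.SecureString]$Password,
        [switch]$UseSsl
    )
    if (-not $UseSsl) {
        # A simple bind transmits the password in clear text; do not even try without SSL.
        throw "Refusing to simple-bind to ${Server}:${Port} without SSL: the password would cross the network in clear text."
    }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $cred = New-Object System.Net.NetworkCredential($BindDn, $Password)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred, 'Basic')
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = $true
    # Validate the server certificate against the Windows certificate stores and log why it
    # was rejected (UntrustedRoot, NotTimeValid, ...), which LDP.EXE does not show.
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert2)
        if (-not $trusted) {
            $why = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            Write-Warning "Rejecting certificate '$($cert2.Subject)' issued by '$($cert2.Issuer)': $why"
        }
        return $trusted
    }
    $conn.Bind()    # SSL handshake first, then the simple bind inside the encrypted session
    return $conn
}

function New-UserAddRequest {
    param([string]$Dn, [string]$Cn, [string]$Sn)
    # The LDAP modification data: one entry with several attributes, each with one or more
    # values. objectClass carries the three values eDirectory needs for a user account;
    # cn and sn are the attributes the standard person/inetOrgPerson classes require.
    $req = New-Object System.DirectoryServices.Protocols.AddRequest($Dn)
    $null = $req.Attributes.Add((New-Object System.DirectoryServices.Protocols.DirectoryAttribute('objectClass', [string[]]('top', 'person', 'inetOrgPerson'))))
    $null = $req.Attributes.Add((New-Object System.DirectoryServices.Protocols.DirectoryAttribute('cn', $Cn)))
    $null = $req.Attributes.Add((New-Object System.DirectoryServices.Protocols.DirectoryAttribute('sn', $Sn)))
    return $req
}

# Constructed sample rows standing in for the project's embedded csv input.
$rows = @'
cn,sn
jdoe,Doe
asmith,Smith
'@ | ConvertFrom-Csv

$pw = Read-Host -AsSecureString -Prompt 'Password for cn=admin,o=Servers'
$session = New-SecureLdapSession -UseSsl -Password $pw
try {
    foreach ($row in $rows) {
        $dn = "cn=$($row.cn),ou=Users,o=Servers"    # assumed target container
        try {
            $null = $session.SendRequest((New-UserAddRequest -Dn $dn -Cn $row.cn -Sn $row.sn))
            Write-Host "Added $dn"
        } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
            Write-Warning "Add failed for ${dn}: $($_.Exception.Response.ResultCode)"
        }
    }
} finally {
    $session.Dispose()
}
```

If the eDirectory root certificate is missing from the client's Trusted Root store, the callback warns with UntrustedRoot and Bind() throws an LdapException before any password leaves the machine; that is the condition Figure 14 shows in LDP.EXE, and importing the root certificate as described earlier resolves it.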
Loading LDAP modification data
With the next action, the data structure used to add the user account is prepared. This data structure contains a number of attributes, each with one or more values. The exact attributes used to add a user account vary for each directory service implementation that supports LDAP.
Figure 18: Load LDAP modification data script action.
The resulting data structure is stored in a variable. In this example, the default variable name %LdapData% is used to store the structure. The variable is used in subsequent script actions.
According to the Novell eDirectory schema documentation, a user account must have the following attributes defined:
1. objectClass: This attribute must have three values, top, person and inetOrgPerson, to make the new object a user account.