News aggregator
Using DNS Aliases with SPNEGO
06-Nov-2009 05:46 PM
One of the great features of Novell Access Manager is the integrated single sign-on capability from Microsoft Active Directory (AD) domain member workstations. Through the use of Kerberos and the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO), the Access Manager Identity Server (IdS) can seamlessly authenticate a Windows desktop.
Users log on to the desktop using their normal credentials, and when they then attempt to access an Access Manager protected site they are not required to log in again. Instead, a token is passed from the workstation to the Access Manager IdS. The IdS then verifies that token and allows the user access per the policies defined in Access Manager.
Complete details on configuring Access Manager can be found in the product documentation. This basically works by the client requesting a service ticket from the domain controller for the IdS. The actual name it passes to the domain controller is known as the Service Principal Name (SPN).
The SPN is made up of three components: the protocol, the fully qualified domain name of the IdS, and the client's own AD domain name (known as the realm). So, for example, let's say that the DNS name of our IdS (the Base URL) is ids1.appdomain.com and our AD domain (the realm) is ad.appdomain.com. This would make our SPN, as sent by the workstation, the following:
    HTTP/ids1.appdomain.com@AD.APPDOMAIN.COM
This is what would be sent to the domain controller (the protocol is always listed as HTTP even if it is HTTPS). The client gets back a token that has information about the user in a service ticket encrypted within the token. This is passed in the header to the IdS where it is decrypted (using the shared secret in the nidpkey.keytab file). At this point the user is authenticated and Access Manager will grant or deny access as appropriate.
This all works fine as long as the fully qualified domain name used to build the SPN matches the actual DNS host record (A record) returned when the Windows desktop does a DNS query for ids1.appdomain.com. But what happens if a DNS alias record (CNAME record) is used? Let's say now that the actual hostname of the server acting as the IdS is linux1.appdomain.com and that the DNS record for ids1.appdomain.com is actually a CNAME pointing at linux1.appdomain.com:
    linux1.appdomain.com. IN A     10.1.1.1
    ids1.appdomain.com.   IN CNAME linux1.appdomain.com.
What happens in this scenario? When the client builds the SPN, it will look up ids1.appdomain.com, which results in the CNAME being returned. It will then take the actual host record and use that to build the SPN, resulting in:
    HTTP/linux1.appdomain.com@AD.APPDOMAIN.COM
This will be sent to the domain controller and will obviously fail since the SPN is incorrect, resulting in the browser being presented with a basic authentication dialog box (the IdS falls back to NTLM authentication).
The preferred solution to this problem is to put in a second host entry for the IdS, not a CNAME:
    linux1.appdomain.com. IN A 10.1.1.1
    ids1.appdomain.com.   IN A 10.1.1.1
This would result in a host record being returned to the client when it looks up ids1.appdomain.com, and that is the value that would be used to build the SPN. However, there are situations where it may not be possible to enter another host record in DNS. For example, some fault tolerant layer-4 switching solutions (such as F5 Networks Global Traffic Manager) also provide for management of DNS entries in order to support disaster recovery scenarios. In this case, the switch may be managing and changing the DNS entries for the virtual IP addresses. Some organizations might use a dedicated or unique zone name for this and therefore have all application names referencing the switch-managed entries through DNS aliases. In this case, a CNAME must be used.
This will work with Access Manager as long as the true, resolvable host entry is used for the SPN. So in this example, if a CNAME is used for ids1, the value linux1.appdomain.com would need to be used for the user ID in AD, in the Kerberos class properties (see figure 1), and in the bcsLogin.conf on the IdS server, as shown below:
    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        debug="true"
        useTicketCache="true"
        ticketCache="/opt/novell/java/jre/lib/security/spnegoTicket.cache"
        doNotPrompt="true"
        principal="HTTP/linux1.appdomain.com@AD.APPDOMAIN.COM"
        useKeyTab="true"
        keyTab="/opt/novell/java/jre/lib/security/nidpkey.keytab"
        storeKey="true";
    };
Figure 1: Kerberos Class Properties
However, the URL listed in the local trusted site list in the browser must still be the actual IdS base URL (ids1.appdomain.com in this example), not the true hostname as referenced in the A record.
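As an added illustration (not from the original article or the product), the following Python simulates the client-side SPN construction described above against two constructed zone layouts, and checks the result against the principal in a bcsLogin.conf fragment. The zone data, the CNAME-following model and the config text are assumptions based on the behaviour the article describes.

```python
import re

# Constructed zone data mirroring the two layouts in the article:
# owner name -> (record type, record data). Names are stored fully qualified.
ZONE_WITH_CNAME = {
    "linux1.appdomain.com.": ("A", "10.1.1.1"),
    "ids1.appdomain.com.": ("CNAME", "linux1.appdomain.com."),
}
ZONE_WITH_SECOND_A = {
    "linux1.appdomain.com.": ("A", "10.1.1.1"),
    "ids1.appdomain.com.": ("A", "10.1.1.1"),
}

# Constructed copy of the relevant lines of the bcsLogin.conf shown above.
BCSLOGIN_CONF = """
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/linux1.appdomain.com@AD.APPDOMAIN.COM"
    useKeyTab="true"
    keyTab="/opt/novell/java/jre/lib/security/nidpkey.keytab";
};
"""


def canonical_host(name, zone, max_hops=8):
    """Follow CNAMEs until an A record is found, which is what the article
    says the workstation does before building the SPN. Returns the owner
    name of the A record without the trailing dot."""
    name = name.lower().rstrip(".") + "."
    for _ in range(max_hops):
        record = zone.get(name)
        if record is None:
            raise LookupError(f"no record for {name}")
        rtype, rdata = record
        if rtype == "A":
            return name.rstrip(".")
        if rtype == "CNAME":
            name = rdata.lower().rstrip(".") + "."
            continue
        raise LookupError(f"unexpected record type {rtype} for {name}")
    raise LookupError("CNAME chain too long")


def build_spn(base_url_host, realm, zone):
    """SPN the client requests: HTTP/<canonical host>@<REALM>.
    The service class is HTTP regardless of whether the Base URL is https."""
    return f"HTTP/{canonical_host(base_url_host, zone)}@{realm.upper()}"


def keytab_principal(conf_text):
    """Pull the principal= value out of a bcsLogin.conf fragment."""
    m = re.search(r'principal\s*=\s*"([^"]+)"', conf_text)
    if not m:
        raise ValueError("no principal= entry found")
    return m.group(1)


def spn_matches_keytab(base_url_host, realm, zone, conf_text):
    """True when the SPN the client will request equals the principal the
    IdS decrypts with. A mismatch is the case that ends in the NTLM/basic
    authentication fallback the article describes."""
    return build_spn(base_url_host, realm, zone) == keytab_principal(conf_text)


if __name__ == "__main__":
    for label, zone in (("CNAME", ZONE_WITH_CNAME), ("second A", ZONE_WITH_SECOND_A)):
        spn = build_spn("ids1.appdomain.com", "ad.appdomain.com", zone)
        ok = spn_matches_keytab("ids1.appdomain.com", "ad.appdomain.com", zone, BCSLOGIN_CONF)
        print(f"{label:9s} -> client requests {spn}; matches keytab principal: {ok}")
```

With the CNAME zone the client asks for HTTP/linux1.appdomain.com, which matches the linux1 principal in the config; with the second A record the client asks for HTTP/ids1.appdomain.com, so the config would need to name ids1 instead.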
Using the Kerberos feature in Access Manager is a great way to provide seamless single sign-on to Windows desktops. But it is important to understand how the client is resolving the IdS and building the SPN in order to ensure it functions reliably.
Categories: Novell Support Forums - New Posts
Field Memo: Windows 7 Support on EUC Products
05-Nov-2009 08:50 PM
Podcast: Windows 7 Support on EUC Products
Randal covers which End-User Computing products currently have Windows 7 support and when others will support Windows 7. He also gives you some tips on how you can support Novell's customer communication effort around Windows 7. Want to listen to podcasts on your BlackBerry? Check this out.
Your Time Investment: (4:44 audio)
Localized: No
Good Selling,
The End-User Computing Enablement Team
Partners, visit our Wiki where you can find everything you need to be enabled on selling End-User Computing Solutions!
EUC Enablement Resources:
Wiki: http://tr.im/novell_euc
Categories: Novell Support Forums - New Posts
Example walk through of using XPATH in Identity Manager
06-Nov-2009 12:41 PM
Example of using XPATH in Identity Manager:
Novell Identity Manager originally started as Novell DirXML and required all work to be done in XSLT (XML Style Sheets). XSLT is a powerful language, but not my personal favorite to work in.
With the release of Novell NSure Identity Manager 2.0 we saw the advent of DirXML Script, an XML-based language designed for the task of managing XML event documents. With each release of Identity Manager since, it has gotten better and better.
Just for the heck of it, I even wrote this article trying to track down what you can only do in XSLT at the moment, with the goal of chipping away at that list, where possible!
Open Call: What Can You Do in XSLT that You Cannot Do in DirXML Script?
There have been new features that make life a lot easier, and new tokens that are very powerful.
The nicest thing about using DirXML Script is that the management tools, iManager with the Identity Manager snap-ins, or Designer for Identity Manager (an Eclipse-based tool for offline editing of a project), parse the XML into a really nice GUI interface that allows you to type it free form in XML, manipulate it in a GUI, or any combination of both. In fact, sometimes, due to the way nested items (if-then code blocks, or for-each loops) are shown in the GUI, it is easier to fix things by switching over to the XML view and working there.
Some examples of the various tokens and things that can be done with DirXML Script are:
- New IDM 3.6 enhancement to do-find-matching-object
- Examples of using the ParseDN Token in Identity Manager
- The different attribute options in Identity Manager
- More thoughts on Source/Destination/Operation attribute tokens in Identity Manager
- The Query token in Identity Manager
- Unique Name Token Functionality in IDM 3.5
- Reformat Operation Attribute
- Using the Time Tokens in IDM 3.5
- IDM 3.5 - Update on New Features
- Troubleshooting IF-THEN-ELSE Blocks with IDM Code
- Mapping tables and Render browsed DN relative to policy option
However there is just not enough out there in terms of how to use XPATH in an Identity Manager context for people learning Identity Manager.
I have been working hard on that topic, and you can read some of my articles on the topic at:
XPATH General Concepts:
- Some thoughts on XPATH in Novell Identity Manager
- XPATH and the context node
- XPATH and math
- Using String Compares in XPATH Statements
- Another attempt at explaining the XPATH Context Node
- Using XPATH to examine Association values
- Cool tricks using XPATH on nodesets
- Using Global Configuration Values in XPATH
- Using XPATH to Get the Position of a Node in a Node Set
For those who do not know, Designer has an XPATH tool built in. It is not perfect; we are told in the forums that there are one or two major issues that make it not 100% compliant with the way Identity Manager views XPATH, but for 99% of the things you need to do in XPATH in Identity Manager it should be fine.
Whenever you use an XPATH related token (strip by XPATH expression, the if XPATH expression condition token, clone by XPATH expression, or the XPATH token in Argument Builder) you get a little icon to the right of the text box that pops open the XPATH tool.
[Screenshot: XPATH Builder]
I will try and include some screen shots to make it clear what I mean, where it makes sense.
So what problem was I working on? Well, we are syncing POSIX attributes (that is uidNumber, gidNumber, gecos, homeDirectory, loginShell and so on) between two trees. However, the posixAccount auxiliary class that is often used to contain the POSIX attributes that Unix and Linux need to define a user has some mandatory values.
On a side note, it is a really bad idea in general to make an auxiliary class have mandatory attributes. It makes it a ROYAL pain to work with! You cannot just add the class to an object by editing, say, Object Class in ConsoleOne, since you need to save that change before the UI will let you add one of the new attributes, but if the new attribute is mandatory, you cannot add the Object Class value without the mandatory attribute!
I do not dispute the logic behind this specific case, since it makes little sense to have just uidNumber without gidNumber, from a Unix server perspective, nonetheless it is really annoying.
Now in this particular tree, somehow the base class User got extended with the needed posixAccount attributes. Thus when we originally set this up and populated the tree, all was good, as we could add the POSIX attributes without problem to users in either tree. It was just part of base schema; no need for a posixAccount Object Class value.
Then things got strange. We found that some LDAP applications (I think it was AIX's equivalent to PAM on Linux, Pluggable Authentication Modules, which I was sure AIX called LAM, but the AIX guy says he has never heard of that, not that it matters), when doing an LDAP bind to get user information, caused NMAS to throw a strange failure error, and it looks like you explicitly require the posixAccount object class on the user for it to work. It is not enough to just have all the needed attributes, even though the query does not look for posixAccount. But if the object class does not include posixAccount it does not work. Crazy, but easy to fix.
Thus to fix it, we started adding posixAccount to users. However, we had a couple of edge cases where we should not have been sending it, and I wanted to strip out the add of the object class posixAccount. Usually this is when we are missing one of the POSIX attributes, in which case the entire event fails with a 609 Missing Mandatory error (because we are missing a mandatory attribute that posixAccount requires).
Well, you say, that's easy, that is what the Strip Operational Attribute token is for. Just do a strip operational attribute on Object Class, and all will be fine.
Well, there are way more instances where this might occur, and in fact there are legal cases where there might be several object class changes in one document, so what I really want is just to strip the specific Object Class add value of posixAccount.
Well, that's what strip by XPATH expression is for. So what is my XPATH expression to remove the add of the value posixAccount to the Object Class attribute?
Off the top of my head, I tried the following XPATH statement:
    modify-attr/add-attr[@attr-name="Object Class' and value/text()="posixAccount]
I opened it in the XPATH editor (here is what it looks like empty):
[Screenshot: XPATH Builder]
and tracked down an example event document, to paste into the sample document on the left hand side in the XML source tab:
    DirXML Novell, Inc. {2F95C242-557F-3c40-A3B8-2F95C242557F} LDAPTEST@acme.corp posixAccount
[Screenshot: XPATH Builder]
Before we start using the XPATH editor for real, let's make sure we can get it to work at all! So let's try a simple, common XPATH selection. Let's select the src-dn XML attribute of the modify node. With XPATH, you can do a couple of very different things, which sometimes gets confusing, and the different uses depend on the context of their use, which makes it more confusing.
Basically you can use XPATH to select a node, value, or attribute. That is the sort of thing you do in a set local variable kind of context. Makes sense, you want to set a variable to something in the event document.
Conversely, you can also use XPATH to do math and some string functions; in a set local variable context you might, for example, add 86400 seconds to a Time value to set the value to tomorrow's time. Or say you selected attr[@attr-name="userPrincipalName"] but wanted the value before the @ sign. Well, you could combine the two into something like substring-before(attr[@attr-name="userPrincipalName"], "@") to get what you wanted.
Back to our example, let's make sure we can get the XPATH editor working with a simple test or two, starting with our @src-dn, which I KNOW will work, since it is the most common example used in Identity Manager.
[Screenshot: XPATH Builder]
Ok, so I have my event doc on the left hand side, looks good; I type in @src-dn as my expression, hit the arrow button to Go, and no nodes are found. What the dickens?
Well this stymied me for the longest time, and I just assumed this was broken, but it is really the simplest thing to resolve. The XPATH editor is a very generic XPATH editor. Identity Manager is a specific XPATH usage case, and it all comes down to the context node!
It's almost as easy to show it as it is to explain it... Look at this screen shot:
[Screenshot: XPATH Builder]
Here you can see I switched over to the XML Tree view on the left hand side. The most important thing is that I clicked on the modify node. This sets the current context to the modify node (which the XPATH Select Context box on the right says is now /nds/input/modify), which is the default context in Identity Manager. Now suddenly we see a result! Once you do this, it starts being a really useful tool!
Back to my actual example now, and I had thought that this ought to be close:
    modify-attr/add-attr[@attr-name="Object Class' and value/text()="posixAccount]
Well, the first thing the editor complained about were my typos: mismatched " and ' around Object Class, and a missing closing " at the end of posixAccount.
[Screenshot: XPATH Builder]
That left me with:
    modify-attr/add-attr[@attr-name="Object Class" and value/text()="posixAccount"]
I switched the left hand pane to the tree node view of the sample XML event document and started looking at the actual document, and I realized my memory stinks!
First off, I got an add event and a modify event mixed up. In an add event, you get add-attr nodes with an attr-name attribute, and then an add-value node and then a value node, or something like that. But in a modify, you get a modify-attr node with an XML attribute of attr-name and then an add-value or remove-value (or remove-all-values) node under that, followed by a value node.
Thus no need for the add-attr, and the predicate (the stuff in square brackets []) needs to be on the modify-attr node.
That gets me closer with:
    modify-attr[@attr-name="Object Class" and value/text()="posixAccount"]
But I get nothing in the XPATH Editor, since nothing matches that criteria, and as I looked closer I realized I forgot that there is an add-value node to include in there. That leads me closer with:
[Screenshot: XPATH Builder]
    modify-attr[@attr-name="Object Class"]/add-value/value="posixAccount"]
But there is an error at the end, I am told. Oops, I left a trailing ]. Then I take that off and still get an error.
Well I think I need to put a predicate on the add-value test, so that it looks more like:
    modify-attr[@attr-name="Object Class"]/add-value[value/text()="posixAccount"]
So let's parse that out. Select the modify-attr node that matches the condition where the XML attribute attr-name is equal to the string "Object Class", and then under that node select an add-value node which has a value whose text string is equal to "posixAccount".
Now you can see in the XPATH editor what it should look like:
[Screenshot: XPATH Builder]
I switched tabs over to the XML Source view, since in this case it is more useful when looking at results. Then you can see on the right hand side the XPATH Selected Context is still /nds/input/modify, which is what we want, and the XPATH expression is what I typed above, and in the results section, it selected an element, lines 16-18.
Look over to the left hand side, and you can see that lines 16-18 are the add-value node through its closing tag. In this case I selected a node set, and since what I originally wanted was to strip this out by XPATH, that looks to be what I wanted. This way if there is more than one Object Class change, I will only remove this one node, and if it is the only one, it leaves an empty modify-attr node, which usually gets cleaned up by the engine.
Tada. See, was that so hard? Well yes, a little bit, but it gets a lot easier as you do it more often and get better at it.
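As an added example (not from the original article, and not Identity Manager's own engine code), here is the final expression applied to a constructed modify event with Python's xml.etree, showing both the context-node pitfall and what "strip by XPATH expression" leaves behind. The sample document, its src-dn and the second Object Class value are made up; xml.etree has no text() node test, so value/text()="x" is written as the equivalent value="x".

```python
import xml.etree.ElementTree as ET

# Constructed sample modify event, shaped like the one the article walks
# through (a User getting the posixAccount object class added). A second
# Object Class value is included so the strip can be seen leaving it alone.
SAMPLE_EVENT = r"""<nds>
  <source>
    <product>DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <modify class-name="User" event-id="constructed-0001"
            src-dn="\ACME-TREE\acme\users\LDAPTEST">
      <association>{2F95C242-557F-3c40-A3B8-2F95C242557F}</association>
      <modify-attr attr-name="Object Class">
        <add-value>
          <value type="string">posixAccount</value>
        </add-value>
        <add-value>
          <value type="string">inetOrgPerson</value>
        </add-value>
      </modify-attr>
    </modify>
  </input>
</nds>
"""

# The article's final expression in the subset xml.etree understands:
# [value="posixAccount"] compares the child element's text content.
OBJECT_CLASS_ATTR = 'modify-attr[@attr-name="Object Class"]'
STRIP_EXPR = OBJECT_CLASS_ATTR + '/add-value[value="posixAccount"]'


def modify_node(root):
    """The Identity Manager default context node: /nds/input/modify."""
    return root.find("input/modify")


def matches_from(context, expr):
    """Evaluate expr relative to a context node; return the match count."""
    return len(context.findall(expr))


def context_node_demo(xml_text):
    """Same expression evaluated from the document root and from the
    modify node. Returns (matches from root, matches from modify)."""
    root = ET.fromstring(xml_text)
    return matches_from(root, STRIP_EXPR), matches_from(modify_node(root), STRIP_EXPR)


def strip_posix_account_add(xml_text):
    """Emulate 'strip by XPATH expression' for the article's expression:
    remove only the add-value node carrying posixAccount and leave any
    other Object Class change in place. Returns
    (number removed, remaining Object Class add values, resulting XML)."""
    root = ET.fromstring(xml_text)
    modify = modify_node(root)
    removed = 0
    # xml.etree has no parent pointers, so select the modify-attr parent
    # first and apply the add-value predicate from there.
    for attr in modify.findall(OBJECT_CLASS_ATTR):
        for add_value in attr.findall('add-value[value="posixAccount"]'):
            attr.remove(add_value)
            removed += 1
    remaining = [
        v.text.strip() for v in modify.findall(OBJECT_CLASS_ATTR + "/add-value/value")
    ]
    return removed, remaining, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("matches (from root, from modify):", context_node_demo(SAMPLE_EVENT))
    removed, remaining, out = strip_posix_account_add(SAMPLE_EVENT)
    print(f"removed {removed} add-value node(s); remaining Object Class adds: {remaining}")
    print(out)
```

Evaluated from the root the expression finds nothing, exactly the symptom the XPATH editor shows before the modify node is selected as context; from the modify node it finds the one add-value, and the strip removes only that node while the inetOrgPerson add survives.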
More...
06-Nov-2009 12:41 PM
Example of using XPATH in Identity Manager:
Novell Identity Manager originally started as Novell DirXML and required all work to be done in XSLT (XML Style sheets). XSLT is powerful language but not my personal favorite to work in.
With the release of Novell NSure Identity Manager 2.0 we saw the advent of DirXML Script an XML based language designed for the task of managing XML event documents. With each release of Identity Manager since, it has gotten better and better.
Just for the heck of it, I even wrote this article trying to track down what you can only do in XSLT at the moment, with the goal of chipping away at that list, where possible!
Open Call: What Can You Do in XSLT that You Cannot Do in DirXML Script?
There have been new features that make life a lot easier, and new tokens that are very powerful.
The nicest thing about using DirXML Script is that the management tools, iManager with the Identity Manager snapins, or Designer for Identity Manager (an Eclipse based tool for offline editing of a project) parse the XML into a really nice GUI interface that allows you to type it free form in XML, manipulate it in a GUI, or any combination of both. In fact, sometimes, due to the way nested items (if then code blocks, or for each loops) are shown in the GUI it is easier to fix things by switching over to the XML view and working there.
Some examples of the various tokens and things that can be done with DirXML Script are:
- New IDM 3.6 enhancement to do-find-matching-object
- Examples of using the ParseDN Token in Identity Manager
- The different attribute options in Identity Manager
- More thoughts on Source/Destination/Operation attribute tokens in Identity Manager
- The Query token in Identity Manager
- Unique Name Token Functionality in IDM 3.5
- Reformat Operation Attribute
- Using the Time Tokens in IDM 3.5
- IDM 3.5 - Update on New Features
- Troubleshooting IF-THEN-ELSE Blocks with IDM Code
- Mapping tables and Render browsed DN relative to policy option
However there is just not enough out there in terms of how to use XPATH in an Identity Manager context for people learning Identity Manager.
I have been working hard on that topic, and you can read some of my articles on the topic at:
XPATH General Concepts:
- Some thoughts on XPATH in Novell Identity Manager
- XPATH and the context node
- XPATH and math
- Using String Compares in XPATH Statements
- Another attempt at explaining the XPATH Context Node
- Using XPATH to examine Association values
- Cool tricks using XPATH on nodesets
- Using Global Configuration Values in XPATH
- Using XPATH to Get the Position of a Node in a Node Set
For those who do not know, Designer has an XPATH tool built in. It is not perfect, we are told in the forums that there is one or two major issues that make it not 100% complaint with the way Identity Manager views XPATH, but for 99% of the things you need to do in XPATH in Identity Manager it should be fine.
Whenever you use an XPATH related token (strip by XPATH expression, if XPATH expression condition token, clone by XPATH expression, or the XPATH token in Argument Builder) you get a little icon to the right of the text box, that pops open the XPATH tool.
http://www.novell.com/communities/fi...gBuilder_0.jpg
Click to view.
I will try and include some screen shots to make it clear what I mean, where it makes sense.
So what problem was I working on? Well we are syncing POSIX attributes (that is uidNumber, gidNumber, gecos, homeDirectory, loginShell and so on) between two trees. However, the posixAccount auxiliary class that often is used to contain the POSIX attributes that Unix and Linux need to define a user, has some mandatory values.
On a side note, it is a really bad idea in general to make an Auxiliary class have mandatory attributes. It makes it a ROYAL pain to work with! You cannot just add the class to an object by editing say Object Class, in Console One, since you need to save that change, before the UI will let you add one of the new attributes, but if the new attribute is mandatory, you cannot add the Object Class value without the mandatory attribute!
I do not dispute the logic behind this specific case, since it makes little sense to have just uidNumber without gidNumber, from a Unix server perspective, nonetheless it is really annoying.
Now in this particular tree, somehow the base class User got extended with the needed posixAccount attributes. Thus when we originally set this up and populated the tree, all was good, as we could add the POSIX attributes without problem to users in either tree. It was just part of base schema, no need for a posixAccount attribute.
Then things got strange. We found that some LDAP applications, I think it was AIX's equivalent to PAM on Linux, (Pluggable Authentication Modules, which I was sure AIX called LAM, but the AIX guy says he has never heard of that, not that it matters) when doing an LDAP bind to get user information we found that NMAS was throwing a strange failure error, and it looks like you explicitly require the posixAccount object class on the user for it to work. It is not enough to just have all the needed attribute, even though the query does not look for posixAccount. But if the object class does not include posixAccount it does not work. Crazy, but easy to fix.
Thus to fix it, we started adding posixAccount to users. However, we had a couple of edge cases where we should not have been sending it and I wanted to strip out the add object class for posixAccount. Usually when we are missing one of the POSIX attributes, in which case the entire event fails with a 609 Missing Mandatory error. (Because we are missing a mandatory attribute, that posixAccount requires)
Well you say, thats easy, that is what the token, strip operational attribute is for. Just do a strip operational attribute Object Class, and all will be fine.
Well there are way more instances where this might occur, and in fact there are legal cases where there might be several object class changes in one document, so what I really want is just to strip the specific object class add value of posixAccount.
Well thats what strip by XPATH expression is for. So what is my XPATH expression to remove the add of the value posixAccount into the Object Class attribute.
Off the top of my head, I tried the following XPATH statement:
modify-attr/add-attr[@attr-name="Object Class' and value/text()="posixAccount] I opened it in the XPATH editor, (here is what it looks like empty)
http://www.novell.com/communities/fi...Builder2_0.jpg
Click to view.
and tracked down an example event document, to paste into the sample document on the left hand side in the XML source tab:
DirXML Novell, Inc. {2F95C242-557F-3c40-A3B8-2F95C242557F} LDAPTEST@acme.corp posixAccount http://www.novell.com/communities/fi...Builder3_0.jpg
Click to view.
</p> Before we start using the XPATH editor for real, lets make sure we can get it to work at all! So lets try a simple common XPATH selection. Lets select the src-dn XML attribute of the node. With XPATH, you can do a couple of very different things, which sometimes gets confusing, and the different uses depend on the context of tier use, which makes it more confusing.
Basically you can use XPATH to select a node, value, or attribute. That is the sort of thing you do in a set local variable kind of context. Makes sense, you want to set a variable to something in the event document.
Conversely you also can use XPATH to do math, and some string functions, in which case, you might also in a set local variable context try to add 86400 seconds to a Time value, to set the value to tomorrows time. erPrincipalName"] but wanted the value before the @ sign. Well you could combine the two into something like substring-before( attr[@attr-name="userPrincipalName"], "@") to get what you wanted.
Back to our example, lets make sure we can get the XPATH editor working with a simple test or two, starting with our @src-dn, which KNOW will work, since it is the most common example used in Identity Manager.
http://www.novell.com/communities/fi...Builder4_0.jpg
Click to view.
Ok, so I have my event doc on the left hand side, looks good, type in @src-dn as my expression, hit the arrow button to Go, and no nodes are found. What the dickens?
Well this stymied me for the longest time, and I just assumed this was broken, but it is really the simplest thing to resolve. The XPATH editor is a very generic XPATH editor. Identity Manager is a specific XPATH usage case, and it all comes down to the context node!
Its almost as easy to show it, as it to explain it... Look at this screen shot:
http://www.novell.com/communities/fi...Builder5_0.jpg
Click to view.
Here you can see I switched over to the XML Tree view on the left has side. The most important thing is I clicked on the Modify node. This sets the current context to the modify node (Which the XPATH Select Context bit on the right says is now /nds/input/modify) which is the default context in an Identity Manager example. Now suddenly we see a result! Once you do this, it starts being a really useful tool!
Back to my actual example now, and I had thought that this ought to be close:
modify-attr/add-attr[@attr-name="Object Class' and value/text()="posixAccount] Well, the first thing the editor complained about were my typos. Mismatched the " and ' around the Object Class, and missed a closing " at the end of posixAccount.
http://www.novell.com/communities/fi...Builder6_0.jpg
That left me with:
modify-attr/add-attr[@attr-name="Object Class" and value/text()="posixAccount"] I switched the left hand pane to the tree node view of the sample XML event document and started looking at the actual document, and I realized my memory stinks!
First off, I got an add event and a modify event mixed up. In an add event, you get add-attr nodes, with an attr-name attribute, and then an add-value node and then a value node, or something like that. But in a modify, you get a modify-attr node, with an XML attribute of attr-name and then an add-value or remove-value (or remove-all-values) node under that, followed by a value node.
Thus no need for the add-attr, and the predicate (the stuff in square brackets []) needs to be on the modify-attr node.
That gets me closer with:
modify-attr[@attr-name="Object Class" and value/text()="posixAccount"] But I get nothing in the XPATH Editor, since nothing matches that criteria, and as I looked closer I realized I forgot that there is an add-value node to include in there. That leads me closer with:
http://www.novell.com/communities/fi...Builder7_0.jpg
modify-attr[@attr-name="Object Class"]/add-value/value="posixAccount"] But there is an error at the end I am told. Oops, left a trailing ] and then I take that off and still an error.
Well I think I need to put a predicate on the add-value test, so that it looks more like:
modify-attr[@attr-name="Object Class"]/add-value[value/text()="posixAccount"] So let's parse that out. Select the modify-attr node that matches the condition where the XML attribute attr-name is equal to the string "Object Class", and then under that node, select an add-value node that has a value whose text string is equal to "posixAccount".
Now you can see the in the XPATH editor what it should look like:
http://www.novell.com/communities/fi...Builder8_0.jpg
I switched tabs over to the XML Source view, since in this case it is more useful when looking at results. Then you can see on the right hand side the XPATH Selected Context is still /nds/input/modify, which is what we want, and the XPATH expression is what I typed above, and in the results section, it selected an element, lines 16-18.
Look over to the left hand side, and you can see that lines 16-18 are the add-value node, from its opening tag to its closing tag. In this case I selected a node set, and since what I originally wanted was to strip this out by XPATH, that looks to be what I wanted. This way, if there is more than one Object Class change, I will only remove this one node, and if it is the only one, it leaves an empty modify-attr node, which usually gets cleaned up by the engine.
Tada. See, was that so hard? Well yes, a little bit, but it gets a lot easier as you do it more often, and get better at it.
More...
Categories: Novell Support Forums - New Posts
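The context-node lesson from the post above can be reproduced offline. The following is an added example, not code from the post or from Identity Manager: it builds a constructed (made-up) DirXML modify event, evaluates the same relative expression once from the document root and once from the modify node, and then strips only the add-value that adds posixAccount, leaving the empty modify-attr behind exactly as the post describes. It uses only Python's standard-library XPath subset, which has no `and` and no `text()`, so the post's final expression is written in the equivalent `[value="posixAccount"]` form.

```python
"""Evaluate the post's XPath against a constructed DirXML <modify> event
using only the standard library (xml.etree.ElementTree's XPath subset)."""
import xml.etree.ElementTree as ET

# Constructed sample event document (not from the page): a modify on a User
# that adds the posixAccount auxiliary class and swaps a Surname value.
SAMPLE_EVENT = """\
<nds dtdversion="3.5" ndsversion="8.x">
  <input>
    <modify class-name="User" event-id="0" src-dn="\\VAULT\\data\\users\\jdoe">
      <association>c0ffee-1234</association>
      <modify-attr attr-name="Object Class">
        <add-value>
          <value type="string">posixAccount</value>
        </add-value>
      </modify-attr>
      <modify-attr attr-name="Surname">
        <remove-value>
          <value type="string">Doe</value>
        </remove-value>
        <add-value>
          <value type="string">Smith</value>
        </add-value>
      </modify-attr>
    </modify>
  </input>
</nds>
"""

# ElementTree's predicate syntax supports [@attr="x"] and [child="text"],
# which is enough to express the post's final selection.
POSIX_CLASS_ADD = 'modify-attr[@attr-name="Object Class"]/add-value[value="posixAccount"]'


def load_event(xml_text=SAMPLE_EVENT):
    """Parse the event and return the document root element (<nds>)."""
    return ET.fromstring(xml_text)


def select(context, expr):
    """Evaluate a relative XPath from the given context node, as the editor does."""
    return context.findall(expr)


def count_matches_by_context(xml_text=SAMPLE_EVENT):
    """Why the editor found nothing at first: the same expression evaluated
    from the document root versus from /nds/input/modify."""
    root = load_event(xml_text)
    modify = root.find("input/modify")  # the node the post clicks on
    return {
        "from_root": len(select(root, POSIX_CLASS_ADD)),
        "from_modify": len(select(modify, POSIX_CLASS_ADD)),
        "src_dn": modify.get("src-dn"),  # equivalent of @src-dn in that context
    }


def strip_posix_class_add(xml_text=SAMPLE_EVENT):
    """Remove only the add-value node that adds posixAccount, leaving the
    now-empty modify-attr for the engine to clean up, as the post describes."""
    root = load_event(xml_text)
    modify = root.find("input/modify")
    removed = 0
    for modify_attr in modify.findall('modify-attr[@attr-name="Object Class"]'):
        for add_value in modify_attr.findall('add-value[value="posixAccount"]'):
            modify_attr.remove(add_value)
            removed += 1
    empty_attrs = [m.get("attr-name") for m in modify.findall("modify-attr") if len(m) == 0]
    surname_adds = [v.text for v in modify.findall('modify-attr[@attr-name="Surname"]/add-value/value')]
    return {"removed": removed, "empty_modify_attrs": empty_attrs, "surname_adds": surname_adds}


if __name__ == "__main__":
    print(count_matches_by_context())
    print(strip_posix_class_add())
```

Running it shows zero matches from the root and one from the modify node, which is the whole reason the editor appeared broken until the context was set; the strip step leaves the Surname change untouched and only the Object Class modify-attr empty.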
Early Bird Discount: Save $300 on BrainShare
06-Nov-2009 02:31 PM
Novell has taken steps to make BrainShare more affordable by dropping the full price of the conference from US$1,895.00 to US$1,695.00. You can save an additional $300 with the "early bird" registration. The "early bird" rate of US$1,395.00 will be available until February 19, 2010. Learn more at http://www.novell.com/brainshare
More...
Categories: Novell Support Forums - New Posts
Webinar - The Novell Integrated Help Desk and Free BrainShare passes for eligible purchases
06-Nov-2009 03:07 PM
Are you planning on attending BrainShare this year and can't quite get the budget to attend? Are you in need of a help desk that integrates with your Novell environment? GroupLink would like to help you out!
GroupLink's everything HelpDesk solution, the Novell Integrated Help Desk Solution, features critical Novell integration:
- Schedule appointments, tasks and receive email notifications with GroupWise email and calendaring integration
- Manage your assets with NEW! powerful ZEN 10 integration
- Authenticate your users with essential eDirectory integration
- Lower overall costs by leveraging your current Novell technology
If you purchase at least 3 technician licenses of everything HelpDesk before the end of the year, you will receive a free BrainShare pass*. To kick off this great promotion and to learn more about how this solution can benefit your organization we have planned a special webinar. This webinar will feature Angie Veach, from Carrol Consolidated School Corp. She will discuss how this Novell integration has helped her organization be more effective and lower overall costs.
Date: December 3
Time: 11:00 am Eastern
Link: http://www.grouplink.net/redir.asp?id=2009102902
* For new customers only, cannot be combined with any other promotion or discount.
More...
Categories: Novell Support Forums - New Posts
Leicester City Council Success Story
06-Nov-2009 04:12 PM
Challenge:
Leicester City Council wanted to migrate to a more modern and flexible operating system for core services such as file serving, print management, user management and networking.
Equally, the Council wanted to replace its existing Pegasus Mail solution, which lacked integrated calendaring and collaboration tools, and left users reliant on e-mail to set up internal and external meetings.
Novell Solution:
Leicester City Council opted to migrate its existing network, file and print services to Novell Open Enterprise Server running on SUSE® Linux Enterprise. The Council deployed the software on new HP servers with HP EVA storage arrays.
"Novell Open Enterprise Server running on Linux gave us continuity with our previous ways of working, combined with new options for the future," said Kamal Kotecha, Server Manager for Leicester City Council. "We were able to continue using the rich set of Novell tools to manage our network resources, which meant that the transition and training costs were low."
For its new e-mail and collaboration platform, Leicester City Council chose to implement Novell GroupWise. For all office-based employees and the many staff based in social welfare centres, museums and leisure centres, Novell GroupWise provides a single, integrated personal workspace for e-mail, calendaring and collaboration.
Read the complete success story here –>
http://www.novell.com/success/leicester.html
More...
Categories: Novell Support Forums - New Posts
DBCOPY Cleanup Tool
06-Nov-2009 05:30 PM
BACKGROUND:
We use DBCOPY to stage our GroupWise backups to a different location on the server. This function works just fine in the background. The problem is that the files from the target server are not deleted if they no longer exist in the source server. So they will just stay there over time. Until now.
Using a tool called AutoDelete from Cyber-D, you can now schedule the older files to be purged from your staging area. Simply download this free utility at http://cyber-d.blogspot.com/2005/10/cyber-ds-auto-... (yup, free). Configure the paths for the folder structure that you want pruned, set the period of time that you want to search for (since we perform daily DBCOPYs, there's no need to keep anything older than 2 days).
Our DBCOPY kicks off at 8pm and our AutoDelete will kick off daily at 2am, pruning anything older than two days. DBCOPY runs from our NetWare servers, but I am setting up AutoDelete on one of our GroupWise servers running on Windows to prune all of the other NetWare servers.
WARNING:
If we request a restore to the DBCOPY area from tape, the Cyber-D AutoDelete tool will wipe that area clean of old files, so our restores need to be finished before the 8pm DBCOPY and the 2AM AutoDelete.
I initially found this tool to remove files in a folder that were older than 30 days and it has done a great job in doing so. I then used it on a folder that normally gets files deleted after 30 days, but I was finding that it needed to be cleaned out more frequently. Since I could not alter the purging period of the existing tool, AutoDelete came in really handy.
You'll find other uses for this tool in no time!
This is Freeware, please consider donating (I have no affiliation with this product or company). I believe in supporting companies who produce tools that work.
More...
Categories: Novell Support Forums - New Posts
3421576: How to get ZENworks imaging to automatically recognize new NICs
05-Nov-2009 09:33 PM
Applies to: ZENworks Desktop Management
More...
Categories: Novell Support Forums - New Posts
7003451: ZCM 10.2 schema upgrade failures and missing elements in ZCC
05-Nov-2009 11:18 PM
Applies to: ZENworks Configuration Management
More...
Categories: Novell Support Forums - New Posts
7920273: Drive mapping does not work properly when converting to a Target Physical Machine
06-Nov-2009 02:34 AM
Applies to: PlateSpin Forge, PlateSpin Migrate, PlateSpin Protect
More...
Categories: Novell Support Forums - New Posts
7920274: Windows 2000 physical target server hangs with blinking cursor after conversion
06-Nov-2009 02:37 AM
Applies to: PlateSpin Migrate, PlateSpin Protect, PlateSpin Forge
More...
Categories: Novell Support Forums - New Posts
7920276: WinPE does not detect 2 or more processors on a physical target server
06-Nov-2009 02:40 AM
Applies to: PlateSpin Forge, PlateSpin Migrate, PlateSpin Protect
More...
Categories: Novell Support Forums - New Posts
7921037: Recoverable Error: FailedToConnectToVimWebService
06-Nov-2009 02:41 AM
Applies to: PlateSpin Forge
More...
Categories: Novell Support Forums - New Posts
7920862: All jobs hang at 'Scheduled' on the first step
06-Nov-2009 02:43 AM
Applies to: PlateSpin Forge, PlateSpin Migrate, PlateSpin Protect
More...
Categories: Novell Support Forums - New Posts
7920359: Virtual Machine loads with IRQL_NOT_LESS_OR_EQUAL, Stop 0x0000000A error during configuration
06-Nov-2009 02:45 AM
Applies to: PlateSpin Protect
More...
Categories: Novell Support Forums - New Posts
7920776: Access denied. The root credentials provided cannot be used to connect to the server [MACHINE]
06-Nov-2009 02:48 AM
Applies to: PlateSpin Migrate, PlateSpin Protect
More...
Categories: Novell Support Forums - New Posts
7920777: Unable to use SSH session on [MACHINE], even though a connection was opened successfully
06-Nov-2009 02:49 AM
Applies to: PlateSpin Protect
More...
Categories: Novell Support Forums - New Posts
7920832: How to perform an unattended registration of a target physical machine
06-Nov-2009 02:51 AM
Applies to: PlateSpin Migrate, PlateSpin Protect
More...
Categories: Novell Support Forums - New Posts
7920835: Installing Controller on Source Server enters recoverable error at Verifying Controller Connection step
06-Nov-2009 02:54 AM
Applies to: PlateSpin Forge, PlateSpin Migrate, PlateSpin Protect
More...
Categories: Novell Support Forums - New Posts
7920837: "Insufficient disk space on datastore" error during "Create Virtual Machine"
06-Nov-2009 02:57 AM
Applies to: PlateSpin Migrate, PlateSpin Protect
More...
Categories: Novell Support Forums - New Posts