Securing Transactions between ILM 2007 and eDirectory
I had a client that required that I connect securely between ILM and eDirectory for provisioning and synchronization of Active Directory to eDirectory user objects. To use TLS there are two options. First, certificate services can be utilized to provide the necessary security for making the connection. Second, secure tunnel (stunnel) can be utilized from the ILM server to provide the encryption. Because of its ease of use, and the fact that the customer did not want to mess with PKI, we went with the latter option.
But before we go down the securing path, we need to make sure the eDirectory Management Agent can connect to the eDirectory server. The LDAP Server object for that server needs to be modified to support the connection. The following steps will need to be performed from Novell ConsoleOne:
1. Double-Click on the LDAP Server object of the server that the eDirectory Management Agent will be connecting
2. On the “General” tab, select the Enable old ADSI and Netscape schema output checkbox and click the Refresh NLDAP Server Now button
3. Click OK
4. Close ConsoleOne
Then it becomes time to install and configure Stunnel. Quote from the website, they can tell you better than I can, what Stunnel is about. “Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon's code.” Oh yea, it is open source under the GNU General Public License.
1. Download the latest Stunnel binaries from http://www.stunnel.org/download/binaries.html to the ILM server
2. Double-Click the installation executable. For example, stunnel-4.27-installer.exe
3. Click Run on the Security Warning
4. Click I Agree, on the License Agreement
5. Accept the defaults and click Next
6. Accept the default installation folder and click Install
7. Click Close when completed
8. Edit c:\program files\stunnel\stunnel.conf by using only the following information. Delete all other information:
*Note: The connect = 192.168.1.18:636 will need to be changed to reflect the production eDirectory server.
9. Close and save
10. Click Start > stunnel > Service install
11. Click OK on Service installed
12. Start the stunnel service
Wouldn't it have just been easier to use Novell Identity Manager??? Would have taken less time too.
We were removing DirXML from the environment, along with NetWare.