ACCESSBUILDER™ SECURITY
PACKAGE -- NETWARE/WORKGROUP
USER GUIDE
Software Version 1.2
Part No. 09-0704-001
Published May 1995
3Com Corporation ■ 5400 Bayfront Plaza ■ Santa Clara, California ■ 95052-8145
© 3Com Corporation, 1994. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without permission from 3Com Corporation.
3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty of any kind, either implied or expressed, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.
UNITED STATES GOVERNMENT LEGENDS:
If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following restricted rights:
For units of the Department of Defense:
Restricted Rights Legend: Use, duplication or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) for restricted Rights in Technical Data and Computer Software clause at 48 C.F.R. 52.227-7013. 3Com Corporation, 5400 Bayfront Plaza, Santa Clara, California 95052-8145.
For civilian agencies:
Restricted Rights Legend: Use, reproduction or disclosure is subject to restrictions set forth in subparagraph (a) through (d) of the Commercial Computer Software - Restricted Rights Clause at 48 C.F.R. 52.227-19 and the limitations set forth in 3Com's standard commercial agreement for the software. Unpublished rights reserved under the copyright laws of the United States.
3ComFacts, Ask3Com, CardFacts, NetFacts, and CardBoard are service marks of 3Com Corporation.
3Com, AccessBuilder, LanScanner, LinkBuilder, NETBuilder, NETBuilder II, ViewBuilder, EtherDisk, EtherLink, EtherLink Plus, EtherLink II, TokenLink, TokenLink Plus, and TokenDisk are registered trademarks of 3Com Corporation. 3Com Laser Library, 3TECH, Boundary Routing, CacheCard, FDDILink, NetProbe, Parallel Tasking, SmartAgent, Star-Tek, and Transcend are also trademarks of 3Com Corporation.
CompuServe is a registered trademark of CompuServe, Inc.
Other brand and product names may be registered trademarks or trademarks of their respective holders.
Guide written and produced by Gary Halverson.
CONTENTS

1 INTRODUCTION
    General Information                                  1-1
    1.1. Three Security Client Types                     1-1
        NetWare Applications                             1-2
        Workgroup Applications                           1-2
    1.2. Compatibility                                   1-2
    1.3. Limitations                                     1-3

2 NOVELL NETWARE BINDERY/NDS SECURITY CLIENTS
    2.1. Overview                                        2-1
    2.2. Installation                                    2-1
        SNDS Usage                                       2-5
    2.3. De-installation                                 2-5
    2.4. AccessBuilder Configuration                     2-6
    2.5. Usage                                           2-6
        Client                                           2-6

3 ACCESSBUILDER NAME SERVER
    3.1. Overview                                        3-1
    3.2. Installation Steps                              3-2
        SUN OS 4.1x Installation                         3-2
        DOS Installation                                 3-3
        Launching the Name Server                        3-3
    3.3. Command Options                                 3-4
    3.4. Database Conversion                             3-4
    3.5. AccessBuilder Configuration                     3-5

4 NAME SERVER DATABASE UTILITIES
    4.1. General Information                             4-1
    4.2. User Record Contents                            4-1
    4.3. The Database Utilities User Interface           4-2
    4.4. The Main Menu                                   4-2
        Add a User Record                                4-2
        Modify User Record                               4-3
        Delete User Record                               4-3
        Display User Records                             4-3
        Save User Records into ASCII Files               4-4
        Backup Database                                  4-5
        Restore Database                                 4-5
        Change Database Password                         4-6
    4.5. PATH                                            4-6

A DATABASE UTILITIES ERROR MESSAGES
B NAME SERVER ERROR MESSAGES
C TECHNICAL SUPPORT
LIMITED WARRANTY
1 INTRODUCTION

General Information

The AccessBuilder Security Package is a model for flexible multi-vendor security interoperation that is consistent with preliminary IETF (Internet Engineering Task Force) work. The AccessBuilder Security Package software provides the network administrator with the means to control network access by remote users through an existing network security mechanism.

The AccessBuilder Security Package model allows integration of Novell NetWare security solutions while keeping the AccessBuilder open to future security options. The AccessBuilder Security Client is thus designed for maximum flexibility and investment protection for 3Com AccessBuilder customers.

This document provides an overview of the Novell NetWare Bindery/NDS Security Client, a description of the installation procedures, and a summary of limitations.

Also provided are documentation and installation procedures for the AccessBuilder Name Server, a self-contained security database operating on a Sun workstation. The AccessBuilder Name Server has application in a wide variety of workgroup environments.
1.1. Three Security Client Types

The AccessBuilder Security Package - NetWare/Workgroup Version 1.2 software provides compatibility with two major types of Novell network-based user authentication environments and one self-contained security database package:

■ AccessBuilder Security Client for Novell NetWare Bindery Services
■ AccessBuilder Security Client for Novell NetWare Directory Services
■ AccessBuilder Name Server for networks running SunOS 4.1.x
The AccessBuilder Security Package - NetWare/Workgroup software modules are designed to reside on their respective server or client workstations, where they provide the appropriate agent software to interface between the AccessBuilder and the respective security server or database.

NetWare Applications

The AccessBuilder Security Clients for Novell NetWare Bindery/NDS Security work with the AccessBuilder server software Version 5.0 (or later) to enable remote user access authentication to be handled automatically from an existing Novell security database. The AccessBuilder login/password information is validated directly against the selected Novell security service. Each version is furnished on a single diskette.

The AccessBuilder Security Client for Novell NetWare Bindery/NDS uses a designated user database maintained by Novell NetWare Bindery or NetWare Directory Services. It is designed to perform the authentication process using these services.

Workgroup Applications

The "AccessBuilder Name Server" module executes on a Sun SPARCstation running SunOS 4.1.x to provide integrated LAN-based security through its own user database. The security database can then be used for automatic validation of remote users logging into one or more AccessBuilders. This software module is intended to reside on a network node where the AccessBuilder can query the security database through the AccessBuilder UDP/IP-based protocol. Also, a set of tools for managing the security database is provided to facilitate database administration.

1.2. Compatibility

The AccessBuilder Security Client for Novell NetWare works with AccessBuilder server software version 5.0 or later and Remote Client software version 5.0 or later.
Table 1-1 AccessBuilder Server and Security Client Version Compatibility Matrix

    AccessBuilder Server      Security Clients
    Software Version          1.0        1.2
    ------------------------  ---------  ---------
    4.0
    4.1                       ●
    5.0                       ●          ●
1.3. Limitations
Novell NetWare Security Client related limitations include:
■ ARA and PPP clients using CHAP authentication are not supported
Limitations applying to both the NetWare Security Client and the Name Server include:
■ No space characters are allowed in the user ID and password fields
■ When the AccessBuilder (Version 5.0) Security Access feature is enabled, the user ID and password fields are case sensitive. Also, when the remote client is using the AccessBuilder Remote Client software, version 5.0 or later must be used.
2 NOVELL NETWARE BINDERY/NDS SECURITY CLIENTS
2.1. Overview

If you are not using the Novell NetWare Bindery/NDS Security Client, you may skip this section.

The NDS (NetWare Directory Services) Security Client is a Novell NLM that runs on Novell NetWare Server 4.X. The Bindery Security Client is a Novell NLM that runs on Novell NetWare Server 3.11 or 4.X.

When a remote user dials into an AccessBuilder and provides the login information, the AccessBuilder server generates a validation request to the Bindery/NDS Security Client. The Bindery/NDS Security Client then initiates an authentication session with the Novell NetWare server's Bindery/NDS services. Based on the result of the authentication session, the Bindery/NDS Security Client sends a validation response back to the AccessBuilder server, which indicates to the user that the authentication has passed or failed.
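The following Python program is an added illustration of the validation exchange just described and of the Chapter 1 limitations on user IDs and passwords; it is not 3Com's code. The request and reply format ("VALIDATE", user ID and password separated by tabs, answered by PASS or FAIL), the function names and the sample user table are assumptions made for the demonstration, since this guide does not document the real AccessBuilder/Security Client wire format. What it does model are the facts the guide states: the AccessBuilder sends a validation request to the Security Client over UDP (service name crsecacc, port 888 by default), the Security Client decides by consulting the directory, and user ID and password are compared case-sensitively with a space character in either field rejected outright.

```python
import socket
import threading

# Constructed stand-in for the NetWare Bindery/NDS user database (assumption).
DIRECTORY = {
    "rsmith": "Tr0ub4dor",
    "jdoe": "CorrectHorse",
}

CRSECACC_PORT = 888  # default UDP port named in the guide ("crsecacc 888/udp")


def check_credentials(user_id, password, directory=DIRECTORY):
    """Return "PASS" or "FAIL" following the rules the guide states:
    no space characters in either field, and case-sensitive matching."""
    if not user_id or not password:
        return "FAIL"
    if " " in user_id or " " in password:
        return "FAIL"            # rejected before the directory is consulted
    return "PASS" if directory.get(user_id) == password else "FAIL"


def encode_request(user_id, password):
    """Hypothetical request format (assumption, not the real protocol)."""
    return ("VALIDATE\t%s\t%s" % (user_id, password)).encode()


def decode_request(datagram):
    """Inverse of encode_request; None for anything malformed."""
    parts = datagram.decode("utf-8", errors="replace").split("\t")
    if len(parts) != 3 or parts[0] != "VALIDATE":
        return None
    return parts[1], parts[2]


def security_client_serve(sock, directory=DIRECTORY, count=1):
    """Security Client side: answer `count` datagrams, then return.
    A malformed datagram is answered with FAIL rather than ignored."""
    for _ in range(count):
        try:
            data, peer = sock.recvfrom(512)
        except socket.timeout:
            return
        parsed = decode_request(data)
        if parsed is None:
            verdict = "FAIL"
        else:
            verdict = check_credentials(parsed[0], parsed[1], directory)
        sock.sendto(verdict.encode(), peer)


def access_builder_validate(user_id, password, server_addr, timeout=2.0):
    """AccessBuilder side: one request, one reply.  The timeout makes an
    unreachable Security Client fail closed instead of stalling the login."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(encode_request(user_id, password), server_addr)
        try:
            reply, _ = s.recvfrom(64)
        except socket.timeout:
            return "FAIL"
    return reply.decode("utf-8", errors="replace")


def run_exchange(user_id, password):
    """Run one complete request/response exchange over loopback."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))      # ephemeral port; 888 would need privileges
    srv.settimeout(5.0)
    t = threading.Thread(target=security_client_serve, args=(srv,), daemon=True)
    t.start()
    verdict = access_builder_validate(user_id, password, srv.getsockname())
    t.join()
    srv.close()
    return verdict


if __name__ == "__main__":
    for creds in [("rsmith", "Tr0ub4dor"), ("RSMITH", "Tr0ub4dor"), ("r smith", "x")]:
        print(creds, "->", run_exchange(*creds))
```

Running the program prints the verdict for a correct login, for the same login with the user ID upper-cased (rejected, because matching is case sensitive) and for a user ID containing a space (rejected before the directory is consulted). The loopback server binds an ephemeral port rather than 888 because low ports need privileges; the client-side timeout is a design choice of this example so that a silent or unreachable Security Client fails closed rather than holding the dial-in session open.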
2.2. Installation

1. Verify that the TCPIP NLM is running (check the autoexec.ncf file). If it is not, verify that the Ethernet_II frame type is used, bind IP to the Ethernet_II frame type, and then load the TCPIP NLM at the server prompt.

The following are examples of an autoexec.ncf file that loads the NetWare Bindery Services and NetWare Directory Services security clients:
(NetWare Bindery example)

    set Time Zone = PST8PDT
    set Daylight Savings Time Offset = 1:00:00
    set Start Of Daylight Savings Time = (APRIL SUNDAY FIRST 2:00:00 AM)
    set End Of Daylight Savings Time = (OCTOBER SUNDAY LAST 2:00:00 AM)
    set Default Time Server Type = SINGLE
    set Bindery Context = O=b010
    file server name SATURN
    ipx internal net af0bfed9
    load clib
    load tcpip
    load conlog
    load 3C5X9 slot=5 frame=ETHERNET_802.2 NAME=3C5X9_1
    bind IPX to 3C5X9_1 net=AA440000
    load 3c5x9 slot=5 frame=ETHERNET_II name=3c5x9_2
    bind ipx to 3c5x9_2 net=cc100001
    load 3C5X9 slot=5 frame=ETHERNET_802.3 NAME=3C5X9_3
    bind IPX to 3C5X9_3 net=AA330000
    load 3c5x9 slot=5 frame=ETHERNET_SNAP name=3c5x9_4
    bind ipx to 3c5x9_4 net=AA550000
    bind IP to 3c5x9_2 addr=192.147.72.3 mask=255.255.255.0
    set maximum concurrent directory cache writes = 50
    set maximum directory cache buffers = 4000
    load cpqhlth
    load cdrom
    cpqsnmp
    mount all
    unload conlog
    load monitor
    #######################################################################
    # AccessBuilder NetWare Security Client Software
    #######################################################################
    load sbindery 3com
(NetWare Directory example)

    set Time Zone = PST8PDT
    set Daylight Savings Time Offset = 1:00:00
    set Start Of Daylight Savings Time = (APRIL SUNDAY FIRST 2:00:00 AM)
    set End Of Daylight Savings Time = (OCTOBER SUNDAY LAST 2:00:00 AM)
    set Default Time Server Type = SINGLE
    set Bindery Context = O=b010
    file server name SATURN
    ipx internal net af0bfed9
    load clib
    load tcpip
    load conlog
    load 3C5X9 slot=5 frame=ETHERNET_802.2 NAME=3C5X9_1
    bind IPX to 3C5X9_1 net=AA440000
    load 3c5x9 slot=5 frame=ETHERNET_II name=3c5x9_2
    bind ipx to 3c5x9_2 net=cc100001
    load 3C5X9 slot=5 frame=ETHERNET_802.3 NAME=3C5X9_3
    bind IPX to 3C5X9_3 net=AA330000
    load 3c5x9 slot=5 frame=ETHERNET_SNAP name=3c5x9_4
    bind ipx to 3c5x9_4 net=AA550000
    bind IP to 3c5x9_2 addr=192.147.72.3 mask=255.255.255.0
    set maximum concurrent directory cache writes = 50
    set maximum directory cache buffers = 4000
    load cpqhlth
    load cdrom
    cpqsnmp
    mount all
    unload conlog
    load monitor
    load dsapi
    #######################################################################
    # AccessBuilder NetWare Security Client Software
    #######################################################################
    load snds 3com
2. For NetWare Directory Services, be sure that the line load dsapi.nlm occurs before load snds.nlm (the AccessBuilder Security Client).

3. Add a UDP port for the Bindery/NDS Security Client to \etc\services with the service name "crsecacc"; 888 is the default port number in the AccessBuilder server. For example, add "crsecacc 888/udp" at the bottom of \etc\services as shown in the following example:

(\etc\services example)
    # SYS:ETC\SERVICES
    #
    # Network service mappings. Maps service names to transport
    # protocol and transport protocol ports.
    #
    echo        7/tcp
    discard     9/tcp       sink null
    systat      11/tcp
    daytime     13/tcp
    netstat     15/tcp
    ftp-data    20/tcp
    ftp         21/tcp
    telnet      23/tcp
    smtp        25/tcp
    time        37/udp      timserver
    name        42/udp      nameserver
    whois       43/tcp      nicname         # usually to sri-nic
    domain      53/tcp
    hostnames   101/tcp     hostname        # usually to sri-nic
    sunrpc      111/udp
    #
    # Host specific functions
    #
    tftp        69/udp
    finger      79/tcp
    link        87/tcp      ttylink
    x400        103/tcp                     # ISO
    x400-snd    104/tcp
    csnet-ns    105/tcp
    pop-2       109/tcp                     # Post Office
    uucp-path   117/tcp
    nntp        119/tcp     usenet          # Network News Transfer
    ntp         123/tcp                     # Network Time Protocol
    NeWS        144/tcp     news            # Window System
    #
    #UNIX specific services
    #these are NOT officially assigned
    exec        512/tcp
    login       513/tcp
    shell       514/tcp     cmd             # no passwords used
    printer     515/tcp     spooler         # experimental
    courier     530/tcp     rpc             # experimental
    biff        512/udp     comsat
    who         513/udp     whod
    syslog      514/udp
    talk        517/udp
    route       520/udp     router routed
    new-rwho    550/udp     new-who         # experimental
    rmonitor    560/udp     rmonitord       # experimental
    monitor     561/udp                     # experimental
    ingreslock  1524/tcp
    snmp        161/udp                     # Simple Network Mgmt Protocol
    snmp-trap   162/udp     snmptrap        # SNMP trap (event) messages
    crsecacc    888/udp
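The following Python script is an added pre-flight checker for installation steps 1 to 3 above; it is not a 3Com tool, and the autoexec.ncf fragments and \etc\services lines embedded in it are constructed for the demonstration. It parses the text of the two files and reports whether the TCPIP NLM is loaded, whether the board that IP is bound to was loaded with the ETHERNET_II frame type, whether (on an NDS server) load dsapi precedes load snds, and whether \etc\services maps crsecacc to UDP port 888 with no other service claiming the same UDP port. Function names are this example's own.

```python
import re

# Constructed sample inputs (not copied from a real server).
NDS_AUTOEXEC_OK = """\
load clib
load tcpip
load 3c5x9 slot=5 frame=ETHERNET_II name=3c5x9_2
bind ip to 3c5x9_2 addr=192.147.72.3 mask=255.255.255.0
load dsapi
load snds 3com
"""
NDS_AUTOEXEC_BAD = """\
load clib
load 3c5x9 slot=5 frame=ETHERNET_802.2 name=3c5x9_1
bind ip to 3c5x9_1 addr=192.147.72.3 mask=255.255.255.0
load snds 3com
load dsapi
"""
SERVICES_OK = "snmp 161/udp\nsnmp-trap 162/udp snmptrap  # SNMP trap\ncrsecacc 888/udp\n"
SERVICES_CLASH = "other-svc 888/udp\ncrsecacc 888/udp\n"


def parse_ncf(text):
    """autoexec.ncf as a list of (command, args), lower-cased; '#' comments
    and blank lines are dropped."""
    cmds = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.lower().split()
            cmds.append((parts[0], parts[1:]))
    return cmds


def _load_index(cmds, module):
    """Position of the first 'load <module>' (with or without .nlm), or None."""
    for i, (cmd, args) in enumerate(cmds):
        if cmd == "load" and args:
            name = args[0][:-4] if args[0].endswith(".nlm") else args[0]
            if name == module:
                return i
    return None


def check_autoexec(text, nds):
    """Steps 1 and 2: return a list of problems (empty means all checks pass)."""
    cmds = parse_ncf(text)
    problems = []
    if _load_index(cmds, "tcpip") is None:
        problems.append("TCPIP NLM is not loaded")
    # 'bind ip to <board> ...' tells us which board carries IP.
    boards = [a[2] for c, a in cmds if c == "bind" and len(a) >= 3 and a[:2] == ["ip", "to"]]
    if not boards:
        problems.append("IP is not bound to any board")
    for board in boards:
        frames = []
        for c, a in cmds:
            if c == "load" and ("name=%s" % board) in a:
                frames += [kv.split("=", 1)[1] for kv in a if kv.startswith("frame=")]
        if "ethernet_ii" not in frames:
            problems.append("IP is bound to %s, which is not loaded with frame=ETHERNET_II" % board)
    client = "snds" if nds else "sbindery"
    client_idx = _load_index(cmds, client)
    if client_idx is None:
        problems.append("security client '%s' is not loaded" % client)
    elif nds:
        dsapi_idx = _load_index(cmds, "dsapi")
        if dsapi_idx is None or dsapi_idx > client_idx:
            problems.append("load dsapi must appear before load snds")
    return problems


def parse_services(text):
    """Services-file lines 'name port/proto [aliases...] [# comment]' as
    (name, port, proto, aliases); malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        m = re.fullmatch(r"(\d+)/(tcp|udp)", parts[1].lower()) if len(parts) >= 2 else None
        if m:
            entries.append((parts[0], int(m.group(1)), m.group(2), parts[2:]))
    return entries


def check_services(text, expected_port=888):
    """Step 3: crsecacc must be present, be UDP, use the port the AccessBuilder
    expects, and not share that UDP port with another service."""
    entries = parse_services(text)
    mine = [e for e in entries if e[0] == "crsecacc"]
    if not mine:
        return ["no crsecacc entry in \\etc\\services"]
    problems = []
    _, port, proto, _ = mine[0]
    if proto != "udp":
        problems.append("crsecacc must be a udp service, found %s" % proto)
    if port != expected_port:
        problems.append("crsecacc is on port %d, AccessBuilder expects %d" % (port, expected_port))
    clash = [e[0] for e in entries if e[0] != "crsecacc" and e[1] == port and e[2] == proto]
    if clash:
        problems.append("%s port %d is also claimed by %s" % (proto, port, ", ".join(clash)))
    return problems


if __name__ == "__main__":
    for label, text in [("good NDS autoexec", NDS_AUTOEXEC_OK), ("bad NDS autoexec", NDS_AUTOEXEC_BAD)]:
        print(label, "->", check_autoexec(text, nds=True) or "OK")
    for label, text in [("services", SERVICES_OK), ("services clash", SERVICES_CLASH)]:
        print(label, "->", check_services(text) or "OK")
```

To use it on a real server, copy SYS:SYSTEM\AUTOEXEC.NCF and SYS:ETC\SERVICES to a workstation and pass their contents to check_autoexec (nds=False for a Bindery server running sbindery) and check_services; an empty list from both means the three steps are reflected in the files. The port clash check matters because \etc\services is a name-to-port table, so a second service on 888/udp silently competes with the Security Client's listener.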