Juniper Netscreen 1000 SSL authenticating with Domino server via LDAP

Posted on 2005-05-05
Last Modified: 2013-12-18
Hi there

I've been trying to get our new Juniper Netscreen 1000 SSL box to authenticate remote users to our Domino servers via LDAP but having little success. I can get the Juniper to talk to the Windows 2003 LDAP but Notes refuses to speak to it. This will soon become apparent anyway, but a point worth bearing in mind when reading this is that I am not at all hot on Notes!

Using an LDAP browser I can communicate with our Notes servers fine. Using LDP.exe (free Microsoft LDAP browser) or Softerra's free browser, I can see the top level which appears to be named DN and then all the entries below that. I've also found that if I give the browser a DN of "ou=uk,o=abc" I can get it to just show a section of the users. This is all fine but the Juniper box still refuses to speak using the settings I give it. Also the logging on the Juniper is pretty poor so all I get is the below line. I haven't managed to work out how to switch on LDAP logging on the Notes servers either as that could give me some more info:

Juniper log reads:
"Login failed using auth server Domino1. Reason: Failed"

I've been speaking to Juniper themselves on several occasions, but they seem to know little about this particular setup. It seems to me that I need a Notes guru rather than someone that knows the Juniper!

The main settings I can give the Juniper box are as follows:

Basic settings:

Name:               (friendly name)
LDAP Server:       (tried both hostname & IP address although guessing it won't matter which I use)
LDAP Port:       (the notes server is using 390 instead of 389)

LDAP Server Type:        (drop down: Generic, Active Directory, iPlanet, Novell eDirectory - I've obviously been setting this to Generic)
Connection:           (unencrypted or LDAPS - I'm guessing that LDAPS would only be used on port 636 for secure LDAP so I've set it as unencrypted)

Authentication required?
Password:      (Not sure if I need to fill out this section or not, and if I do exactly how to fill it out. Also if the adminDN field needs filling out, does it require an admin account or basic user?)

Finding user entries
Specify how to find a user entry
Base DN:             example: dc=sales,dc=com      (tried both dn & ou=uk,o=abc in this field)
Filter:               example: cn=<USER>        (You seem to have to put something=<USER> where <USER> is how the Juniper box expects the user name returned. That's my impression of how it works anyway! I've tried various things such as cn=<USER>, fullname=<USER>, uid=<USER> but nothing works)

I've not touched the following section yet as I have no idea how to fill it out:

Determining group membership
If group membership is NOT reflected as attributes of a user's entry, specify how to find group entries. Note that these are default settings that you can override on a per-group basis in the Server Catalog.
Base DN:             example: dc=sales,dc=com
Filter:             example: cn=<GROUPNAME>
Member Attribute:             Attribute used to identify members of a static group
Query Attribute:             Attribute used to determine members of a dynamic group
Nested Group Level:             Maximum depth of nested group
Nested Group Search:       Nested groups in Server Catalog       (Faster, but less flexible)
                           Search all nested groups              (Slower, but more flexible)


Bind options
If this server will be used to authenticate users, select one of the following methods for binding.
Bind method:             Simple bind              StartTLS bind  (I've left it as 'Simple bind')

Many thanks in advance! Please let me know if more info is required.

Mike Penny

Question by:mpjpenny

Expert Comment

by:Sjef Bosman
ID: 13935912
Is there anything in the Domino logfile pertaining to this setup? I mean, when you get the error "Login failed", what does the log database say?

Author Comment

ID: 13936325
Nothing at all! (at least nothing pertaining to the failed LDAP attempts) Apparently you need to switch on LDAP logging on the Notes side but so far I've been unable to work out how to do that. Any thoughts on how to set that up would be appreciated.

Expert Comment

by:Sjef Bosman
ID: 13936455
Silly question maybe, but the documents you found searching Google on "authenticate domino ldap ssl" were no success? There seem to be some pretty interesting ones.

Author Comment

ID: 13937817
Silly answer to your silly question: I have been on Google for the last two days and no I have not found the answer there so far. No offence meant, but I use Experts Exchange to receive an answer from an expert, not to be told to Google it.


I've now managed to switch on logging on the Notes LDAP service, but whilst it appears to log when the Juniper box itself fails to authenticate, it appears to log nothing when it IS authenticating. I.e. Notes now isn't logging anything but it's still failing. Unless I'm looking in the wrong place for the activity log entries. I'm checking the log.nsf.

It seems to me that the main problem could be that I do not know how to retrieve the correct DN from the Domino server. Is there an area that I can retrieve the correct DN or is it not that simple?


Accepted Solution

Sjef Bosman earned 2000 total points
ID: 13943320
Yeah, yeah, sorry... :$ I know nothing about Junipers, but I'm willing to think along with you.

There must be something completely wrong. Does the Juniper box give an indication why the Login fails? Are you sure there is network activity from the box to the Domino server? On the right port?

There is a Network Monitor available on Win2003, you might be able to analyse network traffic with it. See also: http:Q_21411404.html

Author Comment

ID: 13943783
No probs! =)

The Juniper's logging (in this case at least) is about as much use as an ashtray on a motorbike. This is all I get: "Login failed using auth server Domino1. Reason: Failed". I believe there is network activity as I did get the activity log on the Notes box to show an LDAP authentication error when I purposely got the login details wrong. Once those are correct though the Notes box logs nothing else.

I like the idea of the sniffer, thanks. Didn't think of that. I guess it must be clear text if it's standard LDAP? I have a good sniffer installed on my laptop so I might stick the Juniper on a hub and give that a go later.

We were under a lot of pressure to get this finished so I have a Notes expert in today. Will post again / award etc later on if necessary!
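Added example, not code from the thread, from Juniper or from IBM: a stdlib-only Python encoder/decoder for the LDAPv3 simple bind that the "Simple bind" option above sends (BER per RFC 4511). try_simple_bind asks the Domino LDAP port (390 here) for its own resultCode instead of the Juniper's bare "Reason: Failed", and parse_bind_request shows why the sniffer idea works: on an unencrypted connection the bind DN and password are readable in the capture, which is the reason to prefer the LDAPS or StartTLS bind options once things work. Host, DN and password values are placeholders.

```python
import socket

def _ber_len(n):
    # BER definite length: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value

def _read_tlv(buf, pos):
    # Returns (tag, value, position after the element).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def build_bind_request(msg_id, bind_dn, password):
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, simple [0] pw } }."""
    assert 0 <= msg_id < 128, "single-byte messageID keeps the INTEGER encoding trivial"
    bind = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, bind_dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind)

def parse_bind_request(pkt):
    """Decode a BindRequest as it appears in a capture; returns (msg_id, dn, password)."""
    _, msg, _ = _read_tlv(pkt, 0)
    _, mid, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    assert tag == 0x60, "not a BindRequest"
    _, _ver, pos = _read_tlv(bind, 0)
    _, dn, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    assert tag == 0x80, "not simple (plaintext) authentication"
    return int.from_bytes(mid, "big"), dn.decode(), cred.decode()

def parse_bind_response(pkt):
    """Decode [APPLICATION 1] BindResponse; returns (msg_id, resultCode, diagnosticMessage)."""
    _, msg, _ = _read_tlv(pkt, 0)
    _, mid, pos = _read_tlv(msg, 0)
    tag, resp, _ = _read_tlv(msg, pos)
    assert tag == 0x61, "not a BindResponse"
    _, code, pos = _read_tlv(resp, 0)
    _, _matched, pos = _read_tlv(resp, pos)
    _, diag, _ = _read_tlv(resp, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")

def try_simple_bind(host, port, bind_dn, password, timeout=5):
    """Send one simple bind and return the server's resultCode (0 = success, 49 = invalidCredentials)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bind_request(1, bind_dn, password))
        return parse_bind_response(sock.recv(4096))[1]
```

A call such as try_simple_bind("domino1.example.internal", 390, "cn=Mike Penny,ou=uk,o=abc", "...") (placeholder values) returns 49 for a wrong password and 0 for a good one, so a non-zero code with correct credentials points at the DN or server settings rather than the password.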


Author Comment

ID: 13944122
You are a god! I sniffed it and whilst the Juniper box was happily sending packets with another LDAP profile I'd set up to a Windows box, it wasn't sending a thing when a logon attempt was made whilst set to use the Notes server for LDAP. I deleted the Notes profile, recreated it and it started sending packets on logon attempts straight away. A couple of minor tweaks later and it's all working!

Many thanks!

Expert Comment

by:Sjef Bosman
ID: 13944222
You're welcome!

Sjef :)
