Juniper Netscreen 1000 SSL authenticating with Domino server via LDAP

Posted on 2005-05-05
Last Modified: 2013-12-18
Hi there

I've been trying to get our new Juniper Netscreen 1000 SSL box to authenticate remote users to our Domino servers via LDAP but having little success. I can get the Juniper to talk to the Windows 2003 LDAP but Notes refuses to speak to it. This will soon become apparent anyway, but a point worth bearing in mind when reading this is that I am not at all hot on Notes!

Using an LDAP browser I can communicate with our Notes servers fine. Using LDP.exe (free Microsoft LDAP browser) or Softerra's free browser, I can see the top level, which appears to be named DN, and then all the entries below that. I've also found that if I give the browser a DN of "ou=uk,o=abc" I can get it to just show a section of the users. This is all fine but the Juniper box still refuses to speak using the settings I give it. Also the logging on the Juniper is pretty poor so all I get is the below line. I haven't managed to work out how to switch on LDAP logging on the Notes servers either, as that could give me some more info:

Juniper log reads:
"Login failed using auth server Domino1. Reason: Failed"

I've been speaking to Juniper themselves on several occasions, but they seem to know little about this particular setup. It seems to me that I need a Notes guru rather than someone that knows the Juniper!

The main settings I can give the juniper box are as follows:

Basic settings:

Name:               (friendly name)
LDAP Server:       (tried both hostname & IP address although guessing it won't matter which I use)
LDAP Port:       (the notes server is using 390 instead of 389)

LDAP Server Type:        (drop down: Generic, Active Directory, iPlanet, Novell eDirectory - I've obviously been setting this to Generic)
Connection:           (unencrypted or LDAPS - I'm guessing that LDAPS would only be used on port 636 for secure LDAP so I've set it as unencrypted)

Authentication required?
Password:      (Not sure if I need to fill out this section or not, and if I do exactly how to fill it out. Also if the adminDN field needs filling out, does it require an admin account or basic user?)

Finding user entries
Specify how to find a user entry
Base DN:             example: dc=sales,dc=com      (tried both dn & ou=uk,o=abc in this field)
Filter:               example: cn=<USER>        (You seem to have to put something=<USER>, where <USER> is how the Juniper box expects the user name returned. That's my impression of how it works anyway! I've tried various things such as cn=<USER>, fullname=<USER>, uid=<USER> but nothing works)

I've not touched the following section yet as I have no idea how to fill it out:

Determining group membership
If group membership is NOT reflected as attributes of a user's entry, specify how to find a group entries. Note that these are default settings that you can override on a per-group basis in the Server Catalog.        
Base DN:             example: dc=sales,dc=com
Filter:             example: cn=<GROUPNAME>
Member Attribute:             Attribute used to identify members of a static group
Query Attribute:             Attribute used to determine members of a dynamic group
Nested Group Level:             Maximum depth of nested group
Nested Group Search:       Nested groups in Server Catalog (Faster, but less flexible)
                           Search all nested groups (Slower, but more flexible)


Bind options
If this server will be used to authenticate users, select one of the following methods for binding.
Bind method:             Simple bind              StartTLS bind  (I've left it as 'Simple bind')

Many thanks in advance! Please let me know if more info is required.

Mike Penny

Question by:mpjpenny
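The exchange the "Finding user entries" and "Bind options" settings above describe is a search-then-bind: the gateway binds (with the admin DN/password if "Authentication required" is set, anonymously otherwise), searches under the Base DN with the Filter after substituting the login name for <USER>, and then binds again as the DN it found. The following is an added example, not code from the original post or from Juniper or IBM, that encodes those two requests byte-for-byte and decodes the server's result so they can be compared against a packet capture on the Domino LDAP port. The host, port 390, base DN ou=uk,o=abc, the user "mike" and the admin DN cn=gateway,ou=uk,o=abc are assumed or constructed values for illustration.

```python
"""LDAP wire-level helper: the search-then-bind exchange a VPN/SSL gateway performs
against an LDAP directory, encoded by hand so it can be compared with a packet capture.

Added illustration, not code from the original post or from Juniper/IBM.
Assumptions (hypothetical): a Domino LDAP task on port 390, base DN ou=uk,o=abc,
a user "mike" and an admin DN used for the initial bind.
"""
import socket

# --- minimal BER/DER encoding (only what LDAPv3 needs) -----------------------

def ber_len(n):
    """Definite-length form: short form under 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(n, tag=0x02):
    """INTEGER (tag 0x02) or ENUMERATED (tag 0x0A) as minimal two's complement."""
    return tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def ber_octets(s, tag=0x04):
    return tlv(tag, s if isinstance(s, bytes) else s.encode("utf-8"))

def ldap_message(msg_id, op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }"""
    return tlv(0x30, ber_int(msg_id) + op)

# --- the two requests the gateway sends -------------------------------------

def bind_request(msg_id, dn, password):
    """BindRequest [APPLICATION 0]: version 3, name, simple [0] OCTET STRING.
    The password travels as the raw octet string tagged 0x80: with an
    unencrypted connection and 'Simple bind' it is cleartext on the wire."""
    auth = tlv(0x80, password.encode("utf-8"))
    return ldap_message(msg_id, tlv(0x60, ber_int(3) + ber_octets(dn) + auth))

def search_request(msg_id, base_dn, filter_template, user):
    """SearchRequest [APPLICATION 3] for a gateway-style 'attr=<USER>' filter.

    The attribute value is carried as an octet string inside the equalityMatch
    AVA, so no RFC 4515 string escaping is needed here; a string filter such as
    '(cn=%s)' handed to a library would need it."""
    attr, sep, value = filter_template.partition("=")
    if not sep or "<USER>" not in value:
        raise ValueError("filter must look like attr=<USER>")
    value = value.replace("<USER>", user)
    eq_filter = tlv(0xA3, ber_octets(attr) + ber_octets(value))  # equalityMatch [3]
    body = (ber_octets(base_dn)
            + ber_int(2, 0x0A)      # scope: wholeSubtree
            + ber_int(0, 0x0A)      # derefAliases: neverDerefAliases
            + ber_int(0)            # sizeLimit: none
            + ber_int(0)            # timeLimit: none
            + tlv(0x01, b"\x00")    # typesOnly: FALSE
            + eq_filter
            + tlv(0x30, b""))       # attributes: empty -> all user attributes
    return ldap_message(msg_id, tlv(0x63, body))

# --- decoding the server's answer -------------------------------------------

def read_tlv(buf, pos=0):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_result(msg):
    """(messageID, resultCode, diagnosticMessage) from a BindResponse (0x61)
    or SearchResultDone (0x65); 0 = success, 49 = invalidCredentials."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, id_bytes, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag not in (0x61, 0x65):
        raise ValueError("unexpected protocolOp 0x%02x" % op_tag)
    _, code, pos = read_tlv(op)           # resultCode ENUMERATED
    _, _matched, pos = read_tlv(op, pos)  # matchedDN
    _, diag, _ = read_tlv(op, pos)        # diagnosticMessage
    return (int.from_bytes(id_bytes, "big", signed=True),
            int.from_bytes(code, "big"), diag.decode("utf-8", "replace"))

def check_bind(host, port, dn, password, timeout=5.0):
    """Live check against a real server (not run offline): the bind resultCode."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, dn, password))
        return parse_result(s.recv(4096))[1]

if __name__ == "__main__":
    # Constructed sample values; print hex to compare with a sniffer capture on port 390.
    print(bind_request(1, "cn=gateway,ou=uk,o=abc", "secret").hex())
    print(search_request(2, "ou=uk,o=abc", "cn=<USER>", "mike").hex())
```

Two things worth checking with this in hand: the bytes the gateway actually emits on port 390 should match the encoding for the configured Base DN and Filter (the hex above makes a missing or wrong attribute name obvious in a capture), and the bind password is visible in the 0x80 octet string whenever "unencrypted" plus "Simple bind" is chosen, which is the reason to move to LDAPS or StartTLS once the setup works.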
    LVL 46

    Expert Comment

    by:Sjef Bosman
Is there anything in the Domino logfile pertaining to this setup? I mean, when you get the "Login failed" error, what does the log database say?

    Author Comment

Nothing at all! (at least nothing pertaining to the failed LDAP attempts) Apparently you need to switch on LDAP logging on the Notes side but so far I've been unable to work out how to do that. Any thoughts on how to set that up would be appreciated.
    LVL 46

    Expert Comment

    by:Sjef Bosman
Silly question maybe, but the documents you found searching Google on "authenticate domino ldap ssl" were no success? There seem to be some pretty interesting ones.

    Author Comment

    Silly answer to your silly question: I have been on Google for the last two days and no I have not found the answer there so far. No offence meant, but I use Experts Exchange to receive an answer from an expert, not to be told to Google it.


I've now managed to switch on logging on the Notes LDAP service, but whilst it appears to log when the Juniper box itself fails to authenticate, it appears to log nothing when it IS authenticating. I.e. Notes now isn't logging anything but it's still failing. Unless I'm looking in the wrong place for the activity log entries. I'm checking the log.nsf.

    It seems to me that the main problem could be that I do not know how to retrieve the correct DN from the Domino server. Is there an area that I can retrieve the correct DN or is it not that simple?

    LVL 46

    Accepted Solution

    Yeah, yeah, sorry... :$ I know nothing about Junipers, but I'm willing to think along with you.

    There must be something completely wrong. Does the Juniper box give an indication why the Login fails? Are you sure there is network activity from the box to the Domino server? On the right port?

    There is a Network Monitor available on Win2003, you might be able to analyse network traffic with it. See also: http:Q_21411404.html

    Author Comment

    No probs! =)

The Juniper's logging (in this case at least) is about as much use as an ashtray on a motorbike. This is all I get: "Login failed using auth server Domino1. Reason: Failed". I believe there is network activity as I did get the activity log on the Notes box to show an LDAP authentication error when I purposely got the login details wrong. Once those are correct though, the Notes box logs nothing else.

I like the idea of the sniffer, thanks. Didn't think of that. I guess it must be clear text if it's standard LDAP? I have a good sniffer installed on my laptop so I might stick the Juniper on a hub and give that a go later.

    We were under a lot of pressure to get this finished so I have a Notes expert in today. Will post again / award etc later on if necessary!


    Author Comment

You are a god! I sniffed it and whilst the Juniper box was happily sending packets with another LDAP profile I'd set up to a Windows box, it wasn't sending a thing when a logon attempt was made whilst set to use the Notes server for LDAP. I deleted the Notes profile, recreated it and it started sending packets on logon attempts straight away. A couple of minor tweaks later and it's all working!

    Many thanks!
    LVL 46

    Expert Comment

    by:Sjef Bosman
    You're welcome!

    Sjef :)
