Juniper Netscreen 1000 SSL authenticating with Domino server via LDAP
Posted on 2005-05-05
I've been trying to get our new Juniper Netscreen 1000 SSL box to authenticate remote users to our Domino servers via LDAP but having little success. I can get the Juniper to talk to the Windows 2003 LDAP but Notes refuses to speak to it. This will soon become apparent anyway, but a point worth bearing in mind when reading this is that I am not at all hot on Notes!
Using an LDAP browser I can communicate with our Notes servers fine. Using LDP.exe (free Microsoft LDAP browser) or Softerra's free browser, I can see the top level which appears to be named DN and then all the entries below that. I've also found that if I give the browser a DN of "ou=uk,o=abc" I can get it to just show a section of the users. This is all fine but the Juniper box still refuses to speak using the settings I give it. Also the logging on the Juniper is pretty poor so all I get is the below line. I haven't managed to work out how to switch on LDAP logging on the Notes servers either, as that could give me some more info:
Juniper log reads:
"Login failed using auth server Domino1. Reason: Failed"
I've been speaking to Juniper themselves on several occasions, but they seem to know little about this particular setup. It seems to me that I need a Notes guru rather than someone that knows the Juniper!
The main settings I can give the Juniper box are as follows:
Name: (friendly name)
LDAP Server: (tried both hostname & IP address although guessing it won't matter which I use)
LDAP Port: (the notes server is using 390 instead of 389)
LDAP Server Type: (drop down: Generic, Active Directory, iPlanet, Novell eDirectory - I've obviously been setting this to Generic)
Connection: (unencrypted or LDAPS - I'm guessing that LDAPS would only be used on port 636 for secure LDAP so I've set it as unencrypted)
Password: (Not sure if I need to fill out this section or not, and if I do exactly how to fill it out. Also if the adminDN field needs filling out, does it require an admin account or basic user?)
Finding user entries
Specify how to find a user entry
Base DN: example: dc=sales,dc=com (tried both dn & ou=uk,o=abc in this field)
Filter: example: cn=<USER> (You seem to have to put something=<USER> where <USER> is how the Juniper box expects the user name returned. That's my impression of how it works anyway! I've tried various things such as cn=<USER>, fullname=<USER>, uid=<USER> but nothing works)
I've not touched the following section yet as I have no idea how to fill it out:
Determining group membership
If group membership is NOT reflected as attributes of a user's entry, specify how to find group entries. Note that these are default settings that you can override on a per-group basis in the Server Catalog.
Base DN: example: dc=sales,dc=com
Filter: example: cn=<GROUPNAME>
Member Attribute: Attribute used to identify members of a static group
Query Attribute: Attribute used to determine members of a dynamic group
Nested Group Level: Maximum depth of nested group
Nested Group Search: Nested groups in Server Catalog (faster, but less flexible) / Search all nested groups (slower, but more flexible)
If this server will be used to authenticate users, select one of the following methods for binding.
Bind method: Simple bind / StartTLS bind (I've left it as 'Simple bind')
Many thanks in advance! Please let me know if more info is required.
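The appliance's "Finding user entries" settings describe a two-step flow: search the Base DN with the filter (with <USER> replaced by the login name) to find the user's entry, then simple-bind as that entry's DN with the supplied password. The following script, added here as an illustration and not part of the original post or of any Juniper or Domino documentation, reproduces that flow from a workstation so each step returns the LDAP server's own result code instead of the appliance's bare "Reason: Failed". It assumes the third-party `ldap3` library (pip install ldap3); the host, port 390, base DN "ou=uk,o=abc" and the filter template are taken from the post, and the username and password are placeholders. The <USER> substitution is escaped per RFC 4515 so characters such as `*` or `)` in a login name cannot change the meaning of the filter.

```python
"""Reproduce an SSL-VPN appliance's LDAP search-then-bind flow for diagnosis.

Added example (not from the original post). Assumes the third-party `ldap3`
library; host, credentials and DNs below are placeholders to be edited.
"""
import getpass
import sys

# RFC 4515 escaping for values substituted into a search filter.
# Backslash is handled first so the escapes it produces are not re-escaped.
_FILTER_ESCAPES = (
    ("\\", r"\5c"),
    ("*", r"\2a"),
    ("(", r"\28"),
    (")", r"\29"),
    ("\x00", r"\00"),
)


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter's structure."""
    for raw, esc in _FILTER_ESCAPES:
        value = value.replace(raw, esc)
    return value


def build_user_filter(template: str, username: str) -> str:
    """Expand an appliance-style template such as 'cn=<USER>' into a full filter."""
    expanded = template.replace("<USER>", escape_filter_value(username))
    # A standalone LDAP filter is parenthesised; the appliance form omits them.
    if not expanded.startswith("("):
        expanded = f"({expanded})"
    return expanded


def resolve_and_bind(host, port, base_dn, filter_template, username, password,
                     admin_dn=None, admin_password=None):
    """Search for the user's DN, then simple-bind as it. Returns a dict per stage."""
    from ldap3 import ALL, SUBTREE, Connection, Server  # third-party library

    server = Server(host, port=port, get_info=ALL)

    # Step 1: locate the entry. With admin_dn=None this is an anonymous bind,
    # which is what the appliance does when the Admin DN field is left empty.
    search_conn = Connection(server, user=admin_dn, password=admin_password)
    if not search_conn.bind():
        return {"stage": "search-bind", "ok": False,
                "detail": search_conn.result.get("description")}
    search_filter = build_user_filter(filter_template, username)
    search_conn.search(base_dn, search_filter, search_scope=SUBTREE, attributes=["cn"])
    entries = list(search_conn.entries)
    search_conn.unbind()
    if len(entries) != 1:
        # Zero hits: wrong base DN or filter attribute. Several hits: filter
        # too loose, and the appliance cannot choose which DN to bind as.
        return {"stage": "search", "ok": False, "filter": search_filter,
                "detail": f"{len(entries)} entries matched"}
    user_dn = entries[0].entry_dn

    # Step 2: prove the password by binding as the located DN.
    user_conn = Connection(server, user=user_dn, password=password)
    ok = user_conn.bind()
    detail = user_conn.result.get("description")
    user_conn.unbind()
    return {"stage": "user-bind", "ok": ok, "user_dn": user_dn, "detail": detail}


if __name__ == "__main__":
    # Placeholder host and login; port, base DN and filter follow the post.
    host = sys.argv[1] if len(sys.argv) > 1 else "domino1.example.invalid"
    login = sys.argv[2] if len(sys.argv) > 2 else "testuser"
    result = resolve_and_bind(host, 390, "ou=uk,o=abc", "cn=<USER>",
                              login, getpass.getpass("Password: "))
    print(result)
```

Run it as `python ldap_probe.py <domino-host> <login>` and read the `stage` and `detail` fields: a failure at "search" means the base DN or the attribute in the filter does not match what the directory actually exposes (compare against the attribute names shown by the LDAP browser), while "invalidCredentials" at "user-bind" means the entry was found but the directory rejected the password for that DN, which is a separate problem from the appliance configuration.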