S 3.30 Training on the use of Novell eDirectory client software
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Supervisor, Head of IT
For use on an intranet, eDirectory is installed on one server or, more usually, on several. The users and user groups defined in eDirectory can then access the directory service through suitable eDirectory client software, within the limits of the rights assigned to them in the directory.
With some types of client software, access to eDirectory is transparent to the user, and no eDirectory-specific training is needed. If, however, the client requires the user to authenticate to eDirectory, as Novell Client for Windows does, users must be trained in at least the following subjects:
- Function and use of the relevant login mechanism
- Use of passwords
- Use of SSL authentication with user certificate or password
If an LDAP client is used that lets users browse the hierarchical directory tree or formulate their own search queries at the level of LDAP attributes, training must additionally cover:
- eDirectory information model
- Efficient wording of search queries
In addition to the general directory service clients (Novell Client for Windows and libraries for UNIX operating systems), there is a second class of eDirectory client applications intended specifically for user administration in IT environments, including heterogeneous ones: the Novell Account Management module. These applications hook into the login procedure of the respective operating system and thus take over user authentication. NDS AS (NDS Authentication Service) is also available for a number of platforms (Linux, FreeBSD, HP-UX, MVS, OS/390, Solaris); it requires Netware version 5.0 with SP 4A or later.
Authentication is a central aspect of operating eDirectory securely. From the directory service's point of view, it must be ensured not only that the client authenticates to the system but also that the user authenticates to the client. After successful authentication, eDirectory grants access to all objects and services the user is permitted to use without further prompting (so-called background authentication); this is how single sign-on is implemented.
Authentication therefore proceeds as follows. The user enters his/her user name in the Novell client, which forwards it directly to eDirectory. eDirectory looks up the private key belonging to that user in the directory and encrypts it; both the user's password and a secret supplied by the client enter into this encryption. The encrypted private key is returned to the requesting client. Only now is the user prompted for his/her password, which is entered into the client. Using this password and the client secret, the client decrypts the private key and holds it in working memory. With this private key and its public counterpart (the certificate), the actual authentication to eDirectory then takes place by means of a challenge-response procedure. If it succeeds, the user is logged in and the private key is erased from the client's working memory.
Outwardly, therefore, the scheme looks like ordinary password-based authentication; internally it rests on asymmetric cryptography. Note that, in the sequence described, the password itself is not transmitted to the directory: it is used only locally to unlock the private key, and what the directory verifies is proof of possession of that key.
The security of the data held on eDirectory servers therefore also depends to a large extent on users handling these mechanisms correctly. Users of eDirectory client software should be trained accordingly.
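The following is an added example that models the login sequence described above with both sides of the exchange; it is not Novell's code and does not reproduce eDirectory's actual wire format or algorithms. It assumes (none of this is stated on the page) that the user key is an RSA key pair, that the wrapping key is derived with PBKDF2 and HMAC-SHA256 from the password and the client secret, that an HMAC counter keystream stands in for a real cipher, and that key sizes are kept small for speed. The names Directory, Client, login_request, challenge and verify are invented for the illustration.

```python
"""Model of the eDirectory login flow: wrapped private key, unwrap with
password + client secret, challenge-response, then discard the key.
Added example with assumed primitives, not Novell code."""
import hashlib
import hmac
import secrets

KEY_BITS = 1024          # assumption: toy modulus size so key generation is fast
PBKDF2_ROUNDS = 50_000   # assumption: any slow password hash would do


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with a trial-division prefilter (stdlib-only RSA)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_rsa_keypair(bits: int = KEY_BITS):
    """Return ((n, e), d). Textbook RSA without padding, for illustration only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:   # gcd(e, phi) == 1
            break
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (stand-in for a real cipher)."""
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def _password_key(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


def _wrap_key(pw_key: bytes, client_secret: bytes) -> bytes:
    """Page: both the password and a client secret go into the wrapping key."""
    return hmac.new(pw_key, client_secret, hashlib.sha256).digest()


class Directory:
    """eDirectory side: holds each user's key pair and a password-derived secret."""

    def __init__(self):
        self.users, self.pending = {}, {}

    def add_user(self, name: str, password: bytes) -> None:
        pub, priv = generate_rsa_keypair()
        salt = secrets.token_bytes(16)
        self.users[name] = dict(pub=pub, priv=priv, salt=salt,
                                pw_key=_password_key(password, salt))

    def login_request(self, name: str, client_secret: bytes):
        """Step 1: user name arrives; hand back the private key in wrapped form."""
        u = self.users[name]
        wrapped = _keystream_xor(_wrap_key(u["pw_key"], client_secret),
                                 u["priv"].to_bytes(KEY_BITS // 8, "big"))
        return u["pub"], u["salt"], wrapped

    def challenge(self, name: str) -> bytes:
        """Step 3: fresh nonce the client must sign with the unwrapped key."""
        self.pending[name] = secrets.token_bytes(32)
        return self.pending[name]

    def verify(self, name: str, response: int) -> bool:
        """Step 4: check the response against the user's public key."""
        n, e = self.users[name]["pub"]
        nonce = self.pending.pop(name, None)
        if nonce is None:
            return False
        return pow(response, e, n) == int.from_bytes(hashlib.sha256(nonce).digest(), "big")


class Client:
    """Novell-client side: the private key exists only transiently in memory."""

    def login(self, directory: Directory, name: str, password: bytes) -> bool:
        client_secret = secrets.token_bytes(16)
        pub, salt, wrapped = directory.login_request(name, client_secret)
        # Step 2: the password is entered only now and never leaves the client.
        wrap = _wrap_key(_password_key(password, salt), client_secret)
        priv = int.from_bytes(_keystream_xor(wrap, wrapped), "big")
        n, _ = pub
        nonce = directory.challenge(name)
        response = pow(int.from_bytes(hashlib.sha256(nonce).digest(), "big"), priv, n)
        ok = directory.verify(name, response)
        del priv  # page: the private key is removed from working memory after login
        return ok


if __name__ == "__main__":
    d = Directory()
    d.add_user("alice", b"correct horse battery")   # constructed sample user
    print("good password:", Client().login(d, "alice", b"correct horse battery"))
    print("bad password: ", Client().login(d, "alice", b"wrong"))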
Security mechanisms from the user's perspective
In terms of using eDirectory client software, users can be relieved of many of the security-related set-up work through appropriate preliminary work and definition of default settings by the administrator. Such an approach is imperative if clients are to be configured in a manner that is uniform and can be checked. Nevertheless, some security-related settings have to be made by users themselves. These normally include rights of access to a user's own files and directories at operating system level. Rights of access to files with eDirectory resources can only be directly administrated for file servers based on the Netware operating system. Access rights to files on other platforms can be administrated indirectly via the organisational roles.
Training course content
The key points set out below summarise the subjects that need to be covered in training courses. The application scenario should be considered when selecting the course contents.
- Function and use of the relevant login mechanism
- Use of passwords
- Use of SSL authentication with user certificate or password
- eDirectory information model
- Efficient wording of search queries
- Basic knowledge of the underlying operating systems and their security configuration
- Secure deletion of files (see also e.g. S 4.56 Secure deletion under Windows operating systems).
Review questions:
- User authentication for the eDirectory required: Are users trained in eDirectory?
- If users can assign rights of access to their own directory objects, have they been trained in the necessary policies and mechanisms?