11.2 Server Considerations

Before configuring the Novell NDS connector, install the latest version of the Novell NDS client on the WebMarshal server. The latest version is always freely available from Novell’s website (http://download.novell.com/).

11.2.1 Public Access

Experience with the version of NDS included with NetWare has shown the following:

11.2.1.1 NetWare 5.x:

By default the [Public] account can browse all users and groups in the tree (unless the NDS administrator locks down the site).

11.2.1.2 NetWare 6:

By default the [Public] account can get a list of user groups but cannot retrieve the members of the list; therefore, a user account is required to import users. Furthermore, the user group ‘description’ is only available if the chosen account is an administrator.

It is possible to broaden the [Public] access to an NDS tree by adding permission for the [Public] account to access the ‘Group Membership’ property. This is performed from the ‘Tree’ item in ConsoleOne.

11.2.2 Logon Access

If an account logon to the NDS tree is required, remember that the Windows Novell client logs on as a Windows user as well. This user can be either a local account in your NT user database or an NT domain user. Therefore each NDS user actually has a dual identity. Most sites resolve this by creating an NT account and an NDS account with the same name and password.

11.2.3 NDS Limitations

The NDS client allows only one NDS logon per logged-on NT user. This means, for example, that it is not possible to log on to NDS as ‘Bob’ and then run another application as ‘Bill’. By default, the WebMarshal engine service runs under the NT LocalSystem account. Because this is a different NT account from the one used by the interactive user, the engine should be free to log in as any NDS account that it chooses.

It is therefore not recommended that you change the account used by any of the WebMarshal services from the default of LocalSystem. Doing so could create a clash between the interactive user and the WebMarshal services (for example, when the interactive user logs out, the WebMarshal services might also be logged out of NDS).

11.2.4 NDS Name Conventions

By default NDS uses names as in the following example to refer to user and group objects in the tree:

CN=Bob.OU=Marketing.O=NewYork

WebMarshal also supports abbreviating this format to:

Bob.Marketing.NewYork

To convert from the shortened form back to the full form, WebMarshal uses the following rule: the leftmost component (up to the first period) is a CN=, the rightmost component is an O=, and everything in between is an OU=.
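
The positional rule above, as an added Python example (not WebMarshal's own code). The helper names `expand` and `abbreviate` are hypothetical, the sample names are constructed, and component values are assumed to contain no periods or `=` characters. `abbreviate` refuses any typed name that the rule would not restore exactly, such as an OU object, which would come back as a CN.

```python
import re

# One typed component such as "CN=Bob". Assumption: only the three types
# the page mentions (CN, OU, O) occur.
_TYPED = re.compile(r"^(CN|OU|O)=(.+)$", re.IGNORECASE)


def expand(name: str) -> str:
    """Expand 'Bob.Marketing.NewYork' to 'CN=Bob.OU=Marketing.O=NewYork'.

    A name that is already fully typed is returned unchanged.
    """
    parts = [p.strip() for p in name.strip().split(".")]
    if any(not p for p in parts):
        raise ValueError(f"empty component in {name!r}")
    typed = [bool(_TYPED.match(p)) for p in parts]
    if all(typed):
        return ".".join(parts)
    if any(typed) or any("=" in p for p in parts):
        raise ValueError(f"mixed or unknown component types in {name!r}")
    if len(parts) < 2:
        raise ValueError(f"need at least a CN and an O in {name!r}")
    # Positional rule: leftmost is CN, rightmost is O, the rest are OU.
    labels = ["CN"] + ["OU"] * (len(parts) - 2) + ["O"]
    return ".".join(f"{t}={v}" for t, v in zip(labels, parts))


def abbreviate(full: str) -> str:
    """Shorten a typed name only if expand() would restore it exactly."""
    values = []
    for part in full.strip().split("."):
        m = _TYPED.match(part.strip())
        if not m:
            raise ValueError(f"untyped component {part!r} in {full!r}")
        values.append(m.group(2))
    short = ".".join(values)
    # Compare case-insensitively so that 'cn=' and 'CN=' are treated alike.
    if expand(short).upper() != full.strip().upper():
        raise ValueError(f"{full!r} does not fit CN/OU/O order; keep the full form")
    return short


if __name__ == "__main__":
    # Constructed sample names.
    for sample in ("Bob.Marketing.NewYork", "Bob.NewYork"):
        print(sample, "->", expand(sample))
    print(abbreviate("CN=Bob.OU=Marketing.O=NewYork"))
```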

11.2.5 Importing NDS Groups

If you import a user group, WebMarshal will fetch the members of that group. If you import an organizational unit (OU) or context (O), WebMarshal will perform a directory search of all user accounts located in the tree under that object.

WebMarshal User Guide October 2023