Tuesday, September 18, 2007

WNA and Firefox

Where IE supports Windows Native Authentication more or less 'Out of the Box', Firefox does not. Here's how to enable Windows Native Authentication (WNA) in Firefox:
- type 'about:config' in the address bar
- navigate to the entry 'network.negotiate-auth.trusted-uris' (tip: set the search filter to "network.negotiate")
- enter the domains you want WNA to act upon, e.g. "home.local".
Multiple domains are separated by commas, e.g. "home.local,home.networked". Earlier releases indicate that a leading dot is required (e.g. ".home.local" instead of "home.local").

Wednesday, September 12, 2007

ldapbindssl

Trying to get password synchronisation from Active Directory to Oracle Internet Directory (OID) to work. The password filter is a bit hard to find ("CD 1 of the Application Server"); actually it is in the utils directory of this download.
Looks great, up to the part where I try ldapbindssl.
The first attempt resulted in

D:\>ldapbindssl -h idmhost -p 1636 -D cn=orcladmin -w welcome1
Connecting server in SSL Mode
Checking if SSL is enabled
SSL not enabled.
SSL being enabled...
Binding ...
Ldap bindERROR
System Error Code: 997
LDAP Error Code: 52
Error Message: Server Unavailable

I realized idmhost was not enough, and changed that to the fully qualified name. This changed the error codes returned:

D:\>ldapbindssl -h idmhost.home.local -p 1636 -D cn=orcladmin -w welcome1
Connecting server in SSL Mode
Checking if SSL is enabled
SSL not enabled.
SSL being enabled...
Binding ...
Ldap bindERROR
System Error Code: 1396
LDAP Error Code: 52
Error Message: Server Unavailable

Not very helpful at all. Searching the internet resulted in just one reference.

However, the System Error Codes are actually Microsoft Windows system error codes, so the 1396 error means
ERROR_WRONG_TARGET_NAME (Logon Failure: The target account name is incorrect).

And there is a note on that one (and a bug...): Metalink note 430907.1.

Unfortunately, the note just explains that you made a mistake in the Subject of your certificate; there is no example of how it should look. Created a new certificate (self-signed) with the subject cn=idmhost.home.local. Imported that, but now the error is:

D:\>ldapbindssl -h idmhost.home.local -p 1636 -D cn=orcladmin -w welcome1
Connecting server in SSL Mode
Checking if SSL is enabled
SSL not enabled.
SSL being enabled...
Binding ...
Ldap bindERROR
System Error Code: 1790
LDAP Error Code: 52

And error 1790 means ERROR_TRUST_FAILURE (Network logon failed)

Still have to figure that one out...
Edit: Apparently someone picked this up. I just read the note again, and it now says:
For Example, if the OID server hostname is "oid.oracle.com" then the SUBJECT attribute of the server certificate must also be "oid.oracle.com".
Edit: Managed to get things working; this is the condensed how-to:
On the OID server (the DN must carry the fully qualified hostname that clients will pass to -h):
- Create the wallet:

orapki wallet create -wallet ./ -auto_login

- Add the request:

orapki wallet add -wallet ./ -dn "cn=idmhost.home.local" -keysize 1024

- You can now export the request and have it signed by a CA:

orapki wallet export -wallet ./ -dn "cn=idmhost.home.local" -request ./idmhost.req

- Or simply self-sign the certificate in the wallet:

orapki wallet add -wallet ./ -dn "cn=idmhost.home.local" -keysize 1024 -self_signed -validity 3650

- Now, export the self-signed certificate:

orapki wallet export -wallet ./ -dn "cn=idmhost.home.local" -cert ./idmhost.cert
Get this certificate over to the MS Windows machine (I used cut-n-paste, and saved it in a .cer file), and use the certificate import wizard (double-click the .cer file).
After that, the test went OK:

D:\>ldapbindssl -h idmhost.home.local -p 1636 -D cn=orcladmin -w welcome1
Connecting server in SSL Mode
Checking if SSL is enabled
SSL not enabled.
SSL being enabled...
Binding ...
Bind Successful
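As an added diagnostic helper (not code from the original post), the script below decodes the System Error Code in an ldapbindssl transcript into its winerror.h name and checks the hostname passed to -h against the CN of the wallet DN, the two mismatches the post ran into. The wallet DN cn=idmhost.home.local and the trimmed transcripts are taken from the post; the mapping of 997 to ERROR_IO_PENDING comes from winerror.h and is not something the post states.

```python
import re

# Windows system error codes that ldapbindssl surfaces (values from winerror.h).
# 1396 and 1790 are the two the post decodes; 997 is ERROR_IO_PENDING.
WIN_ERRORS = {
    997: ("ERROR_IO_PENDING",
          "retry with the fully qualified hostname, as in the post's second attempt"),
    1396: ("ERROR_WRONG_TARGET_NAME",
           "certificate subject CN does not match the hostname passed to -h"),
    1790: ("ERROR_TRUST_FAILURE",
           "the Windows client does not trust the server certificate; import the exported cert"),
}

def cn_from_dn(dn):
    """Return the CN value of a wallet DN such as 'cn=idmhost.home.local'."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.lower() == "cn":
            return value.strip()
    raise ValueError("no CN in DN: %s" % dn)

def diagnose(transcript, wallet_dn):
    """Classify one ldapbindssl transcript against the DN the wallet was created with."""
    host = re.search(r"-h\s+(\S+)", transcript).group(1)
    result = {"host": host, "ok": "Bind Successful" in transcript, "findings": []}
    if result["ok"]:
        return result
    code = int(re.search(r"System Error Code:\s*(\d+)", transcript).group(1))
    name, hint = WIN_ERRORS.get(code, ("UNKNOWN", "look the value up in winerror.h"))
    result.update(code=code, name=name, hint=hint)
    expected_cn = cn_from_dn(wallet_dn)
    if "." not in host:
        result["findings"].append("hostname is not fully qualified")
    if host.lower() != expected_cn.lower():
        result["findings"].append("hostname differs from certificate CN %r" % expected_cn)
    return result

# Constructed transcripts, cut down to the lines the parser needs (codes as in the post;
# the -w password argument is left out).
ATTEMPT_SHORT = "D:\\>ldapbindssl -h idmhost -p 1636 -D cn=orcladmin\nSystem Error Code: 997"
ATTEMPT_FQDN = "D:\\>ldapbindssl -h idmhost.home.local -p 1636 -D cn=orcladmin\nSystem Error Code: 1396"
ATTEMPT_NEWCERT = "D:\\>ldapbindssl -h idmhost.home.local -p 1636 -D cn=orcladmin\nSystem Error Code: 1790"
ATTEMPT_OK = "D:\\>ldapbindssl -h idmhost.home.local -p 1636 -D cn=orcladmin\nBind Successful"

if __name__ == "__main__":
    for text in (ATTEMPT_SHORT, ATTEMPT_FQDN, ATTEMPT_NEWCERT, ATTEMPT_OK):
        print(diagnose(text, "cn=idmhost.home.local"))
```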