--- Sjoerd Hooft's InFormation Technology ---

This shows you the differences between two versions of the page.

novellclientinstall [2013/05/12 09:50] (current)
sjoerd created
Line 1: Line 1:
 += Novell Client Install =
 +This article will tell you how you can create a custom Novell client setup, and will tell you how you can adjust the environment to support that new setup. This is including:
 +* Contextless login
 +* Using DHCP to get the tree and server information
 +* Using the Novell Client Installation Manager to create the final custom install
 +* Rollout
 +At the end of the article there will be some extra remarks about the use of a dynamic local user, SLP settings and extra login information you might find useful to fully understand the login process.
 +All these steps are tested on netware 6.5.5, eDirectory and the Novell client 4.91.4.
 +== The Obvious First Step ==
 +Is to get the latest Novell client software from the [[http://​​|Novell website]]. Extract the software and install it. Don't delete the extracted files, you'll need them later on.
 +== Contextless Login ==
 +[[http://​​documentation/​noclienu/​noclienu/​index.html?​page=/​documentation/​noclienu/​noclienu/​data/​ahpxzr7.html|Novell documentation]] ​
 +=== Prepare eDirectory ===
 +In order to be able to login contextless you need to be able to search the tree for your user account. Although this can be accomplished by using the [PUBLIC] object this has the disadvantage that the rights flow through to all users. It's better to use a proxy account which can be used in the same way but without the mentioned disadvantage. An anonymous proxy user gives you a few extra key features:
 +* All LDAP client access through anonymous binds is assigned through the proxy user object.
 +* The proxy user must have a null password and must not have any password restrictions (such as password change intervals). Do not force the password to expire or allow the proxy user to change passwords.
 +* You can limit the locations that the proxy user can log in from by setting address restrictions for the proxy user object.
 +* The proxy user object must be created in eDirectory and assigned rights to the eDirectory objects you want to publish. The default user rights provide read access to a limited set of objects and attributes. Assign the proxy user read and search rights to all objects and attributes in each subtree where access is needed.
 +* The proxy user object must be enabled on the general page of the LDAP group object that configures LDAP services for eDirectory. Because of this, there is only one proxy user object for all servers in an LDAP group.
 +* You can grant a proxy user object rights to 'All Properties (default)'​ or '​Selected Properties'​. In order for contextless login or treeless login to work, the read right must be granted so that LDAP can search the container or tree for the User object. Typically, you assign the proxy user rights to the [ROOT] of the tree so that LDAP can view the attributes of the user objects throughout the tree. However, you might want to restrict access by assigning the read right only to individual organizational units that you want LDAP to search. ​
 +So, these steps include:
 +# Create a proxy user
 +# Assign rights to [ROOT] for that proxy user
 +# Setup the LDAP group object
 +==== Create a Proxy User ====
 +Don't forget to assign an empty (null) password: \\
 +{{proxyuserpassword.jpg}} \\
 +Setup your password policy for the proxy user like this: \\
 +{{proxyuserrestrictions.jpg}} \\
 +==== Assign Permissions to [ROOT] For Proxy User ====
 +Assign the correct rights for the proxy user: \\
 +{{proxyusertreerights.jpg}} \\
 +==== Setup the LDAP Group Object ====
 +Modify the LDAP Group to use the ldap proxy user: \\
 +{{proxyuserldapgroup.jpg}} \\
 +=== Prepare DNS ===
 +In the steps to come you'll have to tell the Novell client to use a LDAP server to perform your contextless login. To prepare for future server replacements we won't do that on IP address but with a nice DNS name. We won't go into detail about how to create a DNS record, you should know that and it depends on your DNS server.
 +You need two records if possible, in that case the novell client will continue with the second server if the first one is not available. Name your records like:
 +You could use both A records or CNAME records to do the job. CNAME should have your preference.
 +=== Novell Client Settings ===
 +Setup the Novell client to use LDAP contextless login by going to the properties of your installed Novell client (right click on the red N on your taskbar and select '​Novell Client Properties'​). Go to the 'LDAP Contextless Login' tab: \\
 +{{ldapcontextlesslogin1.jpg}} \\
 +Check '​Enable LDAP Contextless Login' and '​Enable LDAP Context Search Scope' and add a tree: \\
 +{{ldapcontextlesslogin2.jpg}} \\
 +You'll immediately receive a new screen to define your search scope. Notice that you'll need LDAP syntax: \\
 +{{ldapcontextlesslogin3.jpg}} \\
 +Then add a server. I only have one: \\
 +{{ldapcontextlesslogin4.jpg}} \\
 +And you'll immediately receive a new screen regarding the properties of the server. In most environments the defaults will do just fine: \\
 +{{ldapcontextlesslogin5.jpg}} \\
 +Finally you'll have to set the LDAP search settings. ONe you'll like is to allow wildcards, but the display and search options will vary in every environment and you'll have to edit them to your own needs: \\
 +{{ldapcontextlesslogin6.jpg}} \\
 +== DHCP usage ==
 +=== Preparations ===
 +Because we're doing a contextless login and not a treeless login it would be nice if we wouldn'​t have to fill in the tree name. DHCP has some options to do that for you. You have to add option 85 and 86 to your dhcp options: \\
 +{{dhcpoptionsserver.jpg}} \\
 +{{dhcpoptionstree.jpg}} \\
 +Depending on your version of netware and DHCP the server only reads the necessary information from eDirectory on startup. To be sure stop and start the DHCP service:
 +* unload dhcpsrvr
 +* load dhcpsrvr
 +The option
 +* load dhcpsrvr -d1 
 +turns on a background screen log of DHCP packets.
 +=== Novell Client Settings ===
 +Setup the Novell client to use these settings by going to the properties of your installed Novell client (right click on the red N on your taskbar and select '​Novell Client Properties'​). Go to the 'DHCP Settings'​ tab and check these items: \\
 +{{dhcpsettings.jpg}} \\
 +The binary data check tells the client that the server info delivered is an IP address. This will prevent some [[http://​​support/​php/​​cmd=displayKC&​docType=kc&​externalId=10088647&​sliceId=&​docTypeID=DT_TID_1_1&​dialogID=59769603&​stateId=0%200%2059771633|errors]].
 +== Novell Client Installation Manager ==
 +After you have [[http://​​|downloaded]] and installed the Novell Client and setup the previous settings it's finally time to create an unattend file to automate the setup on other workstations. To do so return to the extracted software you created in step one. Go to the admin folder and doubleclick the '​nciman.exe'​ utility: \\
 +{{nciman.jpg}} \\
 +To import the settings you created during the previous steps click the '​Import Registry'​ button. After that you can further enhance your installation. My recommendation would be to adjust at least these settings:
 +* Installation Setup
 +** Don't Display initial screen
 +** Accept license agreement
 +** Don't Create Windows System Restore Point
 +** Protocol IP only and remove IPX if present
 +** Install the NDPS Component
 +* Client
 +** Location Profiles -> Default -> Properties -> Properties
 +*** Adjust here which tabs should be shown and their default values
 +Of course there'​s more to adjust but that depends on your own preferences and your environment.
 +There is one more setting you can look into, the acu version. In case you change something in the settings of the Novell client but not in the software itself, you could change the acu version so the new settings get distributed as well: \\
 +{{acuversion.jpg}} \\
 +== Unattend File Example ==
 +!LoginServiceDWOn0="​Default","​Save On Exit"
 +!LoginServiceDWOn1="​Default","​Password Enable"​
 +!LoginServiceDWOff0="​Default\Tab1","​Clear Connections"​
 +!LoginServiceDWOn2="​Default\Tab2","​Login Script"​
 +!LoginServiceDWOff1="​Default\Tab2","​Display Results"​
 +!LoginServiceDWOn3="​Default\Tab2","​Close Results"​
 +!LoginServiceSZ3="​Default\Tab3","​Tab","​NT Credentials"​
 +NW_NWFS=NovellNetwareClientParameters,​ \$OEM$\NET\NTCLIENT\I386
 +== Rollout
 +You can rollout the custom install by editing the acu.ini file and then starting the acu.exe.
 +Acu.ini, adjust the first three settings:
 +; Novell ACU for Windows 2000/XP File
 +; Novell ACU INI File
 +;​VeRsIoN=v2.7 Novell ACU - Configuration INI
 +;​CoPyRiGhT=copyright 1999-2006, ​ by Novell, Inc. All rights reserved.
 +; Launch=Yes
 +; Specifies whether Setup is launched after acu.exe
 +; determines that the installation is necessary.
 +; Display=Yes
 +; Specifies whether users are prompted to begin the upgrade.
 +; Specifies whether a configuration (unattend) file is used
 +; and where it is located.
 +== Extra Information ==
 +[[http://​​documentation/​noclienu/​index.html|Novell Client Documentation]] \\
 +An other service which could be useful to adjust your login expercience - and your entire login experience - is SLP. SLP is too big to be included in this article, that's why I wrote a article specifically about it: [[slpedirectory]] \\
 +If you login on a windows workstation using the Novell client you are only logged into eDirectory. Not into the workstation itself. That's why you get a second login window, to login into windows. To prevent that from happening (the double login, that is) you could enable dynamic local user services. That is a ZENworks feature and is covered in this article: [[dynamiclocaluser]] \\
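Review bot: The "Assign Permissions to [ROOT] For Proxy User" step, and step 2 of the numbered list ("Assign rights to [ROOT] for that proxy user"), grant a null-password account read rights at the top of the tree, so every anonymous LDAP bind can read user objects tree-wide. The bullets above it already give the narrower options ("assigning the read right only to individual organizational units that you want LDAP to search", 'Selected Properties' instead of 'All Properties (default)', and address restrictions on the proxy user object). I would make those the documented procedure: grant read and search on the containers that hold users, limit it to the attributes contextless login searches on, and set address restrictions on the proxy user. Smaller points in the same revision: the "== Rollout" heading is missing its closing "==", "Name your records like:" is followed by no example names, the acu.ini listing shows only comment lines so the "first three settings" to adjust are not visible with values, and there are typos at "ONe you'll like" and "expercience".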
novellclientinstall.txt · Last modified: 2013/05/12 09:50 by sjoerd