
Secure LDAP between Softerra and Novell NDS

April 22nd, 2009 | No Comments

Softerra LDAP Browser is a powerful tool for browsing servers that support LDAP. Using Softerra LDAP Browser against a Novell NDS over secure LDAP is a different story. A secure LDAP connection (LDAPS) wraps the LDAP session in SSL/TLS, normally on TCP port 636: the server presents an SSL certificate, and the client has to trust that certificate before the encrypted session is established.

I had to use my LDAP Browser to query a Novell NDS over a secure LDAP connection. After some searching, troubleshooting and cursing, I finally had a working setup. Here are the steps to perform this task:

  1. Download and install Netscape Communicator 4.8: I know what you are thinking, but you need this specific version to retrieve the SSL certificate from the NDS server in a form Softerra can use;
  2. Browse with Netscape to the NDS server: if the NDS server has the IP address 10.10.10.10 and secure LDAP is running on TCP port 636, browse to https://10.10.10.10:636 and accept the certificate. Before accepting, compare the fingerprint the browser shows with the one the NDS administrator gives you; the trust you store in the next step is only as good as this check;
  3. Retrieve the cert7.db and key3.db files from Netscape and copy them to Softerra: after accepting the certificate, Netscape writes the trust decision to two files in its profile directory, cert7.db and key3.db. In my situation the folder was %install directory%\Users\default\. Copy these two files to the install directory of Softerra LDAP Browser;
  4. Configure Softerra LDAP Browser: the last step is configuring Softerra LDAP Browser to connect to the NDS server over secure LDAP (host 10.10.10.10, port 636, SSL enabled). With the correct parameters the secure LDAP connection should come up and you are ready to browse;
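A present-day equivalent of steps 1 to 3, as an added example that is not part of the original post: instead of Netscape's cert7.db, the server certificate chain is fetched with OpenSSL, the leaf certificate's SHA-256 fingerprint is checked against a value obtained from the NDS administrator out of band, and only then is the pinned file handed to ldapsearch as the sole trusted CA. The host and port (10.10.10.10:636) come from the post; the bind DN, base DN and the expected fingerprint are placeholders, and openssl plus the OpenLDAP client tools are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): fetch, verify and pin an
# LDAPS server certificate with OpenSSL, then query the directory with
# ldapsearch using the pinned file as the only trust anchor.
# Assumptions: openssl and ldapsearch are installed; the NDS server is
# 10.10.10.10:636 as in the post; the expected fingerprint is obtained
# from the NDS administrator out of band, never from the same connection.

# Keep only the PEM certificate blocks from `openssl s_client -showcerts`
# output (stdin -> stdout). The leaf comes first, followed by any issuer
# certificates the server included in the handshake.
extract_pem_chain() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { p = 0 }'
}

# Fetch the chain over the network and store it as PEM.
fetch_server_cert() {   # fetch_server_cert HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | extract_pem_chain > "$3"
}

# SHA-256 fingerprint of the first certificate in a PEM file, in
# OpenSSL's colon-separated form (e.g. AB:CD:...).
cert_fingerprint() {    # cert_fingerprint PEMFILE
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Compare the file's fingerprint with the out-of-band value,
# case-insensitively. Returns 0 on match, 1 otherwise.
fingerprint_matches() { # fingerprint_matches PEMFILE EXPECTED
    actual=$(cert_fingerprint "$1" | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ "$actual" = "$expected" ]
}

# Fetch and pin: on a fingerprint mismatch the file is deleted so that a
# later ldaps_search cannot accidentally trust an unverified certificate.
pin_server_cert() {     # pin_server_cert HOST PORT EXPECTED_SHA256 OUTFILE
    fetch_server_cert "$1" "$2" "$4"
    if fingerprint_matches "$4" "$3"; then
        echo "pinned $1:$2 in $4"
    else
        echo "fingerprint mismatch for $1:$2; refusing to trust $4" >&2
        rm -f "$4"
        return 1
    fi
}

# Query over LDAPS. LDAPTLS_CACERT restricts the OpenLDAP client to the
# pinned file and LDAPTLS_REQCERT=demand makes a failed validation abort
# the connection instead of continuing unverified. -W prompts for the
# bind password so it does not end up in the shell history.
ldaps_search() {        # ldaps_search HOST PORT PEMFILE BINDDN BASEDN FILTER
    LDAPTLS_CACERT="$3" LDAPTLS_REQCERT=demand \
        ldapsearch -H "ldaps://$1:$2" -D "$4" -W -b "$5" "$6"
}

# Usage (placeholder DNs and fingerprint; not run when this file is sourced):
#   pin_server_cert 10.10.10.10 636 "$EXPECTED_FP" nds.pem && \
#   ldaps_search 10.10.10.10 636 nds.pem "cn=admin,o=example" "o=example" "(objectClass=*)"
```

If the server does not include its issuing CA certificate in the handshake, nds.pem contains only the leaf certificate, and the client may refuse to treat a non-self-signed leaf as a trust anchor; in that case export the directory's CA certificate, verify its fingerprint the same way, and pin that instead.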

802.1Q between Catalyst 3750 and PowerConnect 6226

April 3rd, 2009 | No Comments

Configuring an 802.1Q trunk isn't that difficult, but you need to know the command-line interface and the appropriate commands. Today I configured an 802.1Q trunk between a Cisco Catalyst 3750G and a Dell PowerConnect 6226; while doing so I played a little with the trunking options on the PowerConnect and noticed the following:

  • The Dell PowerConnect 6226 doesn't support configuring a native VLAN in switchport mode trunk.

To work around this, use the switchport mode general commands instead. I configured the 802.1Q connection on the Dell PowerConnect 6226 with the following commands:

interface ethernet 1/g24
description '802.1Q C3750G'
switchport mode general
switchport general pvid 10
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan remove 1
switchport general allowed vlan add 10 untagged
switchport general allowed vlan add 255 tagged
switchport general allowed vlan add 1128 tagged
switchport general allowed vlan add 1129 tagged
exit

The command no switchport general acceptable-frame-type tagged-only prevents the switch from discarding untagged frames at ingress; untagged frames are instead placed in the PVID, VLAN 10, which is what makes VLAN 10 behave as the native VLAN of this link. I configured the Cisco Catalyst 3750 with the following commands:

interface GigabitEthernet1/0/4
description 802.1Q DELL POWERCONNECT 6226
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10,255,1128,1129
switchport mode trunk
switchport nonegotiate
no ip address
no mdix auto
end

The above configuration works perfectly: frames from VLAN 10 are sent untagged over the link and all other VLANs are sent tagged. I guess it would be easier if the switch supported configuring a native VLAN in trunk mode. One caveat: carrying a VLAN that hosts actually use untagged on a trunk is the precondition for 802.1Q double-tagging (VLAN hopping) from access ports in that VLAN, so a dedicated, otherwise unused native VLAN (PVID on the Dell side) is the safer choice; switchport nonegotiate on the Cisco side, which disables DTP on the port, is already the right call.

Strange VPDN-GROUP behavior

April 1st, 2009 | 1 Comment

I noticed some strange behavior in a vpdn-group configuration on a Cisco 876 router. The router has the following vpdn-group configuration:

vpdn-group pptp-group
! Default PPTP VPDN group
description pptp vpn users
accept-dialin
protocol pptp
virtual-template 10

The configuration works perfectly and users can dial in using a PPTP connection. Backups of the configuration are made by Kiwi CatTools. Lately I noticed that the command l2tp tunnel receive-window 256 had been added to the configuration, as displayed below:

l2tp

Cisco has the following explanation for the command:

"Use the l2tp tunnel receive-window command to set the size of the advertised control channel receive window. The receive window size controls the number of L2TP control packets that can be queued by the system for processing. Increasing the size of the control channel receive window allows the system to open PPP sessions more quickly; a smaller size is desirable on networks that cannot handle large bursts of traffic..." (Source: Cisco documentation)

Two days later the command was gone again. I asked the network engineers whether they had made any changes to the configuration, but they hadn't. I looked at the configuration and tried to add the command myself, but I was not able to:

cisco-876(config)#vpdn-group pptp-group
cisco-876(config-vpdn)#l2tp tunnel receive-windows 256
^
% Invalid input detected at '^' marker.

cisco-876(config-vpdn)#

I searched a little further, and the command can only be added when the dial-in protocol is changed from pptp to l2tp. Looking at the configuration above, you can clearly see that the dial-in protocol pptp is configured and yet the l2tp command was added.

I cannot explain this behavior. I hope some of you can...