FEATURE
The Cross-Platform Challenge

August 21, 2000

By Greg Shipley and Kevin Novak

Single sign-on. Unified, cross-platform, enterprise-class directory services. Lowering total cost of ownership through a centralized cross-platform authentication system. One login, one password, all platforms.

You've heard talk about these concepts. You've read the propaganda put out by the vendors' marketing machines. And chances are, if you are running a large heterogeneous environment, you may even have begun to look into some of these solutions out of sheer necessity. But do any of them work?

Over the past four months, Network Computing has taken the plunge to investigate one vendor's vision: Novell's. While it's a gross understatement to say that Novell has taken a beating over the past decade, the vendor can still boast of having the largest directory-service deployment in existence. At the core of Novell's directory-service offering is NDS, a technology that has always been bundled exclusively with the NetWare operating system. That is, until now. Novell has breached the multiplatform boundary, embracing not only Microsoft Windows NT, but now Linux and Sun Microsystems Solaris as well, with other platforms being supported in the near future.

To the company's credit, Novell appears finally to be getting it and is traveling down a new path. However, Novell's track record with noncore technology is far from stellar--anyone familiar with its pathetically slow migration to IP knows this all too well. Even so, we set out to test Novell's claims that NDS is no longer just for NetWare--and test we did.

Our goal was simple: to create in our Chicago lab a distributed, redundant, multiplatform authentication environment in which users of Linux, Solaris and Windows workstations could log in using a single authentication data source. Simple in theory, but far from simple in practice.
After overcoming several stumbling blocks and getting around Novell's lack of support for Linux and Solaris, we found the product actually lived up to its promises. Given some time and quite a bit more support, NDS actually has the potential to put Novell back in the workplace, including some new areas it hasn't penetrated previously. (NDS eDirectory also impressed us earlier in the year, capturing our Well-Connected award as the top enterprise directory service.)

Navigating Through the Land of Confusion

Our first challenge was to figure out exactly what products were needed to get everything working. As silly as this may sound, it was not an easy task. Fortunately, we got a head start when we performed our Linux testing earlier this year (see "The Linux Challenge"). We knew that we needed two fundamental components:
We don't normally take it upon ourselves to elaborate on vendors' product descriptions (the vendors usually have that covered), but in this case we'll make an exception. For the record, Novell offers three core multiplatform products:

NDS eDirectory lets companies store actual copies of the NDS directory database on multiple platforms. In years past, NDS could be used by other platforms (including Microsoft Windows), but the actual back-end directory (where user names and passwords, among other things, are stored) had to reside only on NetWare-based servers. NDS eDirectory removes the necessity of the NetWare component by finally giving NDS the necessary foundation to exist on other platforms. NDS eDirectory is supported on a variety of systems, including NetWare, Red Hat Linux, Sun Microsystems Solaris, and Microsoft Windows 2000 and Windows NT 4. The product is further enhanced by its integration of LDAP over SSL (Secure Sockets Layer) and PKCS (Public Key Cryptography Standards) for secure communications both internally and externally over the Internet.

NDS Corporate Edition provides the components that replace or augment the native authentication mechanisms found on the various alternative platforms. On Linux and Solaris, for example, it installs the necessary PAM (Pluggable Authentication Modules) components needed to let Solaris and Linux use NDS as their back-end authentication source (as opposed to /etc/passwd and /etc/shadow). NDS Corporate Edition provides this functionality via a component it calls UAM (User Authentication Module)/Redirection. In addition to the UAM components, NDS Corporate Edition also includes the components of the eDirectory package, so you can place NDS itself on multiple platforms (NetWare, Red Hat Linux, Solaris, and Windows 2000 and NT).

All NDS administration is then performed through ConsoleOne, NWAdmin, NDS Manager and an assortment of other utilities specific to each platform.
In theory, ConsoleOne should handle all administration chores, but you also must use other tools because not all of ConsoleOne is rock solid as of yet (for more on ConsoleOne and other NDS-speak, see our glossary).

Novell SSO removes the necessity for users to log in every time a secure resource is requested. Through the use of a "secret store," SSO stores and automatically retrieves frequently used passwords when requested. Passwords in the secret store are secured using 3DES encryption. Once a user authenticates to NDS, all requests for authentication are routed to NDS automatically and approved or disapproved behind the scenes--the user doesn't have to retype his or her user name or password. Whether using a Web resource, a mainframe application or a corporate database, users are authenticated to their resources automatically.

Based on our goals, we determined the NDS Corporate Edition would satisfy our needs. Note that we cover only NDS Corporate Edition here, as it incorporates the eDirectory product as well.

We began our testing by creating four autonomous environments.

The Windows NT 4 environment comprised one PDC (primary domain controller), one BDC (backup domain controller), one Windows 2000 server, one Windows NT 4.0 member server and one Windows 98 machine.

The Linux environment comprised several Red Hat Linux 6.2-based workstations, each with its own local set of users. We decided not to use NIS (Network Information Services), which would have complicated things without providing any benefit.

The Solaris environment was similar to Linux's: It comprised several Solaris 8 servers, which also maintained their own individual user-name and password combinations.

Finally, we created a NetWare environment comprising one basic NetWare 5.1 server with the minimal selection of installed packages and an assortment of Windows-based machines with the NetWare client installed: one Windows 98, one Windows NT server and one Windows NT workstation.
Once we confirmed that all systems were operational within their contained environments, we began our transformation.
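
The PAM redirection described above changes which modules sit in each host's auth stack, so a useful check after such a conversion is to see whether local password files still authenticate alongside the directory. The Python below is an added example, not code from the article or from Novell; it parses both the Linux `/etc/pam.d/<service>` layout and the Solaris `/etc/pam.conf` layout. The sample configurations are constructed, and `pam_directory` is a hypothetical module name standing in for the vendor's directory-backed module.

```python
import posixpath

# Constructed sample configs. "pam_directory" is a hypothetical name for a
# directory-backed PAM module; it is not the vendor's real module name.
LINUX_PAM_D_LOGIN = """\
#%PAM-1.0
auth     required    /lib/security/pam_securetty.so
auth     sufficient  /lib/security/pam_directory.so
auth     required    /lib/security/pam_pwdb.so shadow use_first_pass
account  required    /lib/security/pam_pwdb.so
"""
SOLARIS_PAM_CONF = """\
# service  type  control  module-path  [args]
login  auth  sufficient  /usr/lib/security/pam_directory.so.1
login  auth  required    /usr/lib/security/pam_unix.so.1 try_first_pass
other  auth  required    /usr/lib/security/pam_unix.so.1
"""

# Modules that check /etc/passwd and /etc/shadow on the local host.
LOCAL_MODULES = {"pam_unix", "pam_pwdb"}


def parse_pam(text, service=None):
    """Return (service, type, control, module, args) tuples.

    service=None parses the Solaris /etc/pam.conf layout, where the service
    is the first column; otherwise text is one Linux /etc/pam.d/<service> file.
    """
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if service is not None:
            fields.insert(0, service)
        if len(fields) < 4:
            continue
        svc, mtype, control, path = fields[:4]
        module = posixpath.basename(path).split(".so")[0]
        entries.append((svc, mtype, control, module, fields[4:]))
    return entries


def classify(entries, service, directory_module):
    """Say where the service's auth stack gets its credentials from."""
    stack = [m for s, t, _, m, _ in entries if s == service and t == "auth"]
    if directory_module not in stack:
        return "local-only"
    if any(m in LOCAL_MODULES for m in stack):
        return "directory-with-local-fallback"
    return "directory-only"


if __name__ == "__main__":
    linux = parse_pam(LINUX_PAM_D_LOGIN, service="login")
    solaris = parse_pam(SOLARIS_PAM_CONF)
    print("linux login:", classify(linux, "login", "pam_directory"))
    for svc in ("login", "other"):
        print("solaris", svc + ":", classify(solaris, svc, "pam_directory"))
```

A "directory-with-local-fallback" result means a password in the host's own /etc/shadow can still authenticate when the directory module does not succeed, so leftover local accounts need the same lifecycle controls as directory accounts.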






