Border Manager Authentication with Linux

Getting a Linux server or workstation to work nicely with Novell's Border Manager can be very difficult. Novell have recently brought out a version of their clntrust.exe application for Linux workstations (available in Border Manager 3.8 SP4), but this requires Gnome and the Novell Linux Client. If you are running a server (or use a Linux distro that Novell does not support), meeting these requirements can be difficult. Fortunately there is cl4others, which authenticates to the Border Manager through simple command-line instructions in a far more flexible manner. Documentation for cl4others is pretty sparse, so I have written this little tutorial on how to get it set up and running.

This solution is really intended for servers where shell access by normal users is limited, as Border Manager authentication is not handled on a per-user basis. For web and file servers such a setup is fine, but if you require per-user authentication to the Border Manager you should probably look at the Gnome/Netware Linux Client/clntrust stack from Novell.

NOTE: For instructions 1-9 you will need to have root privileges.

1. Install ncp for your distribution.
The easiest way to find the rpm is through rpmfind or if you are running SuSE you will find ftp.suse.com has an rpm for your specific version.

2. Extract the cl4others x86 binary and copy it to /usr/bin.
Make sure its permissions are set so that it can be executed by non-root users.

chmod a+x /usr/bin/cl4others

3. Make a directory in /mnt called bordermanager so that you can mount the volume to it.

4. Edit /etc/fstab and add the following entry: (all on one line)

NW_SERVER/NW_USER /mnt/bordermanager ncp defaults,ro,mode=400,uid=root,gid=root,owner=root,ipserver=NW_SERVERIP,passwdfile=/root/.ncppasswd,multiple 0 0

Replace the following with your network details:
NW_SERVER = Netware BorderManager server name
NW_SERVERIP = Netware BorderManager IP/DNS name
NW_USER = Netware user you will be accessing the proxy as

This mounts the Border Manager volume read-only, with all files owned by root and read access granted only to root. This means that if one of your server accounts (other than root) gets compromised, your Border Manager files will be safe and away from prying eyes.

NOTE: In order for cl4others to work you must have read access to the BorderManager SYS volume. Remember to set a Border Manager access rule for the user you are attempting to access the Internet as.

5. Now create a file for storing the login password to the server:

pico /root/.ncppasswd

Add the following entry:

NW_SERVER/NW_USER:Your Password

Change the file so that it can only be read by root:

chmod og-rwx /root/.ncppasswd

6. Mount the Border Manager volume:

mount /mnt/bordermanager

(This should mount the SYS volume of the BM server.)

7. If you have a firewall running you will need to open port 3024 for UDP traffic.
For SuSE, edit /etc/sysconfig/SuSEfirewall2 and add an entry:

FW_SERVICES_EXT_UDP="3024"

Restart the firewall, for SuSE:

rcSuSEfirewall2 restart

8. Now as root start cl4others (I have had mixed results starting it as any other user).

cl4others /mnt/bordermanager &

9. Set up the proxy with YaST. You don't need to specify a user; just point the proxy setting at the URL of the proxy server and save the changes. For them to take effect you will need to log out of the console and log back in again.

You should be able to access websites now through the Border Manager proxy with any of the Linux accounts.

10. Test it by downloading a file:

wget http://www.stress-free.co.nz/sites/default/files/images/whichdoctor.jpg

Hopefully if everything works correctly you should be authenticating and using your Border Manager proxy with Linux.
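
A sanity check for steps 4 and 5, as an added example that is not part of the original tutorial: it verifies that an ncp fstab entry carries the read-only, root-only options and that the password file is closed to group and other. The function names are hypothetical; write_passwd_file is an alternative to the editor-then-chmod sequence that creates the file under a restrictive umask, so it is never readable by other accounts.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Paths and option names are
# the ones used in steps 4 and 5; function names are hypothetical.

# has_opt OPTIONS NAME: succeed if NAME is one whole comma-separated option.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# check_fstab_line LINE: report hardening options missing from an ncp entry.
check_fstab_line() {
    set -f; set -- $1; set +f        # split into fstab fields without globbing
    fs_type=$3 fs_opts=$4 fs_rc=0
    [ "$fs_type" = "ncp" ] || { echo "not an ncp entry"; return 2; }
    for fs_want in ro mode=400 uid=root gid=root; do
        has_opt "$fs_opts" "$fs_want" || { echo "missing option: $fs_want"; fs_rc=1; }
    done
    case ",$fs_opts" in
        *,passwdfile=/*) ;;
        *) echo "missing option: passwdfile=/absolute/path"; fs_rc=1 ;;
    esac
    return $fs_rc
}

# write_passwd_file PATH ENTRY: create the file under umask 077 so it is never
# readable by group/other, even briefly (the subshell keeps the caller's umask).
write_passwd_file() {
    ( umask 077 && rm -f -- "$1" && printf '%s\n' "$2" > "$1" )
}

# check_passwd_file PATH [UID]: fail if group/other have any access, or if the
# numeric owner is not UID (default 0, i.e. root).
check_passwd_file() {
    pf_path=$1 pf_uid=${2:-0} pf_rc=0
    [ -f "$pf_path" ] || { echo "missing: $pf_path"; return 2; }
    set -f; set -- $(ls -ldn -- "$pf_path"); set +f   # mode links uid gid ...
    case "$1" in
        ????------*) ;;
        *) echo "group/other can access $pf_path ($1)"; pf_rc=1 ;;
    esac
    [ "$3" = "$pf_uid" ] || { echo "owner uid is $3, expected $pf_uid"; pf_rc=1; }
    return $pf_rc
}

# Constructed sample: the fstab entry from step 4 with its placeholders intact.
SAMPLE='NW_SERVER/NW_USER /mnt/bordermanager ncp defaults,ro,mode=400,uid=root,gid=root,owner=root,ipserver=NW_SERVERIP,passwdfile=/root/.ncppasswd,multiple 0 0'
check_fstab_line "$SAMPLE" && echo "fstab entry OK"
```

After step 5, running check_passwd_file /root/.ncppasswd as root confirms the file matches what the fstab entry expects.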