DeveloperNet Labs Compatibility Testing
Virtual Resources, NDS, and Security Test Procedures

Company: ____________________________________________________________
Product Name & Version: _____________________________________________
Tester: ________________________________ Phone: _____________________
Testing Date: _______________________________________________________

Instructions:
1. This testing procedure is for applications that access Novell Directory Services (NDS) through NDS APIs.
2. To view the complete testing procedures, tools and documentation, visit http://developer.novell.com/ndk/ctk/index.htm and download the Novell Software Test Tools or just the Docs.
3. For technical questions about this checklist, please call 1-800-REDWORD (1-800-733-9673).

Register Virtual Resources

1. If you have not yet done so, go to http://developer.novell.com/devres/ss/resource.htm and register the following virtual resources:
   • Static IPX/SPX socket numbers.
   • Service Advertising Protocol (SAP) identification numbers.
   • NetWare Core Protocol (NCP) extensions, identification numbers, and names.
   Ensure that each of the virtual resources listed above has a title letter.
   Pass:_____ Fail:_____ Comments/Exceptions:

2. If you have not yet done so, go to http://developer.novell.com/engsup/schreg2c.htm and register to get your NDS Schema extension prefix and associated ASN1 OID. If you already have an ASN1 OID assigned to your company, just register your prefix with Novell and we will store your OID along with your prefix in our database to avoid naming conflicts.
   ASN1 OID usage:
   Base ASN1 OID: 2.16.840.1.113719.2....
   Where: 2=Joint-iso-ccitt, 16=country, 840=US, 1=Organization, 113719=Novell, 2=External, =Your company's assigned number, T=Type where: 6=Class or 4=Attribute, =Your self assigned attribute or class number, =The version of your self assigned attribute or class.
   Ensure that each of the virtual resources listed above has a title letter.
   Pass:_____ Fail:_____ Comments/Exceptions:

3. Ensure that all NDS Schema extensions in your product use the company prefix that you have registered with DeveloperNet, and that they use the following naming convention:
   For example:
   Old format: NOVELL:New Attribute Name 1
   New format: novellNewAttributeName1
   NOTE: For NDS-LDAP compatibility, you should only use ASCII (single byte) alpha-numeric characters. The "-" (minus, dash, or hyphen) character can be used but is not recommended. Please use lower case for the company prefix, followed by the first letter of each word capitalized. The maximum length of a schema name is 32 characters. (See also RFC-2252)
   Pass:_____ Fail:_____ Comments/Exceptions:

4. Ensure that the naming convention for the following items incorporates the company prefix that DeveloperNet has assigned to your company:
   • NLM Names
   • Exported symbol names
   • Server screen names or
   • Console commands
   Pass:_____ Fail:_____ Comments/Exceptions:

Perform NDS Installation Test

1. Verify that the application can be installed in any container, not just the root. Verify that users other than ADMIN can install the application using ADMIN rights.
   a. Make note of the existing objects at the root of the NDS tree.
   b. Create a new container other than root.
   c. Create a new user with ADMIN rights.
   d. Log in as the new user.
   e. Install your application into the new container.
   f. Verify that the installation worked properly.
   g. Verify your application works normally.
   h. Verify no new objects were created in the NDS root.
   Pass:_____ Fail:_____ Comments/Exceptions:

2. Exit the application.

3. If the application extends the NDS schema and creates classes or attributes that reference (point to) objects in the NDS tree, do the following:
   a. Create an instance of the newly defined object class in an existing container, if it does not already exist.
   b. Create a new container object.
   c. Move the object referenced in the newly created class to the new container object using the NetWare Administrator utility.
   d. Use NetWare Administrator to verify that the object referenced in the newly created class indicates its new location.
   e. Restart the application.
   f. Verify that the application is able to use the object that was moved to the new container.
   g. Verify that all features of your application still function correctly.
   Pass:_____ Fail:_____ Comments/Exceptions:

Perform NDS API Usage Test

1. NDS applications (on NetWare 4.x/5.x servers) must not use bindery services. Examine your application's source code, using a utility such as Grep, to verify that none of the following bindery APIs are being used. The following are illegal APIs:
   • NWAddObjectToSet
   • NWChangeObjectPassword
   • NWChangeObjectSecurity
   • NWChangePropertySecurity
   • NWCloseBindery
   • NWCreateObject
   • NWCreateProperty
   • NWDeleteObject
   • NWDeleteObjectFromSet
   • NWDeleteProperty
   • NWDisallowObjectPassword
   • NWGetBinderyAccessLevel
   • NWGetObjectDiskSpaceLeft
   • NWGetObjectEffectiveRights
   • NWGetObjectID
   • NWGetObjectName
   • NWIsObjectInSet
   • NWOpenBindery
   • NWReadPropertyValue
   • NWRenameObject
   • NWScanObject
   • NWScanObjectTrusteePaths
   • NWScanProperty
   • NWVerifyObjectPassword
   • NWWritePropertyValue
   Pass: _____ Fail:_____ Comments/Exceptions:

2. Examine your source code and verify that you are not searching the entire NDS tree (i.e., NWDSSearch(context,"[Root]",2,...) ). Searches of the tree should be limited to small segments.
   Pass: _____ Fail:_____ Comments/Exceptions:

3. Examine your application's source code and verify that "compare" APIs such as NWDSCompare rather than "read" APIs (listed below) are being used wherever possible. The "read" APIs force a reference to the main NDS tree and adversely affect the performance of NDS.
   NWDSRead APIs include:
   • NWDSRead
   • NWDSReadAttrDef
   • NWDSReadClassDef
   • NWDSReadObjectDSIInfo
   • NWDSReadObjectInfo
   • NWDSReadReferences
   • NWDSReadSyntaxDef
   • NWDSReadSyntaxes
   Pass: _____ Fail:_____ Comments/Exceptions:

4. Verify that the application does not poll DS objects, but does use a registered event to signal an attribute change. Polling has a negative effect on performance. Examine your source code to see if you are checking periodically for a value change associated with an object in the NDS tree. If you are, then you need to modify your program to register for an event (NWDSERegisterForEvent) notification, signaling your application that the object has been modified. Not only does this benefit NDS, but it makes your program faster and simpler.
   Pass: _____ Fail:_____ Comments/Exceptions:

5. Verify that the application references the directory objects it creates. This is a requirement for an application to be truly NDS Aware. Examine your source code to verify that you are meeting this criterion.
   Pass: _____ Fail:_____ Comments/Exceptions:

6. Verify that the application does not duplicate information (i.e., maintain its own user list) already stored in NDS. It is better to leverage the data that already exists, improving the performance of your application and NDS. Examine your source code to see if you are meeting this criterion.
   Pass: _____ Fail:_____ Comments/Exceptions:

Perform NDS Authentication Test

1. Verify that the application authenticates exclusively through NDS. Examine your source code to see if you are meeting this criterion.
   Pass: _____ Fail:_____ Comments/Exceptions:

Perform Security Test

1. Inspect your code for any "back doors" that would enable access to the program's supervisory rights without logging in.
   Pass:_____ Fail:_____ Comments/Exceptions:

2. Inspect any NDS objects that your product creates/extends and verify that they do not pose a security threat to the system.
   Pass:_____ Fail:_____ Comments/Exceptions:

3. Verify that the application does not save NDS passwords, or leave the passwords in memory for any length of time.
   Pass:_____ Fail:_____ Comments/Exceptions:

4. If the product includes a user interface that enables access to files, NDS, etc., do the following:
   a. Create a user.
   b. Using NetWare Administrator, verify that the user you created does not have rights to the test server.
   c. Ensure that your product is unable to access the server's files and edit NDS or Bindery objects.
   Pass:_____ Fail:_____ Comments/Exceptions:

5. Verify that the application does not create or use an object at the root of the tree that might cause security issues, network administration difficulties, or inconvenience to users that have insufficient rights to the root of the NDS tree. This must be accomplished without reducing the security level of the NDS root, or employing object specific security rights at the root of the tree.
   a. Log in as a user without ADMIN rights.
   b. Start the application.
   c. Exercise all the features of the application, including such things as printing, opening, modifying and saving files; modifying configuration settings, and any other features that would access directory (NDS) information.
   Pass:_____ Fail:_____ Comments/Exceptions:

6. Security testing specifics differ from product to product. Robustly test the product and verify that your product does not threaten the security of the network in any way.
   Pass:_____ Fail:_____ Comments/Exceptions:

I verify that the above procedures have been completed and that the results are accurately displayed.

Name:__________________________ Date:____________

To submit the completed checklist for review please email to:
With "NDS Checklist - - " as the Subject
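
The source review in items 1 to 3 of the NDS API Usage Test can be scripted instead of run as separate Grep passes. The Python below is an added example, not part of the original checklist or any Novell tool; the audit function, the rule labels and the sample source are constructed for illustration, and "read" API hits are prompts for review against NWDSCompare rather than automatic failures.

```python
import re

# Bindery calls the checklist lists as illegal for NDS applications.
BINDERY_APIS = """
NWAddObjectToSet NWChangeObjectPassword NWChangeObjectSecurity
NWChangePropertySecurity NWCloseBindery NWCreateObject NWCreateProperty
NWDeleteObject NWDeleteObjectFromSet NWDeleteProperty NWDisallowObjectPassword
NWGetBinderyAccessLevel NWGetObjectDiskSpaceLeft NWGetObjectEffectiveRights
NWGetObjectID NWGetObjectName NWIsObjectInSet NWOpenBindery
NWReadPropertyValue NWRenameObject NWScanObject NWScanObjectTrusteePaths
NWScanProperty NWVerifyObjectPassword NWWritePropertyValue
""".split()
# "Read" calls the checklist asks to replace with NWDSCompare where possible.
READ_APIS = """
NWDSRead NWDSReadAttrDef NWDSReadClassDef NWDSReadObjectDSIInfo
NWDSReadObjectInfo NWDSReadReferences NWDSReadSyntaxDef NWDSReadSyntaxes
""".split()

CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
ROOT_SEARCH = re.compile(r'\bNWDSSearch\s*\([^;]*"(?i:\[Root\])"')
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)

def audit(source):
    """Return sorted (line, rule, name) findings for one C source text."""
    # Blank out comments but keep newlines so line numbers stay correct.
    code = COMMENTS.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)
    findings = []
    for m in CALL.finditer(code):
        name = m.group(1)
        line = code.count("\n", 0, m.start()) + 1
        if name in BINDERY_APIS:
            findings.append((line, "bindery-api", name))
        elif name in READ_APIS:
            findings.append((line, "read-api-review", name))
    for m in ROOT_SEARCH.finditer(code):
        line = code.count("\n", 0, m.start()) + 1
        findings.append((line, "whole-tree-search", "NWDSSearch"))
    return sorted(findings)

# Constructed sample source; argument lists are abbreviated, not real signatures.
SAMPLE = '''\
/* legacy: NWScanObject(conn, ...) was removed */
ccode = NWGetObjectID(conn, name, type, &id);
ccode = NWDSRead(context, objectName, outBuf);
ccode = NWDSSearch(context, "[Root]", 2, filter, outBuf);
ccode = NWDSSearch(context, "OU=Sales.O=Acme", 2, filter, outBuf);
'''
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Calls that appear only inside comments are ignored, and a search scoped to a container below the root is not reported.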
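
The schema naming rules in item 3 of Register Virtual Resources (lower-case company prefix, capitalized words, ASCII alphanumerics, 32-character limit) can be checked mechanically before a schema extension ships. The Python below is an added example, not part of the original checklist; the function names are hypothetical, and the capitalization rule is checked only for the first character after the prefix.

```python
import re

MAX_LEN = 32  # maximum schema name length stated in the checklist

def to_new_format(old_name):
    """Convert 'PREFIX:Some Attribute Name' to 'prefixSomeAttributeName'."""
    prefix, _, rest = old_name.partition(":")
    words = [w for w in re.split(r"[^A-Za-z0-9]+", rest) if w]
    return prefix.strip().lower() + "".join(w[0].upper() + w[1:] for w in words)

def check_name(name, prefix):
    """Return the convention problems for one schema name (empty list = pass)."""
    prefix = prefix.lower()
    problems = []
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters ({len(name)})")
    if not re.fullmatch(r"[A-Za-z0-9-]+", name):
        problems.append("contains characters other than ASCII letters, digits or '-'")
    elif "-" in name:
        problems.append("uses '-', which is allowed but not recommended")
    if not name.startswith(prefix):
        problems.append(f"does not start with the registered prefix '{prefix}'")
    elif not name[len(prefix):][:1].isupper():
        problems.append("first word after the prefix is not capitalized")
    return problems

if __name__ == "__main__":
    # Constructed names; only the first pair comes from the checklist's example.
    for candidate in ("NOVELL:New Attribute Name 1",
                      to_new_format("NOVELL:New Attribute Name 1"),
                      "novell-print-queue",
                      "novellAnAttributeNameThatRunsFarTooLong"):
        print(candidate, "->", check_name(candidate, "novell") or "pass")
```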