iFolder Configuration

 

1/13/2006
Eric Low

iFolder is a feature of Netware that allows users with the iFolder client (or even with just a web browser) installed to access their files remotely and automatically synchronize them with the files that are ultimately stored on the server. There are various encryption algorithms in place to keep data secure, both during transmission and when stored on the user's local drive.

The iFolder Installation and Administration Guide can be found here.

I had selected to install iFolder in my initial Netware installation, so that part was already done. Otherwise, from X on the console, select Novell->Install->Add, then select Postinst.ni on the Products CD (mounted as a volume), select Clear All, then select the iFolder option and click Next and Copy Files.

To install the iFolder Client, browse to http://server.ip/iFolder and click on the Download link. If you do not have a client installed, you can also click Login from this screen to access your files.

Now, to configure the server side of iFolder, browse to https://server.ip/iFolderServer/Admin.

Under Global Policies -> Client Policies, if a policy is enforced or enabled, the user can see it but not change it. If it is not enabled, the user can change the setting for themselves. If a policy is hidden, the user cannot see it (and by default, that hidden policy is enforced).

I set the following options under Client Policies:

Encryption On Enforced Hidden
Save Password Off Enforced Hidden
Save Pass Phrase Off Enforced Hidden
Recover Pass Phrase On Enforced  
Automatic Sync On    
Conflict Bin 50MB    

The Password is what they use to log into iFolder, while the Pass Phrase is what they use to encrypt their files/filenames/directory names.

If I had chosen to disable encryption, all of the options relating to the Pass Phrase would be moot. Because iFolder traffic (from iFolder Client to iFolder Server) is always transferred via insecure HTTP port 80, file data is sent in the clear. Therefore, the only way to make iFolder transmit the data securely (outside of a tunnel, of course) is to turn on encryption. Doing so will cause the client to encrypt the data before it leaves the client, and decrypt downloaded data after it reaches the client. Of course, it also means that files are stored encrypted on the server but unencrypted on the client computer. This seems backwards to me, as they should really be encrypted on the client's local drive more than anything. Who cares if they are encrypted on the server, as long as you already have the appropriate security measures in place?? Nonetheless, I had to enable encryption to prevent snooping.

I did not want any of my users to be able to save the password or pass phrase on their local computer. Security means typing it each and every time. I also wanted to be able to look up their pass phrase should the need arise, so I made sure to turn that on and enforce it. I left all other options at the default. I then saved the options by clicking on the Update Client Policy button.

Next, I clicked on Update Security Pass Phrase button, and typed in a pass phrase. I'm not sure what happens if you don't set it, but I made sure to set it to something long and secure. This pass phrase is used to look up an individual user's pass phrase, by going to the User Management section of the iFolder Management Console and clicking the Recover iFolder User Pass Phrase button down at the bottom. The Conflict Bin holds files being used locally that are concurrently overwritten or deleted on the server. The bigger this is, the better, since it provides a good temporary backup of data.

** Note that if Encryption is checked here, the users can encrypt files in their iFolder server storage space, but they are also stored encrypted on the server - and as the administrator, you may not be able to break that encryption!

Next, I went to Server Policies and set the space quota and timeout. I left the client space quota at the default of 200MB but turned the timeout down to 30 minutes. I left Debug Output checked, for now.

Under Admin Names, I added the users that I wanted to be able to adminster iFolder. By default, the admin account is the only one there. I left the admin name in there and also typed in a couple other users who should be able to administer this. Neither a Group or an Organizational Role seemed to work here! Members were still not allowed to log into the iFolder Manager. Seperate the user names by semicolons but no spaces, and leave out any context info (they must all be in the same context as the server).

Next, I clicked on iFolder Servers to check what was there. I clicked on iFolder_server01 (default) and tried clearing the Port box, so that only the Secure Port (443) would exist, but it gave me a "Required field has been left empty !" error. I'm not sure why you can't clear that (because who likes anything to be unsecure??), but you can't. I then left the defaults, which looked like the following:

iFolder_server01 (Default)s3.datastat.com (80,443)

 

Now to add users. If you click on User LDAP's (under Global Settings), you will simply see the account that iFolder uses to access LDAP (or, to put it another way, the LDAP servers that you have identified to iFolder). The only user that is in there to start should be the default, iFolder_ldap01. This is not where you want to add iFolder users though.

If you click on User Management -> Add, it will create an entirely new user account in eDirectory and automatically enable that account for iFolder.

If a user already has an existing account in eDirectory, click on User Management -> Search and enter the user name that you are looking for (or, just leave the text box blank and click Search to display all users in the server context). Click on the username, then click Enable. If you were to look a the user's properties in NDS after that, they would have an iFolderServerName attribute (the value of which may be *, which means that they can use any iFolder server that exists in NDS; otherwise, it should be the actual NDS name of the iFolder Server Object) as well an iFolderUser entry under the Object Class Attribute.

According to the Novell iFolder admin guide, adding a user through iFolder Manager does the following things:

Adding a new user through the iFolder Management Console accomplishes the following tasks:

* It creates a User object in your LDAP directory and creates the corresponding user account.
* It adds the iFolderServerName and iFolderQuota attributes to the new User object. Because these attributes are iFolder-specific, you must manage them through the iFolder Management Console. All other attributes associated with the user account object must be managed through your LDAP directory's management tool.
* It automatically enables the use of iFolder services for that user account; you do not need to manually enable the new user account for iFolder services. The iFolder user account gets created and activated the first time this user logs in to the iFolder server.
* It lets you assign the new user to the Default iFolder Server. Whatever iFolder server you have specified as the default server at the time of the user's initial login becomes the user's assigned server.
* Typically, the Default iFolder Server is the first server that you installed iFolder on unless you manually changed this. To change your default server name, go to the Global Settings task of the iFolder Management Console, then click iFolder Servers. For instructions, see Managing iFolder Servers.

If a user is not set up from here (assuming that they already exist in eDirectory), it will let them log into NetStorage on the web, but they will be unable to see anything or perform any real functions. When they try to log in through the iFolder Client, it will say that they have an Invalid Password.

Once a user is enabled for iFolder, they must activate the account through iFolder Client. To install the iFolder Client, browse to http://server.ip/iFolder and click on the Download link. When you install the iFolder Client, it installs to C:\Program Files\Novell\iFolder by default.

If the user logs in through the iFolder Client, the first thing it will do is prompt them for the folder on the local drive that will be used to store the local copy of synchronized files. It will then ask if they wish those files to be encrypted, although the box will be greyed out if you configured that option as enforced). Next, it will ask for a password (and hint) for the encryption (the files, file names and directory names are all encrypted). It will then let the user select whether to Enable pass phrase recovery option, if you did not enforce that. Granted, if Pass Phrase Recovery is enabled, the user's pass phrase will be stored on the server, encrypted but decryptable; I feel that this should always be enabled, though, because of the simple fact that you are the administrator and should not have files stored on the system that you cannot read or break!

Now, the user is activated (although they may have been activated the moment they first logged in, before all those options were set).

In the end, I decided that iFolder was a completely pointless feature of Netware. The only thing it has going for it is that it is relatively fast. Nonetheless, it has some serious security holes, and there are other options out there, such as NetStorage/NetDrive that are much better. I left iFolder installed, but will not enable any users to use it unless there is a very extenuating circumstance.

To completely prevent iFolder from loading, modify your Apache config file (SYS:\apache2\conf\httpd.conf) and comment out the line that reads "include sys:\apache2\ifolder\server\httpd_ifolder_nw.conf." Voila!

 

Novell NetStorage is what iFolder is called when you're accessing it through a web browser. As far as what the user can access, here is how it is determined (according to the NetStorage Web page help):

The NetStorage Web page displays the network files and folders currently accessible to you. For NetWare servers, NetStorage reads the user's login script to determine drive mappings, reads eDirectory User object properties to determine the path to the user's home directory, reads the user's Novell iFolder account, then displays a list of files and folders based on the mapped drives, home directories, and iFolder account. Storage Location objects are required for accessing files and directories on Linux servers and can also be used on NetWare servers. If Storage Location objects have been created and the user has rights to view these objects, the directories associated with these objects are also displayed.

Note that as far as normal volumes go, the user will only see what is mapped in their login scripts. To make the login scripts check for whether they're connecting through NetStorage or not, do something like this (from this document):

; NetStorage Drive Mappings
IF <WEBACCESS> = "1"
MAP G:=\\10.253.52.20\USERS\City\Teachers\%CN
MAP I:=\\10.253.52.20\VOL1\City\School\TEACHERS

; Novell Client Drive Mappings
ELSE
MAP ROOT G:=.Server1_USERS.Services.Location.ORG:City\Teachers\%CN
MAP ROOT I:=.Server1_VOL1.Services.Location.ORG:City\School\TEACHERS
END

This is the easiest, most foolproof way to restrict which users can access NetStorage. Check out this document for a detailed explanation of how NetStorage reads the login scripts.

*** One thing I did notice was that if you left the server off of your map statements (ie. MAP F:=SYS:\, they would not map in iFolder, but of course would map in DOS. I wouldn't necessarily count on that for security, but good to know).

*** Note that NetStorage will also map search drives! For example, if there is a statement in your login script that reads MAP INSERT S1:=\\S3\SYS\PUBLIC, you will get a drive mapped in NetStorage called DriveS1@PUBLIC.

*** Some other login script commands will work using login in DOS that will not work in NetStorage. For example, doubling up "MEMBER OF" statements, such as IF MEMBER OF "THISGROUP" OR MEMBER OF "THATGROUP" THEN will work in DOS login but not NetStorage. MAP *1:=\\S3\SYS, which maps to the first network drive, will map to DriveF@SYS. The %LOGIN_NAME also will not work in NetStorage, meaning that a command such as MAP F:=\\S3\SYS\%LOGIN_NAME would do absolutely nothing in NetStorage (it would simply be ignored - you can't use that to erase an already-mapped drive F!).

*** Note also that this line works: IF NOT MEMBER OF "NetStorUsers" AND <WEBACCESS>="1" THEN EXIT
     but this one does NOT: IF <WEBACCESS>="1" AND NOT MEMBER OF "NetStorUsers" THEN EXIT

...luckily, in webaccess, it at least errs on the side of always false...

Preventing users from seeing their home directory in NetStorage must be done on an all or none basis - it cannot be changed for individual users. Go into iManager and click on File Access (NetStorage) ->Netware Storage Provider and change the value of Home Dirs to 0. (While I was in there, I also set Check MAP Drives to 1, which means that each mapped drive is checked at login and map drives that do not exist or that the user does not have access to are not displayed. Read this page of the NetStorage Configuration Guide for more).

According to the NetStorage QnA, ". . .the Home@Tree mapping . . . is made for every user that has the Homedirectory attribute set. The only way to prevent this is to empty the attribute for all users and make the homedir mapping through %CN. Then it will be treated as a regular mapping."

 

Check out that same document for another important security configuration, namely FORCING NETSTORAGE TO USE SECURE PORT!!! I kind of cheated on this one - I didn't want people connecting to our server on the unsecure port at all (we're not using it as a webserver after all), so I simply commented out the Listen 80 line in the SYS:\apache2\conf\httpd.conf file (and then restarted Apache) so that it would not open up the unsecure port at all! A much better way to do this would be to do a VirtualHost redirect, similar to the following:

<VirtualHost (ip address):80>
ServerName (ip address)
ServerAdmin (email address)
Redirect / https://(ip address)
</VirtualHost>

...which you could do on individual virtual directories. Sticking the lines "RewriteCond %{HTTP_HOST} ^(.*)$" and "RewriteRule ^(.*) https://%1$1 [L,R]" in there under a VirtualHost on port 80 section might do it. I'm just not familiar enough with the Apache config file, so this was easier for now. Perhaps just putting .htaccess files with the SSLrequireSSL directive in all directories that you wanted would work too. Finally, there is using the Redirect permanent / https://www.example.com/ directive as an option as well.

 

Novell NetDrive lets you map iFolder or NetStorage accounts on the workstation. The NetDrive User Guide can be found here. Keep in mind that if the user will be accessing iFolder stuff, the iFolder account must have already been activated through iFolder Client. The NetDrive client was found on our server in the following location: SYS:/Apache2/iFolder/Server/netdrive/netdrive.exe.

More than anything, I wanted users to be able to use this to map drives to volumes on the server. To do so, the user should create a "site" (in NetDrive terms) that utilizes NetStorage. If they click on New Site, then type https://svr1.your-domain-name.com:portnumber/oneNet/NetStorage (Replace portnumber with the actual assigned port number such as 51443). In order to make it secure, you must run WebDAV + SSL, which I did by selecting WebDAV as the server type, and ensuring that the URL began with https://. I unchecked Save Password and then typed in my username, then selected "Flush Directory Listing upon each connection" and "Flush File Cache upon each connection". I clicked Connect, and voila!

Once NetDrive connected, it created the drive letter that I had selected (which defaulted to X:), mapped my home directory as Home@ROOT, and mapped all the drived from my Login Scripts, in the form DriveF@SYS, DriveG@BAK, etc. as directories under the X: drive. If I had iFolder enabled for this user, it would have mapped that directory structure as well. In other words, the same drives that the user sees when they go into NetStorage through their web browser, become mapped as directories in NetDrive.

Unfortunately, NetDrive proved to be incredibly slow. The Server and the workstation were right next to each other, plugged into the same network switch, and the delay was still very noticeable.

If you want to map a drive directly to a volume that shows up in NetDrive (rather than doing a subst), point it to a URL similar to the following: https://server.ip/oneNet/NetStorage/DriveF@SYS.

You could also map the entire NetStorage directory structure and then use subst statements for individual drives (for example subst F: X:\DriveF@SYS\) if you wanted to put everything in one NetDrive site (out of convenience), but in practice, this seems to be incredibly slow.

Unfortunately, NetDrive is a bit slow. In fact, I decided that it was probably way too slow. I will look into what ports and traffic normal IP protocol logins/drive mappings Netware uses before I make any final decisions.

*** There is also a commercial program called webdrive, which looks almost exactly like NetDrive. Perhaps it is more configurable though. If you run both, you'll notice that these programs use the same registry settings.

 

 

 

*** If encryption is turned on for a user, the files/filenames/directory names are stored encrypted on the server; however, they are not stored as encrypted on the user's local drive! According to the iFolder Documentation:

Authentication and Encryption in iFolder

The iFolder client talks to the iFolder server over HTTP port 80, which is a clear text, unencrypted port. Data requests that are exchanged between the iFolder client and iFolder server are never encrypted. However, the username and password are always encrypted. Novell iFolder encrypts the data over the connection and while the file is on the iFolder server only if the user selects the encryption option at the time the account is initialized or if the iFolder administrator enforces the encryption option from the iFolder Management Console.

iFolder uses RSA encryption to encrypt the username and password and Blowfish encryption to encrypt the user data when it travels between the iFolder client and server. If data encryption is enabled, the data is actually encrypted as it travels across the wire to the iFolder server and is stored in its encrypted state on the iFolder server. However, the data is never stored encrypted on the local workstation.

When a user logs in, the iFolder client authenticates to the iFolder server by sending the encrypted username and password to the iFolder server. The iFolder server uses the user ID and password to perform an LDAP bind to an LDAP server. After the LDAP bind is successful, LDAP verifies that the user is connected to the correct iFolder server. If the user is on a different server, his request is directed to the correct server. iFolder uses the LDAP server to store its configuration settings and to specify what iFolder server the user is assigned to; this is how iFolder handles redirection.

So, anything that the user stores in their iFolder directories is inherently insecure. You probably don't want confidential data sitting around on users' hard drives on their home computers! In other words, don't let your users use iFolder for anything confidential or important. :(

 

*** Keep in mind that if you disable a user in iFolder, it appears that the user's iFolder directory and data still remain. So, if you re-enable them, their data should still be there waiting; if you want to get rid if that data, either disable the user and then delete the directory manually (you will need to know their alphanumeric ID, however) or, before you disable the user, click on the "Remote iFolder Data" button from the user's configuration menu.

 

*** If you need to backup or restore a user's iFolder directory, you must know their alphanumeric iFolder Account name. You can find this long alphanumeric ID by going to User Management in iFolder Manager and searching for the user.

Great documentation (and other solutions) for iFolder can be found at iFolder Cool Solutions.