NetWare Web Server Release Notes


This release note covers the NetWare Web Server 2.51 release. For updated technical information, visit the NetWare Web Server technical support page at http://support.novell.com/home/inetcon/nwws/

Performance tuning

PTFs

When running the Web Server in SMP environments, make sure you have installed all the current SMP PTFs.

Additionally, if you have enabled the NDS browser, you should make sure you have all the current Directory Service (DS) PTFs installed. If you experience out of memory condition errors, you may achieve better performance by adjusting the maximum number of threads.

You can search for and download PTFs from Novell Support Connection

Adjusting the maximum number of threads

The MaxThreads parameter is defined in the HTTPD.CFG file found in SYS:WEB\CONFIG directory. The MaxThreads parameter can be changed to enhance the Web Server performance. Valid values are 1 to 256. The default is 16.

You can adjust the MaxThreads value to suit your network environment. Before adjusting the MaxThreads, you should carefully consider the ramifications of increasing the MaxThreads. Increasing the value may not necessarily increase performance. In fact, it could decrease performance and available memory on the server as each thread is processed by the Web Server and has acquired memory.

You should consider the following when adjusting MaxThreads:

To determine an appropriate setting, set up your Web Server and monitor the Peak Requests field of the Web Server Console Information Log for a reasonable test period (a week). This field lists a value in the form of A/B, where A is the maximum number of concurrent requests handled by the Web Server since it has been running and B is the current MaxThreads setting. If you set MaxThreads equal to the A value, the Web Server should have adequate threads to handle its peak load. You may also want to define few extra threads if you anticipate an increase in load.

User Access Control

There are three different methods for restricting global directory access using NDS authentication:

  1. Restrict access to all valid users
  2. Restrict access using individual user names
  3. Restrict access using user groups

These restriction methods are mutually exclusive. Choose one method and use only that method.

For local directory access control, please refer to the sample ACCESS.WWW file in the WEB\SAMPLES\CONFIG directory.

Restrict Access to All Valid Users

To restrict access to all valid users, start the WEBMGR.EXE administration utility, go to the User Access tab, and check the "All valid users" check box.

To eliminate the need for all users to have to type in the fully-qualified user name, you can manually edit the AuthUserMethod line in the ACCESS.CFG file and specify a user context, such as "AuthUserMethod nds .eng.icd.novell".

AuthUserMethod defines the default authentication context so that end-users do not have to key it in at the user name and password prompt. However, if different users belong to different contexts, choose the context that the majority of the users are in and define that context in the AuthUserMethod line. Users not in the defined context will have to key in the fully-qualified user name (preceded with a dot), such as ".jsmith.eng.icd.novell".

If you use this method, you should not use the individual user name method or the user group method.

Restrict Access Using Individual User Names

Use this method only when the number of users is less than 25 and all users belong to the SAME NDS context.

To restrict access using individual user names, start the WEBMGR.EXE administration utility, go to the User Access tab, type in the NDS context (same for all the users), and select no more than 25 users.

If you restrict access using this method, when a user reads a restricted directory and is prompted for the user name and password, the user can key in just the user name. The NDS context is not needed.

If you use this method, you should not use the all valid users method or the user group method.

Restrict Access Using User Groups

To restrict access using user groups, a user group must first be defined using NetWare NWADMIN utility. To enable this user group, manually edit the ACCESS.CFG file, adding the following two lines in the appropriate place.

AuthGroupMethod nds .ou1.ou2.o
Require group .groupname.context

The AuthGroupMethod defines the default authentication context so that end-users do not have to key it at the user name and password prompt. However, if a user group consists of users in different contexts, choose the context that the majority of the users are in and define that context in the AuthGroupMethod line. Users in a different context will have to key in the fully-qualified user name.

The Require group line simply defines the user group. The user group name should be in the fully-qualified format and preceded by a dot(.).

For example, to restrict access to the web\docs directory to the user group techies.icd.novell which consists of users mostly from the context of .eng.icd.novell, the following lines should be in the <Directory docs> section:

AuthType Basic
AuthName local
AuthGroupMethod nds .eng.icd.novell
<Limit GET>
Require group .techies.icd.novell
</Limit>

If you use this method, you should not use the all valid users method or the individual user name method.

Script Security

As scripts allow users to run processes on your server, it is important to implement proper security measures for all scripts on your server. Implement the following measures to ensure security:

Controllng Access to LCGI NLMs

The NetWare Web Server provides a special method to restrict access to LCGI programs, such as NetBasic and NDS Object Browser. To restrict access to LCGI programs, create an ACCESS.WWW file in the directory where the LCGI program resides. When a user requests an LCGI server extension in this directory, he will be prompted for a userid and password.

It is important to note, once a user is authenticated to use the NetBasic LCGI extension, full access to all available NetBasic scripts is allowed. You cannot selectively place access control on different NetBasic scripts. Once a user is authenticated to use the NDS Object Browser, browsing to all available trees in NDS and all public object information is allowed.

Refer to the User Access Control section for details on how to set up the ACCESS.WWW file. By default, access to NetBasic is not restricted. When NDS browsing is enabled from the WEBMGR, access to is not restricted.

Restrictions and known problems

WEBMGR.EXE deletion of comments in *.CFG files

The WEBMGR utility does not support user comments in *.CFG files (ACCESS.CFG, HTTPD.CFG, SRM.CFG). If you manually edit these files and add comments by preceding lines with a pound sign (#), these lines will be deleted when you run the WEBMGR utility. A set of sample *.CFG files with full comments are provided in the WEB\SAMPLES\CONFIG\ directory.

Adding the NetBasic LoadableModule Directive for Upgrades

If you are upgrading to Web Server 2.51, in order to allow users to issue requests to NetBasic scripts, you must manually edit the SRM.CFG file and add a LoadableModule directive to map URL requests to the NetBasic NLM (CGI2NMX.NLM). Add the following directive to the SRM.CFG file:

  LoadableModule  /netbasic/  sys:web/lcgi/netbasic/cgi2nmx.nlm

Go to top of file or to the Novell NetWare Web Server Home Page.