I just installed 6.200. And tried to get it work with the eDirectory on our Novell 6.5 Server... (Use SSL, entered the context). But If I click on >Browse eDirectory
New TLS connection 0x60e7c380 from 192.168.X.YYY:56349, monitor = 0x204, index = 3
Monitor 0x204 initiating TLS handshake on connection 0x60e7c380
DoTLSHandshake on connection 0x60e7c380
Completed TLS handshake on connection 0x60e7c380
DoBind on connection 0x60e7c380
Bind name:cn=192.168.X.XXX,o=CONTEXT, version:3,authentication:simple
17:02:36
Failed to resolve full context on connection 0x60e7c380, err = no such entry (-601)
Failed to authenticate full context on connection 0x60e7c380, err = no such entry (-601)
Sending operation result 32:"":"NDS error: no such entry (-601)" to connection 0x60e7c380
TLS read failure 5 on connection 0x60e7c380, setting err = -5875. Error stack:
Monitor 0x204 found connection 0x60e7c380 socket failure, err = -5875, 0 of 0 bytes read
Monitor 0x204 initiating close for connection 0x60e7c380
Server closing connection 0x60e7c380, socket error = -5875
Connection 0x60e7c380 closed
I had the exact same problem with the SSO. My BIND DN was that of my IP address instead of the BIND user/pass specified under SSO. After the upgrade to 6.200 the server didn't restart, I manually restarted the server and it started binding correctly and SSO began working.
I don't think that this is your problem. I have Novell Secure Login installed, and schema has been extended however - the same problem. I should point out that SSO sometimes works on my network. That happens if I manually assign an IP address and restart a workstation. Than eDirectory stores that different address and it works but when I leave the address acquired by DHCP, I get User Authentication prompt in 99% cases. And even when it doesn't prompt for authentication it sometimes does "single sign on" but proxy thinks I'm a different user because someone else used that very address before and it was stored also under that different user in eDirectory (properties of the user->general->environment->network address).
I do have multiple Novell servers, but I don't think there's a problem with synchronisation. I would probably notice somewhere else. EDirectory just stores multiple IP addresses for users that sometimes change IP address. But I must stress that SSO doesn't work in most cases, even when a user has only one IP address stored. ASL uses SSL to comunicate with eDirectory and when I switch to port 389, eDirectory browsing simply doesn't work from ASL although it is otherwise functional.
Hi!
My SSO seems to work! I guess SveN was partially right. Multiple IP addresses stored in a user environment properties have been cleaned by DSRepair but synchronisation was fine.
I'll post again if something new happens.
Keep in mind, there is a 5 minute cache. Astaro caches 5 minutes the result of the request to the eDirectory. So, if an IP address was allowed by SSO, it will be allowed for 5 more minutes. Also, if another users has logged in on the machine, in the meantime.
To empty the cache for testing execute ' /etc/rc.d/aua restart; /var/mdw/scripts/hyperdyper.sh restart' on console.
i was just talking to Sven and i might have found a hint, why some Netware client's don't want to authenticate.
We use the "IP only"-version of the Netware Client, and with this one SSO works fine.
If you are using the "IPX only"-version of the Netware Client, than SSO might not work, as the client stores the IPX address in the eDirectory and not the IP Address. Therefor we can not authenticate the IP address.
Can you confirm this, means do you have an IPX-only client that is not working and the IP-only client is working?
Hi! We have all clients configured to IP-only and still had a problem. We have multiple Novell server environment and synchronisation between eDirectory replicas was fine. However, eDirectory stored multiple IP addresses for the same user if the user's workstation changed IP addresses or if the user logged on different WSs. I'm not 100% convinced that that was the problem but after DSRepair my eDirectory cleaned "wrong" IP addresses and now SSO works fine!
