Logging in to Novell iManager 2 using Contextless Login
Novell Cool Solutions: Feature
Posted: 8 Jun 2004
If you find that you can't log in to Novell iManager 2 using contextless login, but you can get in by entering your full LDAP context, here's why it happens and how to work around it.
iManager uses LDAP to first find a user. In some cases, the search base is not set high enough in the tree. For example, iManager may be searching for users under the ou=Eng,o=Novell container when it should start from o=Novell.
Contextless login with iManager uses a combination of the rights of the publicUser object and the pco object, which are both in the Extend container. iManager actually binds to LDAP as the publicUser object and uses the rights that publicUser has to search for CNs in the tree. If you have any IRFs (Inherited Rights Filters) on certain containers that block the right to read the CN attribute, contextless login will not work.
- Log in to iManager.
- Click on the Configure button.
- Go to iManager Configuration | Portal | Properties
- Change the Portal containers field to the appropriate container. In the above example, it would be changed to o=Novell.
- Save your changes.
- Choose to Refresh the Portal and then click OK.
Try to log back into iManager contextlessly.
If you are still having problems logging in contextlessly, turn on DSTRACE with the LDAP flag, watch the LDAP traffic and look for errors. If LDAP can't bind as the publicUser object, you will get a -669 error. In that case the publicUser object is corrupt and needs to be recreated. Follow the steps in TID #10091786 - Recreating the iManager publicUser object.
The default rights given to the pco and the publicUser object at the portal search container are as follows:
Read, Inheritable for CN
Read, Write, Inheritable for ACL, Object Class, bhCmAcceptList, bhCmApprovedList, bhCmAssignList, bhCmDeniedList, bhCmInviteList, bhObjectGUI
Also, make sure that the container where the user object is stored has Browse entry rights to itself. All containers in the tree should have Browse entry rights to themselves by default. If the rights are incorrect, the bind is attempted with the bare login name instead of a resolved DN, and you will see the following in the LDAP DSTRACE:
Illegal ndsname "user" in ldap2uNDSDN, err = 34 (0x22)
ldap2uNDSDN ldapDN = "user" - error 34 (0x22)
Failed to convert LDAP DN "user" in nds_back_bind, err = 34 (0x22)
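The following is an added example, not code from the original article or from Novell. It checks offline whether the "Portal containers" search base described in the steps above is high enough in the tree to find a given set of users (the ou=Eng,o=Novell versus o=Novell case), suggests the container the setting should be raised to, flags the bare-name bind that DSTRACE reports as err = 34 (the DSTRACE output just above), and builds the ldapsearch command a practitioner would use to repeat the search as publicUser. The host name, the publicUser DN (cn=publicUser,ou=Extend,o=Novell) and the user DNs are assumptions for illustration; no LDAP server is contacted.

```python
"""Scoping checks for iManager contextless login (added example, not Novell code)."""
import re

# Split a string-form DN into its RDN components, ignoring commas escaped
# with a backslash. Components are lower-cased and trimmed so that
# "OU=Eng, O=Novell" compares equal to "ou=eng,o=novell".
def parse_dn(dn):
    parts = re.split(r'(?<!\\),', dn)
    rdns = [p.strip().lower() for p in parts if p.strip()]
    for rdn in rdns:
        if "=" not in rdn:
            # A bare name such as "user" reached the bind instead of a DN;
            # this is the condition DSTRACE logs as err = 34 (invalid DN syntax).
            raise ValueError("invalid DN syntax (err 34): %r" % dn)
    return rdns

def is_valid_dn(dn):
    """False for a value that would fail DN conversion in nds_back_bind."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False

def is_under(dn, base):
    """True when dn lies in the subtree rooted at base (or equals base)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b

def common_container(containers):
    """Lowest container that is an ancestor of (or equal to) every container given."""
    suffixes = [parse_dn(c) for c in containers]
    common = []
    for level in zip(*[reversed(s) for s in suffixes]):
        if len(set(level)) != 1:
            break
        common.insert(0, level[0])
    return ",".join(common)

def diagnose(portal_container, user_dns):
    """Report which users a subtree search from portal_container cannot find
    and the value the 'Portal containers' field should be raised to."""
    missed = [u for u in user_dns if not is_under(u, portal_container)]
    if not missed:
        return {"missed": [], "suggested_portal_container": portal_container}
    # The parent of each user DN is the container the search base must cover.
    parents = [",".join(parse_dn(u)[1:]) for u in user_dns]
    return {"missed": missed,
            "suggested_portal_container": common_container(parents + [portal_container])}

def escape_filter(value):
    """Escape LDAP filter metacharacters per RFC 4515 so a login name
    cannot alter the (cn=...) search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def ldapsearch_command(host, public_user_dn, base, cn):
    """Shell command that repeats the search contextless login performs:
    bind as publicUser and look the CN up from the portal container.
    A bind failure points at the publicUser object; a successful bind with
    no result points at the search base or an IRF blocking Read on CN."""
    return ('ldapsearch -x -H ldaps://%s -D "%s" -W -b "%s" -s sub "(cn=%s)" dn'
            % (host, public_user_dn, base, escape_filter(cn)))

if __name__ == "__main__":
    # Constructed sample: the search base from the article, set too low.
    portal = "ou=Eng,o=Novell"
    users = ["cn=jdoe,ou=Eng,o=Novell", "cn=asmith,ou=Sales,o=Novell"]
    print(diagnose(portal, users))
    print(ldapsearch_command("ldap.example.com", "cn=publicUser,ou=Extend,o=Novell",
                             portal, "asmith"))
```

Run it after changing the Portal containers field: if diagnose() still lists missed users, the search base is the problem; if it lists none but contextless login still fails, use the printed ldapsearch command (it prompts for the publicUser password) to separate a bind failure on publicUser from a CN that cannot be read because of an IRF.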
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com