Error: "Status: 500 Internal Server Error, Description: Datastore Error" when trying to access formfill page using external secret store

  • 7006437
  • 13-Jul-2010
  • 17-Sep-2014

Environment

Novell Access Manager 4.0
Novell Access Manager 3.2
Novell Access Manager 3.1
eDirectory user store running on SLES 11 x86-64 OS
eDirectory user store running on SLES 10 x86-64 OS
eDirectory version running is 8.8 SP5 32/64 bit or greater


Situation

Formfill policy defined that reads and writes secrets to a remote eDirectory LDAP user store.
The LDAP replica has the option 'Install NMAS SAML method' enabled
The remote eDir has the SAML methods installed

When a user tries to fill the HTML form using the FormFill policy enabled on the protected resource, the following error is reported on the browser:

Status: 500 Internal Server Error, Description: Datastore Error

Even with auto submit disabled we get this error: the attributes that we try to fill from the secret store cannot be read or written. Looking at the DSTRACE output on the LDAP user store (with the +NMAS, LDAP and TIME flags enabled), the following error is reported:

DSTRACE Says -

4128168848 NMAS:  6: Create NMAS Session
4128168848 NMAS:  6: SASL SAML started
4128168848 NMAS: SASL Mechanism [SAML] not available:
4128168848 NMAS: Available SASL Mechanisms:
4128168848 NMAS: [NMAS_LOGIN]
4128168848 NMAS:  6: ERROR: -1693 SASL_DoMechanism: NMAS_InvokeMechanism
4128168848 NMAS:  6: Client Session Destroy Request
4128168848 NMAS:  6: Destroy NMAS Session
4128168848 NMAS:  6: Aborted Session Destroyed (with MAF)
4128168848 LDAP: Failed to authenticate full context on connection 0x15160280, err = -1693 (0xfffff963)

Resolution

Install the 'compat-2009.1.19-2.2.i586.rpm' on the SLES 11.0 server running eDir 885-32/64 bit or greater. The SAML NMAS method depends on the module libstdc++-libc6.2-2.so.3; if that library is not present the method does not load, which causes the problem described above. The module is required for the SAML NMAS method used by eDir and its supporting libraries to initialise correctly. Once it is installed, the IDP cluster can use eDir as the Secret Store without problems.

For SLES 11 x86-32 and x86-64 builds, this compat module is still required. The compat rpms are located in the SLES11-Extras repository, which is not enabled by default.

YaST2 | Software | Software Repositories | Configuration | Repositories | "Enable" the "SLES11-Extras" repository | OK

Once the SLES11-Extras is enabled, search for and install the appropriate compat rpm per architecture below.

SLES 11 32bit - compat (compat-2009.1.19-2.1)
SLES 11 64bit - compat-32bit  (compat-32bit-2009.1.19-2.1)
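The following script is an added example and is not part of this TID or of any Novell/NetIQ tooling. It automates the diagnosis above: it checks whether libstdc++-libc6.2-2.so.3 is present on the eDirectory server, maps the machine architecture to the compat package named in this TID, and prints (but does not run) the zypper commands for enabling the extras repository and installing the package. The repository alias "SLES11-Extras", the library search directories and the zypper invocation are assumptions; confirm the alias with `zypper lr` before use.

```shell
#!/bin/sh
# Pre-check for the NMAS SAML method dependency described in this TID.
# Added example: not from the TID or from Novell/NetIQ.

COMPAT_LIB="libstdc++-libc6.2-2.so.3"

# Map a machine architecture (as printed by `uname -m`) to the compat package
# the TID names for it. Any other architecture is reported as unsupported.
compat_pkg_for_arch() {
    case "$1" in
        i386|i486|i586|i686) printf '%s\n' "compat" ;;
        x86_64)              printf '%s\n' "compat-32bit" ;;
        *)                   return 1 ;;
    esac
}

# Return 0 if the compat library exists in any of the given directories.
# The directories are passed in explicitly so the check can be run against
# a test tree as well as the live system.
compat_lib_present() {
    for dir in "$@"; do
        [ -e "$dir/$COMPAT_LIB" ] && return 0
    done
    return 1
}

# Diagnose the running system and print the remediation commands.
# Directory list and repository alias are assumptions for this example.
diagnose() {
    arch=$(uname -m)
    if compat_lib_present /lib /usr/lib /lib32 /usr/lib32; then
        echo "OK: $COMPAT_LIB is present; the NMAS SAML method can load."
        return 0
    fi
    pkg=$(compat_pkg_for_arch "$arch") || {
        echo "Unsupported architecture: $arch"
        return 2
    }
    echo "MISSING: $COMPAT_LIB not found on $arch."
    echo "This matches the -1693 'SASL Mechanism [SAML] not available' DSTRACE error."
    echo "Remediation (run as root; repository alias is an assumption):"
    echo "  zypper modifyrepo --enable SLES11-Extras"
    echo "  zypper refresh"
    echo "  zypper install $pkg"
    return 1
}

# Usage: sh check_compat.sh --run
case "${1:-}" in
    --run) diagnose ;;
esac
```

The diagnosis deliberately only prints the zypper commands so that an administrator can review the repository alias and package name for their build before making changes on the LDAP user store.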