Environment
Novell Modular Authentication Service (NMAS)
Novell Client for Windows 2000/XP/2003 4.91
Situation
Workstation clients using a locally installed NMAS login client
method, e.g. the PCProx method, get a -1680 error when attempting
to log in.
Resolution
If any login sequence authorization values are present on the user
object, the user's container object, or the user's partition root
container, and the desired login method is not listed at the first
location that contains any of the login sequence authorization
attributes, then the login attempt will fail with a -1680
error.
If all login methods should be authorized, which is the default scenario, then any existing sasAuthorizedLoginSequences attribute values in the tree should be deleted, particularly those in the search path: the user, the container, the partition root, and then the Login Policy object.
In one case, after the PCProx functionality was newly installed in a tree, all users were failing with the -1680 error. Old sasAuthorizedLoginSequences attribute values for methods no longer in use were found on the Users container. After removing the sasAuthorizedLoginSequences attribute from the Users container, users could successfully log in with the PCProx method.
Additional Information
In iManager, from the NMAS role using the NMAS Login Sequences task, you can see all the available login sequences. By default, all login sequences are authorized, and you should see a green check mark in the last column of the display. Individual login sequences can be disabled or enabled here, and the setting applies to the entire tree, because it modifies the sasAuthorizedLoginSequences attribute on the Login Policy object in the Security container. Finer-grained control than a tree-wide authorization is also available, in a hierarchical manner, similar to the search for a password policy. The User object modification screen has an NMAS tab with a Login Sequences function that shows the exact same information. Modifying the information on the user sets the authorized login sequences only for that specific user. The same screen is available for container objects too, and a change made there applies to all objects in that container. If the container is a partition root, then it applies to all user objects in the whole partition.
The full search path NMAS will scan when looking for the sasAuthorizedLoginSequences attribute is first the User object, then the User Object Container, then the Partition Root container for the user, and finally, the Login Policy object in the security container. If NMAS doesn't find the attribute at the lower levels, it will continue searching to the Login Policy object. If it doesn't find one there, the default is that all Login Sequences are authorized.
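The search order and first-match rule described above, modeled as an added example (not Novell code): the DNs, sequence names and function names are constructed for illustration, and exact string matching of sequence names is an assumption. It also lists every object on the path that would block a method, since clearing one level can expose stale values at the next.

```python
from dataclasses import dataclass, field

ERR_NOT_AUTHORIZED = -1680  # error code reported in this document


@dataclass
class DirObject:
    dn: str
    # Values of sasAuthorizedLoginSequences; an empty list means the attribute is absent
    authorized: list = field(default_factory=list)


def check_login(search_path, sequence):
    """The first object holding any values decides. Returns (code, deciding DN)."""
    for obj in search_path:
        if obj.authorized:
            code = 0 if sequence in obj.authorized else ERR_NOT_AUTHORIZED
            return code, obj.dn
    return 0, None  # attribute found nowhere: all login sequences are authorized


def blockers(search_path, sequence):
    """Every object on the path whose values omit the sequence, in search order."""
    return [o.dn for o in search_path if o.authorized and sequence not in o.authorized]


def sample_path(container_values=(), policy_values=()):
    """Constructed tree: User, User container, Partition Root, Login Policy."""
    return [
        DirObject("cn=jdoe,ou=Users,o=acme"),
        DirObject("ou=Users,o=acme", list(container_values)),
        DirObject("o=acme"),
        DirObject("cn=Login Policy,cn=Security", list(policy_values)),
    ]


if __name__ == "__main__":
    # Stale values on the Users container, as in the case described above
    path = sample_path(["OldMethodA", "OldMethodB"], ["NDS", "OldMethodA"])
    print(check_login(path, "PCProx"))  # the Users container decides
    print(blockers(path, "PCProx"))     # both levels would reject PCProx
    path[1].authorized = []             # attribute removed from the container
    print(check_login(path, "PCProx"))  # the Login Policy object now decides
```
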