Error: 1681 or cannot connect when attempting to use the Forgot Password? url in Portal for NMAS password self service.

(Last modified: 31Aug2004)

This document (10091935) is provided subject to the disclaimer at the end of this document.

fact

Novell NetWare 6.5

Novell eDirectory 8.7.3 for All Platforms

Novell iManager 2

Novell Modular Authentication Service version 2.3

symptom

Error: 1681 or cannot connect when attempting to use the Forgot Password? url in Portal for NMAS password self service.

Dstrace with the acl and rn flags set shows error: -672 No_Access.

fix

There can be a few reasons one might see this error.  Because retrieving a user's challenge and hint involves a delegation from one gadget to another via LDAP, many different steps and requirements must all be working for it to be successful.

1.  SSL Problems and LDAP

- LDAP must be up and running on the secure port 636, and must also allow clear text simple binds during the installation.  Clear text can be turned off once the installation is complete.
- If the LDAP server object was deleted and re-created after the installation of Password Management then the LDAP extension information is missing.  A re-installation of NMAS 2.3 will resolve this.  You can check whether this step has been performed by loading ConsoleOne - LDAP server object - Properties - Other tab - extensionInfo - Open last value.  The ASCII decode on the right should show .22#nmasldap.nlm if Password Management was the last package installed.
- Tomcat must have had its .keystore file extracted from the server's KMO object.  If the KMO was re-created then the TC4KEYST.EXE utility available on the Novell Support site will be needed to resolve this.
- SSL must also be configured between the LDAP server and the Portal Server.  To verify, test whether the user can change his password using the Portal Change Password url.  If this and iManager are working then the SSL config is good.

2.  Authentication server is not running NMAS 2.3
The server must be running NMAS 2.3 and eDirectory 8.7.3.  Further this server must hold a RW or Master replica of the user's partition.

3.  Page Timed out
Simply refresh the page and try again

4.  Plug in is corrupt or did not install properly
- First uninstall the NMAS Login Module.   From iManager - Configure (Help Desk Dude) - iManager Configuration - Modules - NMAS Login Module - Delete.
- Then bounce Tomcat.   From the server console type "java -exit".  Look at the logger screen to verify Java unloaded.  Then type "tomcat4", wait 2 minutes, then type "tcadmup".  Watch the logger screen until you see the server listening on 9009.
- Then re-install the Module.  Open the passwordmanagement.npm file with an unzipper such as WinZip and extract the nmasclient.npm login gadget file.  From iManager - Configure (Help Desk Dude) - iManager Configuration - Modules - NMAS Login Module - Install - Browse to the nmasclient.npm extracted earlier.  Once re-installed, bounce Tomcat again.

5.  The [this] acl for the nsimHint attribute has not been set.
Make sure the jclient.jar file was run successfully.  If the user does not get an error when setting the challenge and hint, this step has been performed.

6.  The user has a force challenge set and hint in their policy but they have not yet been set.
The user must first create the challenge and hint prior to clicking on the forgot password url.

7.  The gadget was not properly installed.
Check to see if sys:\tomcat\4\webapps\nps\portal\gadgets\com.novell.security.nmas.npsgadget.NMASLoginGadget exists.  If not re-install NMAS 2.3.

8.  The user has an invalid login policy in their login sequence.
For instance, if the Challenge Response Login Sequence also contains the NDS login method.  This will fail, because only the Challenge Response method is used during a Portal Forgot Password authentication.  You should have an NDS login sequence that contains only the NDS Login Method and a Challenge Response Login Sequence that contains only the Challenge Response Login Method.

9. The LDAP SSL port in eDirectory is using a non-standard port (something other than 636).
If a non-standard LDAP SSL port is configured in eDirectory, it is important to identify the new port in Portal services.  You need to modify the PortalServlet.properties file and add the LDAPSSL port assignment by performing the following:

1. Open the PortalServlet.properties file  (..Tomcat\webapps\nps\WEB-INF\PortalServlet.properties )
Windows (e.g. C:\Program Files\Novell\Tomcat\webapps\nps\WEB-INF\PortalServlet.properties)
NetWare (e.g. sys:\tomcat\4\webapps\nps\WEB-INF\PortalServlet.properties)
Linux/Unix (e.g. /var/opt/novell/iManager2/nps/WEB-INF/PortalServlet.properties)

2. Add the following to the end of the file:
LDAPSSL = [PORT]
e.g. LDAPSSL = 640

3. Stop and re-start Tomcat (on NetWare, use the console commands given in step 4 above).
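The file edit in step 9 above, as an added Python helper that is not part of the original TID or of Novell's product.  It sets the LDAPSSL key idempotently (replacing an existing assignment, including the misspelt LDAPSLL that Portal would silently ignore, rather than appending a second line), rejects an invalid port, and reads back the port Portal will actually use.  The key name and the default of 636 are taken from this document; the sample file content is constructed for the example.

```python
"""Idempotently set the LDAPSSL port in a PortalServlet.properties file.

Added example for the step above; not Novell code.  Assumes only what the
TID states: the key is LDAPSSL, the default when absent is 636, and the file
is a Java .properties file (ISO-8859-1, 'key = value' lines).
"""
import re

KEY = "LDAPSSL"
DEFAULT_PORT = 636

# Matches an assignment of the real key, and of the misspelt LDAPSLL that a
# copy-paste of the instructions can produce, so the bad line is corrected
# instead of being left behind as a dead setting.
_ASSIGN = re.compile(r"^\s*(LDAPSSL|LDAPSLL)\s*[=:]\s*(\d+)\s*$", re.IGNORECASE)


def read_ldapssl_port(text: str) -> int:
    """Return the port Portal will use.  Last valid LDAPSSL assignment wins
    (java.util.Properties semantics); a misspelt key is ignored, exactly as
    Portal would ignore it; no assignment at all means the default 636."""
    port = DEFAULT_PORT
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m and m.group(1).upper() == KEY:
            port = int(m.group(2))
    return port


def set_ldapssl_port(text: str, port: int) -> str:
    """Return the properties text with exactly one 'LDAPSSL = <port>' line.

    The first existing LDAPSSL/LDAPSLL line is replaced in place and later
    duplicates are dropped; if none exists the line is appended.  Running the
    function twice yields the same text, so a re-run never stacks up
    duplicate assignments at the end of the file."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    out, replaced = [], False
    for line in text.splitlines():
        if _ASSIGN.match(line):
            if not replaced:
                out.append(f"{KEY} = {port}")
                replaced = True
            continue  # drop duplicate / misspelt assignments
        out.append(line)
    if not replaced:
        out.append(f"{KEY} = {port}")
    return "\n".join(out) + "\n"


# Constructed sample: a file where the port was added with the misspelt key,
# so Portal is still using 636 while the admin believes it is 640.
SAMPLE = """# constructed sample PortalServlet.properties (not a real file)
# ... other Portal settings ...
LDAPSLL = 640
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        path, port = sys.argv[1], int(sys.argv[2])
        with open(path, encoding="latin-1") as f:  # .properties files are ISO-8859-1
            original = f.read()
        with open(path, "w", encoding="latin-1") as f:
            f.write(set_ldapssl_port(original, port))
    else:
        print("port in effect before:", read_ldapssl_port(SAMPLE))
        fixed = set_ldapssl_port(SAMPLE, 640)
        print("port in effect after: ", read_ldapssl_port(fixed))
        print(fixed, end="")
```

Usage: `python set_ldapssl.py <path-to-PortalServlet.properties> 640`, then restart Tomcat as in step 3.  Run with no arguments it prints the constructed before/after sample.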

10.  The tree keys are out of sync between the servers in the tree.
Universal Password includes several new attributes that are ultimately encrypted using the SDI tree key.  If the Security Domain is not functioning properly, these attributes will not be correctly generated, and it will be impossible for the user to change their password.

Universal Password needs the 168-bit keys for proper operation.  See Using SDIDiag to gather specific SDKey information from servers for instructions on how to tell if your Security Domain Infrastructure is properly synchronized and operating.  Note particularly in the process.txt output that every server has the same key, and that it is a 168-bit key.  If you need to generate new keys for your tree, see Using SDIDiag - Switches and Options, and look particularly at the SD command with the -G option.


Return to  Installing the new NMAS 2.3 Universal Password Policies and Self Service Forgotten Password enhancements

document

Document Title: Error: 1681 or cannot connect when attempting to use the Forgot Password? url in Portal for NMAS password self service.
Document ID: 10091935
Solution ID: NOVL95991
Creation Date: 09Mar2004
Modified Date: 31Aug2004
Novell Product Class:Novell Directory Services

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.