User can't login to Novell iManager 2 using contextless login

(Last modified: 22Apr2004)

This document (10086732) is provided subject to the disclaimer at the end of this document.

fact

Novell NetWare 6.5

Novell iManager 2

symptom

User can't login to Novell iManager 2 using contextless login

Error: "Login failed.  Please check your credentials and try again."

Entering the full LDAP context for the user allows a successful login

Users in a different context can login to Novell iManager 2

Illegal ndsname "user" in ldap2uNDSDN, err = 34 (0x22)

ldap2uNDSDN ldapDN = "user" - error 34 (0x22)

Failed to convert LDAP DN "user" in nds_back_bind, err = 34 (0x22)

cause

iManager first uses LDAP to find the user.  In some cases, the search base is not set high enough in the tree.  For example, iManager is searching for users under the ou=Eng,o=Novell container when it should start from o=Novell.  Contextless login with iManager uses a combination of the rights of the publicUser object and the pco object, which are both in the Extend container.  LDAP actually binds as the publicUser object and uses the rights that publicUser has to search for CNs in the tree.  If any IRFs (Inherited Rights Filters) on certain containers block the right to read the CN attribute, contextless login will not work.

fix

1. Log in to iManager.
2. Click on the Configure button.
3. Go to iManager Configuration | Portal | Properties.
4. Change the Portal containers field to the appropriate container.  In the above example, it would be changed to o=Novell.
5. Save your changes.
6. Choose to Refresh the Portal and then click OK.

Try to log back into iManager contextlessly.

If you are still having problems logging in contextlessly, turn on DSTRACE with the LDAP flag, watch the LDAP traffic, and look for errors.  If LDAP can't bind using the publicUser object, you will get a -669 error.  In that case, the publicUser object is corrupt and needs to be recreated.  Follow the steps in TID #10091786 - Recreating the iManager publicUser object.

The default rights given to the pco and the publicUser object at the portal search container are as follows:

publicUser

Read, Inheritable for CN

pco

Read, Write, Inheritable for ACL, Object Class, bhCmAcceptList, bhCmApprovedList, bhCmAssignList, bhCmDeniedList, bhCmInviteList, bhObjectGUI

Also, make sure that the container where the user object is stored has Browse rights to itself.  All containers in the tree should have Browse Entry rights to themselves by default.  If the rights are incorrect, you will see the following in the LDAP DSTRACE output:

Illegal ndsname "user" in ldap2uNDSDN, err = 34 (0x22)
ldap2uNDSDN ldapDN = "user" - error 34 (0x22)
Failed to convert LDAP DN "user" in nds_back_bind, err = 34 (0x22)
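
The following Python script is an added example, not part of the original TID or any Novell tool. It triages LDAP DSTRACE output saved as text lines and separates the two failure modes described above: err 34 on a bare (contextless) name, and a -669 publicUser bind failure. The function names are hypothetical, and the -669 and noise lines in the sample are constructed, since the TID does not show them.

```python
import re
from collections import Counter

# Matches the three DN-conversion messages quoted in this TID, e.g.
#   Illegal ndsname "user" in ldap2uNDSDN, err = 34 (0x22)
DN_ERR = re.compile(
    r'"(?P<dn>[^"]*)".*?\berr(?:or)?\s*=?\s*(?P<code>\d+)\s*\(0x(?P<hex>[0-9a-fA-F]+)\)')
BIND_669 = re.compile(r'(?<!\d)-669\b')  # any line carrying the -669 code

def is_contextless(name):
    # A bare login name: no typed (cn=..), comma-separated or dotted context.
    return bool(name) and not any(ch in name for ch in "=,.")

def triage(lines):
    """Classify LDAP DSTRACE lines into the two failure modes the TID describes."""
    bare_names, bind_failed = Counter(), False
    for line in lines:
        m = DN_ERR.search(line)
        if (m and int(m["code"]) == 34 and int(m["hex"], 16) == 34
                and is_contextless(m["dn"])):
            bare_names[m["dn"]] += 1
        elif BIND_669.search(line):
            bind_failed = True
    advice = []
    if bind_failed:
        advice.append("publicUser bind failed (-669): recreate publicUser, TID #10091786")
    if bare_names:
        advice.append("err 34 on bare name: check Portal containers search base, IRFs "
                      "blocking Read on CN, Browse entry rights on the user's container")
    return {"bare_names": dict(bare_names), "bind_failed": bind_failed, "advice": advice}

# The first three lines are the ones quoted in the TID; the last two are
# constructed for this example (the TID does not show a -669 line).
SAMPLE = [
    'Illegal ndsname "user" in ldap2uNDSDN, err = 34 (0x22)',
    'ldap2uNDSDN ldapDN = "user" - error 34 (0x22)',
    'Failed to convert LDAP DN "user" in nds_back_bind, err = 34 (0x22)',
    'New connection 0x1 from 192.0.2.10:1045',                 # constructed noise
    'Failed to authenticate on connection 0x1, err = (-669)',  # constructed
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result["bare_names"], result["bind_failed"])
    for item in result["advice"]:
        print("-", item)
```

A name that already carries a context (for example a full LDAP DN) is not counted, because the contextless search is not involved in that bind.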

document

Document Title: User can't login to Novell iManager 2 using contextless login
Document ID: 10086732
Solution ID: NOVL92214
Creation Date: 04Sep2003
Modified Date: 22Apr2004
Novell Product Class: NetWare

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.