LDAP Contextless Login #10

Good afternoon, I'm working with my customer on an issue in respect to
LDAP contextless login, and how this service gets broken when they turn
off allow anonymous binds for security reasons. Please see the contained
information below, and please let me know if this is not the correct forum.



I have directed them to the following, 

'Novell Documentation'
(http://www.novell.com/documentation/noclienu/noclienu/?page=/documentation/noclienu/noclienu/data/ahpxzr7.html)

Taking things out of context: Using LDAP Contextless login in your
network. 

Also used TID 10090499 (which I was unable to locate on the Novell
support site any longer), but I did have the steps written down in a
number of places. 

Here is the message from the customer. 

"I have done all of this.  I have also checked the LDAP proxy user
using my Apache Directory studio and it gives me a LDAP error 48 -
Anonymous Simple Bind disabled.   We are on the ldap server object bind
restrictions using disallow anonymous simple binds as part of our
security measures.

We tested this back in October and it worked on a test ldap server
(DC1-NDS3) that we were using.  I tested last week and it didn't work
there anymore either.    I have been really trying to think about what
we changed and I looked back in our old tickets and we upgraded
eDirectory on the primary servers and one of those is where we did the
initial test.   I looked at the patches and what was fixed in the
upgrades but cannot find anything on why LDAPS will not function in
this manner now."

Any ideas or thoughts?


-- 
dschaldenovell
------------------------------------------------------------------------
dschaldenovell
3/19/2012 6:06:01 PM
novell.netware.winnt-2x-xp

I do not know for sure, but I'm guessing this is related to Bug# 733188:

https://bugzilla.novell.com/show_bug.cgi?id=733188

It is scheduled to be fixed with 8.8 SP7, assuming this issue matches
your symptom.  The problem is a bug within eDirectory that sees ANYTHING
before the start of an authenticated bind as an anonymous bind, and when
you disable anonymous binds and enable TLS (on port 389, or whatever
non-SSL LDAP port) the start of the TLS usually happens before the
authentication (of course, because it's going to protect the credentials
passed during authentication).

If you want a pre-release fix you could open an SR and get it (the SR
should be credited back to you until 8.8 SP7 comes out).  Other ways you
can verify this issue matches the bug would include trying to bind with
SSL (port 636 by default), or deselect the 'Require TLS for Simple Binds
with Passwords' option on the LDAP Group object and then try to do an
authenticated, but non-TLS (insecure... this is for testing) bind and
that should also work.

Good luck.
ab
3/19/2012 7:16:54 PM
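The diagnosis above (StartTLS arriving before the bind being treated as an anonymous bind, and the suggested LDAPS and non-TLS cross-checks) can be reproduced with a small probe. This is an added example, not code from the thread, from Novell or from eDirectory: it encodes the LDAP BindRequest and StartTLS ExtendedRequest in BER per RFC 4511 with only the Python standard library and reports the server's result code, where 48 is inappropriateAuthentication, the "LDAP error 48" the customer saw. Host, port, proxy DN and password are assumed to be supplied by the caller; if the diagnosis holds, `mode="starttls"` fails at the StartTLS step while `mode="ldaps"` binds normally.

```python
import socket, ssl
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
INAPPROPRIATE_AUTHENTICATION = 48  # LDAP resultCode behind "Anonymous Simple Bind disabled"

def ber(tag: int, payload: bytes) -> bytes:
    """Wrap payload in one BER TLV with a definite short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + payload

def bind_request(msg_id: int, dn: bytes = b"", password: bytes = b"") -> bytes:
    """LDAPMessage with a simple BindRequest; empty dn and password is an anonymous bind."""
    op = ber(0x02, b"\x03") + ber(0x04, dn) + ber(0x80, password)  # version 3, name, simple [0]
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, op))   # BindRequest is [APPLICATION 0]

def starttls_request(msg_id: int) -> bytes:
    """LDAPMessage with the StartTLS ExtendedRequest ([APPLICATION 23], RFC 4511 section 4.14)."""
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x77, ber(0x80, STARTTLS_OID)))

def parse_result(msg: bytes):
    """Return (resultCode, diagnosticMessage) from a BindResponse or ExtendedResponse."""
    def tlv(buf: bytes, i: int):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                       # long form: the next k bytes hold the length
            k = length & 0x7F
            length, i = int.from_bytes(buf[i:i + k], "big"), i + k
        return tag, buf[i:i + length], i + length
    _, body, _ = tlv(msg, 0)      # outer LDAPMessage SEQUENCE
    _, _, i = tlv(body, 0)        # messageID
    _, op, _ = tlv(body, i)       # protocolOp: 0x61 BindResponse or 0x78 ExtendedResponse
    _, code, i = tlv(op, 0)       # resultCode ENUMERATED
    _, _, i = tlv(op, i)          # matchedDN
    _, diag, _ = tlv(op, i)       # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def probe(host: str, port: int, dn: bytes = b"", password: bytes = b"", mode: str = "plain"):
    """mode: 'plain' (bind in clear), 'starttls' (StartTLS, then bind), 'ldaps' (implicit TLS)."""
    sock = socket.create_connection((host, port), timeout=5)   # host/port supplied by the caller
    ctx = ssl.create_default_context()          # certificate verification stays enabled
    if mode == "starttls":
        sock.sendall(starttls_request(1))
        code, diag = parse_result(sock.recv(4096))
        if code != 0:                           # StartTLS itself refused: the symptom described above
            return code, diag
    if mode != "plain":                         # ldaps, or a StartTLS the server accepted
        sock = ctx.wrap_socket(sock, server_hostname=host)
    sock.sendall(bind_request(2, dn, password))
    return parse_result(sock.recv(4096))
```

Run `probe(host, 389, dn, pw, "starttls")`, `probe(host, 636, dn, pw, "ldaps")` and, only on a test server with the TLS requirement relaxed, `probe(host, 389, dn, pw, "plain")`; a 48 from the first call alone while the others return 0 matches the behaviour ab describes.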


These are the steps the customer followed.

Here are the steps that I took.
1) Renamed original file: 
/opt/novell/eDirectory/lib64/nds-modules/libnldap.so.1.0.0.old
copied new file to: 
/opt/novell/eDirectory/lib64/nds-modules/libnldap.so.1.0.0
chmod to 755 on 
/opt/novell/eDirectory/lib64/nds-modules/libnldap.so.1.0.0  (This was
the properties on the original file)

Tested ldap.  Same error
Refreshed ldap from iManager on the LDAP server object
Tested ldap same error

2) Renamed original file:  (This is a 64 bit system but tested anyway)
/opt/novell/eDirectory/lib/nds-modules/libnldap.so.1.0.0.old
copied new file to: 
/opt/novell/eDirectory/lib/nds-modules/libnldap.so.1.0.0
chmod to 755 on 
/opt/novell/eDirectory/lib/nds-modules/libnldap.so.1.0.0  (This was the
properties on the original file)

Refreshed ldap from iManager on the LDAP server object
Tested ldap same error

3) Restarted ldap on the console with the following commands
nldap -u
nldap -l
Tested ldap same error

4) Restarted nds
rcndsd stop
rcndsd start
Tested ldap 
Tested ldap same error


Any thoughts, or do you think that an SR might be the correct course of
action in this case?


-- 
dschaldenovell
------------------------------------------------------------------------
dschaldenovell's Profile: http://forums.novell.com/member.php?userid=93234
View this thread: http://forums.novell.com/showthread.php?t=453630

dschaldenovell
3/21/2012 7:36:02 PM