"LDAP: error code 17" or blank page viewing SecureLogin applications

  • 3004130
  • 15-May-2007
  • 01-Mar-2018

Environment

NetIQ SecureLogin 8.x
NetIQ SecureLogin 7.x
Novell SecureLogin 6.0 (NSL 6)
eDirectory data store
iManager plugin

Situation

- Unable to administer SecureLogin through iManager
- SecureLogin iManager plugin shows no applications
- When trying to administer SecureLogin through iManager the following error is returned:
"There was an error writing data to LDAP. ([LDAP: error code 17 - Undefined Attribute Type])"

Resolution

Extend the LDAP schema for SecureLogin for every LDAP Group in the tree
Schema mappings are LDAP group specific; perform the steps below for each LDAP group. Note that by default every LDAP server will be in its own LDAP group, so by default the following steps will need to be performed for each LDAP server.

1. From the installation files for SecureLogin run \SecureLogin\Tools\ldapschema.exe
2. Provide the IP address for the desired LDAP Server.
3. Login with the fully distinguished username that has rights to extend the schema (cn=admin,o=novell)
4. Click "Update Schema" and check the status window for any error messages.

Additional Information

LDAP SCHEMA NOTICE:
In the eDirectory tree, by default each LDAP server is a member of its own LDAP Group object. The LDAP Group object is what receives the LDAP schema attribute mapping.

This means that if you extend the schema pointing to an LDAP server that is a member of LDAP Group A and then run iManager against a server that is a member of LDAP Group B, you can still receive the error "LDAP: error code 17".

To avoid this either extend the LDAP schema against all servers that could be used for NSL administration or make the respective servers part of the same LDAP Group.

To be able to administer settings on a global level for an NSL 6 or 7 environment, the LDAP schema must be extended even if the NSL clients are not connecting over LDAP. It is required for communication with iManager.
 
To verify that this is the problem, look at the LDAP schema mapping for the LDAP Group. In iManager, open the LDAP plugin, select LDAP Options, and pick the LDAP Group the problem server is in. Then go to the Attribute Map tab and look for the Prot: attributes. An eDirectory Attribute and a Primary LDAP Attribute should be visible for each of the six SecureLogin attributes; their eDirectory names all begin with Prot:SSO, as shown in the screenshot below. If these attributes are not present, run LDAPSchema.exe as described in the Resolution section of this document.
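The iManager check above covers one LDAP Group at a time. Because the mapping lives on the LDAP Group object, a quick way to find every group (and therefore every server) that still needs ldapschema.exe run against it is to read the ldapAttributeMap of all LDAP Group objects over LDAP and count the Prot:SSO mappings. The script below is an added example, not a NetIQ tool or part of this article. It assumes that eDirectory stores each ldapAttributeMap value as "ldapName:eDirName" and lists member servers in ldapServerList, that the LDIF comes from a standard OpenLDAP ldapsearch, and that six mappings are expected, as the article states; the group names, server names and protocom-* LDAP attribute names in the embedded sample are constructed for illustration, not taken from a real tree.

```python
"""Audit every eDirectory LDAP Group object for the SecureLogin (Prot:SSO) attribute mappings.

Feed it the LDIF written by an ldapsearch such as (run against any LDAP server in the tree,
with a search base under which the LDAP Group objects live):

    ldapsearch -x -H ldaps://ldap1.example.com -D cn=admin,o=novell -W \\
        -b "" -s sub "(objectClass=ldapGroup)" ldapAttributeMap ldapServerList > groups.ldif
    python3 check_sso_schema.py groups.ldif
"""
import base64
import sys

SSO_PREFIX = "Prot:SSO"        # the SecureLogin eDirectory attributes all start with this
EXPECTED_SSO_MAPPINGS = 6      # number of SecureLogin attributes the schema tool maps


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of {"dn": ..., "attrs": {name: [values]}}.
    Unfolds continuation lines (leading space), decodes 'attr:: base64' values and
    skips '#' comments and the dn-less 'search:/result:' trailer that ldapsearch prints."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded + [""]:               # sentinel blank line flushes the last entry
        if not line.strip():
            if current and current["dn"]:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):               # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if current is None:
            current = {"dn": None, "attrs": {}}
        if name.lower() == "dn":
            current["dn"] = value
        else:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def sso_mappings(attrs):
    """Map eDirectory attribute name -> LDAP attribute name for every Prot:SSO mapping
    in an LDAP Group's ldapAttributeMap. Assumes the eDirectory value layout
    'ldapName:eDirName' (the eDirectory name may itself contain a colon)."""
    found = {}
    for value in attrs.get("ldapAttributeMap", []):
        ldap_name, _, edir_name = value.partition(":")
        if edir_name.startswith(SSO_PREFIX):
            found[edir_name] = ldap_name
    return found


def audit_ldap_groups(ldif_text):
    """Return {group_dn: {"servers": [...], "mapped": {...}, "ok": bool}} for each group."""
    report = {}
    for entry in parse_ldif(ldif_text):
        mapped = sso_mappings(entry["attrs"])
        report[entry["dn"]] = {
            "servers": entry["attrs"].get("ldapServerList", []),   # assumed attribute name
            "mapped": mapped,
            "ok": len(mapped) >= EXPECTED_SSO_MAPPINGS,
        }
    return report


def groups_needing_schema(report):
    """DNs of LDAP Groups (with their member LDAP Servers) that still need ldapschema.exe
    run against one of their servers; iManager pointed at those servers raises error 17."""
    return {dn: info["servers"] for dn, info in report.items() if not info["ok"]}


# Constructed sample output (not from a real tree): group 1 was extended, group 2 was not.
# The protocom-* LDAP names are illustrative; read the real ones off the Attribute Map tab.
SAMPLE_LDIF = """\
# extended LDIF
dn: cn=LDAP Group - srv1,o=novell
ldapServerList: cn=LDAP Server - srv1,o=novell
ldapAttributeMap: sn:Surname
ldapAttributeMap: protocom-SSO-Auth-Data:Prot:SSO Auth
ldapAttributeMap: protocom-SSO-Entries:Prot:SSO Entry
ldapAttributeMap: protocom-SSO-Entries-Checksum:Prot:SSO Entry Checksum
ldapAttributeMap: protocom-SSO-Profile:Prot:SSO Profile
ldapAttributeMap: protocom-SSO-Security-Prefs:Prot:SSO Security Prefs
ldapAttributeMap: protocom-SSO-Security-Prefs-Checksum:Prot:SSO Security Prefs Check
 sum

dn: cn=LDAP Group - srv2,o=novell
ldapServerList: cn=LDAP Server - srv2,o=novell
ldapAttributeMap: sn:Surname
ldapAttributeMap:: dWlkOnVuaXF1ZUlE

# search result
search: 2
result: 0 Success
"""


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for dn, info in audit_ldap_groups(text).items():
        state = "OK" if info["ok"] else "MISSING"
        print(f"{state:8s} {dn}  ({len(info['mapped'])}/{EXPECTED_SSO_MAPPINGS} Prot:SSO mappings)")
        for server in info["servers"]:
            print(f"         member server: {server}")
```

Run it once from any server in the tree; every group it reports as MISSING is one where ldapschema.exe must be pointed at a member server (or whose servers you move into an already-extended LDAP Group). Searching over LDAPS as an account that can read the LDAP Group objects is enough; no schema rights are needed for the check itself.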