How to log in via LDAP with an NMAS method

  • 3307424
  • 26-Feb-2008
  • 13-Aug-2013

Environment

Novell eDirectory 8.8.x
NMAS 3.x

Situation

Cannot authenticate with LDAP via a NMAS Method

How to allow a NMAS Method to login to eDirectory through LDAP
How to allow a NMAS Method to authenticate through LDAP


Resolution

By default LDAP and other server-side utilities use NDS login first and if this fails, it uses the Simple Password login. eDirectory 8.8 has new functionality that will allow the LDAP authentication to use an NMAS method. It uses an environment variable to accomplish this.

Complete the following procedure to allow the LDAP authentication to use a NMAS Method.

1) Set the environment variable:

Linux and UNIX:

Add the following in the pre_ndsd_start script /opt/novell/eDirectory/sbin (formerly found in in /etc/init.d with 8.8.5.0 and earlier):

NDSD_TRY_NMASLOGIN_FIRST=true
export NDSD_TRY_NMASLOGIN_FIRST

These lines should be placed anywhere in the file.

NetWare:

Add the following in the beginning of c:\nwserver\startup.ncf file:

env NDSD_TRY_NMASLOGIN_FIRST=true

Windows:

Right-click on "My Computer" on the desktop and select Properties. In the Advanced tab click Environment Variables. Under System Variables, Add the variable and set the value to true.

2) Restart the eDirectory server.

3) Set the default login sequence on the user to the NMAS Method implemented.

If this is not set, it will use the NDS login method as the default method. To enforce the method to be used by all users, go to the login policy object in the security container in iManager. Go to the other tab and set the attribute "sasDefaultLoginSequence" to the value of the NMAS Method that has been implemented.

Another alternative would be to change the code for application that is authenticating to use the NMAS LDAP SDK by using the LDAP NMAS bind API call. This API call (ldap_bind_nmas_s) can pass the Login Sequence that is being used.


Additional Information

If using a third party NMAS Method, consult with the third party vendor regarding their software. The vendor is responsible for the third party methods and implementation of the method.

Formerly known as TID# 10099787

Change Log

2010-03-07 AB: Correcting loads of incorrect information regarding where the script resides, where the changes should be made, which scripts need to be modified, etc.  Also cleaned up some minor grammatical issues.

2013-08-13 KK: Corrected URL and moved it behind the actual API name, ldap_bind_nmas_s for easier searching.