iChain and Access Manager users experience slow logins to LDAP server after upgrade to eDirectory 8.8

  • 3699038
  • 12-Nov-2007
  • 22-Nov-2016


Novell iChain 2.3 Support Pack 5
Novell eDirectory 8.8 for All Platforms
Novell Access Management 3 Linux Novell Identity Server


New versions of eDirectory (8.8 and for security reasons have a built in a 3 second delay after a failed LDAP bind attempt. This will cause an iChain or Access Manager Identity Server box to have a slower resolution of the context the user resides in as it tests each context for the user. For each context that fails, the login will be 3 seconds longer. If the user's object is 5 contexts down in the LDAP context list, their login will take 12 seconds to happen. If the user's object is in the first container in the LDAP context list they will login immediately, as no failure will occur.


The default behavior of waitting 3 seconds before getting a response from your LDAP request can be changed to 0, which will fix the issue but create the security problem the change was meant to fix. To change this to 0:
Go into iMonitor on LDAP box with a web browser, https://:8009/nds
In the top left corner click the NDS iMonitor picture.
Click the radio button "Enabled" to enable Advanced Mode and then click submit.
Click the "Agent Configuration" button at the top.
On the left side, click the "Permanent Settings" hyper link.
On the left side, click the "Change" hyper link.
In the parameter Options sections, click the Type: drop down arrow and select "FAILED AUTH DELAY"
Change Value to 0.
Click the Save button.

Done. This setting is dynamic and will take effect as soon as the save button is clicked. This will have to be done to every LDAP server that iChain or the Novell Identity server will authenticate against.

Additional Information

Should there be any NMAS login methods or Universal Password configured on an ldap server the following steps are added to those mentioned above.

  1. Log into iManager
  2. Click Vew Objects on the tool bar above
  3. Click Login Policy. This will bring up the Login Policy properties window
  4. Click the NMAS tab
  5. Change the Delay after failed login attempts: setting from 3 to 0
  6. Click Apply
This setting is dynamic and does not require a restart. 

NOTE:  This setting requires the NMAS plugin be installed in iManager

Adding this setting updates the sasLoginFailureDelay attribute

Change Log

Added instructions for systems with NMAS configured. The steps for iMonitor are not sufficient if NMAS is enabled.