iChain 2.3 LDAP lookup for name conversion uses incorrect ACL profile treename instead of authorization tree

  • 3704280
  • 06-Nov-2006
  • 30-Apr-2012


Novell iChain 2.3 Support Pack 4
Novell ZENworks 7 Desktop Management - ZDM7
Authentication enabled (LDAP)
Access control policies enabled for protected resources being accessed
Seperate LDAP server and tree used for authentication and access control


ZENworks workstation object unable to login or obtain policies when using iChain.
When using ZFD with iChain, workstations logging into iChain use a dot-delimited name.
iChain uses an extended LDAP lookup to convert this dot-delimited name to a typeless name.

When using the same tree for authentication and for access control, this works fine.
However, when using separate trees, iChain appends the treename of the access control
tree (where the ISO object exists) instead of the treename of the LDAP server used
for authentication. The result is that the workstation is unable to login, and all
workstation related policies will not be functional.


Apply ichain 2.3.321 onwards (available in pre SP5 builds of iChain).

Additional Information

The extended LDAP lookup for name conversion should always use the treename of the
LDAP server specified in the authentication profile.

Traces showed that iChain sends LDAP Extended request with object name using incorrect
treename: "LT-03742.Workstations.NTS.EMEA.NOVELL.NOVLTST"


LDAP auth server treename is "NOVL"
ACL tree with ISO oject treename is "NOVLTST"