iChain 2.3 LDAP lookup for name conversion uses incorrect ACL profile treename instead of authorization tree

  • 3704280
  • 06-Nov-2006
  • 30-Apr-2012

Environment

Novell iChain 2.3 Support Pack 4
Novell ZENworks 7 Desktop Management - ZDM7
Authentication enabled (LDAP)
Access control policies enabled for protected resources being accessed
Separate LDAP server and tree used for authentication and access control

Situation

ZENworks workstation object unable to log in or obtain policies when using iChain.
When using ZFD with iChain, workstations logging into iChain use a dot-delimited name.
iChain uses an extended LDAP lookup to convert this dot-delimited name to a typeless name.

When the same tree is used for authentication and for access control, this works fine.
However, when separate trees are used, iChain appends the treename of the access control
tree (where the ISO object exists) instead of the treename of the LDAP server used
for authentication. The result is that the workstation is unable to log in, and no
workstation-related policies will function.

Resolution

Apply iChain 2.3.321 or later (available in pre-SP5 builds of iChain).

Additional Information

The extended LDAP lookup for name conversion should always use the treename of the
LDAP server specified in the authentication profile.

Traces showed that iChain sends an LDAP Extended request with an object name that carries
the incorrect treename: "LT-03742.Workstations.NTS.EMEA.NOVELL.NOVLTST"

where

the LDAP authentication server treename is "NOVL"
the ACL tree holding the ISO object has treename "NOVLTST"
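The following is an added illustration, not iChain code: it models which treename should be appended to the dot-delimited workstation name for the name-conversion lookup, and scans trace lines for the symptom this TID describes (an object name ending in the ACL tree's name rather than the authentication tree's). The "name.TREENAME" layout of the object name, the profile field names, and the trace line format are assumptions; the treenames and workstation name are taken from the trace quoted above.

```python
# Added example, not part of the iChain product or this TID's own material.
# Assumptions: the lookup object name is "<dotted name>.<treename>", and a
# profile exposes the treename of the LDAP server it points at.
import re
from dataclasses import dataclass


@dataclass
class Profile:
    name: str
    treename: str  # tree name of the LDAP server this profile points at


def lookup_object_name(dotted_name: str, auth_profile: Profile) -> str:
    """Build the object name for the extended LDAP name-conversion lookup.

    The treename appended must come from the authentication profile,
    never from the ACL profile (the defect described in this TID)."""
    return f"{dotted_name}.{auth_profile.treename}"


def classify_object_name(object_name: str, auth_profile: Profile,
                         acl_profile: Profile) -> str:
    """Classify the trailing tree component of an object name seen in a trace.

    Returns "ok" when it matches the authentication tree (this also covers the
    single-tree case, where both profiles name the same tree), "acl-treename"
    for the symptom in this TID, and "unknown-tree" otherwise."""
    tree = object_name.rsplit(".", 1)[-1]
    if tree == auth_profile.treename:
        return "ok"
    if tree == acl_profile.treename:
        return "acl-treename"
    return "unknown-tree"


# Constructed trace line format (assumption): the object name is quoted after
# the phrase 'object name'.
_TRACE_RE = re.compile(r'object name\s+"([^"]+)"')


def scan_trace(lines, auth_profile: Profile, acl_profile: Profile):
    """Return (object_name, verdict) for each extended request found in trace lines."""
    findings = []
    for line in lines:
        m = _TRACE_RE.search(line)
        if m:
            name = m.group(1)
            findings.append((name, classify_object_name(name, auth_profile, acl_profile)))
    return findings


# Values from the TID's trace; profile names are constructed.
AUTH = Profile("ldap-auth", "NOVL")
ACL = Profile("acl-tree", "NOVLTST")
WORKSTATION = "LT-03742.Workstations.NTS.EMEA.NOVELL"

# Constructed sample trace: one request with the wrong tree, one with the right one.
SAMPLE_TRACE = [
    'LDAP Extended request, object name "LT-03742.Workstations.NTS.EMEA.NOVELL.NOVLTST"',
    'LDAP Extended request, object name "LT-03742.Workstations.NTS.EMEA.NOVELL.NOVL"',
    'LDAP Bind request, dn "cn=admin,o=novell"',
]

if __name__ == "__main__":
    print("expected:", lookup_object_name(WORKSTATION, AUTH))
    for name, verdict in scan_trace(SAMPLE_TRACE, AUTH, ACL):
        print(f"{verdict:13s} {name}")
```

Running the block prints the object name iChain should have sent (ending in NOVL) and flags the first trace line as carrying the ACL treename, which is the signature to look for when confirming this issue before applying the fixed build.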