NSL: Moving from workstation in LDAP mode to workstation in eDir mode corrupts user secrets

  • Document ID: 3750509
  • Creation Date: 19-Oct-2006
  • Modified Date: 26-Apr-2012

Environment

Novell SecureLogin
NSL3.51.x
NSL installed in LDAP mode
NSL installed in eDir mode WITHOUT SecretStore

Situation

Moving from workstation in LDAP mode to workstation in eDir mode corrupts user secrets

Users move back and forth between workstations that have the Novell Client and NSL installed in eDirectory mode, and workstations that have no Novell Client and NSL installed in LDAP mode. When a user moves from one mode to the other, NSL reports errors indicating that the user's secrets have been corrupted.

Resolution

Install SecretStore on the server and reinstall the NSL client with SecretStore.

Disabling passphrases is not supported in eDirectory mode unless SecretStore is installed. The passphrase is an input to the encryption of the user's secrets, and substantial security benefits are lost when it is disabled. For this reason NSL 3.51 does not allow passphrases to be disabled or hidden unless there is a secure connection between workstation and server, such as LDAP over SSL or NCP with NICI (SecretStore). Without SecretStore, the two modes do not protect the data store in a compatible way, so secrets written in one mode cannot be read in the other.

Steps to duplicate:
1. Disable the local cache.
2. Disable the passphrase.
3. Install NSL 3.51.3.6 in eDirectory mode WITHOUT SecretStore on a workstation running the Novell Client (v4.91 SP2).
4. Install NSL 3.51.3.6 in LDAP credential manager mode (with NMAS but without SecretStore) on a workstation without the Novell Client.
5. Log in to NSL on one of the workstations (it doesn't matter which) and establish the user's data store by enabling an application with NSL.
6. Go to the workstation that has NSL installed in the other mode.
7. Try to access the same user's data store.
8. One of the following messages is returned:
- "A corrupt entry was found, would you like to delete it?" or
- "The cache file has lost synchronization with the directory. Would you like to synch now?"