LDAP binds cause intruder count to be increased when login is disabled in the server console

  • 3890604
  • 12-Jul-2007
  • 26-Apr-2012

Environment

Novell eDirectory 8.7.3 for NetWare 6.5
Novell eDirectory 8.8 for NetWare 6.5

Situation

When an LDAP client attempts to authenticate to a server on which the command "disable login" has been issued, the bind fails with error -254. This behavior is correct. However, if the authenticating user belongs to a container where "Intruder detection" is configured, each attempt to bind to the server also increases the intruder count, eventually leading to the account being locked.

Note that the same client attempting to log in with an NCP client will not cause the intruder count to increase.


Resolution

This behavior affects only LDAP binds that use the traditional NDS password to connect to eDirectory. Any LDAP bind that uses NMAS will function properly.

If certain accounts are more likely to be affected by this behavior (for example, service accounts that regularly monitor the server through LDAP), a simple workaround prevents the problem: create a Universal Password Policy that removes the NDS password and sets the Simple password. The LDAP bind is then performed through NMAS and the intruder count is not increased.

If the system is running eDirectory 8.8 or above, it is also possible to set the environment variable "NDSD_TRY_NMASLOGIN_FIRST" to true and then implement a Universal Password Policy that applies to the desired users, in order to force the bind to go through the NMAS libraries.

Refer to section 4.2 "How to Make Your Password Case-Sensitive" in the eDirectory documentation for instructions on setting this variable.



Status

Reported to Engineering