Environment
Novell Client for Windows 2000/XP/2003 4.91 Login
Novell Client for Windows 2000/XP/2003 4.91
Novell Client for Windows 2000/XP/2003 4.91 Support Pack 1
Novell Client for Windows 2000/XP/2003 4.91 Support Pack 2
Situation
Novell Client Login LDAP Contextless Login is configured with multiple contexts to search, with the Search Context and Subtree option enabled.
A context searched first is also contained within the subtree of a higher context that is listed later in the search list.
Duplicate entries of the same user and context are presented to the user to select from to continue the login process.
Resolution
Fixed in the post-Novell Client 4.91 SP3 update of LGNCXW32.DLL
dated 07Feb2007 or later.
Additional Information
Steps to duplicate
Set up a tree with a lower-level context that holds the user for testing:
O=Novell
OU=Site1.OU=RegionA.O=Novell
CN=TestUser.OU=Site1.OU=RegionA.O=Novell
Enter the two contexts to search in the Contextless Login configuration, with Search Context and Subtree enabled for both entries:
OU=Site1.OU=RegionA.O=Novell
O=Novell
Enter the user name TestUser into the login dialog. A dialog with two entries of:
CN=TestUser.OU=Site1.OU=RegionA.O=Novell
CN=TestUser.OU=Site1.OU=RegionA.O=Novell
will be presented, from which the user has to select to be able to continue with a login.
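The following added example is not Novell's code and does not describe how the LGNCXW32.DLL update works. It models the steps above: two Subtree searches whose scopes overlap return the same object twice, and collapsing results on the normalized name leaves one entry. The function names and the second directory entry are constructed for illustration.

```python
# Added illustration (not Novell's code): model of contextless login searching
# several contexts with Subtree scope. Directory contents are constructed.

def parse_name(name):
    """Split a dotted eDirectory name (leaf first) into normalized components."""
    return tuple(p.strip().lower() for p in name.split(".") if p.strip())

def in_subtree(name, context):
    """True if `name` is the context itself or lies anywhere beneath it."""
    n, c = parse_name(name), parse_name(context)
    return len(n) >= len(c) and n[len(n) - len(c):] == c

def overlapping_contexts(contexts):
    """Return (inner, outer) pairs where a subtree search of outer also covers inner."""
    return [(a, b) for i, a in enumerate(contexts) for j, b in enumerate(contexts)
            if i != j and in_subtree(a, b)]

def contextless_lookup(directory, contexts, username, dedupe):
    """Search each context in order; optionally collapse repeated objects."""
    wanted, hits, seen = "cn=" + username.lower(), [], set()
    for ctx in contexts:
        for dn in directory:
            key = parse_name(dn)
            if key[0] != wanted or not in_subtree(dn, ctx):
                continue
            if dedupe and key in seen:
                continue  # same object already returned by an earlier context
            seen.add(key)
            hits.append(dn)
    return hits

DIRECTORY = [
    "CN=TestUser.OU=Site1.OU=RegionA.O=Novell",
    "CN=OtherUser.OU=Site2.OU=RegionB.O=Novell",  # constructed extra entry
]
CONTEXTS = ["OU=Site1.OU=RegionA.O=Novell", "O=Novell"]

if __name__ == "__main__":
    print(overlapping_contexts(CONTEXTS))
    print(contextless_lookup(DIRECTORY, CONTEXTS, "TestUser", dedupe=False))
    print(contextless_lookup(DIRECTORY, CONTEXTS, "TestUser", dedupe=True))
```

Running `overlapping_contexts` over a planned search list before deployment shows which entries will produce repeated results on clients that do not have the fix.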
Background for configuration
In this customer situation, the two (or multiple) context entries are required to properly support roaming users as well as situations where the WAN link to the site has failed for any reason. Some links are low-speed, high-latency satellite links. Those sites have only local replicas to reduce the amount of replication across the WAN link. When the WAN link is down, local users are not able to log in with just an O=Novell level search context setting. The local OU=Site.OU=Region.O=Novell context must be searched for a successful login to the local resources. In situations where the WAN link is down and roaming users are present, it is acceptable for the roaming user to be unable to log in. This configuration has to support roaming users from many sites, and having to enter so many distinct entries for each site greatly increases the number of LDAP search requests.