Environment
Novell iManager 2.7.1 (SP1)
Situation
After installing iManager 2.7.1 (SP1) for iManager 2.7, users cannot login to iManager.
Getting error:
"Enter a valid username and context"
"Enter a valid username and context"
User cannot log in with username or fully qualified username.
Getting error:
"Enter a valid username and context"
"Enter a valid username and context"
User cannot log in with username or fully qualified username.
Resolution
A bug/change was introduced in iManager 2.7.1 (SP1) where if the Tree or user doesn't have Public Browse rights assigned, all iManager 2.7.1 logins will fail, regardless of your assigned rights.
If you have removed this default [Public] ACL assignment from the top of the tree (ROOT), all users, regardless of their rights will fail to login to iManager 2.7.1
By default in all eDirectory installs, [Public] has the Browse right to the top of the tree (ROOT), giving all users the right to view any objects in the tree.
NOTE: The [Public] trustee is not an actual object. It is a specialized trustee that represents any network user, logged in or not, for rights assignment purposes.
To verify you have the [Pulblic] trustee assignment, you can use iManager 2.7, iManager 2.7 Workstation, ConsoleOne, iMontior, etc.
iManager 2.7
Select the Rights Task | Modify Trustees | Browse to the Tree Object | Ok. Select the "Assigned Rights" link next to the [Public] Trustee and verify that "Browse" and "Inherit" are both checked.
iMonitor
Login to iMonitor | Select the .T=YourTree object | Scroll down the entry to Find the "ACL" attribute. One of the values for ACL should be the Trustee of [Public] (as is shown below)
08/15/08 02:31:30 PM 1:1 Present Browse, Inherit(implied) [Entry Rights] .[Public].
Current work around:
Grant [Public] browse entry rights to ROOT or to the user logging into iManager.
iManager
Select the Rights Task | Modify Trustees | Browse to the Tree object (or the user object) | If Public is already a Trustee, select the "Assigned Rights" link, then select "Add property" button | Select [Entry Rights] and select Ok | Select "Done" | then "Apply" (if you don't select Apply, the changes will not be applied.)
If Public is NOT already a Trustee, Select "Add Trustee" | Select "Public" | Ok | then "Apply" (if you don't select Apply, the changes will not be applied.)
If you have removed this default [Public] ACL assignment from the top of the tree (ROOT), all users, regardless of their rights will fail to login to iManager 2.7.1
By default in all eDirectory installs, [Public] has the Browse right to the top of the tree (ROOT), giving all users the right to view any objects in the tree.
NOTE: The [Public] trustee is not an actual object. It is a specialized trustee that represents any network user, logged in or not, for rights assignment purposes.
To verify you have the [Pulblic] trustee assignment, you can use iManager 2.7, iManager 2.7 Workstation, ConsoleOne, iMontior, etc.
iManager 2.7
Select the Rights Task | Modify Trustees | Browse to the Tree Object | Ok. Select the "Assigned Rights" link next to the [Public] Trustee and verify that "Browse" and "Inherit" are both checked.
iMonitor
Login to iMonitor | Select the .T=YourTree object | Scroll down the entry to Find the "ACL" attribute. One of the values for ACL should be the Trustee of [Public] (as is shown below)
08/15/08 02:31:30 PM 1:1 Present Browse, Inherit(implied) [Entry Rights] .[Public].
Current work around:
Grant [Public] browse entry rights to ROOT or to the user logging into iManager.
iManager
Select the Rights Task | Modify Trustees | Browse to the Tree object (or the user object) | If Public is already a Trustee, select the "Assigned Rights" link, then select "Add property" button | Select [Entry Rights] and select Ok | Select "Done" | then "Apply" (if you don't select Apply, the changes will not be applied.)
If Public is NOT already a Trustee, Select "Add Trustee" | Select "Public" | Ok | then "Apply" (if you don't select Apply, the changes will not be applied.)