Environment
Novell eDirectory 8.8 for Netware 6.5
Novell Modular Authentication Service (NMAS)
Security Object Caching
Novell Modular Authentication Service (NMAS)
Security Object Caching
Situation
Issue:
CachedAttrsOnExtRefs (CAER) is not present on NCP Server object
What changed:
eDirectory was removed from the server and added back via nwconfig.
The CAER attribute gets added during the configuration/installation of NMAS during the eDirectory 88.x install. ndsconfig does not create this attribute.
CachedAttrsOnExtRefs (CAER) is not present on NCP Server object
What changed:
eDirectory was removed from the server and added back via nwconfig.
The CAER attribute gets added during the configuration/installation of NMAS during the eDirectory 88.x install. ndsconfig does not create this attribute.
Resolution
There are a couple of ways to add this attribute.
First option is by using the nmasinst utility.
nmasinst -i <admin.context> <treename>
Note: There has been a bug recently entered on Netware where using nmasinst does not add the CAER attribute on the server you are running nmasinst on, but instead updates the server who holds the master replica of the servers ncp server object. This has been reported to engineering and a engineering build of nmasinst.nlm is available from NTS if needed.
Second option:
This attribute is just a list of attributes (string syntax) so an ldif can be used to add this to the ncp server object. See below for an example ldif file and ice example to add CAER attribute.
First option is by using the nmasinst utility.
nmasinst -i <admin.context> <treename>
Note: There has been a bug recently entered on Netware where using nmasinst does not add the CAER attribute on the server you are running nmasinst on, but instead updates the server who holds the master replica of the servers ncp server object. This has been reported to engineering and a engineering build of nmasinst.nlm is available from NTS if needed.
Second option:
This attribute is just a list of attributes (string syntax) so an ldif can be used to add this to the ncp server object. See below for an example ldif file and ice example to add CAER attribute.
Additional Information
Example ldif file to import the cachedattrsonextrefs attribute on a defined ncp server object. Just copy and save to a file, such as caer.ldif
ice can then be used to import:
ice -lsys:\caer.log -SLDIF -f sys:\caer.ldif -DLDAP -s 192.168.0.110 -d cn=admin,o=contex -w password
#This LDIF file was generated by Novell's ICE and the LDIF destination handler.
version: 1
dn: cn=<servername>,ou=servers,o=novell
changetype: modify
add: cachedattrsonextrefs
cachedattrsonextrefs: SAS:Login Policy DN
cachedattrsonextrefs: ACL
cachedattrsonextrefs: SAS:Login Method Container DN
cachedattrsonextrefs: sasPostLoginMethodContainerDN
cachedattrsonextrefs: masvPolicyDN
cachedattrsonextrefs: masvDomainPolicy
cachedattrsonextrefs: masvPolicyUpdate
cachedattrsonextrefs: masvClearanceNames
cachedattrsonextrefs: masvLabelNames
cachedattrsonextrefs: masvLabelSecrecyLevelNames
cachedattrsonextrefs: masvLabelSecrecyCategoryNames
cachedattrsonextrefs: masvLabelIntegrityLevelNames
cachedattrsonextrefs: masvLabelIntegrityCategoryNames
cachedattrsonextrefs: masvNDSAttributeLabels
cachedattrsonextrefs: SAS:Login Sequence
cachedattrsonextrefs: SAS:Login Policy Update
cachedattrsonextrefs: sasNMASProductOptions
cachedattrsonextrefs: sasLoginFailureDelay
cachedattrsonextrefs: sasDefaultLoginSequence
cachedattrsonextrefs: sasAuthorizedLoginSequences
cachedattrsonextrefs: nspmPasswordPolicyDN
cachedattrsonextrefs: masvDefaultRange
cachedattrsonextrefs: masvAuthorizedRange
cachedattrsonextrefs: SAS:Login Secret
cachedattrsonextrefs: SAS:Login Secret Key
cachedattrsonextrefs: SAS:Login Configuration
cachedattrsonextrefs: SAS:Login Configuration Key
cachedattrsonextrefs: SAS:Method Identifier
cachedattrsonextrefs: SAS:Advisory Method Grade
cachedattrsonextrefs: SAS:Login Client Method NetWare
cachedattrsonextrefs: SAS:Login Server Method NetWare
cachedattrsonextrefs: sasCertificateSearchContainers
cachedattrsonextrefs: sasNMASMethodConfigData
cachedattrsonextrefs: nspmPolicyPrecedence
cachedattrsonextrefs: nspmConfigurationOptions
cachedattrsonextrefs: nspmChangePasswordMessage
cachedattrsonextrefs: Password Expiration Interval
cachedattrsonextrefs: Login Grace Limit
cachedattrsonextrefs: nspmMinPasswordLifetime
cachedattrsonextrefs: Password Unique Required
cachedattrsonextrefs: nspmPasswordHistoryLimit
cachedattrsonextrefs: nspmPasswordHistoryExpiration
cachedattrsonextrefs: Password Allow Change
cachedattrsonextrefs: Password Required
cachedattrsonextrefs: Password Minimum Length
cachedattrsonextrefs: nspmMaximumLength
cachedattrsonextrefs: nspmCaseSensitive
cachedattrsonextrefs: nspmMinUpperCaseCharacters
cachedattrsonextrefs: nspmMaxUpperCaseCharacters
cachedattrsonextrefs: nspmMinLowerCaseCharacters
cachedattrsonextrefs: nspmMaxLowerCaseCharacters
cachedattrsonextrefs: nspmNumericCharactersAllowed
cachedattrsonextrefs: nspmNumericAsFirstCharacter
cachedattrsonextrefs: nspmNumericAsLastCharacter
cachedattrsonextrefs: nspmMinNumericCharacters
cachedattrsonextrefs: nspmMaxNumericCharacters
cachedattrsonextrefs: nspmSpecialCharactersAllowed
cachedattrsonextrefs: nspmSpecialAsFirstCharacter
cachedattrsonextrefs: nspmSpecialAsLastCharacter
cachedattrsonextrefs: nspmMinSpecialCharacters
cachedattrsonextrefs: nspmMaxSpecialCharacters
cachedattrsonextrefs: nspmMaxRepeatedCharacters
cachedattrsonextrefs: nspmMaxConsecutiveCharacters
cachedattrsonextrefs: nspmMinUniqueCharacters
cachedattrsonextrefs: nspmDisallowedAttributeValues
cachedattrsonextrefs: nspmExcludeList
cachedattrsonextrefs: nspmExtendedCharactersAllowed
cachedattrsonextrefs: nspmExtendedAsFirstCharacter
cachedattrsonextrefs: nspmExtendedAsLastCharacter
cachedattrsonextrefs: nspmMinExtendedCharacters
cachedattrsonextrefs: nspmMaxExtendedCharacters
cachedattrsonextrefs: nspmUpperAsFirstCharacter
cachedattrsonextrefs: nspmUpperAsLastCharacter
cachedattrsonextrefs: nspmLowerAsFirstCharacter
cachedattrsonextrefs: nspmLowerAsLastCharacter
cachedattrsonextrefs: nspmComplexityRules
cachedattrsonextrefs: nsimForgottenAction
cachedattrsonextrefs: nsimChallengeSetDN
cachedattrsonextrefs: nsimForgottenLoginConfig
cachedattrsonextrefs: nsimAssignments
cachedattrsonextrefs: nsimChallengeSetGUID
cachedattrsonextrefs: nsimPwdRuleEnforcement
cachedattrsonextrefs: nsimRequiredQuestions
cachedattrsonextrefs: nsimRandomQuestions
cachedattrsonextrefs: nsimNumberRandomQuestions
cachedattrsonextrefs: nsimMinResponseLength
cachedattrsonextrefs: nsimMaxResponseLength
cachedattrsonextrefs: ndspkiTrustedRootList
cachedattrsonextrefs: NDSPKI:Subject Name
cachedattrsonextrefs: NDSPKI:Not Before
cachedattrsonextrefs: NDSPKI:Not After
cachedattrsonextrefs: NDSPKI:Trusted Root Certificate
cachedattrsonextrefs: sasAuditConfiguration
cachedattrsonextrefs: pwdInHistory
cachedattrsonextrefs: nspmAdminsDoNotExpirePassword
cachedattrsonextrefs: nspmPasswordACL
cachedattrsonextrefs: sasAuthNMethodContainerDN
cachedattrsonextrefs: sasAuthNMethodList
NOTE: The CAER attribute is not what is actually read when a client logs in, this is just a list that the backlinker uses to know which attributes are allowed on an external reference. If an attribute is not present in this list and is not otherwised defined in code to be allowed on an external reference, it will not be present on an external reference'd object.
ice can then be used to import:
ice -lsys:\caer.log -SLDIF -f sys:\caer.ldif -DLDAP -s 192.168.0.110 -d cn=admin,o=contex -w password
#This LDIF file was generated by Novell's ICE and the LDIF destination handler.
version: 1
dn: cn=<servername>,ou=servers,o=novell
changetype: modify
add: cachedattrsonextrefs
cachedattrsonextrefs: SAS:Login Policy DN
cachedattrsonextrefs: ACL
cachedattrsonextrefs: SAS:Login Method Container DN
cachedattrsonextrefs: sasPostLoginMethodContainerDN
cachedattrsonextrefs: masvPolicyDN
cachedattrsonextrefs: masvDomainPolicy
cachedattrsonextrefs: masvPolicyUpdate
cachedattrsonextrefs: masvClearanceNames
cachedattrsonextrefs: masvLabelNames
cachedattrsonextrefs: masvLabelSecrecyLevelNames
cachedattrsonextrefs: masvLabelSecrecyCategoryNames
cachedattrsonextrefs: masvLabelIntegrityLevelNames
cachedattrsonextrefs: masvLabelIntegrityCategoryNames
cachedattrsonextrefs: masvNDSAttributeLabels
cachedattrsonextrefs: SAS:Login Sequence
cachedattrsonextrefs: SAS:Login Policy Update
cachedattrsonextrefs: sasNMASProductOptions
cachedattrsonextrefs: sasLoginFailureDelay
cachedattrsonextrefs: sasDefaultLoginSequence
cachedattrsonextrefs: sasAuthorizedLoginSequences
cachedattrsonextrefs: nspmPasswordPolicyDN
cachedattrsonextrefs: masvDefaultRange
cachedattrsonextrefs: masvAuthorizedRange
cachedattrsonextrefs: SAS:Login Secret
cachedattrsonextrefs: SAS:Login Secret Key
cachedattrsonextrefs: SAS:Login Configuration
cachedattrsonextrefs: SAS:Login Configuration Key
cachedattrsonextrefs: SAS:Method Identifier
cachedattrsonextrefs: SAS:Advisory Method Grade
cachedattrsonextrefs: SAS:Login Client Method NetWare
cachedattrsonextrefs: SAS:Login Server Method NetWare
cachedattrsonextrefs: sasCertificateSearchContainers
cachedattrsonextrefs: sasNMASMethodConfigData
cachedattrsonextrefs: nspmPolicyPrecedence
cachedattrsonextrefs: nspmConfigurationOptions
cachedattrsonextrefs: nspmChangePasswordMessage
cachedattrsonextrefs: Password Expiration Interval
cachedattrsonextrefs: Login Grace Limit
cachedattrsonextrefs: nspmMinPasswordLifetime
cachedattrsonextrefs: Password Unique Required
cachedattrsonextrefs: nspmPasswordHistoryLimit
cachedattrsonextrefs: nspmPasswordHistoryExpiration
cachedattrsonextrefs: Password Allow Change
cachedattrsonextrefs: Password Required
cachedattrsonextrefs: Password Minimum Length
cachedattrsonextrefs: nspmMaximumLength
cachedattrsonextrefs: nspmCaseSensitive
cachedattrsonextrefs: nspmMinUpperCaseCharacters
cachedattrsonextrefs: nspmMaxUpperCaseCharacters
cachedattrsonextrefs: nspmMinLowerCaseCharacters
cachedattrsonextrefs: nspmMaxLowerCaseCharacters
cachedattrsonextrefs: nspmNumericCharactersAllowed
cachedattrsonextrefs: nspmNumericAsFirstCharacter
cachedattrsonextrefs: nspmNumericAsLastCharacter
cachedattrsonextrefs: nspmMinNumericCharacters
cachedattrsonextrefs: nspmMaxNumericCharacters
cachedattrsonextrefs: nspmSpecialCharactersAllowed
cachedattrsonextrefs: nspmSpecialAsFirstCharacter
cachedattrsonextrefs: nspmSpecialAsLastCharacter
cachedattrsonextrefs: nspmMinSpecialCharacters
cachedattrsonextrefs: nspmMaxSpecialCharacters
cachedattrsonextrefs: nspmMaxRepeatedCharacters
cachedattrsonextrefs: nspmMaxConsecutiveCharacters
cachedattrsonextrefs: nspmMinUniqueCharacters
cachedattrsonextrefs: nspmDisallowedAttributeValues
cachedattrsonextrefs: nspmExcludeList
cachedattrsonextrefs: nspmExtendedCharactersAllowed
cachedattrsonextrefs: nspmExtendedAsFirstCharacter
cachedattrsonextrefs: nspmExtendedAsLastCharacter
cachedattrsonextrefs: nspmMinExtendedCharacters
cachedattrsonextrefs: nspmMaxExtendedCharacters
cachedattrsonextrefs: nspmUpperAsFirstCharacter
cachedattrsonextrefs: nspmUpperAsLastCharacter
cachedattrsonextrefs: nspmLowerAsFirstCharacter
cachedattrsonextrefs: nspmLowerAsLastCharacter
cachedattrsonextrefs: nspmComplexityRules
cachedattrsonextrefs: nsimForgottenAction
cachedattrsonextrefs: nsimChallengeSetDN
cachedattrsonextrefs: nsimForgottenLoginConfig
cachedattrsonextrefs: nsimAssignments
cachedattrsonextrefs: nsimChallengeSetGUID
cachedattrsonextrefs: nsimPwdRuleEnforcement
cachedattrsonextrefs: nsimRequiredQuestions
cachedattrsonextrefs: nsimRandomQuestions
cachedattrsonextrefs: nsimNumberRandomQuestions
cachedattrsonextrefs: nsimMinResponseLength
cachedattrsonextrefs: nsimMaxResponseLength
cachedattrsonextrefs: ndspkiTrustedRootList
cachedattrsonextrefs: NDSPKI:Subject Name
cachedattrsonextrefs: NDSPKI:Not Before
cachedattrsonextrefs: NDSPKI:Not After
cachedattrsonextrefs: NDSPKI:Trusted Root Certificate
cachedattrsonextrefs: sasAuditConfiguration
cachedattrsonextrefs: pwdInHistory
cachedattrsonextrefs: nspmAdminsDoNotExpirePassword
cachedattrsonextrefs: nspmPasswordACL
cachedattrsonextrefs: sasAuthNMethodContainerDN
cachedattrsonextrefs: sasAuthNMethodList
NOTE: The CAER attribute is not what is actually read when a client logs in, this is just a list that the backlinker uses to know which attributes are allowed on an external reference. If an attribute is not present in this list and is not otherwised defined in code to be allowed on an external reference, it will not be present on an external reference'd object.