Users prompted for password when launching NSL in LDAP Credential Manager Mode after Smart Card Login

  • 7001783
  • 03-Nov-2008
  • 26-Apr-2012

Environment

Novell SecureLogin
NSL6.1
LDAP Credential Manager Mode
eDirectory datastore
Users login to eDir / NSL after logging into Windows
Smart card used for Windows login
No Novell Client on the workstation

Situation

After logging into Windows, users are prompted for a password to log in to eDir and launch NSL. Users had expected a single authentication to log in to both Windows and eDir.
No pass-through authentication occurs after smart card authentication to Windows.
LDAP error 49, "Failed Authentication" shows in log files.
No password is sent from Windows to SecureLogin.

Resolution

This is working as designed.

In credential manager mode (where the install option was selected to launch Novell SecureLogin (NSL) after logging into Windows), NLDAPAuth (NSL's LDAP authentication component) receives the credentials from Windows and then attempts to authenticate to eDirectory with those same credentials over an LDAP connection. This works when Windows has a password to hand off to NLDAPAuth, but it does not work with non-password login methods such as a smart card, because there is no password to pass through, and the LDAP bind fails with error 49.

SecureLogin (through NLDAPAuth) requires NMAS to perform non-password authentication. NMAS requires the workstation to have either the Novell Client, or NSL installed in GINA or Application mode. NMAS, and therefore NLDAPAuth, does not work with NSL installed in LDAP Credential Manager mode.

Workarounds:
1. Install the Novell Client on the workstation, including the NMAS component, and install SecureLogin on the workstations in default eDirectory mode; or
2. Install SecureLogin in LDAP GINA mode. Installed in GINA mode, NLDAPAuth will use NMAS to log in to eDir over an LDAP connection. While this does change the login dialog box displayed to the user, note that the NLDAPAuth GINA can be modified to suit company needs.