NetWare FTP users get Intruder Lockout after adding OES Linux replicas to the tree

  • 7006263
  • 11-Jun-2010
  • 27-Apr-2012

Environment

Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 2
Novell NetWare 6.5 Support Pack 8

Situation

A NetWare FTP Server exists and does not have an eDirectory replica of its own. An OES 2 Linux replica server is added nearby. The NetWare FTP server begins to use that replica for authentication, and FTP user accounts get locked out by eDirectory Intruder Detection.
 
NetWare FTP logins are done in 2 steps.  First, when the FTP client submits a username, NWFTPD does a Verify Password call with a NULL (empty) password, to see if the account happens to have no password.  If that fails (as would usually be the case), then NetWare FTP prompts the user for their actual password and then does a normal Login call with that password.
 
NetWare replica servers do not count a failed "Verify Password" attempt as an intruder event, as long as the password is NULL.  However, OES Linux replica servers are incrementing the intruder attempt counter in this situation.   This doesn't usually lead to a problem if the FTP user only has 1 session active at a time, anywhere in the tree.  However, if multiple attempts with the same user name are happening nearly simultaneously, then intruder lockout can be triggered.
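
The counter behaviour described above can be reproduced with a small model. This is an added example, not Novell or eDirectory code; the attempt limit of 3, locking when the limit is reached, the counter reset on a successful login, the constructed password and all class and function names are assumptions made for the illustration.

```python
# Added illustration: a toy model of the intruder counter, not eDirectory code.
from dataclasses import dataclass

@dataclass
class Replica:
    counts_null_verify: bool  # True: unpatched OES Linux replica, False: NetWare replica
    limit: int = 3            # assumed intruder attempt limit for the model
    attempts: int = 0
    locked: bool = False

    def _fail(self):
        self.attempts += 1
        if self.attempts >= self.limit:  # assumption: lock once the limit is reached
            self.locked = True

    def verify_password(self, real, supplied):
        """Step 1 of an NWFTPD login: Verify Password, here with a NULL password."""
        if self.locked:
            return False
        if supplied == real:
            return True
        if supplied != "" or self.counts_null_verify:
            self._fail()  # NetWare replicas skip this for a NULL password
        return False

    def login(self, real, supplied):
        """Step 2: the normal Login call with the password the user typed."""
        if self.locked:
            return False
        if supplied == real:
            self.attempts = 0  # assumption: a successful login clears the counter
            return True
        self._fail()
        return False

def simulate(counts_null_verify, sessions, simultaneous):
    """Return (successful_logins, locked) for FTP sessions of one user."""
    replica, real, ok = Replica(counts_null_verify), "constructed-pw", 0
    if simultaneous:  # every session probes with NULL before any of them logs in
        for _ in range(sessions):
            replica.verify_password(real, "")
        ok = sum(replica.login(real, real) for _ in range(sessions))
    else:             # one session at a time: probe, then log in
        for _ in range(sessions):
            replica.verify_password(real, "")
            ok += replica.login(real, real)
    return ok, replica.locked

if __name__ == "__main__":
    print(simulate(True, 3, False), simulate(True, 3, True), simulate(False, 3, True))
```

In the model, three sessions against the OES Linux replica succeed when run one after another but lock the account when their NULL probes arrive together, while the NetWare replica never counts the probes.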

Resolution

This issue was resolved on OES 2 in both eDirectory 8.8.5 Patch5 and eDirectory 8.8.6.  The package which contains the fix should be (at minimum) version:
 
If using eDir 8.8.5:
novell-NDSserv-8.8.5.5-0.7.2
 
If using eDir 8.8.6:
novell-NDSserver-8.8.6.1-0.10
 
 
A workaround which does not require OES to be updated is to place a replica on the NetWare FTP Server.