Cannot access internet when network address attribute is missing

  • 7013371
  • 25-Sep-2013
  • 10-Apr-2014

Environment

eDirectory
Novell Client 2 SP3 for Windows

Situation

Some applications, such as Websense TRITON Web Security, Sophos Astaro Security Gateway (ASG/UTM), and ContentKeeper Secure Internet Gateway allow access to the internet only if the network address can be read from the user object via LDAP. Because the network address attribute is not present on the user object, the user cannot access the internet.

Rebooting the workstation resolves the problem.

Resolution

This problem can result from either of two conditions.

1. The eDirectory user's "Network Address" attribute is potentially not updated in a timely manner after workstation resume or reconnect. This problem was fixed in Novell Client 2 SP3 for Windows (IR5).

2. The eDirectory user's "Network Address" attribute does not include the port number for the connection. To resolve this problem, configure eDirectory such that the port number is included as part of the network address attribute maintained for the user object.
 
On the OES server, add/set the following parameter in the /etc/opt/novell/eDirectory/conf/nds.conf file:
   n4u.server.mask-port-number=0
 
A value of 0 means port numbers are not masked and are included in the network address.
A value of 1 means port numbers are masked and are not included in the network address.

To enable the setting, it is necessary to restart eDirectory, using the command:
   rcndsd restart
 
Note: This command will disconnect any users currently authenticated to eDirectory.

Additional Information

To verify that the port number is currently included as part of the network address attribute:
 
1. Open iMonitor (<ipaddress>:8028/nds)
2. Click the search (magnifying glass) button
3. Enter the name of the user in the "Relative Distinguished Name" field and click the "Search" button
4. Select the user
5. When the detailed entry for the user appears, scroll down to view the Network Address attribute. The "Address" field will show the network address and port number, such as: 137.56.212.248:0 or 10.10.1.198:49282. If the port number is 0, then the port number is being masked, and is not part of the network address attribute.
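The following is an added example and not part of this TID: a POSIX shell helper that sets the nds.conf parameter from the Resolution section idempotently and classifies an iMonitor "Address" value as masked or not, so the two checks above can be scripted. The function names, the conf path being passed as an argument, and the sample nds.conf content in the comments are assumptions; the script does not restart ndsd.

```shell
#!/bin/sh
# Added example (not from the TID). Works on a copy of nds.conf so it can be
# tested safely; point it at /etc/opt/novell/eDirectory/conf/nds.conf in production.

NDS_CONF_PARAM="n4u.server.mask-port-number"

# Print the current value of the parameter (last occurrence wins), or "unset".
get_mask_port_setting() {
    conf=$1
    val=$(sed -n "s/^[[:space:]]*${NDS_CONF_PARAM}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$conf" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# Ensure the parameter is set to 0 (port numbers included in the network address).
# Rewrites an existing line in place, otherwise appends one; never adds duplicates.
# eDirectory must still be restarted (rcndsd restart) for the change to take effect.
set_mask_port_off() {
    conf=$1
    if grep -q "^[[:space:]]*${NDS_CONF_PARAM}[[:space:]]*=" "$conf"; then
        sed -i "s/^[[:space:]]*${NDS_CONF_PARAM}[[:space:]]*=.*/${NDS_CONF_PARAM}=0/" "$conf"
    else
        printf '%s=0\n' "$NDS_CONF_PARAM" >> "$conf"
    fi
}

# Classify an Address value as shown in iMonitor (e.g. 10.10.1.198:49282):
#   masked  - port is 0, so the port number is being masked
#   ok      - a real port number is present
#   invalid - not in ip:port form
classify_address() {
    addr=$1
    case $addr in
        *:*) port=${addr##*:} ;;
        *)   printf 'invalid\n'; return 0 ;;
    esac
    case $port in
        ''|*[!0-9]*) printf 'invalid\n'; return 0 ;;
    esac
    if [ "$port" -eq 0 ]; then printf 'masked\n'; else printf 'ok\n'; fi
}
```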