NMAS: error -1680 sequence not authorized

  • 7014485
  • 30-Jan-2014
  • 30-Jan-2014

Environment

NetIQ eDirectory
NMAS

Situation

User cannot log in to access Novell CIFS Server
Error -1680 is seen in the NMAS trace

Resolution

The sasAuthorizedLoginSequences attribute is empty or is missing the desired login sequence, such as cifslinlsm.

To find this attribute, check for sasAuthorizedLoginSequences first on the user, then on the container the user object exists in, then on the partition the user exists in, and finally on the Login Policy object (in the security container).

In iManager | NMAS role | NMAS Login Sequences verify that the login sequence required is Authorized.  Then look for Authorized sequences starting at the user.  Modify the user, click the NMAS tab, Login Sequence sub tab and verify the sequence is listed and is active.  Proceed with the same process for verifying the login sequence on the container, partition, and finally the Login Policy object.

In eDir 8.8 this attribute is cached on external references, so it should not need to walk off the server.

Cause

When a user logs in with an NMAS-aware client or with a login method like cifslinlsm, a search is done starting at the root of the tree for the sasAuthorizedLoginSequences attribute.  If the attribute exists, NMAS evaluates its values to determine whether the requested login sequence is listed as authorized.  This attribute does not exist by default.  It is added when one or more sequences are de-authorized, and it then lists the authorized sequences.  If a login sequence does not show in the list, it is not authorized.

The search pattern that NMAS will do when scanning for the sasAuthorizedLoginSequences attribute is first the User object, then the User Object Container, then the Partition Root container for the user, and finally, the Login Policy object in the security container. 

If the attribute does not exist on the objects searched first, NMAS finally checks the Login Policy object under the security container.  If the attribute does not exist there either, NMAS determines that all login sequences are authorized.  If the attribute exists and is valueless (no sequences listed), then no login sequence is authorized.
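
The lookup described above can be modelled offline to work out which object is producing the -1680. The following is an added example, not NMAS code and not part of the original TID. It assumes that the first object in the search order that carries the attribute decides the result and that sequence names compare case-insensitively. The function names, the dictionary layout and the sample trees are constructed for illustration.

```python
# Added example: models the lookup order this TID describes. Not NMAS code.
SEARCH_ORDER = ("user", "container", "partition_root", "login_policy")
ATTR = "sasAuthorizedLoginSequences"
ERR_NOT_AUTHORIZED = -1680


def evaluate(objects, sequence):
    """Return (authorized, deciding_object, reason).

    objects maps each name in SEARCH_ORDER to a dict of attributes.
    A missing ATTR key means the attribute does not exist on that object;
    an empty list means it exists but is valueless.
    Assumption: the first object that carries the attribute decides.
    """
    wanted = sequence.strip().lower()  # assumption: case-insensitive match
    for name in SEARCH_ORDER:
        attrs = objects.get(name, {})
        if ATTR not in attrs:
            continue  # attribute absent here, keep walking the order
        values = [v.strip().lower() for v in attrs[ATTR]]
        if not values:
            return False, name, "attribute exists but is valueless"
        if wanted in values:
            return True, name, "sequence is listed as authorized"
        return False, name, "sequence is missing from the list"
    return True, None, "attribute not found; all sequences authorized"


def login_result(objects, sequence):
    """Return 0 when authorized, -1680 when the sequence is not authorized."""
    authorized, _, _ = evaluate(objects, sequence)
    return 0 if authorized else ERR_NOT_AUTHORIZED


# Constructed sample trees (values are illustrative, not from a real tree).
NO_ATTR = {name: {} for name in SEARCH_ORDER}
EMPTY_ON_POLICY = {**NO_ATTR, "login_policy": {ATTR: []}}
MISSING_CIFS = {**NO_ATTR, "container": {ATTR: ["NDS", "Simple Password"]}}
LISTED_ON_USER = {**MISSING_CIFS, "user": {ATTR: ["cifslinlsm"]}}

if __name__ == "__main__":
    samples = {"no attribute": NO_ATTR, "empty on policy": EMPTY_ON_POLICY,
               "missing on container": MISSING_CIFS,
               "listed on user": LISTED_ON_USER}
    for label, tree in samples.items():
        ok, where, why = evaluate(tree, "cifslinlsm")
        print(f"{label:22} -> {login_result(tree, 'cifslinlsm'):6} "
              f"decided at {where}: {why}")
```

The deciding object reported for a failing case is the place to correct the attribute in iManager.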

Additional Information

Thu Jan 30 16:48:18 MST 2014 Rance Burker - Created TID