Unable to add SecureLogin applications to container

  • 7014594
  • 19-Feb-2014
  • 03-Mar-2014

Environment

NSL 7.0.3 HF4
AD environment
Windows Server 2003 SP2, AD Forest Functional Level: 2000



Situation

Adding applications to an OU fails in one Active Directory domain.
Unable to add applications to a container.
Unable to add application definitions to a container through the SLAP tool or through the MMC plugin.
The problem does not occur if the application is added to a different container.
The problem does not occur when adding applications to users within or below the container.
The problem only occurs on one particular container.
The SSODebug log shows LDAP Error 0xb (LDAP ADMIN LIMIT EXCEEDED).

Resolution

Export the SecureLogin data from the container, delete the values held in the container, and re-import them.  Steps:

1. Export the data from the container with slaptool or through the MMC plugin.
     Slaptool command:   slaptool -e -o "cn=abc,dc=123" exportfile.xml

2. Clear all the data from the container's protocom attributes (sso entries, sso entries checksum, sso pref, etc.) using ADSI Edit or Apache Directory Studio, or with slaptool.
     Slaptool command:   slaptool -d -o "cn=abc,dc=123" -a

3. Import the data that was exported in step 1 with the MMC plugin (distribution tab) or with slaptool.
     Slaptool command:   slaptool -o "cn=abc,dc=123" exportfile.xml

Cause

Attributes on Windows 2000 servers can only hold approximately 800 values.  In this case the Windows 2003 server was running at the Windows 2000 forest functional level, and the Protocom-SSO-Entries attribute on the container already held 828 values, so the limit was exceeded and the directory refused any further values.

Additional Information

For the attribute value limits of the various versions of Windows Server, see the "More Information" section of Microsoft KB article 914036 at http://support.microsoft.com/kb/914036/en-us
  

For a complete description of this case in the NetIQ forums, see https://forums.netiq.com/showthread.php?49537-how-many-application-definitions-do-you-have


Use LDP.EXE to look for attributes holding values in excess of 800 on a Win 2003 server, or 1300 on a Win 2008 server.  Steps for using LDP.exe:
1. Start, Run, LDP
2. Connection menu, choose "Connect"
3. Connection menu, choose "Bind" (as long as you are logged in with domain admin credentials, you can leave the User, Password, and Domain fields blank)
4. View menu, choose "Tree" and select "OK"
5. Expand the domain
6. Expand the OU where the user object or the container object is located
7. Double-click the user object or the container that is having the issue
8. Scroll in the right-hand pane to find the entries for each attribute that has a value. The number of values held by each attribute is shown.
9. Look for an attribute that has a large number of values, particularly one with more than 800 entries on a server at the Windows 2000 functional level, or 1300 entries on a server at the Windows Server 2003 functional level.
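The LDP.exe walk-through above can be scripted so the check can be repeated across many containers before the limit is hit. The following PowerShell script is an added example and is not part of this article or of the SecureLogin product; it binds to an object with ADSI (which works against a Windows Server 2003 domain controller, unlike the ActiveDirectory module, which needs the AD Web Service), counts the values held by every attribute on that object, and flags any attribute above the limit the article quotes for the forest functional level. The DN "cn=abc,dc=123" is the placeholder used in the slaptool commands above, and the parameter and variable names are the script's own.

```powershell
# Added example, not from the original KB article: scripted equivalent of the
# LDP.EXE procedure. Counts the values on every attribute of one AD object and
# flags attributes above the per-value limit for the forest functional level.
# Assumptions: $ObjectDN is a placeholder DN, the caller has read access to the
# object, and the limits are the ones the article states (800 at the Windows
# 2000 forest functional level, 1300 at the Windows Server 2003 level).
param(
    [string]$ObjectDN = "cn=abc,dc=123",        # placeholder DN from the article
    [ValidateSet("2000", "2003")]
    [string]$ForestFunctionalLevel = "2000"     # matches the environment in this case
)

# Approximate limits quoted in the article; KB 914036 has the full table.
$limits = @{ "2000" = 800; "2003" = 1300 }
$limit  = $limits[$ForestFunctionalLevel]

# Bind with ADSI and load every attribute into the local property cache.
$entry = [ADSI]("LDAP://" + $ObjectDN)
$entry.RefreshCache()

# One row per attribute: name, number of values, and whether it is over the limit.
$report = foreach ($name in $entry.Properties.PropertyNames) {
    $count = $entry.Properties[$name].Count
    [pscustomobject]@{
        Attribute  = $name
        ValueCount = $count
        OverLimit  = ($count -gt $limit)
    }
}

# Largest attributes first, which is what step 9 above asks you to look for.
$report | Sort-Object ValueCount -Descending | Format-Table -AutoSize

$over = @($report | Where-Object { $_.OverLimit })
if ($over.Count -gt 0) {
    Write-Warning ("{0} attribute(s) on {1} exceed {2} values; adding further values will fail with LDAP error 0xb (admin limit exceeded)." -f $over.Count, $ObjectDN, $limit)
}
```

Run it as `.\Check-AttributeValueCount.ps1 -ObjectDN "ou=Sales,dc=example,dc=com" -ForestFunctionalLevel 2000` (file and DN are illustrative). One caveat: a domain controller returns very large multi-valued attributes in ranges, so the count for an attribute is capped at the server's MaxValRange (1000 at the Windows 2000 level, 1500 otherwise) unless the script is extended to request further ranges; both thresholds used here sit below that cap, so an attribute that is over the limit is still reported as over the limit.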