Environment
NetIQ eDirectory 8.8
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 2
Situation
With NetIQ eDirectory 8.8 (which is also included with Novell Open Enterprise Server 11 Support Pack 2), a problem was found in environments where network-based restrictions specify the addresses from which a user (or group of users) is allowed to log in.
In certain environments it may be desirable to allow the tree admin user to log in only from a computer registered with an IP address from a certain network range.
As another example it may be desirable to only allow students in an Academic environment to login from a specific network range.
The problem exists in the configuration where IP based restrictions are configured for entire network ranges.
The problem does not exist when a single IP address is configured instead.
This same configuration worked well on prior versions of NetIQ eDirectory 8.8 and prior versions of OES11 SP2; however, the same configuration no longer works on NetIQ eDirectory 8.8 and/or OES11 SP2.
As a result, all users who match the specified criteria, and who should therefore be allowed to log in, now receive the message "NDS error: bad station number (-253)".
Please note that this problem also exists in stand-alone eDirectory 8.8.
Resolution
Work in progress.
Cause
There was an inconsistency in NMAS event data between IPv4 and IPv6 client addresses, where the port number was missing for IPv4.
This problem was introduced when fixing this inconsistency.
Additional Information
IP based restrictions can be configured using iManager.
To configure an IP address range from which a user is allowed to log in:
Start iManager, then:
- select "Users",
- select "Modify users",
- select the user,
- select "restrictions",
- select "Address restrictions",
- select "IP",
- specify the IP address range for the restriction. E.g. 182.168.253.0, or 10.0.0.0.
As a workaround, either the restrictions that are set for the entire IP address range can be removed completely, or specific IP addresses can be entered for the user instead.