eDirectory 8.8 and/or OES11 SP2 - IP based network restrictions result in "NDS error: bad station number (-253)".

  • 7014756
  • 19-Mar-2014
  • 19-Mar-2014

Environment

NetIQ eDirectory 8.8
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 2

Situation

A problem was found in NetIQ eDirectory 8.8 (which is also included with Novell Open Enterprise Server 11 Support Pack 2) in environments where network address restrictions are used to control the addresses from which a user (or group of users) is allowed to log in.

In certain environments it may be desirable to allow the tree admin user to log in only from a computer whose IP address lies within a certain network range.
As another example, in an academic environment it may be desirable to allow students to log in only from a specific network range.

The problem occurs when IP based restrictions are configured for an entire network range.
It does not occur when a single IP address is configured instead.

This configuration worked on earlier builds of NetIQ eDirectory 8.8 and on OES 11 releases prior to SP2; the same configuration no longer works on the current NetIQ eDirectory 8.8 build and on OES11 SP2.

Instead, all users whose client address falls within the configured range, and who should therefore be allowed to log in, are refused with the message "NDS error: bad station number (-253)".

Please note that this problem also exists in stand-alone eDirectory 8.8.

Resolution

Work in progress.

Cause

There was an inconsistency in the NMAS event data between IPv4 and IPv6 client addresses: the port number was missing for IPv4 addresses.
This problem was introduced by the fix for that inconsistency.

Additional Information

IP based restrictions can be configured using iManager.
To configure an IP address range from which a user is allowed to log in:

Start iManager, then:
-  select "Users",
-  select "Modify users",
-  select the user,
-  select "restrictions",
-  select "Address restrictions",
-  select "IP",
-  specify the IP address range for the restriction, e.g. 182.168.253.0 or 10.0.0.0.

As a work-around, either remove the restrictions that cover an entire IP address range, or replace them with one entry per specific IP address from which the user is allowed to log in. Note that removing the range restriction removes the login control altogether, and that a list of specific addresses is only reliable for clients with static addresses (or DHCP reservations); a client that obtains a different address will be refused.
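The following script is an added example and is not part of the TID or of any NetIQ tool. It supports the second work-around: given the range-style restrictions currently entered in iManager and a (constructed) inventory of the workstations a user actually logs in from, it produces the explicit per-host addresses to enter as single-IP restrictions, and checks that no address outside the original ranges slips in. It assumes that a restriction with trailing zero octets (such as 10.0.0.0) is treated by eDirectory as covering every address that shares the non-zero leading octets; the host names and addresses in the inventory are constructed sample data.

```python
"""
Added example (not from the NetIQ TID): helper for the single-address
work-around to the "bad station number (-253)" problem.

Assumptions not stated in the TID:
  * A restriction entry with trailing zero octets (e.g. "10.0.0.0") is a
    range covering every address whose leading octets match the non-zero
    part of the entry.
  * HOST_INVENTORY is constructed sample data, not a real tree.
"""
from ipaddress import IPv4Address

# Range-style restrictions as entered in iManager
# ("Restrictions" > "Address restrictions" > "IP") for the affected user.
RANGE_RESTRICTIONS = ["182.168.253.0", "10.0.0.0"]

# Constructed inventory of workstations the user logs in from.
HOST_INVENTORY = {
    "admin-ws1": "182.168.253.17",
    "admin-ws2": "182.168.253.42",
    "lab-pc7": "10.20.30.40",
    "guest-kiosk": "172.16.5.9",  # outside every range: must not be added
}


def restriction_prefix(restriction):
    """Return the leading octets of a restriction entry with trailing
    zero octets removed; an all-zero entry yields an empty prefix
    (matches every address)."""
    octets = str(IPv4Address(restriction)).split(".")
    while octets and octets[-1] == "0":
        octets.pop()
    return octets


def matches_range(address, restriction):
    """True if `address` lies inside the range described by `restriction`
    under the assumed trailing-zero-octet semantics."""
    prefix = restriction_prefix(restriction)
    octets = str(IPv4Address(address)).split(".")
    return octets[: len(prefix)] == prefix


def explicit_addresses(restrictions, inventory):
    """Expand range-style restrictions into the explicit single addresses
    to enter instead. Hosts outside every range are dropped, so the
    work-around never widens the original policy."""
    allowed = {
        ip for ip in inventory.values()
        if any(matches_range(ip, r) for r in restrictions)
    }
    return sorted(allowed, key=IPv4Address)


def not_covered(explicit, restrictions):
    """Return the explicit addresses that no original range covers.
    An empty list means the explicit list is no wider than the ranges."""
    return [
        ip for ip in explicit
        if not any(matches_range(ip, r) for r in restrictions)
    ]


if __name__ == "__main__":
    addrs = explicit_addresses(RANGE_RESTRICTIONS, HOST_INVENTORY)
    print("Enter these single-IP restrictions in place of the ranges:")
    for ip in addrs:
        print("  ", ip)
    stray = not_covered(addrs, RANGE_RESTRICTIONS)
    print("Addresses outside the original ranges:", stray or "none")
```

The printed list is what to enter, one address per entry, under "Address restrictions" > "IP" for the user, after removing the range entries; re-run the script whenever a workstation changes address, since a client whose address is not on the list will be refused.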