LDAP Auth to Novell eDirectory (working... kinda)

Hi all,

Anyone using LDAP Auth for RT with Novell eDirectory?

I’ve been working through the LDAP documentation at the wiki
(http://wiki.bestpractical.com/index.cgi?LDAP) and I’ve got things
mostly working with RT 3.6.1 and Novell eDirectory 8.7.x. I can log in
to RT and everything seems to work fine except that every time I log in,
eDirectory decrements my grace login total. Once I’m down to zero I
can’t log in to RT until I go into eDirectory (via ConsoleOne in my
case) and give myself some more grace logins.

When I look at the eDirectory log I find a socket error (-5871) every
time RT sends a search request. RT does a number of LDAP searches for
every log in attempt. The odd thing is that I don’t get an actual NDS
error until RT tries to use the LDAP filter settings that are included
in RT_SiteConfig. For example:

filter: “(cn=twilson)” isn’t a problem. Neither is filter:
“(mail=twilson@mycompany.com)”. After those two searches RT tries
one that looks like this:

filter: “(&(cn=twilson)(objectclass=person))”

That one produces an “NDS error: bad password (-222)”. Presumably
that’s when the grace login count gets decremented. The next time I try
to log in it fails and the eDirectory log shows “NDS error: password
expired (-223)”.

I’ve disabled the grace login feature for now, but that’s not an
effective long-term solution.

I’d love to hear some suggestions.

-Tim

Tim Wilson, Director of Technology
Buffalo-Hanover-Montrose Schools
214 1st Ave NE Buffalo, MN 55313
ph: 763.682.8740 fax: 763.682.8743 http://www.buffalo.k12.mn.us

Tim Wilson wrote:

> Hi all,
>
> Anyone using LDAP Auth for RT with Novell eDirectory?

Yep.

> I’ve been working through the LDAP documentation at the wiki
> (Request Tracker Wiki) and I’ve got things
> mostly working with RT 3.6.1 and Novell eDirectory 8.7.x. I can log in
> to RT and everything seems to work fine except that every time I log in,
> eDirectory decrements my grace login total. Once I’m down to zero I
> can’t log in to RT until I go into eDirectory (via ConsoleOne in my
> case) and give myself some more grace logins.
>
> When I look at the eDirectory log I find a socket error (-5871) every
> time RT sends a search request. RT does a number of LDAP searches for
> every log in attempt. The odd thing is that I don’t get an actual NDS
> error until RT tries to use the LDAP filter settings that are included
> in RT_SiteConfig. For example:
>
> filter: “(cn=twilson)” isn’t a problem. Neither is filter:
> “(mail=twilson@mycompany.com)”. After those two searches RT tries
> one that looks like this:
>
> filter: “(&(cn=twilson)(objectclass=person))”
>
> That one produces an “NDS error: bad password (-222)”. Presumably
> that’s when the grace login count gets decremented. The next time I try
> to log in it fails and the eDirectory log shows “NDS error: password
> expired (-223)”.
>
> I’ve disabled the grace login feature for now, but that’s not an
> effective long-term solution.
>
> I’d love to hear some suggestions.
>
> -Tim

Unfortunately, I’m not really familiar with NDS grace logins (we don’t
use them), so I don’t know if I can help much. I would think this is
only a problem if the user’s password has already expired?

You may need to post your LDAP-related settings from RT_SiteConfig.

Jason