ldap_bind_nmas_s
Lee Wiltbank
2006-08-16 03:43:00 UTC
Hi,

I am trying the nmasbind.c sample from the ldap sdk. The sample works fine
for two users (admin and test) with the NDS sequence. In ConsoleOne, I set
the Simple Password for test, but ldap_bind_nmas_s always returns 49
(LDAP_INVALID_CREDENTIALS), even though I can login using the Novell Login
using the Simple Password sequence. Any help would be greatly appreciated.
Thanks.

Lee
Susan Perrin
2006-08-16 18:46:36 UTC
Hi

When you tested the Novell login using the simple password sequence, did you
first kill any existing authenticated connections? (red n Novell
Connections detach)?

It's working fine for me with the June 2006 cldap sdk build against eDir 88
sp1. Let me know what you're using.

On the server, please run a dstrace with +nmas +ldap. Here's an example of
a problem if I don't have the simple password method on my client, for
example:

NMAS Audit 0x290002 logged
16: CanDo
16: Sequence Selected == "Simple Password"
16: Client can do: 0x7 0x1F 0x1D 0x0
16: Sequence: Simple Password (AND) LMs 0x9
16: ERROR: -1663 CanDo
16: NMAS Audit 0x290005 logged
16: ERROR: -1663 NMAS Manager
16: Failed login

It will help to capture that nmas error.

Thank you
Susan
Lee Wiltbank
2006-08-16 19:16:52 UTC
Susan,

Thanks for the help. In testing, I didn't kill any existing authenticated
connections, but it worked fine with the Novell Login. It only failed when
I try to do it myself with an ldap_bind_nmas_s. I did run dstrace on the
server with +nmas +ldap, but my log looks markedly different from yours.
I get a lot of DSAResolveName, DSARead, DCCreateContext, etc on my screen.
I am using NW 65 SP5 with eDir 8.7.3.7 on it.

Lee
Peter Kuo
2006-08-17 03:08:26 UTC
I think part of your problem may be due to eDir version -- you really need
8.8 for the NMAS method to work ... but like you (even on 8.8), I haven't
gotten the Simple Password to work yet I can authenticate using something
like ldapsearch against 8.7.3.x and 8.8 using Simple Password ... so
you're not alone in this. (I did fine using the June 2006 build of LDAP
SDK helps "a little")
--
Peter
eDirectory Rules!
Lee Wiltbank
2006-08-17 16:24:10 UTC
I did install eDir 8.8.1 and tried again, still the same ldap error (49).
When I use dstrace +nmas +ldap, I can see this on screen:

Failed to authenticate full context on connection error = -16049

I am using the June 2006 build of the LDAP sdk.

Lee
Susan Perrin
2006-08-17 17:38:25 UTC
Hi

If you're not comfortable posting your dstrace.log can you please email it
to me: sperrin at novell dot com.

Thanks
Susan
Lee Wiltbank
2006-08-17 18:07:09 UTC
No problem posting it. Here it is:

13: Create NMAS Session
13: Pregathered information NMAS_AID = 1 value lwiltbank\.O=test
13: Pregathered information NMAS_AID = 11 value Simple Password
13: CheckIfLocalUser: client supplied user DN lwiltbank\.O=test
ERROR: -610 dal_createUserContext: DDCResolveName for lwiltbank\.O=test
ERROR: -601 resolveFilteredReplica: Resolving
.lwiltbank\.O=test.IDG_65-TREE.
ERROR: -601 dal_createUserContext: resolveFilteredReplica for
lwiltbank\.O=test
ERROR: -16049 DALCreateLoginSession:createUserContext
13: ERROR: -16049 CheckIfLocalUser: DALCreateLoginSession
13: Destroy NMAS Session

For my command line, I am using:

<my host ip> 389 CN=lwiltbank.O=test "Simple Password"

Thanks for the help.

Lee
Susan Perrin
2006-08-17 20:41:56 UTC
Hi

Thanks. I'm just guessing right now... but when you successfully login using
the Novell client login with nmas method, what server do you connect to as
your primary connection? After you login, check connections and look at the
server with the asterisk. Is that server the same as the ldap server you
are using to bind with? If not, can you try binding to the server that
contains your user object? I'm concerned about this filtered replica
business... It probably should chain, but I want to make sure the basic
functionality works before I ask about this error.

Thanks
Susan
Lee Wiltbank
2006-08-17 21:12:32 UTC
I use the same server for both, I only have one in the entire company.
Although, one small difference is that in the Novell Login, I use the full
name (IDG-65-Server) and in the ldap_bind, I use the IP 10.11.102.200.

Lee
Peter Kuo
2006-08-17 21:53:37 UTC
Post by Lee Wiltbank
> Although, one small difference is that in the Novell Login, I use the full
> name (IDG-65-Server) and in the ldap_bind, I use the IP 10.11.102.200.

That shouldn't matter. I think I'm going to reinstall my 8.8 from clean
(using VMWare so I'm going to use a brand spanking "new" setup) ... I ran
into a problem in the past (I think it was iManager not seeing my
Universal Password setup) and it was due to something getting borked in
the eDir backend ..
--
Peter
eDirectory Rules!
Susan Perrin
2006-08-17 22:46:44 UTC
Hi

Do you have a dot in your org name? What are the parameters you are using
for nmasbind?

I'm using:

server 389 cn=user1,o=novell "Simple Password" simplepw

If you can do me a big favor, I want more testing and then I'll throw myself
at the mercy of the NMAS engineer. That error is undocumented.

I would like you to attach full traces (not just cut out the portion we've
been discussing) from both client and server, AND for both Novell client
login using Simple Password Method and using NMASBind.

Make sure you set "dstrace file on" on the server side. And add +AREQ to
the +NMAS and +LDAP. And be certain that you have enabled all the screen
options check boxes on the ldap server object in iManager or ConsoleOne.

And for the client side see
http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=10092531&sliceId=&dialogID=10577553&stateId=0%200%2010583626

If you can get me 4 files then, two from the server and two from the client
so I can see a successful login from both client and server perspectives, and
a failed bind from both client and server perspectives, this may tell me
more, or it will be what I can use to seek further help.

If you have problems with ncc just send along the dstrace logs.

I tried it when both NDS and Simple Password were enabled for the user, and
when only simple password was enabled for the user. Both worked fine. I
did not use encrypted simple password, but used ConsoleOne to set it. I am
using nmas.dll

Thank you
Susan
Lee Wiltbank
2006-08-18 15:45:07 UTC
Susan,

Thanks for the help. The parameters I am using are:

server 389 cn=lwiltbank,o=test "Simple Password" simplepw

And here are the client and server log files. I logged in with the Novell
Login first and with nmasbind second. Thanks again.

=================================================================
NMAS Client Trace - Generated: Fri Aug 18 09:39:20 2006
=================================================================
client: NMAS Client, Win32
version: 3.2.0.16
build date: Dec 7, 2005

==== MethodID: 7 ====
description : NDS Login Method
module : (built in)
network func : (built in)
vendor : Novell, Inc.
version : 3.2.0.16
build date : Dec 7 2005
info func : (built in)
local func :

==== MethodID: 31 ====
description :
module : crlcm.dll
network func : LCM0000001F
vendor : Novell
version :
build date :
info func :
local func :

==== MethodID: 9 ====
description :
module : C:\WINDOWS\system32\pwdhash.dll
network func : LCM00000009
vendor :
version :
build date :
info func :
local func :

==== MethodID: 7 ====
description :
module : C:\WINDOWS\system32\ndslogin.dll
network func : LCM00000007
vendor :
version :
build date :
info func :
local func :

==== MethodID: 20 ====
description :
module : C:\WINDOWS\system32\epwdlcm.dll
network func : LCM00000014
vendor :
version :
build date :
info func :
local func :

Line#: Time: ThreadID:
======== ========= ==========
00000001 [09:39:20 0x00000994] MAF Ctx - transportFunc: 0x52E72A50
00000002 [09:39:20 0x00000994] MAF Ctx - transportArg: 0x018AB6A8
00000003 [09:39:20 0x00000994] MAF Ctx - atEndFunc: 0x52E72A90
00000004 [09:39:20 0x00000994] MAF Ctx - atEndArg: 0x018AB6A8
00000005 [09:39:20 0x00000994] MAF Ctx - nmasID: -1
00000006 [09:39:20 0x00000994] MAF Ctx - featureFlags: 0x00000000
00000007 [09:39:20 0x00000994] MAF Ctx - options: 0x000000F0
00000008 [09:39:20 0x00000994] MAF Ctx - uiHandle: 0x0007072C
00000009 [09:39:20 0x00000994] MAF Ctx - uiTimeout: 0x000000B4
00000010 [09:39:20 0x00000994] MAF Ctx - TreeName: IDG-65-TREE
00000011 [09:39:20 0x00000994] MAF Ctx - Name: CN=admin.O=test
00000012 [09:39:20 0x00000994] MAF Ctx - Password: (not NULL)
00000013 [09:39:20 0x00000994] MAF Ctx - Sequence: (NULL)
00000014 [09:39:20 0x00000994] MAF Ctx - Clearance: (NULL)
00000015 [09:39:20 0x00000994] [Method: 0007] LCM00000007 - NDS Method
00000016 [09:39:20 0x00000994] [Method: 0007] PWD Status - LSMVersion: 2,
graceLogins: 255, flags: 0x00000030
00000017 [09:39:20 0x00000994] [Method: 0007] DoLoginV2 rc: 0
00000018 [09:39:20 0x00000994] [Method: 0007] LCM00000007 rc: 0
00000019 [09:39:20 0x00000994] Method: 7, rc: 0
00000020 [09:39:20 0x00000994] doMethod - methodID: 7, rc: 0
00000021 [09:39:20 0x00000994] MgrClientMgr rc: 0
00000022 [09:39:20 0x00000994] mh->atEndFunc rc: 0
00000023 [09:39:20 0x00000994] MgrCloseLoginSession rc: 0
00000024 [09:40:30 0x00000AB0] MAF Ctx - transportFunc: 0x52E72A50
00000025 [09:40:30 0x00000AB0] MAF Ctx - transportArg: 0x018AB6A8
00000026 [09:40:30 0x00000AB0] MAF Ctx - atEndFunc: 0x52E72A90
00000027 [09:40:30 0x00000AB0] MAF Ctx - atEndArg: 0x018AB6A8
00000028 [09:40:30 0x00000AB0] MAF Ctx - nmasID: -1
00000029 [09:40:30 0x00000AB0] MAF Ctx - featureFlags: 0x00000000
00000030 [09:40:30 0x00000AB0] MAF Ctx - options: 0x000000F0
00000031 [09:40:30 0x00000AB0] MAF Ctx - uiHandle: 0x000D0732
00000032 [09:40:30 0x00000AB0] MAF Ctx - uiTimeout: 0x000000B4
00000033 [09:40:30 0x00000AB0] MAF Ctx - TreeName: IDG-65-TREE
00000034 [09:40:30 0x00000AB0] MAF Ctx - Name: CN=lwiltbank.O=test
00000035 [09:40:30 0x00000AB0] MAF Ctx - Password: (not NULL)
00000036 [09:40:30 0x00000AB0] MAF Ctx - Sequence: Simple Password
00000037 [09:40:30 0x00000AB0] MAF Ctx - Clearance: (NULL)
00000038 [09:40:30 0x00000AB0] loadMethod: C:\WINDOWS\system32\pwdhash.dll,
func: LCM00000009, rc: 0
00000039 [09:40:30 0x00000AB0] Method: 9, rc: 0
00000040 [09:40:30 0x00000AB0] doMethod - methodID: 9, rc: 0
00000041 [09:40:30 0x00000AB0] MgrClientMgr rc: 0
00000042 [09:40:30 0x00000AB0] mh->atEndFunc rc: 0
00000043 [09:40:30 0x00000AB0] MgrCloseLoginSession rc: 0

=================================================================
NMAS Client Trace - Generated: Fri Aug 18 09:40:44 2006
=================================================================
client: NMAS Client, Win32
version: 3.2.0.16
build date: Dec 7, 2005

==== MethodID: 7 ====
description : NDS Login Method
module : (built in)
network func : (built in)
vendor : Novell, Inc.
version : 3.2.0.16
build date : Dec 7 2005
info func : (built in)
local func :

==== MethodID: 31 ====
description :
module : crlcm.dll
network func : LCM0000001F
vendor : Novell
version :
build date :
info func :
local func :

==== MethodID: 9 ====
description :
module : C:\WINDOWS\system32\pwdhash.dll
network func : LCM00000009
vendor :
version :
build date :
info func :
local func :

==== MethodID: 7 ====
description :
module : C:\WINDOWS\system32\ndslogin.dll
network func : LCM00000007
vendor :
version :
build date :
info func :
local func :

==== MethodID: 20 ====
description :
module : C:\WINDOWS\system32\epwdlcm.dll
network func : LCM00000014
vendor :
version :
build date :
info func :
local func :

Line#: Time: ThreadID:
======== ========= ==========
00000001 [09:40:44 0x00000CB0] MAF Ctx - transportFunc: 0x50D76220
00000002 [09:40:44 0x00000CB0] MAF Ctx - transportArg: 0x00010000
00000003 [09:40:44 0x00000CB0] MAF Ctx - atEndFunc: 0x00000000
00000004 [09:40:44 0x00000CB0] MAF Ctx - atEndArg: 0x00000000
00000005 [09:40:44 0x00000CB0] MAF Ctx - nmasID: -1
00000006 [09:40:44 0x00000CB0] MAF Ctx - featureFlags: 0x00000000
00000007 [09:40:44 0x00000CB0] MAF Ctx - options: 0x000000E0
00000008 [09:40:44 0x00000CB0] MAF Ctx - uiHandle: 0x00000000
00000009 [09:40:44 0x00000CB0] MAF Ctx - uiTimeout: 0x00000000
00000010 [09:40:44 0x00000CB0] MAF Ctx - TreeName: (NULL)
00000011 [09:40:44 0x00000CB0] MAF Ctx - Name: lwiltbank.test
00000012 [09:40:44 0x00000CB0] MAF Ctx - Password: (not NULL)
00000013 [09:40:44 0x00000CB0] MAF Ctx - Sequence: Simple Password
00000014 [09:40:44 0x00000CB0] MAF Ctx - Clearance: (NULL)
00000015 [09:40:44 0x00000CB0] loadMethod: C:\WINDOWS\system32\pwdhash.dll,
func: LCM00000009, rc: 0
00000016 [09:40:44 0x00000CB0] Method: 9, rc: 0
00000017 [09:40:44 0x00000CB0] doMethod - methodID: 9, rc: 0

=================================================

Calling DSAResolveName conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAReadObjectInfo conn:0 for client
.IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
7: ERROR: -1665 MAF_GetAttribute LSM 0x00000009 AID: 22
Calling DS Ping conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAResolveName conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAReadObjectInfo conn:0 for client
.IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DS Ping conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAResolveName conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAReadObjectInfo conn:0 for client
.IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
7: ERROR: -16049 MAF_GetAttribute LSM 0x00000009 AID: 18
7: ERROR: -1697 MAF_GetPassword LSM 0x00000009
Calling DS Ping conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAResolveName conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAReadObjectInfo conn:0 for client
.IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
7: MAF_GetAttribute LSM 0x00000009 AID: 24
Calling DS Ping conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAResolveName conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAReadObjectInfo conn:0 for client
.IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
7: MAF_GetAttribute LSM 0x00000009 AID: 24
7: MAF_Read LSM 0x00000009
7: ServerGet: message size=8 queue size 0
7: ClientGet: message size=8 queue Size 13
7: ClientGet: message size=5 queue Size 5
7: ClientPut: message size=8 queue Size 0
7: ServerGet: message size=12 queue size 0
7: ClientPut: message size=12 queue Size 0
7: MAF_Read LSM 0x00000009
7: ServerGet: message size=8 queue size 0
7: ClientPut: message size=8 queue Size 0
7: ServerGet: message size=12 queue size 0
7: ClientPut: message size=12 queue Size 0
7: MAF_Write LSM 0x00000009
7: ServerPut: message size=8 queue size 0
7: ServerPut: message size=24 queue size 8
7: MAF_Write LSM 0x00000009
7: ServerPut: message size=8 queue size 32
7: ServerPut: message size=24 queue size 40
7: MAF_Read LSM 0x00000009
7: ServerGet: message size=8 queue size 0
7: ClientGet: message size=8 queue Size 64
7: ClientGet: message size=24 queue Size 56
7: ClientGet: message size=8 queue Size 32
7: ClientGet: message size=24 queue Size 24
7: ClientPut: message size=8 queue Size 0
7: ServerGet: message size=16 queue size 0
7: ClientPut: message size=16 queue Size 0
7: PWD LSM: multiHashes = 1
7: MAF_Read LSM 0x00000009
7: ServerGet: message size=8 queue size 0
7: ClientPut: message size=8 queue Size 0
7: ServerGet: message size=28 queue size 0
7: ClientPut: message size=28 queue Size 0
7: MAF_Write LSM 0x00000009
7: ServerPut: message size=8 queue size 0
7: ServerPut: message size=12 queue size 8
7: PWD LSM: login failed
7: ERROR: -1642 MAF_End LSM 0x00000009
7: ServerGet: message size=8 queue size 0
7: ClientGet: message size=8 queue Size 20
7: ClientGet: message size=12 queue Size 12
7: ClientPut: message size=8 queue Size 0
7: WhatNext
7: Failed login
7: ClientGet: message size=8 queue Size 0
7: ServerPut: message size=8 queue size 0
7: ServerPut: message size=4 queue size 8
7: ServerGet: message size=8 queue size 0
7: ClientGet: message size=4 queue Size 4
7: ClientPut: message size=8 queue Size 0
7: ServerGet: message size=8 queue size 0
7: nmasEndSession: Login failed
7: Client Session Destroy Request
7: Local Session Cleared (Not Destroyed)
(10.11.102.97:1154)(0x0020:0x60) Failed to authenticate full context on
connection 0x49c7f0e0, err = success
7: Server thread exited
7: Pool thread 0xbfdbf188 work complete
Calling DSAReadObjectInfo conn:14 for client .[Public].
Calling DS Ping conn:14 for client .[Public].
ETWARE.test.IDG-65-TREE.
Calling DSAReadObjectInfo conn:0 for client
.IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
Calling DSAReadObjectInfo conn:0 for client
.IDG-65-NETWARE.test.IDG-65-TREE.
7: CheckIfLocalUser: checking actual user DN CN=lwiltbank.O=test
7: Create thread request
7: Using thread 0xbfdbf188
7: Server thread started
7: Pool thread 0xbfdbf188 awake with new work
Calling DS Ping conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAResolveName conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAReadObjectInfo conn:0 for client
.IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DS Ping conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAResolveName conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAReadObjectInfo conn:0 for client
.IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
7: ServerGet: message size=8 queue size 0
7: ClientPut: message size=8 queue Size 0
7: ServerGet: message size=160 queue size 0
7: ClientPut: message size=160 queue Size 0
7: OEM
7: OEM Verb 1
7: ServerPut: message size=8 queue size 0
7: ServerPut: message size=144 queue size 8
7: HandleExchangeDFMKeys Domestic Grade (3DES) Wrapping Key

7: ClientGet: message size=8 queue Size 152
7: ServerGet: message size=8 queue size 0
7: ClientGet: message size=144 queue Size 144
7: ClientPut: message size=8 queue Size 0
7: ServerGet: message size=608 queue size 0
7: ClientPut: message size=608 queue Size 0
7: OEM
7: OEM Verb 3
7: HandleTransKeys Domestic Grade (3DES) Wrapping Key
7: Transaction keys unwrapped:HandleTransKeys
7: 3 Transaction keys unwrapped
7: ServerPut: message size=8 queue size 0
7: ServerPut: message size=12 queue size 8
7: ServerGet: message size=8 queue size 0
7: ClientGet: message size=8 queue Size 20
7: ClientGet: message size=12 queue Size 12
7: ClientPut: message size=8 queue Size 0
7: ServerGet: message size=23 queue size 0
7: ClientPut: message size=23 queue Size 0
7: CanDo
Calling DSAReadObjectInfo conn:0 for client
.IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
7: updateLoginStatistics configured failed login delay 3
Calling DSAReadObjectInfo conn:0 for client
.IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
7: Sequence Selected == "Simple Password"
Calling DS Ping conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAResolveName conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAReadObjectInfo conn:0 for client
.IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAReadObjectInfo conn:0 for client
.IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
Calling DS Ping conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAResolveName conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAReadObjectInfo conn:0 for client
.IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
Calling DSAReadObjectInfo conn:0 for client
.IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
Calling DS Ping conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAResolveName conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSAReadObjectInfo conn:0 for client
.IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
Calling DSAReadObjectInfo conn:0 for client
.IDG-65-NETWARE.test.IDG-65-TREE.
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
Calling DSARead conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.
DSARead failed, no such attribute (-603).
7: Login Method 0x00000009
7: PWD LSM: started
7: MAF_Begin LSM 0x00000009
7: ServerPut: message size=8 queue size 0
7: ServerPut: message size=5 queue size 8
Calling DS Ping conn:0 for client .IDG-65-NETWARE.test.IDG-65-TREE.

=============================================================
Susan Perrin
2006-08-21 19:46:01 UTC
Hi

In your previous test, you wrote "389 CN=lwiltbank.O=test "Simple Password""

But in this one you write "server 389 cn=lwiltbank,o=test "Simple Password"
simplepw"

The latter is correct. The former is incorrect. The former explains the
610 (invalid dn entry) and 601 (not found).

So I'm assuming that using the ldap dn syntax, you are no longer getting
the -16049

I'm still not seeing what I want to see. I don't see anything after
MAF_Begin LSM 0x00000009 in your paste, nor any of the ldap.

Why don't you email me at sperrin at novell dot com with your phone number
and perhaps we can move more quickly on this.

thanks
Susan
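
The DN mix-up identified in the post above (NDS dotted form passed where the LDAP bind expects a comma-delimited DN) can be caught before the bind is attempted. This is an added example, not code from the thread or from the LDAP SDK; `normalize_bind_dn` and its helpers are hypothetical names, each component is assumed to be single-valued, and it is not a full RFC 4514 validator.

```python
import re

# An attribute type followed by "=", e.g. "cn=" or "OU=".
TYPED = re.compile(r"[A-Za-z][A-Za-z0-9-]*=")
# Characters that must be backslash-escaped inside an LDAP DN value.
LDAP_SPECIALS = set(',+"\\<>;')


def split_unescaped(text, sep):
    """Split on sep, keeping backslash-escaped characters inside a part."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def is_nds_dotted(dn):
    """True for typeful dotted names such as CN=lwiltbank.O=test."""
    if len(split_unescaped(dn, ",")) > 1:
        return False  # already comma-delimited
    name = dn[1:] if dn.startswith(".") else dn
    parts = split_unescaped(name, ".")
    return len(parts) > 1 and all(TYPED.match(p) for p in parts)


def to_ldap_value(nds_value):
    """Drop NDS escapes (e.g. '\\.') and apply LDAP escaping instead."""
    out, i = [], 0
    while i < len(nds_value):
        ch = nds_value[i]
        if ch == "\\" and i + 1 < len(nds_value):
            i += 1
            ch = nds_value[i]
        out.append("\\" + ch if ch in LDAP_SPECIALS else ch)
        i += 1
    return "".join(out)


def normalize_bind_dn(dn):
    """Return a comma-delimited DN, converting dotted NDS input.

    Raises ValueError for names that are neither form (for example a
    typeless name like 'lwiltbank.test'), so the caller fails early
    instead of getting a bare LDAP_INVALID_CREDENTIALS (49) back.
    """
    dn = dn.strip()
    if is_nds_dotted(dn):
        name = dn[1:] if dn.startswith(".") else dn
        rdns = []
        for part in split_unescaped(name, "."):
            attr, value = part.split("=", 1)
            rdns.append(attr + "=" + to_ldap_value(value))
        return ",".join(rdns)
    parts = [p.strip() for p in split_unescaped(dn, ",")]
    if all(TYPED.match(p) for p in parts):
        return dn  # looks like an LDAP DN already; dots in values are fine
    raise ValueError("not an LDAP DN or typeful NDS name: %r" % dn)


if __name__ == "__main__":
    for candidate in ("CN=lwiltbank.O=test", "cn=lwiltbank,o=test"):
        print(candidate, "->", normalize_bind_dn(candidate))
```
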
Peter Kuo
2006-08-17 23:10:07 UTC
Can you check if you can bind using the "NDS" method?
--
Peter
eDirectory Rules!
Lee Wiltbank
2006-08-18 20:21:34 UTC
I can bind with NDS no problem at all.

Lee
Peter Kuo
2006-08-18 22:25:28 UTC
Same case here ...
--
Peter
eDirectory Rules!
Susan Perrin
2006-08-17 17:39:53 UTC
> I haven't gotten the Simple Password to work yet

So am I the only one for whom nmasbind.c is working ok? Can you send me
YOUR dstrace.log too?

Thanks
Susan
Peter Kuo
2006-08-17 21:53:37 UTC
I'll re-run it this evening and post that.
--
Peter
eDirectory Rules!
Peter Kuo
2006-08-18 01:05:48 UTC
Hi Susan:

I took a look at the trace and here's what I noticed (and perhaps you
don't need the entire log due to this):

The client indicates it can do 0x7, 0x1F, 0x0 (which I think this is just
the terminator). The Simple Password method on the server side looks for
0x9 which the client doesn't support ...

The NMAS DLLs supplied in the NMAS NDK supports only 0x7 (NDS) while the
ones with (say) C32 4.91SP2 supports 0x7 (NDS) and 0x1F
(Challenge/Response); none supports Simple Password it seems ... do you
happen to have a different version of the NMAS client?
--
Peter
eDirectory Rules!
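
The comparison described in the post above (the method IDs the client reports in "Client can do" against the LMs the selected sequence requires) can be run mechanically over a dstrace +nmas capture. This is an added example, not code from the thread or from Novell; `parse_trace` and `diagnose` are hypothetical names, 0x0 is treated as a list terminator (an assumption taken from the post), and the second sample is a constructed excerpt that arranges lines from the server trace in the thread in the order a single login would produce them.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Session 16: the sample trace posted in the thread.
TRACE_MISSING_METHOD = """\
NMAS Audit 0x290002 logged
16: CanDo
16: Sequence Selected == "Simple Password"
16: Client can do: 0x7 0x1F 0x1D 0x0
16: Sequence: Simple Password (AND) LMs 0x9
16: ERROR: -1663 CanDo
16: NMAS Audit 0x290005 logged
16: ERROR: -1663 NMAS Manager
16: Failed login
"""

# Session 7: constructed excerpt (lines from the thread, order assumed).
TRACE_METHOD_REJECTED = """\
7: Sequence Selected == "Simple Password"
7: Login Method 0x00000009
7: PWD LSM: started
7: PWD LSM: login failed
7: ERROR: -1642 MAF_End LSM 0x00000009
7: Failed login
"""

LINE = re.compile(r"^(\d+):\s+(.*)$")        # "<session id>: <message>"
HEX = re.compile(r"0x[0-9A-Fa-f]+")
ERR = re.compile(r"ERROR:\s+(-?\d+)\s+(.*)")


@dataclass
class Session:
    sid: int
    sequence: Optional[str] = None
    client_methods: Set[int] = field(default_factory=set)
    required_methods: Set[int] = field(default_factory=set)
    started_methods: Set[int] = field(default_factory=set)
    errors: List[Tuple[int, str]] = field(default_factory=list)
    failed: bool = False

    def missing_methods(self) -> List[int]:
        """Method IDs the sequence needs but the client did not offer."""
        return sorted(self.required_methods - self.client_methods)


def parse_trace(text: str) -> Dict[int, Session]:
    """Group NMAS trace lines by session ID and pull out the key facts."""
    sessions: Dict[int, Session] = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # DS/LDAP lines without a session prefix
        sid, body = int(m.group(1)), m.group(2)
        s = sessions.setdefault(sid, Session(sid))
        if body.startswith("Sequence Selected =="):
            s.sequence = body.split("==", 1)[1].strip().strip('"')
        elif body.startswith("Client can do:"):
            s.client_methods = {int(h, 16) for h in HEX.findall(body)} - {0}
        elif body.startswith("Sequence:") and " LMs " in body:
            lms = body.split(" LMs ", 1)[1]
            s.required_methods = {int(h, 16) for h in HEX.findall(lms)}
        elif body.startswith("Login Method "):
            s.started_methods |= {int(h, 16) for h in HEX.findall(body)}
        elif body.startswith("ERROR:"):
            e = ERR.match(body)
            if e:
                s.errors.append((int(e.group(1)), e.group(2).strip()))
        elif body == "Failed login":
            s.failed = True
    return sessions


def diagnose(s: Session) -> str:
    """Separate 'client lacks the method' from 'method ran and rejected'."""
    if not s.failed:
        return "no failed login recorded"
    missing = s.missing_methods()
    if missing:
        ids = ", ".join(format(m, "#x") for m in missing)
        return "client cannot do required method(s): " + ids
    if s.started_methods:
        ids = ", ".join(format(m, "#x") for m in sorted(s.started_methods))
        return "method " + ids + " ran on the server and the login was rejected"
    return "failed before a login method was started"


if __name__ == "__main__":
    for trace in (TRACE_MISSING_METHOD, TRACE_METHOD_REJECTED):
        for sid, sess in parse_trace(trace).items():
            print(sid, sess.sequence, "->", diagnose(sess), sess.errors)
```
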
Susan Perrin
2006-08-21 19:02:50 UTC
Hi

You need to install the simple password method explicitly. I don't believe
that the current novell client install or nmas install that's part of the
novell client install provide the option to install the simple password
method. I got mine at download.novell.com searching on nmas methods. It
was a pretty obscure download.

I think I got it with nmmthd273.tgz

Thank you
Susan
Susan Perrin
2006-08-21 19:23:48 UTC
oh, and my nmas.dll is version 3.2.0.16, but I don't believe I've seen
problems with any of the versions over the years. And of course I have the
simple password lsm on the server as demonstrated by looking at the security
container, authorized login methods. This is working for me on 88 sp1 and
873.

Thanks
Susan
Peter Kuo
2006-10-22 03:07:20 UTC
I do have the stuff on the server side and I'm pretty sure (95+%) that it
does not on the client ..
--
Peter
eDirectory Rules!
Peter Kuo
2006-10-22 03:07:19 UTC
Post by Susan Perrin
> I got mine at download.novell.com searching on nmas methods. It
> was a pretty obscure download.
> I think I got it with nmmthd273.tgz

I'll give that a go when I have a chance soon ... as you can tell for not
having responded for a while, I have been distracted by other stuff!
--
Peter
eDirectory Rules!
Susan Perrin
2006-08-17 17:36:45 UTC
> I didn't kill any existing authenticated connections

The reason I mentioned this is because if you're already authenticated, the
nmas login doesn't fail in the way that it would if you started fresh by
wiping out the existing connections. I learned that the hard way when I
tested without having the simple pwd method installed and it seemed to work
ok until I did the delete connections.

> a lot of DSAResolveName, DSARead

I should have said do a dstrace -all first, then enable what you want.

Thanks
Susan
Peter Kuo
2006-08-17 03:08:26 UTC
Susan:

As a small aside: shouldn't nmas.dll and nmasmsg.dll be included with the LDAP Windows library? I can't seem to find them in the ZIP version (that's the June 2006 build)
--
Peter
eDirectory Rules!
Susan Perrin
2006-08-17 17:34:16 UTC
Hi

I think that the idea is since you need the nmas client method installed
anyway, and to avoid version-itis, they are just assuming you already have
it.

Thanks
Susan
Peter Kuo
2006-08-17 21:54:49 UTC
Then the sample code (nmasbind.c) should be updated to remove the comments
regarding these 2 files; they were in earlier CLDAP NDKs, BTW. Thanks.
--
Peter
eDirectory Rules!
Susan Perrin
2006-08-17 22:53:20 UTC
Bug 200156 - either include nmas dlls with sdk or remove sample notes

submitted.

Thanks!
Susan
Peter Kuo
2006-08-18 22:25:28 UTC
Thank you!
--
Peter
eDirectory Rules!