[rt-users] LDAP Auth to Novell eDirectory (working... kinda)

Jason Long jlong at messiah.edu
Fri Sep 22 16:54:30 EDT 2006


Tim Wilson wrote:
> Hi all,
> 
> Anyone using LDAP Auth for RT with Novell eDirectory?

Yep.

> I've been working through the LDAP documentation at the wiki
> (http://wiki.bestpractical.com/index.cgi?LDAP) and I've got things
> mostly working with RT 3.6.1 and Novell eDirectory 8.7.x. I can log in
> to RT and everything seems to work fine except that every time I log in,
> eDirectory decrements my grace login total. Once I'm down to zero I
> can't log in to RT until I go into eDirectory (via ConsoleOne in my
> case) and give myself some more grace logins.
> 
> When I look at the eDirectory log I find a socket error (-5871) every
> time RT sends a search request. RT does a number of LDAP searches for
> every login attempt. The odd thing is that I don't get an actual NDS
> error until RT tries to use the LDAP filter settings that are included
> in RT_SiteConfig. For example:
> 
> filter: "(cn=twilson)" isn't a problem. Neither is filter:
> "(mail=twilson at mycompany.com)". After those two searches RT tries
> one that looks like this:
> 
> filter: "(&(cn=twilson)(objectclass=person))"
> 
> That one produces an "NDS error: bad password (-222)". Presumably
> that's when the grace login count gets decremented. The next time I try
> to log in it fails and the eDirectory log shows "NDS error: password
> expired (-223)".
> 
> I've disabled the grace login feature for now, but that's not an
> effective long-term solution.
> 
> I'd love to hear some suggestions.
> 
> -Tim

Unfortunately, I'm not really familiar with NDS grace logins (we don't
use them), so I don't know if I can help much. I would think this is
only a problem if the user's password has already expired?

You may need to post your LDAP-related settings from RT_SiteConfig.

Jason



