What actions are associated with the operations “updateUser”?

I need a solution

A user’s account has an operation entry for “updateUser” with a Status Code of “0” and Status Message of “Success”.

  1. Is this operation caused by end user or an administrator?
  2. Is this operation caused by an automated process within VIP Access Manager and its LDAP connectivity?
  3. What actions cause the “updateUser” operation entry?

I am unable to find documentation on VIP Access Manager that defines operation messages or terminology used by the application.

  • If this exists, please share with me so I don’t have to ask these inane questions.
  • If this doesn’t exist, come on Symantec….

How to Use sAMAccountName and userPrincipalName at Same Time for User Logon with Active Directory

Create two LDAP server profiles pointing to the same LDAP server IP. All values in the two configurations should be the same except one: the Server Logon Name Attribute. One profile uses ‘sAMAccountName’ and the other uses ‘userPrincipalName’.

When a user logs in as ‘domain\username’, they are authenticated by the LDAP profile that uses ‘sAMAccountName’. When they log in with their email ID, they are authenticated by the other LDAP profile.

To know how to create and bind LDAP authentication profiles please follow the instructions of this article: https://support.citrix.com/article/CTX108876
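As an added example (not from the Citrix article), the following Python models the two-profile cascade: it works out how each profile would search for an entered name, builds a safely escaped LDAP filter, and returns the first profile that finds exactly one entry. The directory entries and names such as CORP\jdoe are constructed placeholders, and the assumption that the sAMAccountName profile searches on the part after DOMAIN\ is ours.

```python
# Added example, not from the Citrix article: emulate two LDAP profiles that
# differ only in their Server Logon Name Attribute and are tried in order.
PROFILE_ORDER = ("sAMAccountName", "userPrincipalName")  # cascade order from the article

DIRECTORY = [  # constructed sample entries, not a real directory
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example"},
    {"sAMAccountName": "asmith", "userPrincipalName": "a.smith@corp.example"},
]


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for an LDAP search filter (RFC 4515),
    so a crafted logon name cannot alter the filter structure."""
    out = []
    for ch in value:
        if ch in "\\*()":
            out.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def logon_value_for(profile: str, logon: str) -> str:
    """Assumption: the sAMAccountName profile matches on the part after
    DOMAIN\\ (or the bare name); the UPN profile matches on the full string."""
    if profile == "sAMAccountName":
        return logon.rpartition("\\")[2]
    return logon


def build_filter(attribute: str, value: str) -> str:
    """Filter a profile would send for this attribute and value."""
    return "(&(objectClass=user)(%s=%s))" % (attribute, escape_filter_value(value))


def cascade_lookup(logon: str, directory: list):
    """Try each profile in order; the first one that finds exactly one entry
    wins. Returns (profile, filter) or None when no profile matches."""
    for profile in PROFILE_ORDER:
        value = logon_value_for(profile, logon)
        matches = [e for e in directory
                   if e.get(profile, "").lower() == value.lower()]
        if len(matches) == 1:
            return profile, build_filter(profile, value)
    return None
```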


7023371: Unable to change AD password if using restricted (non-domain Admin) rights

This document (7023371) is provided subject to the disclaimer at the end of this document.

Environment

Identity Manager Driver – Active Directory

Situation

Error when changing a user’s password in Active Directory when using a user with only limited rights in Active Directory. When using a user with Domain Admin rights in Active Directory, the password is changed successfully.
Error is as follows:
<output>
<status level="error" type="driver-general" event-id="....">
<message>Password set failed.</message>
<ldap-err ldap-rc="50" ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">
<client-err ldap-rc="50" ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">Insufficient Rights</client-err>
<server-err>00000005: SecErr: DSID-031A11D7, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
</server-err>
<server-err-ex win32-rc="5"/>
</ldap-err>
</status>
</output>

Resolution

This may be caused if the user does not have all the rights needed to change the password.
With Windows Server 2016, you may find that additional rights are needed.
Changes may also be needed depending on your security policies.
Below is one possible configuration that may work depending on the setup of the domain. Because of the countless ways a domain may be configured and the ways a driver may be configured, only suggestions may be made.
Grant the user the following permissions:
Replicating Directory Changes
Replicating Directory Changes All
Replicating Directory Changes in Filtered Set
Replication synchronization
Also the following delegation:
Create, delete, and manage user accounts
Reset user passwords and force password change at next logon
Read all user information
It may also be caused if the user has ever been a member of a Domain Admins group or another protected security group that caused the user to receive the attribute adminCount=1 in Active Directory. Even if the user is later removed from the security group, the attribute will often remain on the user.
Here is a command to check the user from a PowerShell prompt:
Get-ADUser <username> -Properties adminCount
If adminCount is set to 1, you will not be able to change the password unless the driver is using a Domain Admin account.
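As an added example (not from the KB), the following Python reads LDIF such as ldapsearch output and lists users still stamped adminCount=1 that are no longer members of any protected group, which is the leftover-attribute case described above. The LDIF and the protected-group list are constructed samples; memberOf reflects direct membership only, so nested membership would need a recursive query.

```python
import base64

# Added example, not from the KB: find users whose adminCount=1 stamp survived
# removal from the protected groups that caused it.
SAMPLE_LDIF = """\
dn: CN=svc-idm,OU=Service,DC=corp,DC=example
sAMAccountName: svc-idm
adminCount: 1
memberOf: CN=IDM Operators,OU=Groups,DC=corp,DC=example

dn: CN=Jane Admin,OU=Admins,DC=corp,DC=example
sAMAccountName: jadmin
adminCount: 1
memberOf: CN=Domain Admins,CN=Users,DC=corp,DC=example

dn: CN=Bob User,OU=Staff,DC=corp,DC=example
sAMAccountName: buser
"""  # constructed sample data, not a real directory

# constructed; in practice populate this from the groups that carry adminCount=1
PROTECTED_GROUPS = {"CN=Domain Admins,CN=Users,DC=corp,DC=example"}


def parse_ldif(text: str) -> list:
    """Return a list of {attribute: [values]} dicts (keys lower-cased).
    Handles folded continuation lines, comments and base64 (::) values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, entry = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(attr.lower(), []).append(value.strip())
    return entries


def orphaned_admincount(entries: list, protected_groups: set) -> list:
    """sAMAccountNames with adminCount=1 but no remaining protected-group membership."""
    protected = {g.lower() for g in protected_groups}
    orphans = []
    for e in entries:
        if e.get("admincount", ["0"])[0] != "1":
            continue
        groups = {g.lower() for g in e.get("memberof", [])}
        if not groups & protected:
            orphans.append(e["samaccountname"][0])
    return orphans
```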

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.


7023291: SSPR Users locked out after LDAP certificates are updated

This document (7023291) is provided subject to the disclaimer at the end of this document.

Environment

Self Service Password Reset
SSPR 4.x

Situation

Error 5017 authenticating to SSPR
Error 5059 – A certificate error has been encountered
Directory unavailable after certificates on the LDAP server were updated
Users unable to login after updating certs on LDAP server

Resolution

Reset the LDAP certificates by deleting and re-importing them through SSPR Config Editor
Steps if using SSPR Appliance:
  1. Open the SSPR Appliance (port 9443) https://server.whatever.com:9443
  2. Open Administrative Commands
  3. Select Unlock configuration
  4. Open SSPR Configuration Editor by going directly to https://server.whatever.com/sspr/private/config/editor (you might need to use a browser other than IE)
  5. In Config Editor, select LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection, LDAP Certificates
  6. Select Clear
  7. Select Import from server
  8. Save Changes
  9. Go back to the appliance (port 9443) https://server.whatever.com:9443
  10. Open Administrative Commands
  11. Select Lock configuration
Steps if using Linux (.war) or Windows (.msi) implementations of SSPR:
  1. Edit SSPRConfiguration.xml and set "configIsEditable" to true. It should look like this: <property key="configIsEditable">true</property> (for more detail see TID 7014954, "SSPR config manager not available" at https://www.novell.com/support/kb/doc.php?id=7014954)
  2. Open SSPR Configuration Editor by going directly to https://server.whatever.com/sspr/private/config/editor (you might need to use a browser other than IE)
  3. In Config Editor, select LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection, LDAP Certificates
  4. Select Clear
  5. Select Import from server
  6. Save Changes


7023360: Unable to access resources when using Sophos STAS

This document (7023360) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ eDirectory 8.8.8
Client for Open Enterprise Server 2 SP4
Sophos XG Firewall
Sophos Transparent Authentication Suite (STAS)

Situation

Unable to access Internet resources when authenticating to eDirectory through STAS.

Resolution

Ensure that each eDirectory user object has the UserID (UID) attribute populated. One approach is to use the steps outlined in Cool Solution “Setting Up UIDs in iManager based on CN Values” https://www.novell.com/coolsolutions/feature/18867.html

Cause

STAS relies on the UID being populated.


3078409: Handling ndsd (eDirectory) core files on Linux and Solaris

Sometimes ndsd crashes because of memory corruption. If this is the case, it is necessary to add variable settings to the ndsd environment that put the memory manager into a debug state. This helps ensure that ndsd generates a core at the moment the corruption occurs, so the module that caused the corruption can more easily be identified in the core.

If ndsd cores due to stack corruption, Novell Technical Support will request that you add the appropriate memory manager setting and wait for another core to re-submit.

Linux

To set the necessary memory checking variable on Linux:

Systemd – SLES 12 / RedHat 7 or later: Add the following line to the “env” file located in the /etc/opt/novell/eDirectory/conf directory, then restart the eDirectory instance. (See the second bullet under “Please refer to the following notes:” for details.)

MALLOC_CHECK_=3



SysVinit – SLES 11 / RedHat 6 or earlier: Modify the pre_ndsd_start script and add the following at the very top, then restart the eDirectory instance.

MALLOC_CHECK_=3

export MALLOC_CHECK_

Please refer to the following notes:

  • The contents of the pre_ndsd_start script are sourced into ndsd at the time ndsd loads. Be aware that any permanent settings will be overwritten if left in the ndsd script the next time an eDirectory patch is applied while the pre_ndsd_start script will not be modified. For this reason changes to the ‘ndsd’ script itself should not be made. This is the purpose of the pre/post_ndsd_start scripts.

  • eDirectory on SLES 12 or RHEL 7: You must add all environment variables required for the eDirectory service in the env file located in the /etc/opt/novell/eDirectory/conf directory.

  • MALLOC_CHECK_=3 should NOT be left set permanently. Once the cores have been gathered, remove this setting from the modified script and restart ndsd. This environment variable can have a performance impact on some systems due to the increased memory checking. In eDirectory 8.8, it will cause ndsd to revert to using malloc instead of tcmalloc_minimal, which was added to enhance performance.

    Another side effect of using MALLOC_CHECK_=3 is the possibility of increased coring. Malloc will cause ndsd to core whenever a memory violation is detected whether or not it would have caused ndsd to crash under normal running conditions.

    To verify this ndsd environment variable is set properly while ndsd is running, do the following as the user running the eDirectory instance (‘root’ most of the time):

    strings /proc/`pgrep ndsd`/environ | grep -i MALLOC_CHECK_

    The command above will not work on a server with multiple eDirectory instances (or ndsd processes). To check a particular instance find that instance’s process’s PID and use that directly. For PID 12345 the command would be the following:

    strings /proc/12345/environ | grep -i MALLOC_CHECK_

    After ndsd has cored, to verify the core file had the ndsd environment variable set, do the following:

    strings core.#### | grep -i MALLOC_CHECK_

    Bundle the core with MALLOC_CHECK_=3 set as in step 2.

    For more information on Malloc check see: TID 3113982 – Diagnosing Memory Heap Corruption in glibc with MALLOC_CHECK_

  • eDirectory 8.8.5 ftf2 (patch2) the location of the pre_ndsd_start has been moved from /etc/init.d to /opt/novell/eDirectory/sbin/.

Solaris

In current code, eDirectory uses libumem as the memory manager.

To configure libumem for debugging add the following to the pre_ndsd_start script at the top and restart ndsd:

UMEM_DEBUG=default

UMEM_LOGGING=transaction

export UMEM_DEBUG UMEM_LOGGING

Submit a new core with these settings in place.
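As an added example (not from the TID), the following Python checks every running ndsd instance for the Linux and Solaris debug variables named above, handling the multi-instance case the notes warn about, and checks a saved core file for the same strings, as the strings | grep commands do. It assumes a Linux /proc layout; the bytes used in the test are constructed.

```python
import os

# Added example, not from the TID: report memory-manager debug variables for
# each ndsd instance and confirm a core file carried them.
DEBUG_VARS = ("MALLOC_CHECK_", "UMEM_DEBUG", "UMEM_LOGGING")


def parse_environ(blob: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE blob found in /proc/<pid>/environ."""
    env = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def debug_settings(env: dict) -> dict:
    """Only the memory-manager debug variables, if present."""
    return {name: env[name] for name in DEBUG_VARS if name in env}


def ndsd_pids() -> list:
    """All ndsd PIDs, so a server with several eDirectory instances is covered."""
    pids = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/comm") as f:
                    if f.read().strip() == "ndsd":
                        pids.append(int(name))
            except OSError:
                pass
    return pids


def core_has_var(core_bytes: bytes, var: str = "MALLOC_CHECK_") -> bool:
    """Same check as 'strings core.#### | grep MALLOC_CHECK_'."""
    return (var.encode() + b"=") in core_bytes


def report() -> None:
    for pid in ndsd_pids():
        try:  # EACCES here means: run as the user owning the instance
            with open(f"/proc/{pid}/environ", "rb") as f:
                env = parse_environ(f.read())
        except OSError as exc:
            print(f"ndsd pid {pid}: cannot read environ ({exc})")
            continue
        print(f"ndsd pid {pid}: {debug_settings(env) or 'no debug variables set'}")


if __name__ == "__main__":
    report()
```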

Changing the location where cores files are generated

In certain situations it may be desirable to change the location where core files are generated. By default ndsd core files are placed in the dib directory. If space in this directory is limited or if another location is desired, the following can be done:

mkdir /tmp/cores

chmod 777 /tmp/cores

echo "/tmp/cores/core" > /proc/sys/kernel/core_pattern

This example would now generate the core.<pid> file in /tmp/cores

To revert back to placing cores in default location:

echo core > /proc/sys/kernel/core_pattern

Symbol build of ndsd libraries

In some cases, a core file generated while running libraries with symbols included may be necessary to analyze the core.

This is particularly true when analyzing cores generated by the 64 bit version of ndsd since the parameters aren’t located at a specific location.

The symbol versions of the libraries can be obtained from Novell eDirectory backline support.


How to Configure NetScaler Gateway to use RADIUS and LDAP Authentication with Mobile/Tablet Devices

  • On the Secondary Authentication Policies, add the LDAP_Mobile policy as top priority, followed by the RSA_NonMobile policy as secondary priority:


    Important! The session policy must have the correct Single Sign-on Credential Index, that is, it must be the LDAP credentials. For mobile devices, Credential Index under Session Profile > Client Experience should be set to Secondary which is LDAP.

    Therefore you need two session policies, one for mobile devices and the other for non-mobile devices.

    For mobile devices, the session policy and session profile will look as shown in the following screenshot.

    To create a session policy, navigate to the required virtual server, click Edit, go to the policy section and click the + sign:


    Choose Session option from the drop-down.


    Enter the desired Session Policy name and click + to create a new profile. For mobile devices, Credential Index under Session Profile > Client Experience should be set to Secondary which is LDAP.


    For non-mobile device follow the same steps. Credential Index under Session Profile > Client Experience should be set to Primary which is LDAP.

    The expression should be changed to:

    REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver


    To create a new profile for non-mobile users, click the + sign.


7023346: -603 error attempting to add server to Driver Set

This document (7023346) is provided subject to the disclaimer at the end of this document.

Environment

Identity Manager 4.7

Situation

When attempting to add a new server with IDM 4.7 installed on it to a new Driver Set, a -603 error is received.

Error message: Unable to associate the server with the Driver Set.

com.novell.admin.common.exceptions.UniqueSPIException: (Error-603) The requested attribute could not be found. In the Directory, if an attribute does not contain a value then the attribute does not exist for the specific object.

Resolution

After installing IDM 4.7 on the server, make sure you run the configure.sh script. This should extend the schema on the Identity Vault.

Alternatively, run the /opt/novell/eDirectory/bin/idm-install-schema script to extend the schema.

Then attempt to add the server to the driver set again.

Additionally, make sure the new server holds a read/write replica of the partition where the driver set resides.

Cause

Missing IDM schema