IDM 4.6 Engine & Remote Loader Service Pack 3 4.6.3.0

Abstract: This is an Engine and Remote Loader Service Pack for Identity Manager 4.6. It will take the IDM Engine to version 4.6.3.0 and should only be applied on top of IDM 4.6. This patch is for both the IDM 4.6 engine and the remote loader.

Document ID: 5393130
Security Alert: No
Distribution Type: Field Test File
Entitlement Required: Yes
Files:

  • IDM_engine_rl_IDM4.6.3.zip (547.57 MB)

Products:

  • Identity Manager 4.6

Superseded Patches:


7016262: IDM Patch instructions for non-root install

Steps to install IDM patches (Engine, Remote Loader, drivers) on Linux when IDM has been installed with the non-root install instructions.

IDM Patch instructions for non-root installs

1) ROOTDIR=<non-root eDirectory location>

2) rpm --dbpath $ROOTDIR/rpm -Uvh --relocate=/usr=$ROOTDIR/opt/novell/eDirectory --relocate=/etc=$ROOTDIR/etc --relocate=/opt/novell/eDirectory=$ROOTDIR/opt/novell/eDirectory --relocate=/opt/novell/dirxml=$ROOTDIR/opt/novell/dirxml --relocate=/var=$ROOTDIR/var --badreloc --nodeps --replacefiles <rpm-location>

===

Usage example: the SSOP driver rpm (novell-DXMLssop.rpm) is being installed as a user other than root.

1) Assuming the <non-root eDirectory location> is /home/user/eDirectory

Under this directory you should find the following directories and files:

  • Copyright
  • etc
  • license
  • license.txt
  • nmas
  • opt
  • Packages
  • readme.txt
  • rpm
  • var

The first command would be:

ROOTDIR=/home/user/eDirectory

2) With the above in mind the second command would be:

rpm --dbpath $ROOTDIR/rpm -Uvh --relocate=/usr=$ROOTDIR/opt/novell/eDirectory --relocate=/etc=$ROOTDIR/etc --relocate=/opt/novell/eDirectory=$ROOTDIR/opt/novell/eDirectory --relocate=/opt/novell/dirxml=$ROOTDIR/opt/novell/dirxml --relocate=/var=$ROOTDIR/var --badreloc --nodeps --replacefiles /home/user/novell-DXMLssop.rpm

Important note: each command above is meant to be entered as a single line. The commands may not work if the folder <non-root eDirectory location>/rpm does not exist or does not contain the file named "__db.000". A missing rpm database means the base non-root IDM installation has been corrupted; re-install the base IDM system to correct this before applying patches.
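The two-step procedure above, wrapped so that the precondition from the note (an intact private rpm database under ROOTDIR/rpm) is checked before rpm runs. This is an added example, not a script from the article or from NetIQ; the function names, the requirement that ROOTDIR be absolute, and the dry-run switch are this example's own assumptions.

```python
import os
import shlex
import subprocess
import sys

# Added example (not from the KB article): wraps the two-step non-root
# patch procedure so the rpm-database precondition is checked first.
# Function names and the absolute-path requirement are assumptions.


def relocation_args(rootdir):
    """The rpm flags from the procedure, pointed at the non-root rpm database."""
    return [
        "--dbpath", os.path.join(rootdir, "rpm"),
        "-Uvh",
        f"--relocate=/usr={rootdir}/opt/novell/eDirectory",
        f"--relocate=/etc={rootdir}/etc",
        f"--relocate=/opt/novell/eDirectory={rootdir}/opt/novell/eDirectory",
        f"--relocate=/opt/novell/dirxml={rootdir}/opt/novell/dirxml",
        f"--relocate=/var={rootdir}/var",
        "--badreloc", "--nodeps", "--replacefiles",
    ]


def check_nonroot_install(rootdir):
    """Return a list of problems with the base non-root install; empty means it looks intact.

    The article's own check is the presence of <rootdir>/rpm/__db.000. An absolute
    path is required as well, because the value is substituted into the
    --relocate targets exactly as given.
    """
    problems = []
    if not os.path.isabs(rootdir):
        problems.append(f"ROOTDIR must be an absolute path: {rootdir!r}")
    rpmdb = os.path.join(rootdir, "rpm")
    if not os.path.isdir(rpmdb):
        problems.append(f"missing rpm database directory {rpmdb}")
    elif not os.path.isfile(os.path.join(rpmdb, "__db.000")):
        problems.append(f"missing {rpmdb}/__db.000; base non-root install may be corrupted")
    return problems


def patch_command(rootdir, rpm_path):
    """Full argv for installing one patch RPM into the non-root tree."""
    return ["rpm"] + relocation_args(rootdir) + [rpm_path]


def apply_patch(rootdir, rpm_path, dry_run=False):
    """Validate the tree and the patch file, print the exact command, then run it."""
    problems = check_nonroot_install(rootdir)
    if not os.path.isfile(rpm_path):
        problems.append(f"patch file not found: {rpm_path}")
    if problems:
        raise RuntimeError("; ".join(problems))
    cmd = patch_command(rootdir, rpm_path)
    print(shlex.join(cmd))  # one line, as the note requires
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    # usage: python nonroot_patch.py /home/user/eDirectory /home/user/novell-DXMLssop.rpm [--dry-run]
    apply_patch(sys.argv[1], sys.argv[2], dry_run="--dry-run" in sys.argv[3:])
```

Run it as the same non-root user that owns the eDirectory tree. Note that --nodeps and --replacefiles switch off rpm's dependency and file-conflict checks, so confirm the patch file is the one obtained through the entitled download before letting the command execute.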


7018114: SSPR Users locked after Grace Logins Expire

This document (7018114) is provided subject to the disclaimer at the end of this document.

Environment

Self Service Password Reset
SSPR 3.x
SSPR 4.x
eDirectory grace logins configured

Situation

SSPR consumes eDir grace logins
Users can’t log in to SSPR
eDirectory account is locked; no grace logins remain

Resolution

At least two options are available to avoid this situation:
1) If possible, disable grace logins on the eDirectory password policy. When configured this way, eDirectory itself won’t force users to change an expired password during authentication, but applications such as SSPR can still do so.
2) Increase the allowed grace login value to account for a typical user authentication performing several binds. This will not eliminate the problem, but it can reduce the number of users who hit the limit.
In either case, consider the following settings in SSPR config manager, under Modules, Change Password:
Password Pre-Expire Time
Password Expire Warn Time
Check Expire During Authentication
With these settings in place users will:
1. If they are within the "Password Expire Warn Time," see a warning when logging in to SSPR telling them their password will expire in x days.
2. Be forced to change their password if they are within the “Password Pre-Expire Time.” This helps prevent users from experiencing password expiration during the middle of a session.
3. Be forced to change their password if it has expired.
NOTE: The above settings are enforced when the user attaches to SSPR, not when a user logs in to eDirectory or other applications and systems that use eDirectory. However, it is possible to direct users to pass through SSPR during their login process, thus allowing SSPR to enforce the above password expiration settings. This can be accomplished as follows:
1. Use the Client Login Extension (CLE) to force users to change expired passwords when logging into windows desktop. CLE can also be used to force Challenge/Response enrollment and other SSPR operations.
2. Integrate SSPR with Access Manager or other web SSO technologies to force users to pass through SSPR during authentication. This approach can force web users to reset an expired password during authentication.

Cause

SSPR makes LDAP binds, and each LDAP bind operation decrements the grace login count.

Additional Information

Attempting to integrate SSPR with an SSO provider like Access Manager or another login provider can lead to confusing results with regard to eDirectory grace logins. While you may expect grace logins to decrement in a predictable way when a user logs into your system, you will find that grace logins are consumed unexpectedly and sometimes unpredictably. This is because when multiple components of your authentication system are configured to use LDAP, grace logins can be consumed by each component.
The core issue is that when using LDAP, each LDAP bind operation which happens at the beginning of a connection will decrement the grace login count. Applications can use connection management techniques that disable idle connections and reconnect when needed, or use connection pools to limit the total connection count. Both of these techniques can lead to additional unexpected LDAP binds. Further, load balancing and high-availability architectures can result in additional connections. The end result is that a single user’s login process can execute multiple LDAP binds that cause multiple grace login decrements.
When these systems exhaust the grace logins remaining, failure can happen in odd ways such as the authentication gateway allowing login but an application failure happening during the session, or an application may return an error trying to read data from the directory.
SSPR itself will perform at least one, and sometimes more LDAP binds when a user attaches. SSPR tries to limit bind operations when a grace limit state is detected, but it is not always possible to limit the connections.
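The two mechanisms this article describes, the warn/pre-expire/expired decision an SSPR front end makes from the three settings listed under Resolution, and the way one login's binds across several LDAP-backed components eat through the remaining grace logins, modelled in one script. This is an added example, not code from the article or from SSPR; the eDirectory attribute names are real, but the attribute dict shape, the default window lengths, the treatment of a missing loginGraceLimit as "grace logins disabled", and the one-grace-login-per-bind model of the post-expiry case are this example's assumptions.

```python
from datetime import datetime, timedelta, timezone

# Added example, not code from the KB article or from SSPR itself.
# Attribute names are eDirectory's; the two windows mirror the SSPR settings
# "Password Pre-Expire Time" and "Password Expire Warn Time". The default
# window lengths, the dict shape, and "no loginGraceLimit means grace logins
# are disabled" are assumptions made for this example.


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20240120120000Z (UTC form only)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def evaluate_password_state(attrs, now, pre_expire=timedelta(days=2), warn=timedelta(days=14)):
    """Decide what an SSPR-style front end should do when a user attaches.

    attrs: attribute values read with a service-account bind (reading them with the
           user's own bind would itself cost a grace login, which is the problem here).
    now:   a datetime or a GeneralizedTime string.
    Returns a dict whose 'action' is one of ok, warn, force_change, locked.
    """
    if isinstance(now, str):
        now = parse_generalized_time(now)
    expires = parse_generalized_time(attrs["passwordExpirationTime"])
    expired = now >= expires
    grace_limit = attrs.get("loginGraceLimit")  # absent: grace logins disabled (option 1)
    grace_remaining = None
    if grace_limit is not None:
        grace_remaining = int(attrs.get("loginGraceRemaining", grace_limit))
    if expired and grace_remaining is not None and grace_remaining <= 0:
        action = "locked"          # eDirectory refuses the bind; SSPR cannot intervene
    elif expired or now >= expires - pre_expire:
        action = "force_change"    # behaviours 2 and 3 in the list above
    elif now >= expires - warn:
        action = "warn"            # behaviour 1
    else:
        action = "ok"
    return {
        "action": action,
        "expired": expired,
        "days_until_expiry": (expires - now).days,
        "grace_remaining": grace_remaining,
    }


def simulate_login_chain(chain, grace_remaining):
    """Replay the binds one user login triggers across LDAP-backed components.

    Models the post-expiry case: each successful bind as the user consumes one
    grace login, and a bind attempted with none left fails. chain is a list of
    (component, binds_as_user). Returns (outcomes, grace_logins_left).
    """
    outcomes = []
    for component, binds in chain:
        outcome = "ok"
        for _ in range(binds):
            if grace_remaining <= 0:
                outcome = "bind failed"
                break
            grace_remaining -= 1
        outcomes.append((component, outcome))
    return outcomes, grace_remaining


if __name__ == "__main__":
    # Constructed sample: password expires 20 Jan 2024 12:00 UTC, 3 grace logins left.
    user = {"passwordExpirationTime": "20240120120000Z",
            "loginGraceLimit": "3", "loginGraceRemaining": "3"}
    print(evaluate_password_state(user, "20240110000000Z"))
    # Gateway binds once, SSPR twice, a portal once: the portal fails mid-session,
    # the "odd" failure pattern the article describes.
    print(simulate_login_chain([("Access Manager", 1), ("SSPR", 2), ("portal", 1)], 3))
```

The chain simulation is the part worth running against your own architecture: count the binds each component makes as the user (pool size, idle reconnects, one per load-balanced node) and see which component is the first to fail once the password has expired.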

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.


7022949: LDAP based Designer sets remote loader password incorrectly for 4.5.x systems

This document (7022949) is provided subject to the disclaimer at the end of this document.

Environment

Identity Manager 4.5.x
Identity Manager Designer version 4.6.x (LDAP)
Identity Manager Designer version 4.7

Situation

LDAP Designer sets an incorrect value for the remote loader password and sometimes also for a connected system’s application password when deploying a driver to an IDM 4.5.x server. As a result the driver fails to start, indicating that the credentials are invalid.

This works correctly when deploying drivers to servers running IDM 4.6.x or 4.7.x.

Resolution

In order to fix this issue permanently, the best approach is to upgrade the IDM engine version to 4.6.x or 4.7.x.

It is also possible to work around the problem by setting the password with iManager and the corresponding IDM plugins or by using NCP based Designer instead.

Cause

Both the remote loader password and the application password are stored AES encrypted in the eDirectory attribute DirXML-ShimAuthPassword. During driver initialization it is possible to add a policy that displays the password value being sent. With that policy in place, it can be seen that when the remote loader password is set with LDAP Designer against a 4.5.x system, the password field is sent incorrectly as:

<password>REMOTE(remotepwd)REMOTE(remotepwd)thisIsTheAppPassword</password>

instead of:

<password>REMOTE(remotepwd)thisIsTheAppPassword</password>
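A small parser for the combined password value as it appears in the trace, so the doubled REMOTE() prefix can be spotted mechanically rather than by eye. This is an added example, not code from the article or from Designer/IDM; it works on the plaintext form shown in a driver trace, not on the encrypted attribute, and it assumes a remote loader password never contains a closing parenthesis. The status strings and function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not code from the KB article or from Designer/IDM. Parses the
# plaintext password field as shown in a driver trace, not the AES-encrypted
# DirXML-ShimAuthPassword attribute. Assumes the remote loader password never
# contains ')'. A trace that exposes these values is secret material: delete
# it once the check is done.

REMOTE_PREFIX = re.compile(r"REMOTE\(([^)]*)\)")


def split_shim_auth_password(value):
    """Split 'REMOTE(<rl-pwd>)<app-pwd>' into (list_of_rl_pwds, app_pwd).

    A correct value yields exactly one REMOTE() prefix; the 4.5.x symptom in
    this article yields the same prefix twice.
    """
    prefixes = []
    rest = value
    while True:
        m = REMOTE_PREFIX.match(rest)
        if not m:
            break
        prefixes.append(m.group(1))
        rest = rest[m.end():]
    return prefixes, rest


def check_password_element(xml_fragment):
    """Classify a <password> element copied out of the trace."""
    value = ET.fromstring(xml_fragment).text or ""
    prefixes, app_password = split_shim_auth_password(value)
    if not prefixes:
        status = "no-remote-prefix"       # no remote loader password present
    elif len(prefixes) == 1:
        status = "ok"
    elif len(set(prefixes)) == 1:
        status = "doubled-remote-prefix"  # the symptom described in this article
    else:
        status = "multiple-distinct-remote-prefixes"
    return {
        "status": status,
        "remote_loader_passwords": prefixes,
        "application_password": app_password,
    }


if __name__ == "__main__":
    # Constructed inputs built from the placeholder values quoted in the article.
    for frag in ("<password>REMOTE(remotepwd)thisIsTheAppPassword</password>",
                 "<password>REMOTE(remotepwd)REMOTE(remotepwd)thisIsTheAppPassword</password>"):
        print(check_password_element(frag)["status"])
```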

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.


IDM 4.5 REST Driver 1.0.1.0

Abstract: Patch update for the NetIQ Identity Manager Rest driver. This patch will take the driver version to 1.0.1.0.

Document ID: 5370351
Security Alert: No
Distribution Type: Field Test File
Entitlement Required: Yes
Files:

  • IDM45_REST_1010.zip (424.62 kB)

Products:

  • Identity Manager 4.5
  • Identity Manager 4.6
  • Identity Manager 4.7

Superseded Patches:
