8.1 Authentication Issues

Authentication is a complex topic, and your existing network infrastructure can affect your ability to successfully perform an initial iManager login. The following facts can help you minimize authentication-related difficulties. For more information about authentication-related topics, see the NetIQ Modular Authentication Service (NMAS) documentation and NetIQ eDirectory documentation.

  • iManager authentication is a platform-dependent operation, meaning that it functions differently depending on the platform on which iManager is running.

    Linux and Windows servers: When iManager runs on a Linux or Windows server it utilizes eDirectory’s legacy authentication mechanism and the regular eDirectory password. This mechanism supports eDirectory’s Universal Password option but does not support the Simple Password option.

    iManager Workstation: iManager Workstation runs on a client workstation, either Linux or Windows, and leverages the NMAS client that allows it to use Universal Password, if configured.

  • iManager does not use LDAP for the initial iManager authentication process. It utilizes eDirectory’s proprietary authentication protocol. However, following initial authentication, iManager can create LDAP connections to eDirectory as needed to support directory access for the installed plug-ins that require LDAP access.

  • iManager does not support authenticating with eDirectory’s Simple Password.

You might encounter the following error messages when authenticating to iManager. Each error message section discusses possible causes.

8.1.1 HTTP 404 Errors

If you receive a 404 error the first time you attempt to access iManager, verify the ports that Apache is listening on. Depending on how you installed iManager and whether you chose to use Apache or IIS, the configuration file locations vary. Apache uses either the httpd.conf file or the ssl.conf file. Refer to the Microsoft documentation for information on IIS port settings.

8.1.2 HTTP 500 Errors

If you receive an internal server error or servlet container error (either unavailable or being upgraded), iManager is having one of two problems with Tomcat:

  • Tomcat has not fully initialized after a reboot.

  • Tomcat has failed to start.

Wait a few minutes and try again to access iManager. If you still receive the same errors, verify the status of Tomcat.

Checking the Status of Tomcat

  1. Restart Tomcat.

    For information about restarting Tomcat, see Starting and Stopping Tomcat.

  2. Check the Tomcat logs for any errors.

    The log file is located in the $tomcat_home$/logs directory on the UNIX, Linux, and Windows platforms. On UNIX and Linux, the logs are named catalina.out or localhost_log.date.txt. On Windows, the log files are named stderr and stdout.

8.1.3 601 Error Messages

The object name entered could not be found in the context specified.

Some possible causes:

  • Contextless login might be disabled.

  • Your User object might not be in the configured search containers list. Either ask your administrator to add your user location to the contextless login search containers or log in with a full context.

8.1.4 622 Error Messages

The NDS password has been disabled in the Universal Password policy. This may also manifest itself with a 222 Error Message.

You can avoid this error with iManager Workstation by installing the NMAS client, which allows iManager to utilize the Universal Password authentication mechanism rather than eDirectory’s legacy authentication process.

8.1.5 632 Error Messages

This error is a system failure with several possible causes.

8.1.6 634 Error Messages

The target server does not have a copy of what the source server is requesting, or the source server has no objects that match the request and has no referrals on which to search for the object.

Some possible causes:

  • You entered an incorrect tree name or IP address. If you are using the IP address, make sure you include the port if eDirectory is installed on a port other than the standard port (524).

  • iManager cannot locate your tree or IP address before timing out. If the tree name fails, use the IP address.

8.1.7 669 Error Messages

An invalid password was used, authentication failed, one server tried to synchronize with another one but the target server’s database was locked, or a problem exists with the remote ID or public key.

Some possible causes:

  • You typed an incorrect password.

  • There are multiple users with the same user name in the tree. Contextless login tries to log in using the first user account it finds with the supplied password. In this case, provide a full context when you log in or limit the search containers that contextless login searches.
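The 601 and 669 causes above both come down to how contextless login resolves a bare user name against the configured search containers. The following model, an added example that is not iManager code, resolves a login name against a constructed in-memory directory and distinguishes "not found" (601) from "more than one match" (the 669 risk described above, where the wrong account may be tried first). The directory entries, the LDAP-style DN notation, the container list and the treatment of any name containing a comma as a full-context login are all assumptions made for the example; it does not check passwords.

```python
"""Model of contextless-login name resolution (added example, not iManager code).

A bare login name is matched against entries whose object class and login
attribute are in the configured lists and whose DN lies under one of the
contextless search containers.  Zero matches corresponds to a 601; more than
one match is the ambiguity that can surface as a 669 when the first account
found is tried with the supplied password.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass
class Entry:
    dn: str
    object_class: str
    attrs: Dict[str, str]


# Constructed sample tree: two distinct users both have CN=jsmith.
DIRECTORY: List[Entry] = [
    Entry("cn=jsmith,ou=sales,o=acme", "User", {"CN": "jsmith", "uniqueID": "js1"}),
    Entry("cn=jsmith,ou=eng,o=acme", "User", {"CN": "jsmith", "uniqueID": "js2"}),
    Entry("cn=admin,ou=it,o=acme", "User", {"CN": "admin", "uniqueID": "adm"}),
    Entry("cn=jdoe,ou=contractors,o=acme", "User", {"CN": "jdoe", "uniqueID": "jd"}),
    Entry("cn=helpdesk,ou=it,o=acme", "Alias", {"CN": "helpdesk", "uniqueID": "hd"}),
]


def in_container(dn: str, container: str) -> bool:
    """True if dn is somewhere beneath container (subtree match, case-insensitive)."""
    return dn.lower().endswith("," + container.lower())


def resolve(login: str, containers: Sequence[str],
            classes: Sequence[str] = ("User",),
            attrs: Sequence[str] = ("CN",)) -> List[str]:
    """Return the DNs of every entry that contextless login would accept for `login`.

    `classes` and `attrs` mirror the ContextlessLoginClass and
    ContextlessLoginSearchAttributes settings; defaults are User objects by CN.
    """
    matches = []
    for e in DIRECTORY:
        if e.object_class not in classes:
            continue
        if not any(in_container(e.dn, c) for c in containers):
            continue
        if any(e.attrs.get(a, "").lower() == login.lower() for a in attrs):
            matches.append(e.dn)
    return matches


def classify(login: str, containers: Sequence[str], **kw) -> Tuple[str, List[str]]:
    """Map a login attempt to the outcome a user would see.

    A name containing a comma is treated as a full-context login (assumption:
    LDAP DN form) and bypasses the contextless search entirely.
    """
    if "," in login:
        return ("full-context", [login])
    matches = resolve(login, containers, **kw)
    if not matches:
        return ("601-not-found", [])
    if len(matches) > 1:
        return ("ambiguous-669-risk", matches)
    return ("ok", matches)


if __name__ == "__main__":
    # jdoe sits outside the configured containers: 601.
    print(classify("jdoe", ["ou=eng,o=acme", "ou=sales,o=acme"]))
    # Two jsmith accounts under o=acme: ambiguous, the 669 scenario.
    print(classify("jsmith", ["o=acme"]))
    # Narrowing the containers removes the ambiguity.
    print(classify("jsmith", ["ou=eng,o=acme"]))
```

Narrowing the container list or logging in with a full context, as the section recommends, are the two fixes visible in the model: the first shrinks the candidate set, the second skips the search.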

8.1.8 Tree Name Field

If eDirectory is installed and running on a port other than the default port 524, you can log in with the IP address or DNS name of the eDirectory server only if you also specify the port. For example, with eDirectory listening on port 1080:

  • For an IPv4 address: 127.0.0.1:1080

  • For an IPv6 address: [2001:db8::6]:1080

    Enclose an IPv6 address in square brackets so that the trailing port is not read as part of the address.

If you use the tree name to log in, you do not have to specify a port.

Possible values for the Tree Name field are the tree name, the server IP address, and the server DNS name. For best results, use the IP address.

8.1.9 Logging in to a Server without a Replica

If necessary, iManager can log in to the eDirectory tree using a server that does not host an eDirectory replica. To do this, iManager maintains a connection cache with the information it needs to successfully log in. To populate the connection cache, the first time you log in to an eDirectory tree with iManager you must log in to a server that hosts a replica.

Restarting Tomcat or the iManager server clears the connection cache, so the first time iManager logs in following one of these events, you must log in to a server that hosts a replica.

8.1.10 Unsuccessful Authentication

Login failures occur for a variety of reasons. The specific authentication error messages are addressed in the error message sections earlier in Authentication Issues.

For information about limiting the error messages that iManager displays upon a failed authentication attempt, see Preventing User Name Discovery.

8.1.11 Expired Password Information

If a password expires, the user sees a message to this effect. However, users might not be aware that grace logins can be quickly consumed, depending on certain operations such as modifying a dynamic group, simple find, and setting a simple password.

These operations consume additional grace logins each time a user performs a task. We highly recommend that you encourage users to change their passwords the first time they are prompted.

8.1.12 Contextless Login Using Alternate Object Classes and/or Alternate Attributes

To enable contextless authentication using an alternate object type, do the following:

  1. Open iManager and browse to Configure > iManager Server > Configure iManager > Authentication.

    If you do not see this task, you are not an authorized user. See Authorized Users and Groups.

  2. Set Public Username and Password to a user that has rights to read the desired attributes.

  3. Modify <TOMCAT_HOME>\webapps\nps\WEB-INF\config.xml to include a <setting> element that lists the object classes or attributes you want to add to the contextless search, and then restart Tomcat.

    For information about restarting Tomcat, see Starting and Stopping Tomcat.

For example, the following XML adds the Alias and User objects to the contextless search:

<setting>
  <name><![CDATA[Authenticate.Form.ContextlessLoginClass.NDAP.treename]]></name>
  <value><![CDATA[User]]></value>
  <value><![CDATA[Alias]]></value>
</setting>

Similarly, the following XML allows users to log in with the CN or uniqueID attribute:

<setting>
  <name><![CDATA[Authenticate.Form.ContextlessLoginSearchAttributes.NDAP.treename]]></name>
  <value><![CDATA[CN]]></value>
  <value><![CDATA[uniqueID]]></value>
</setting>

IMPORTANT:

  • In the sample code above, replace treename with the name of the appropriate directory tree in lower case.

  • If you save any iManager Server settings from the Configure iManager task after editing the config.xml file, verify that the tree name is still in lowercase or customized contextless login will fail.
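Because saving settings from the Configure iManager task can change the case of the tree name in these setting names, it is worth checking config.xml after any such save. The following script is an added example, not part of iManager: it parses the two contextless-login setting families described above, reports any tree-name suffix that is not lowercase, and rewrites those names to lowercase. The sample XML is constructed for the example, including its <settings> root element; the real config.xml layout around the <setting> elements may differ, so point the script at your own file and inspect the result before restarting Tomcat.

```python
"""Check and repair the tree-name case in iManager contextless-login settings.

Added example, not shipped with iManager.  Works on the <setting>/<name>/<value>
structure shown above; the surrounding document structure of config.xml is an
assumption, which is why the lookup iterates over every <setting> element
wherever it appears.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

PREFIXES = (
    "Authenticate.Form.ContextlessLoginClass.NDAP.",
    "Authenticate.Form.ContextlessLoginSearchAttributes.NDAP.",
)

# Constructed sample: the first setting has a mixed-case tree name, which
# the IMPORTANT note says will make customized contextless login fail.
SAMPLE = """<settings>
<setting> <name><![CDATA[Authenticate.Form.ContextlessLoginClass.NDAP.ACME_TREE]]></name>
  <value><![CDATA[User]]></value>
  <value><![CDATA[Alias]]></value>
</setting>
<setting> <name><![CDATA[Authenticate.Form.ContextlessLoginSearchAttributes.NDAP.acme_tree]]></name>
  <value><![CDATA[CN]]></value>
  <value><![CDATA[uniqueID]]></value>
</setting>
<setting> <name><![CDATA[Unrelated.Setting]]></name><value><![CDATA[x]]></value></setting>
</settings>"""


def contextless_settings(xml_text: str) -> Dict[Tuple[str, str], List[str]]:
    """Return {(prefix, treename): [values]} for every contextless-login setting."""
    root = ET.fromstring(xml_text)
    found: Dict[Tuple[str, str], List[str]] = {}
    for setting in root.iter("setting"):
        name = (setting.findtext("name") or "").strip()
        for prefix in PREFIXES:
            if name.startswith(prefix):
                tree = name[len(prefix):]
                found[(prefix, tree)] = [
                    v.text.strip() for v in setting.findall("value") if v.text
                ]
    return found


def miscased_trees(xml_text: str) -> List[str]:
    """Tree-name suffixes that are not entirely lowercase."""
    return sorted({tree for (_, tree) in contextless_settings(xml_text)
                   if tree != tree.lower()})


def fix_tree_case(xml_text: str) -> str:
    """Lowercase the tree-name suffix of each contextless setting name.

    A textual substitution is used rather than re-serialising the tree so that
    the rest of the file (comments, whitespace, CDATA sections) is untouched.
    """
    pattern = re.compile(
        r"(" + "|".join(map(re.escape, PREFIXES)) + r")([^\]<]+)"
    )
    return pattern.sub(lambda m: m.group(1) + m.group(2).lower(), xml_text)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    bad = miscased_trees(text)
    print("mixed-case tree names:", bad or "none")
    if bad and len(sys.argv) > 1:
        open(sys.argv[1], "w").write(fix_tree_case(text))
        print("rewritten; restart Tomcat for the change to take effect")
```

Run it with the path to config.xml to check and repair the file in place, or with no argument to see it act on the constructed sample.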