2.5 Authenticating

Be aware of the following issues related to iManager authentication:

NOTE: If your network has more than three servers, or one or more servers that do not host eDirectory replicas, you must have SLP properly configured for iManager to log in. For more information, see the Novell Open Enterprise Server SLP documentation.

2.5.1 Tree Name Field

If eDirectory is installed and running on a port other than the default port 524, you can use the IP address or DNS name of the eDirectory server to log in if you also specify the port. For example:

  • For an IPv4 address:

    https://127.0.0.1/nps/servlet/webacc?taskId=fw.Startup&forceMaster=true

  • For an IPv6 address:

    https://[2001:db8::6]:1080/nps/servlet/webacc?taskId=fw.Startup&forceMaster=true

If you use the tree name to log in, you do not have to specify a port.

Possible values for the Tree Name field are the tree name, the server IP address, and the server DNS name. For best results, use the IP address.

2.5.2 Logging in to a Server without a Replica

If necessary, iManager can log in to the eDirectory tree using a server that does not host an eDirectory replica. To do this, iManager maintains a connection cache with the information it needs to log in successfully. To populate the connection cache, the first time you log in to an eDirectory tree with iManager, you must log in to a server that hosts a replica.

Restarting Tomcat or the iManager server clears the connection cache, so the first time iManager logs in following one of these events, you must log in to a server that hosts a replica.

2.5.3 Unsuccessful Authentication

Login failures occur for a variety of reasons. Authentication error messages are addressed in Authentication Issues.

For information about limiting the error messages that iManager displays upon a failed authentication attempt, see Preventing User Name Discovery.

2.5.4 Expired Password Information

If a password expires, the user sees a message to this effect. However, users might not be aware that grace logins can be consumed quickly, because certain operations, such as modifying a dynamic group, performing a simple find, and setting a simple password, each use up a grace login.

These operations consume additional grace logins each time a user performs a task. We highly recommend that you encourage users to change their passwords the first time they are prompted.

2.5.5 Contextless Login Using Alternate Object Classes and/or Alternate Attributes

To enable contextless authentication using an alternate object type, do the following:

  1. Open iManager and browse to Configure > iManager Server > Configure iManager > Authentication.

    If you do not see this task, you are not an authorized user. See Authorized Users and Groups.

  2. Set Public Username and Password to a user that has rights to read the desired attributes.

  3. Modify <TOMCAT_HOME>\webapps\nps\WEB-INF\config.xml to include a <Setting> property that lists the attributes you want to add to the contextless search, and then restart Tomcat.

    For information about restarting Tomcat, see Starting and Stopping Tomcat.

For example, the following XML adds the Alias and User objects to the contextless search:

<setting>
  <name><![CDATA[Authenticate.Form.ContextlessLoginClass.NDAP.treename]]></name>
  <value><![CDATA[User]]></value>
  <value><![CDATA[Alias]]></value>
</setting>

Similarly, the following XML allows users to log in with the CN or uniqueID attribute:

<setting>
  <name><![CDATA[Authenticate.Form.ContextlessLoginSearchAttributes.NDAP.treename]]></name>
  <value><![CDATA[CN]]></value>
  <value><![CDATA[uniqueID]]></value>
</setting>

IMPORTANT:

  • In the sample code above, replace treename with the name of the appropriate directory tree in lowercase.

  • If you save any iManager Server settings from the Configure iManager task after editing the config.xml file, verify that the tree name is still in lowercase, or customized contextless login will fail.
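As an added check, not part of this guide or of iManager itself, the following Python script parses the <setting> elements described above, lists the classes and attributes that contextless login will search, and flags a tree-name suffix that is not lowercase. The <settings> root element and the tree names mytree and MyTree in the sample are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the two <setting> blocks above.
# The <settings> root element is an assumption; the real config.xml
# wraps these elements in its own structure.
SAMPLE_CONFIG = """<settings>
  <setting>
    <name><![CDATA[Authenticate.Form.ContextlessLoginClass.NDAP.mytree]]></name>
    <value><![CDATA[User]]></value>
    <value><![CDATA[Alias]]></value>
  </setting>
  <setting>
    <name><![CDATA[Authenticate.Form.ContextlessLoginSearchAttributes.NDAP.MyTree]]></name>
    <value><![CDATA[CN]]></value>
    <value><![CDATA[uniqueID]]></value>
  </setting>
</settings>"""

# Setting-name prefixes documented on this page, keyed by what their values list.
PREFIXES = {
    "Authenticate.Form.ContextlessLoginClass.NDAP.": "classes",
    "Authenticate.Form.ContextlessLoginSearchAttributes.NDAP.": "attributes",
}

def audit_contextless_settings(xml_text):
    """Return one dict per contextless-login <setting>: what it configures,
    the tree-name suffix, its values, and whether the tree name is lowercase
    (a mixed-case tree name makes customized contextless login fail)."""
    root = ET.fromstring(xml_text)
    findings = []
    for setting in root.iter("setting"):
        name_el = setting.find("name")
        if name_el is None or not name_el.text:
            continue
        name = name_el.text.strip()
        for prefix, kind in PREFIXES.items():
            if name.startswith(prefix):
                tree = name[len(prefix):]
                values = [v.text.strip() for v in setting.findall("value") if v.text]
                findings.append({"kind": kind, "tree": tree, "values": values,
                                 "tree_is_lowercase": tree == tree.lower()})
    return findings

if __name__ == "__main__":
    for f in audit_contextless_settings(SAMPLE_CONFIG):
        status = "ok" if f["tree_is_lowercase"] else "FIX: tree name is not lowercase"
        print(f'{f["kind"]:<10} tree={f["tree"]:<8} values={f["values"]}  {status}')
```

Run it against a copy of <TOMCAT_HOME>\webapps\nps\WEB-INF\config.xml after editing, and again after saving settings from the Configure iManager task, to confirm the tree name survived in lowercase.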