How does the Novell SSO algorithm work?

Solution

Overview

1. When BCAAA receives a Novell SSO request, it immediately searches the IP-to-user table. If the user's IP address is in the IP-to-user table, then it is returned immediately.

Note: A copy of the IP-to-user table can be found as novell_primary_full.sso and novell_primary_inc.sso in binary format. If debugging is enabled (NovellDebug=1 in sso.ini), debug_novell_primary_full.sso and debug_novell_primary_inc.sso are created.

2. If the user's IP is not in the IP-to-user table, then BCAAA checks to see if an LDAP search is in progress. If it is, then BCAAA will temporarily block the request.

3. As results are returned from the LDAP search, they are added to the IP-to-user table. The blocked request will periodically wake up and check the IP-to-user table again. If a positive result is found, then it is returned immediately. If the IP is still not present in the IP-to-user table and the LDAP search is still ongoing, then the request will be temporarily blocked again.

Note: A positive result can come from a table entry that was added by the LDAP search or by the monitoring thread. The monitoring threads can add entries to the IP-to-user table while the LDAP search is ongoing.

4. If the request IP still is not found in the IP-to-user table and the LDAP search has finished, then a negative response is returned. The negative response will not be returned until the LDAP search has finished.
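
The following is an added example, not BCAAA code: a small Python model of steps 1 to 4, showing that a request blocks while a search is running and that the negative response is withheld until the search finishes. The class name, method names, polling interval, IP addresses and user names are all assumptions made for illustration.

```python
import threading

class IpToUserTable:
    """Toy model of the lookup flow in steps 1-4 (not BCAAA source code)."""

    def __init__(self, poll_interval=0.05):
        self._cond = threading.Condition()
        self._table = {}            # IP address -> user name
        self._searching = False     # True while an LDAP search is running
        self._poll = poll_interval  # assumed wake-up period for blocked requests

    def add(self, ip, user):
        # Used by both the LDAP search thread and the monitoring threads.
        with self._cond:
            self._table[ip] = user

    def set_searching(self, active):
        with self._cond:
            self._searching = active

    def lookup(self, ip):
        with self._cond:
            while True:
                user = self._table.get(ip)
                if user is not None:         # steps 1 and 3: positive result
                    return user
                if not self._searching:      # step 4: search done, negative
                    return None
                self._cond.wait(self._poll)  # steps 2 and 3: block, re-check

def demo():
    table = IpToUserTable()
    table.add("10.0.0.5", "cn=alice,o=bcsi")  # constructed sample data
    out = {"known": table.lookup("10.0.0.5")}
    table.set_searching(True)                 # LDAP search begins

    def request(key, ip):
        out[key] = table.lookup(ip)

    found = threading.Thread(target=request, args=("found", "10.0.0.9"))
    missing = threading.Thread(target=request, args=("missing", "10.0.0.77"))
    found.start(); missing.start()
    table.add("10.0.0.9", "cn=bob,o=bcsi")    # result arrives mid-search
    found.join()
    out["negative_withheld"] = missing.is_alive()  # search still running
    table.set_searching(False)                # LDAP search finishes
    missing.join()
    return out

if __name__ == "__main__":
    print(demo())
```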

Additional notes:
1. The LDAP searches are scheduled in the Novell SSO realm settings on the ProxySG. A search can be scheduled at most once per day. BCAAA has a thread dedicated to performing LDAP searches. When not searching, this thread goes to sleep and wakes up periodically to see if a search is needed. You can see this happening in trace statements similar to the following:

2010/05/27 11:17:00.598 [4116] Next search for o=bcsi is in 102380 seconds
2010/05/27 11:17:00.598 [4116] Looking for something to search

2. There is one case where BCAAA will begin the search immediately: when an SG connects and asks BCAAA to search a container that it has not searched previously.
InQuira Doc Id: FAQ844