Novell SSO Pre-requisites



Solution

Overview

 

When using Novell SSO, make sure the following steps are taken. Most problems where users start getting "The user could not be determined by the Single Sign-on agent" after a period of time are due to BCAAA no longer receiving updates from Novell SSO.

When the BCAAA service is started, it registers with Novell eDirectory and retrieves a mapping of the current database. After that, the BCAAA database is updated from eDirectory whenever a login/logout event is triggered. If eDirectory is not set up correctly, these events are not delivered, the BCAAA database becomes out of date, and users start to get errors.

This is why restarting the BCAAA service makes it work again for a time.


1) Check that eDirectory is at the following version.
 
eDirectory must be patched to fix the following memory leak:

http://www.novell.com/support/viewCo...rnalId=3426981

Issues resolved in eDirectory 8.8 SP5 (20219.15)

- Memory Corruption fix: Ndsd cores in LDAP when a Bluecoat appliance monitors events (Bug 344893/427322)

Or running the latest 8.7.x patches.
 
 
 
2) Make sure that the Novell eDirectory extension is installed on the Novell LDAP server.
 
BCAAA uses the Novell LDAP SDK to perform a "Filtered Monitor Events" extended LDAP request.
 
This is what updates BCAAA with login/logout events; if the extension is NOT installed, problems will occur.
 
 
 
3) How BCAAA and Novell SSO work - taken from the Blue Coat manual
 
Volume 4: Securing the Blue Coat ProxySG

Page 224.

"When a server is being monitored, each time a user logs in or logs out, an event message is sent to the BCAAA to update its mapping of FQDNs to IP addresses."

"To ensure that BCAAA has a complete map of FQDNs to IP addresses, the Realm can be configured to do a full search of the configured master eDirectory server up to once per day."
 
 
 
4) PCAP Filter Analysis
 
Run a packet capture on the server running BCAAA. Once the capture is running, start the BCAAA service so that the initial setup and registration for login/logout events is captured. Then apply the following display filter to the capture:

 
ldap.extendedReq||ldap.resultCode==53
 
 
"What you might see with this is a series of 'unwillingToPerform' responses in reply to 'attributeName=networkAddress' requests. This would mean their eDirectory doesn't have the right extensions enabled."
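As an added example, not part of this article: a small Python decoder for captured LDAP PDUs that pairs each extended request with its response by messageID and reports the ones answered with resultCode 53 (unwillingToPerform), which is what the display filter above surfaces in Wireshark. The PDUs are constructed inline, and the OID 1.2.3.4.5 is a placeholder, not Novell's extension OID.

```python
UNWILLING_TO_PERFORM = 53          # LDAP resultCode 53, i.e. ldap.resultCode==53
EXTENDED_REQUEST = 0x77            # [APPLICATION 23] ExtendedRequest
EXTENDED_RESPONSE = 0x78           # [APPLICATION 24] ExtendedResponse
# Protocol ops whose body starts with an LDAPResult (bind, search done, modify, add, del, modDN, compare, extended)
RESULT_OPS = {0x61, 0x65, 0x67, 0x69, 0x6B, 0x6D, 0x6F, EXTENDED_RESPONSE}

def tlv(tag, value):
    """Encode one BER TLV with definite length (short form, or 2-byte long form)."""
    n = len(value)
    length = bytes([n]) if n < 128 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + value

def read_tlv(buf, pos=0):
    """Decode one BER TLV at pos; return (tag, value, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_ldap_message(pdu):
    """Return (messageID, protocolOp tag, requestName OID or None, resultCode or None)."""
    _, body, _ = read_tlv(pdu)                 # outer LDAPMessage SEQUENCE
    _, mid, pos = read_tlv(body)               # messageID INTEGER
    op_tag, op_body, _ = read_tlv(body, pos)   # protocolOp CHOICE
    name = code = None
    if op_tag == EXTENDED_REQUEST:
        tag, val, _ = read_tlv(op_body)        # requestName [0] OCTET STRING has tag 0x80
        if tag == 0x80:
            name = val.decode()
    elif op_tag in RESULT_OPS:
        _, rc, _ = read_tlv(op_body)           # resultCode ENUMERATED is first in LDAPResult
        code = int.from_bytes(rc, "big")
    return int.from_bytes(mid, "big"), op_tag, name, code

def refused_extended_ops(pdus):
    """Map messageID -> (requestName OID, resultCode) for extended ops refused with code 53."""
    pending, refused = {}, {}
    for pdu in pdus:
        mid, op, name, code = parse_ldap_message(pdu)
        if op == EXTENDED_REQUEST:
            pending[mid] = name
        elif op == EXTENDED_RESPONSE and code == UNWILLING_TO_PERFORM and mid in pending:
            refused[mid] = (pending[mid], code)
    return refused

def ldap_result(op_tag, code):
    """Build a response op: resultCode, empty matchedDN, empty diagnosticMessage."""
    return tlv(op_tag, tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, b""))

# Constructed sample PDUs (not from a real capture); the OID below is a placeholder.
SAMPLE_PDUS = [
    tlv(0x30, tlv(0x02, b"\x01") + ldap_result(0x61, 0)),                            # bind OK
    tlv(0x30, tlv(0x02, b"\x02") + tlv(EXTENDED_REQUEST, tlv(0x80, b"1.2.3.4.5"))),  # ext req
    tlv(0x30, tlv(0x02, b"\x02") + ldap_result(EXTENDED_RESPONSE, UNWILLING_TO_PERFORM)),
]
```

Feeding real PDUs (for example the LDAP payloads exported from the capture) through refused_extended_ops shows which extended operation the server rejected, which is the symptom described above when the eDirectory extension is missing.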
 
InQuira Doc Id      FAQ774

First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Article Audience
Software      SGOS 4, SGOS 5
Topic      BCAAA
Article Number      000012503