Novell SSO Pre-requisites

FAQ ID:    FAQ774
Version:    2.0
Status:    Published
Published date:    03/29/2010
Updated:    06/03/2010



When using Novell SSO, make sure that the following steps are taken. Most of the problems, where users start to get "The user could not be determined by the Single Sign-on agent" after the BCAAA service has been running for a while, are due to BCAAA no longer receiving login/logout updates from Novell eDirectory, the event source for Novell SSO.

When the BCAAA service starts, it registers with Novell eDirectory and retrieves a full mapping of the current user database (user FQDN to IP address). After that initial load, the BCAAA database is only updated when eDirectory delivers a login/logout event. If eDirectory is not set up correctly, those events stop arriving, the BCAAA database goes stale, and users start to get errors.

This is why restarting the BCAAA service makes it work again for a time: the restart repeats the full initial mapping, but nothing keeps it current afterwards.

1) Check that eDirectory is at a version that includes the fix for the memory corruption triggered by Blue Coat event monitoring (if ndsd cores, the monitor connection that feeds BCAAA dies with it).


Issues resolved in eDirectory 8.8 SP5 (20219.15)

- Memory Corruption fix: Ndsd cores in LDAP when a Bluecoat appliance monitors events (Bug 344893/427322)

Or run the latest 8.7.x patches.
2) Make sure that the Novell eDirectory LDAP event extension is installed on the eDirectory LDAP server.
BCAAA uses the Novell LDAP SDK to issue a "Filtered Monitor Events" extended LDAP request; this is the channel through which eDirectory delivers login/logout events to BCAAA. If the extension is NOT installed, the request is refused and no events arrive.
3) How BCAAA and Novell SSO work (taken from the Blue Coat manual, Volume 4: Securing the Blue Coat ProxySG, page 224)

"When a server is being monitored, each time a user logs in or logs out, an event message is sent to the BCAAA to update its mapping of FQDNs to IP addresses."

"To ensure that BCAAA has a complete map of FQDNs to IP addresses, the Realm can be configured to do a full search of the configured master eDirectory server up to once per day."
4) PCAP Analysis
Run a packet capture on the server running BCAAA. Once the capture is running, start the BCAAA service so that the capture includes the initial setup and the registration for login/logout events.

"What you might see with this is a series of 'unwillingToPerform' responses in reply to 'attributeName=networkAddress' requests. This would mean their eDirectory doesn't have the right extensions enabled."

'unwillingToPerform' is LDAP resultCode 53; seeing it in reply to the monitor-events registration means step 2 above has not been completed on the eDirectory server. Note that if BCAAA talks to eDirectory over LDAPS the payloads are encrypted and cannot be read from the capture without the session keys.
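The check described in step 4 can be scripted instead of read by eye. The following is an added example and is not Blue Coat's or Novell's code: it decodes the BER framing of LDAP result messages (RFC 4511) far enough to pull out the messageID, operation and resultCode, and reports every message the server answered with unwillingToPerform (53). The two messages in SAMPLE are constructed for the example, including the diagnostic text; in practice you would feed it the reassembled LDAP payloads from the capture (for instance exported from the TCP stream with tshark or scapy), which this example does not do.

```python
"""Decode LDAP result messages from a BCAAA <-> eDirectory capture and flag
unwillingToPerform (resultCode 53) responses.

Added example for this FAQ; the sample bytes below are constructed."""

# LDAP protocolOp APPLICATION tag numbers that carry an LDAPResult (RFC 4511).
RESULT_OPS = {
    1: "bindResponse",
    5: "searchResDone",
    7: "modifyResponse",
    9: "addResponse",
    11: "delResponse",
    13: "modDNResponse",
    15: "compareResponse",
    24: "extendedResp",
}

UNWILLING_TO_PERFORM = 53


def _read_tlv(buf, pos):
    """Read one BER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length (0x8n + n bytes)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_result(msg):
    """Parse one LDAPMessage; return a dict describing its LDAPResult, or
    None if the protocolOp is not a result-bearing operation."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID must be INTEGER")
    message_id = int.from_bytes(mid, "big")
    op_tag, op, _ = _read_tlv(body, pos)
    app = op_tag & 0x1F                    # tag number without class/constructed bits
    if (op_tag & 0xC0) != 0x40 or app not in RESULT_OPS:
        return None                        # not APPLICATION class or not a result op
    tag, rc, pos = _read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("resultCode must be ENUMERATED")
    result_code = int.from_bytes(rc, "big")
    _, matched_dn, pos = _read_tlv(op, pos)   # matchedDN (OCTET STRING)
    _, diag, pos = _read_tlv(op, pos)         # diagnosticMessage (OCTET STRING)
    return {
        "messageID": message_id,
        "op": RESULT_OPS[app],
        "resultCode": result_code,
        "matchedDN": matched_dn.decode(),
        "diagnosticMessage": diag.decode(),
    }


def find_unwilling(messages):
    """Return (messageID, op) for every message the server refused with 53."""
    hits = []
    for m in messages:
        r = parse_ldap_result(m)
        if r and r["resultCode"] == UNWILLING_TO_PERFORM:
            hits.append((r["messageID"], r["op"]))
    return hits


def _ldap_result(app_tag, message_id, result_code, diag=b""):
    """Build a minimal LDAPMessage carrying an LDAPResult (constructed sample,
    short-form lengths only)."""
    result = (bytes([0x0A, 1, result_code])          # resultCode ENUMERATED
              + b"\x04\x00"                           # matchedDN ""
              + bytes([0x04, len(diag)]) + diag)      # diagnosticMessage
    op = bytes([0x40 | 0x20 | app_tag, len(result)]) + result   # [APPLICATION n] constructed
    body = bytes([0x02, 1, message_id]) + op
    return bytes([0x30, len(body)]) + body


# Constructed sample traffic (not from a real capture): one extended response
# that eDirectory refused and one search result that succeeded.
SAMPLE = [
    _ldap_result(24, 3, UNWILLING_TO_PERFORM, b"unsupported extended operation"),
    _ldap_result(5, 4, 0),
]

if __name__ == "__main__":
    for mid, op in find_unwilling(SAMPLE):
        print(f"messageID {mid}: {op} answered unwillingToPerform (53)")
```

A hit on an extendedResp right after the BCAAA bind is the signature of the missing extension; a searchResDone with resultCode 0 for the same session shows that plain LDAP access itself is fine and that the problem is confined to the event-monitoring extension.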
