Novell SSO Pre-requisites
When using Novell SSO, make sure that the following steps are taken. Most of the problems where, after some time, users start getting "The user could not be determined by the Single Sign-on agent" are due to the BCAAA not being sent updates from the Novell SSO.
When the BCAAA Service is started it registers with the Novell eDirectory and gets a mapping of the current database. Once this is complete, the BCAAA database is updated from eDirectory whenever a login/logout event is triggered. If the Novell eDirectory is not set up correctly, the BCAAA database becomes out of date and users start to get errors.
This is why, when you restart the BCAAA Service, it works again for a time.
1) Check to make sure that eDirectory is at the following version.
eDirectory patched to fix the following memory leak.
Issues resolved in eDirectory 8.8 SP5 (20219.15)
- Memory Corruption fix: Ndsd cores in LDAP when a Bluecoat appliance monitors events (Bug 344893/427322)
Or running the latest 8.7.x patches.
2) Make sure that the Novell eDirectory extension is installed on the Novell LDAP server.
BCAAA uses the Novell LDAP SDK to perform a "Filtered Monitor Events" extended LDAP request.
This is used to update BCAAA with login/logout events; if the extension is NOT installed then problems will occur.
3) How BCAAA and Novell SSO work - taken from the Blue Coat Manual
Volume 4: Securing the Blue Coat ProxySG
"When a server is being monitored, each time a user logs in or logs out, an event message is sent to the BCAAA to update its mapping of FQDNs to IP addresses."
"To ensure that BCAAA has a complete map of FQDNs to IP addresses, the Realm can be configured to do a full search of the configured master eDirectory server up to once per day."
4) PCAP Filter Analysis
Run a packet capture (PCAP) on the server running BCAAA; once the capture is running, start the BCAAA service so that the initial setup and registration process for login/logout events is captured.
"What you might see with this is a series of 'unwillingToPerform' responses in reply to 'attributeName=networkAddress' requests. This would mean their eDirectory doesn't have the right extensions enabled."
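As an added example (not from the Blue Coat article or the BCAAA product), the following Python decodes the result code from LDAP response messages of the kind seen in such a capture, so a run of 'unwillingToPerform' (LDAP resultCode 53, RFC 4511) answers can be counted rather than read off by eye. The capture contents are constructed inline with a small BER encoder; the diagnostic text, message IDs and the threshold are assumptions, not values from a real eDirectory server.

```python
# Added example: decode LDAP result codes from captured LDAP responses and
# flag a series of 'unwillingToPerform' (resultCode 53) answers, the symptom
# described above for an eDirectory server without the monitor-events
# extension. Not part of BCAAA or the Blue Coat article.

# LDAP result codes from RFC 4511 (subset relevant here)
RESULT_CODE_NAMES = {
    0: "success",
    2: "protocolError",
    12: "unavailableCriticalExtension",
    53: "unwillingToPerform",
}

# protocolOp tags (APPLICATION class) carrying an LDAPResult, RFC 4511 4.1.1
OP_NAMES = {
    0x61: "bindResponse",
    0x65: "searchResDone",
    0x78: "extendedResp",
}


def _read_tlv(buf, pos):
    """Read one BER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_ldap_response(msg):
    """Decode an LDAPMessage that carries an LDAPResult.

    Returns a dict with messageID, op, resultCode, resultName and
    diagnosticMessage, or None if the protocolOp is not a result-bearing
    response (e.g. a request or a searchResEntry).
    """
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    id_tag, id_val, pos = _read_tlv(body, 0)
    if id_tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op_body, _ = _read_tlv(body, pos)
    if op_tag not in OP_NAMES:
        return None
    # LDAPResult: ENUMERATED resultCode, OCTET STRING matchedDN,
    # OCTET STRING diagnosticMessage (referral, if any, ignored here)
    _, rc_val, pos = _read_tlv(op_body, 0)
    _, _, pos = _read_tlv(op_body, pos)        # matchedDN, not needed
    _, diag, _ = _read_tlv(op_body, pos)
    code = int.from_bytes(rc_val, "big")
    return {
        "messageID": int.from_bytes(id_val, "big"),
        "op": OP_NAMES[op_tag],
        "resultCode": code,
        "resultName": RESULT_CODE_NAMES.get(code, "other(%d)" % code),
        "diagnosticMessage": diag.decode("utf-8", "replace"),
    }


def summarize_result_codes(messages):
    """Count result names across a list of raw LDAP messages."""
    counts = {}
    for m in messages:
        r = decode_ldap_response(m)
        if r is not None:
            counts[r["resultName"]] = counts.get(r["resultName"], 0) + 1
    return counts


def monitor_extension_looks_missing(messages, threshold=1):
    """True if at least `threshold` responses are unwillingToPerform (assumed threshold)."""
    return summarize_result_codes(messages).get("unwillingToPerform", 0) >= threshold


# --- constructed sample capture (BER encoder used only to build samples) ---

def _tlv(tag, value):
    """Encode a BER TLV, using the long length form when needed."""
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    length_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + value


def build_ldap_result(message_id, op_tag, result_code, diagnostic=""):
    """Build an LDAPMessage with an LDAPResult (messageID < 128 assumed)."""
    result = (_tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"")
              + _tlv(0x04, diagnostic.encode()))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(op_tag, result))


SAMPLE_CAPTURE = [  # constructed, not a real BCAAA/eDirectory capture
    build_ldap_result(1, 0x61, 0),                                  # bind succeeded
    build_ldap_result(2, 0x78, 53, "hypothetical server message"),  # extended request refused
    build_ldap_result(3, 0x65, 53),                                 # networkAddress search refused
]

if __name__ == "__main__":
    print(summarize_result_codes(SAMPLE_CAPTURE))
    print("monitor extension missing?", monitor_extension_looks_missing(SAMPLE_CAPTURE))
```

To apply this to a real capture, feed `decode_ldap_response` the reassembled TCP payload of each LDAP response from the eDirectory server; in Wireshark the equivalent quick check is to look for responses whose result code is 53 following BCAAA's monitor-events request.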