13.4 Support for SASL NTLMSSP Bind in LDAP

This feature enables LDAP-based applications to authenticate (bind) to a Domain Controller over the SASL layer via GSSAPI/GSS-SPNEGO using NTLM. As part of this feature, DSfW introduces support for NTLM for cases where Kerberos is unavailable or where a legacy third-party application supports only NTLM. However, applications that use NTLM outside the SASL layer remain unsupported. It is recommended that you avoid NTLM-based authentication, because it is susceptible to attacks. For more information, see NTLM Authentication Protocol.

13.4.1 Planning for Support of SASL NTLMSSP Bind in LDAP

To use this feature on Windows 7 or Windows XP SP3 or later, you must change the local policy as follows:

  1. On a Windows system, click Administrative Tools > Local Security Policy > Security Settings > Local Policies > Security Options > Network Security: LAN Manager Authentication Level

  2. Modify the value of the LAN Manager Authentication Level to Send LM and NTLM - use NTLM2 session security if negotiated.
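As an added example that is not part of the OES documentation, the following PowerShell audits the same setting through the LmCompatibilityLevel registry value that the Local Security Policy editor writes; the level-to-name table is the standard Windows mapping, and the required level of 1 corresponds to the option named in step 2.

```powershell
# Added example (not from the OES documentation): audit and, if needed, set the
# client's "Network Security: LAN Manager Authentication Level" policy, which is
# stored in the LmCompatibilityLevel value under the Lsa registry key.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Level-to-name mapping as displayed by the Local Security Policy editor.
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmAuthLevelReport {
    [CmdletBinding()]
    param(
        # Level required by the DSfW procedure above (assumed: 1).
        [ValidateRange(0,5)][int]$RequiredLevel = 1
    )
    $prop = Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: the policy shows "Not Defined" and the OS default applies
        # (which differs between Windows versions), so do not guess a level.
        $level = $null
        $desc  = 'Not Defined (OS default applies)'
    } else {
        $level = [int]$prop.LmCompatibilityLevel
        $desc  = $LmLevelNames[$level]
    }
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Level         = $level
        Description   = $desc
        MeetsRequired = ($level -eq $RequiredLevel)
        # Levels 0 and 1 still send LM responses; this is the trade-off the
        # documentation warns about when it recommends avoiding NTLM.
        SendsLM       = ($null -ne $level -and $level -lt 2)
    }
}

function Set-LmAuthLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0,5)][int]$Level = 1)
    if ($PSCmdlet.ShouldProcess("$LsaKey\LmCompatibilityLevel", "Set to $Level")) {
        Set-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Value $Level -Type DWord
    }
}

Get-LmAuthLevelReport | Format-List
```

A domain Group Policy that defines this setting overrides the local value, so on domain-joined clients check the effective policy (for example with `gpresult`) rather than the registry alone.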

13.4.2 Troubleshooting

Use the information in this section to resolve SASL NTLMSSP-based bind issues.

SASL NTLMSSP-Based Bind Over LDAP is Not Working

If your environment contains domain controllers that were installed before OES 11 SP2, perform the following steps on those domain controllers:

  1. Start the ndstrace process by issuing the ndstrace -l>log& command. This runs the process in the background.

  2. Force the backlink to run by issuing the ndstrace -c set ndstrace=*B command from the ndstrace command prompt.

  3. Unload the ndstrace process by issuing the ndstrace -u command. Running the backlink process is especially important on servers that do not contain a replica.

  4. Restart the ndsd server by using the ndsd restart command.

  5. Verify that the size or hash of the /var/opt/novell/eDirectory/data/nmas-methods/SPNEGOLSMLIN_X64.SO library matches that of an OES 2018 or later server.