This feature enables support for LDAP-based applications to authenticate (bind) to a Domain Controller over SASL layer via GSSAPI/GSS-SPNEGO employing NTLM. As part of this feature, DSfW introduces support for NTLM in case Kerberos is down or where a legacy third party application is limited with NTLM support alone. However, applications employing NTLM outside SASL layer will remain unsupported. It is recommended that you avoid NTLM-based authentication, because it is susceptible to attacks. For more information, see NTLM Authentication Protocol.
To use this feature on Windows 7 or Windows XP SP3 or later, you must change the local policy as follows:
On a Windows system, click Administrative Tools > Local Security Policy > Security Settings > Local Policies > Security Options > Network Security: LAN Manager Authentication Level
Modify the value of the LAN Manager Authentication Level to Send LM and NTLM -use NTLM2 session security if negotiated.
Use the information in this section to resolve SASL NTLMSSP-based bind issues.
If there are pre-existing non-OES 11 SP3 domain controllers in your environment, perform the following steps on these domain controllers:
Start the ndstrace process by issuing the ndstrace -l>log& command. This runs the process in the background.
Force the backlink to run by issuing the ndstrace -c set ndstrace=*B command from the ndstrace command prompt.
Unload the ndstrace process by issuing the ndstrace -u command. Running the backlink process is especially important on servers that do not contain a replica.
Restart the ndsd sever by using the ndsd restart command.
Verify that the size or hash of the /var/opt/novell/eDirectory/data/nmas-methods/SPNEGOLSMLIN_X64.SO library matches to that of an OES 11 SP3 server.