I'm setting up a new Citrix farm, and I'm revisiting an old problem I've
had with previous installations.

Our users log in from Citrix's web interface, or from Windows/Mac/Thin
Client. Before connecting, they supply their eDirectory name and
password. This is passed over when initialising the Citrix session,
through the CTXGINA to the NWGINA. We've got IDM2.02 doing the sync
between eDir and AD, so when NWGINA passes on the name/password to
MSGINA, it connects straight through. Result: the user has to type their
name/password once, it flows through each GINA and everything is
authenticated. Happy users.

The problem is: we've got users in different contexts. The username is
passed to NWGINA, it doesn't exist in the same context as the last user
to log in, and the user gets a "check your name or password" error.

Contextless logins would solve this problem - the name is passed, it's
looked up via LDAP and the correct context is picked - but the client
ONLY does an LDAP search when the user presses the TAB key, clicks on
Advanced, etc.

This was the case around a year ago when I was first setting up the
farm, and it still seems to be the case now. Why why why can't Novell
give us the option of the client doing an LDAP lookup automatically when
it detects credentials being passed to it by another GINA?

The bodge before has always been to create another OU with aliases to
all the users in it, and force the client to look at that context by
default. This works, but it's another layer of administration for our
helpdesk - they have to remember to create an alias along with each new
user, and deleting it afterwards when the user leaves the company doesn't
always happen.

Am I correct in the assumption that contextless logins only work when used
"interactively"? Has anyone found a better method?

P.S. Yes I have tried submitting an enhancement request for this, for
all the good it did.
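The lookup the post describes (bare login name in, fully qualified eDirectory context out) can be sketched independently of the Novell client. The following is an added example, not code from the original post or from Novell; it simulates a subtree LDAP search over a small constructed tree of users and aliases, dereferences alias entries the way the "alias OU" workaround relies on, and classifies the result as unique, ambiguous or not found. It also includes the check a directory admin would want before depending on contextless login at all: a list of CNs that exist in more than one context, since those are exactly the names a non-interactive lookup cannot resolve. The tree, the names and the containers are all hypothetical.

```python
"""Simulated contextless-login lookup against a constructed eDirectory-style tree.

Added example, not code from the original post or from Novell. DIRECTORY below
is constructed inline; every DN, CN and container name is hypothetical.
"""
from collections import defaultdict

# Constructed sample tree: two users sharing a CN in different contexts, one
# unique user, and an alias OU (the "bodge" from the post) pointing at a user.
DIRECTORY = [
    {"dn": "cn=jsmith,ou=sales,o=acme", "cn": "jsmith", "objectClass": "inetOrgPerson"},
    {"dn": "cn=jsmith,ou=eng,o=acme", "cn": "jsmith", "objectClass": "inetOrgPerson"},
    {"dn": "cn=akhan,ou=eng,o=acme", "cn": "akhan", "objectClass": "inetOrgPerson"},
    {"dn": "cn=akhan,ou=aliases,o=acme", "cn": "akhan", "objectClass": "aliasObject",
     "aliasedObjectName": "cn=akhan,ou=eng,o=acme"},
]

# RFC 4515 filter escapes: a typed login name must not be able to alter the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for safe inclusion in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(login: str) -> str:
    """The subtree filter a contextless lookup would send: user object or alias by CN."""
    return ("(&(|(objectClass=inetOrgPerson)(objectClass=aliasObject))"
            f"(cn={escape_filter_value(login)}))")


def resolve_login(directory, login: str) -> list[str]:
    """Return the distinct real DNs whose CN matches `login`, dereferencing aliases.

    CN matching is exact and case-insensitive, as LDAP's caseIgnoreMatch is.
    An alias and the object it points at count once, so the alias OU does not
    make a unique user look ambiguous.
    """
    hits = set()
    for entry in directory:
        if entry["cn"].lower() != login.lower():
            continue
        if entry["objectClass"] == "aliasObject":
            hits.add(entry["aliasedObjectName"])
        else:
            hits.add(entry["dn"])
    return sorted(hits)


def resolution_status(directory, login: str) -> tuple[str, list[str]]:
    """Classify what a non-interactive lookup could do with this login name."""
    dns = resolve_login(directory, login)
    if not dns:
        return ("not_found", dns)
    if len(dns) == 1:
        return ("unique", dns)
    # More than one real object: only an interactive prompt could pick a context.
    return ("ambiguous", dns)


def duplicate_logins(directory) -> dict[str, list[str]]:
    """Pre-flight check: CNs held by more than one real (non-alias) user object."""
    by_cn = defaultdict(list)
    for entry in directory:
        if entry["objectClass"] != "aliasObject":
            by_cn[entry["cn"].lower()].append(entry["dn"])
    return {cn: sorted(dns) for cn, dns in by_cn.items() if len(dns) > 1}


if __name__ == "__main__":
    for name in ("akhan", "jsmith", "nobody", "a*b(c)"):
        print(name, "->", build_filter(name), resolution_status(DIRECTORY, name))
    print("duplicate CNs:", duplicate_logins(DIRECTORY))
```

Against a live tree the same filter would go out with `ldapsearch -s sub -b <tree root>`; the point the simulation makes is that contextless login is only deterministic when `duplicate_logins` comes back empty, and that alias entries must be dereferenced rather than counted as a second match.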