www.novell.com/documentation Troubleshooting Guide eDirectory 8.
Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc.
Contents
About This Book 9
1 Resolving Error Codes 11
2 Installation and Configuration 13
2.1 Installation 13
2.1.1 Fatal Error Occurs in Schema Sync When Installing a Second eDirectory Server into the Tree on a SLES 11 Machine 13
2.1.
5 Troubleshooting LDIF Files
5.1 Understanding LDIF 27
5.1.1 LDIF File Format 27
5.1.2 LDIF Content Records 28
5.1.3 LDIF Change Records
9.4 Troubleshooting Tips 56
9.4.1 Solutions 57
9.4.2 Previous Practices 58
10 Migrating to Novell eDirectory
10.
16.5 ndsbackup Utility 78
16.6 Using DSRepair 79
16.6.1 Syntax 79
16.6.2 Troubleshooting DSRepair
Enabling Event System Statistics 114
Tracking Memory Corruption Issues on Linux 114
TCP Connection not Terminating after Abnormal Logout
Novell eDirectory 8.
About This Book This Troubleshooting Guide describes how to resolve Novell eDirectory 8.
Documentation Updates
For the most recent version of the Novell eDirectory 8.8 SP7 Troubleshooting Guide, see the NetIQ eDirectory 8.8 online documentation (https://www.netiq.com/documentation/edir887/index.html) Web site.
Additional Documentation
For documentation on managing and administering eDirectory, see the Novell eDirectory 8.8 SP7 Administration Guide (https://www.netiq.com/documentation/edir887/edir88/data/front.html).
1 Resolving Error Codes
For a complete list and explanation of eDirectory error codes, see the Novell Error Codes Web page (http://www.novell.com/documentation/nwec/).
2 Installation and Configuration
Section 2.1, “Installation,” on page 13
Section 2.2, “Configuration,” on page 15
Section 2.3, “Upgrade,” on page 17
Section 2.4, “Multiple Instances,” on page 19
2.1 Installation
This section discusses various problems you may encounter during the eDirectory 8.8 installation along with troubleshooting tips.
Section 2.1.1, “Fatal Error Occurs in Schema Sync When Installing a Second eDirectory Server into the Tree on a SLES 11 Machine,” on page 13
Section 2.
If the -632: Error description System failure error message appears during installation, exit from the installation process. Set the n4u.base.slp.max-wait parameter to a larger value, such as 50, in the /etc/opt/novell/eDirectory/conf/nds.conf file, then restart the installation process.
During installation, if the Tree Name Not Found error message is displayed, do the following:
1 Check whether multicast routing is enabled on the Solaris host that you are installing the product on.
2.1.7 NICI Does Not Get Installed in the Server Mode on Windows
In the Properties dialog box of the NICIFK file there is a tab called Security. If there are no names in the Group or user names field, this issue occurs. To work around this problem, do the following:
1 Remove the NICIFK file. This file is present in C:/Windows/system32/novell/nici if the system root is C:/Windows/system32. If the system root is F:/Windows/system32, the file is present in F:/Windows/system32/novell/nici.
To work around this, select only one interface that eDirectory can communicate on; do not select the loopback interface during the install.
2.2.2 Tree Name Lookup Failed: -632 Error While Configuring eDirectory 8.8 on Linux
While configuring eDirectory 8.8 on Linux, you might get the Tree name lookup failed: -632 error. To resolve this, perform the following steps:
1 After installing the SLP package, ensure that you manually start SLP as follows: /etc/init.
2.3 Upgrade Section 2.3.1, “The Integrated Installer Fails to Upgrade on Windows 2003,” on page 17 Section 2.3.2, “Upgrade Fails from Prior Versions of eDirectory 8.7.3 SP9 to eDirectory 8.8 SP7,” on page 17 Section 2.3.3, “Upgrade Fails if the Mount Point Is Set to /var/opt/novell/eDirectory/data,” on page 18 Section 2.3.4, “Upgrading eDirectory After Applying a Patch Does Not Remove the Patch Version on a Windows System,” on page 19 2.3.
/etc/init.d/ndsd stop
2 Remove NICI.
pkgrm NOVLniu0
3 Install NICI shipped with eDirectory 8.8 SP7.
pkgadd -d NOVLniu0.pkg
4 Start eDirectory.
/etc/init.d/ndsd start
5 Run nds-install from the eDirectory 8.8 SP7 package.
While shutting down the eDirectory 8.7.3.x server with the latest NICI, ndsd sometimes dumps the core in the DIB directory of eDirectory. You can ignore it because it does not corrupt data or disrupt services.
AIX
1 Stop eDirectory.
/etc/ndsd stop
2 Remove NICI.
Perform the following:
1. Create the /var/opt/novell/eDirectory/data_upg_bak directory.
2. Move the files from /var/opt/novell/eDirectory/data to /var/opt/novell/eDirectory/data_upg_bak.
IMPORTANT: Keep the /var/opt/novell/eDirectory/data directory empty to ensure a smooth upgrade.
2.3.
2.4.2 eDirectory Does Not Listen on All the Configured Interfaces Ensure that all the interfaces on which eDirectory is configured are up and connected. 2.4.3 ndsd Falls Back to Default Port if the Interface Specified is Incorrect When using ndsconfig new or ndsmanage to create a second instance of the directory, if the interface specified is incorrect, nds tries to use the default interface.
3 Determining the eDirectory Version Number
The following sections list ways you can determine the version of eDirectory installed on a server:
Section 3.1, “Windows,” on page 21
Section 3.2, “Linux,” on page 21
Section 3.3, “Solaris,” on page 22
Section 3.4, “AIX,” on page 23
3.1 Windows
Run iMonitor. On the Agent Summary page, click Known Servers. Then under Servers Known to Database, click Known Servers. The Agent Revision column displays the internal build number for each server.
The ndsstat utility displays information related to eDirectory servers, such as the eDirectory tree name, the fully distinguished server name, and the eDirectory version. In the following example, eDirectory 8.7.1 is the product version (marketing string), and 10510.65 is the binary version (internal build number).
osg-dt-srv17:/>ndsstat
Tree Name: SNMP-HPUX-RASH
Server Name: .CN=osg-dt-srv17.O=novell.T=SNMP-HPUX-RASH.
Binary Version: 10510.
On the Agent Summary page, click Known Servers. Then under Servers Known to Database, click Known Servers. The Agent Revision column displays the internal build number for each server. For example, an Agent Revision number for Novell eDirectory 8.7.1 might be 10510.64. For information on running iMonitor, see “Accessing iMonitor” in the Novell eDirectory 8.8 SP7 Administration Guide. Run pkginfo -l NDSserv. Entering this command will display similar information to ndsd --version. 3.4 AIX Run ndsstat.
4 Log Files 4 This section contains information on the following log files: Section 4.1, “modschema.log,” on page 25 Section 4.2, “dsinstall.log,” on page 25 Section 4.3, “ndsd.log,” on page 25 4.1 modschema.log The modschema.log file contains the results of all schema extensions that are applied when an eDirectory server is installed into an existing tree. Each line of the log states which class or attribute is being added or modified and gives the status of the modification attempt.
5 Troubleshooting LDIF Files 5 The Novell Import Conversion Export utility lets you easily import LDIF files into and export LDIF files from eDirectory. For more information, see “Novell Import Conversion Export Utility” in the Novell eDirectory 8.8 SP7 Administration Guide. In order for an LDIF import to work properly, you must start with an LDIF file that the Novell Import Conversion Export utility can read and process.
5.1.2 LDIF Content Records An LDIF content record represents the contents of an entire entry.
Component: Record Delimiters
Description: Blank lines (lines 5, 10, 15, and 26 in the example above) are used as record delimiters. Every record in an LDIF file, including the last record, must be terminated with a record delimiter (one or more blank lines). Although some implementations silently accept an LDIF file without a terminating record delimiter, the LDIF specification requires it.
Component: Attribute Value Specifier
Description: All other lines in a content record are attribute value specifiers.
version: 1
dn: c=US
changetype: add
objectClass: top
objectClass: country

dn: l=San Francisco, c=US
changetype: add
objectClass: top
objectClass: locality
st: San Francisco

dn: ou=Artists, l=San Francisco, c=US
changetype: add
objectClass: top
objectClass: organizationalUnit
telephoneNumber: +1 415 555 0000

dn: cn=Peter Michaels, ou=Artists, l=San Francisco, c=US
changetype: add
sn: Michaels
givenname: Peter
objectClass: top
o
Element Description add: attribute type A keyword indicating that subsequent attribute value specifiers for the attribute type should be added to the entry. delete: attribute type A keyword indicating that values of the attribute type are to be deleted. If attribute value specifiers follow the delete field, the values given are deleted. If no attribute value specifiers follow the delete field, then all values are deleted.
description: guitar player
description: solo performer
-
# Delete a specific value from the telephonenumber
# attribute.
delete: telephonenumber
telephonenumber: +1 415 555 0001
-
# Replace the existing title attribute with an empty
# set of values, thereby causing the title attribute to
# be removed.
replace: title
-
The Modify DN Change Type
The modify DN change type lets you rename an entry, move it, or both.
version: 1
# Rename ou=Artists to ou=West Coast Artists, and leave
# its old RDN value.
dn: ou=Artists,l=San Francisco,c=US
changetype: moddn
newrdn: ou=West Coast Artists
deleteoldrdn: 1

The following is an example of a modify DN change type that shows how to move an entry:
version: 1
# Move cn=Peter Michaels from
# ou=Artists,l=San Francisco,c=US to
# ou=Promotion,l=New York,c=US and delete the old RDN.
version: 1
dn: cn=Peter Michaels, ou=Artists, l=San Francisco, c=US
sn: Michaels
givenname: Peter
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: iNetOrgPerson
telephonenumber: +1 415 555 0001
mail: Peter.Michaels@aaa.com
userpassword: Peter123
description: Peter is one of the most popular music
 ians recording on our label. He's a big concert dr
 aw, and his fans adore him.
5.2.1 Enabling Forward References You might occasionally encounter LDIF files in which a record to add one entry comes before a record to add its parents. When this happens, an error is generated because the new entry’s parent does not exist when the LDAP server attempts to add the entry. To solve this problem, simply enable the use of forward references.
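The LDIF rules above (blank-line record delimiters, space-prefixed continuation lines, comment lines, base64 values) and the forward-reference problem just described, as an added example that is not part of the Novell documentation: a small Python reader that unfolds and splits an LDIF file, then lists the add records whose parent entry is added only later in the same file. The sample LDIF is constructed; DN handling ignores escaped commas and the `attr:< url` value form.

```python
"""Minimal LDIF reader with line unfolding and a forward-reference check.

Added example, not part of the Novell documentation. Implements the rules
described above: blank lines delimit records, a line beginning with a space
continues the previous line, '#' lines are comments, and 'attr:: value'
carries a base64-encoded value. It then reports 'add' records that appear
before the record adding their parent entry, which is the case that needs
the -F (forward references) option when importing with ICE.
"""
import base64
from typing import Dict, List, Tuple

# Constructed sample: ou=Promotion is added before its parent l=New York,
# and one description is folded across lines as the LDIF format allows.
SAMPLE_LDIF = """version: 1
dn: c=US
changetype: add
objectClass: top
objectClass: country

dn: ou=Promotion, l=New York, c=US
changetype: add
objectClass: top
objectClass: organizationalUnit
description: Peter is one of the most popular music
 ians recording on our label.

dn: l=New York, c=US
changetype: add
objectClass: top
objectClass: locality
st:: TmV3IFlvcms=

"""

Record = List[Tuple[str, str]]   # ordered (attribute, value) pairs


def unfold(text: str) -> List[str]:
    """Join continuation lines (leading space) onto the preceding line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Record]:
    """Split unfolded LDIF into records, decoding base64 ('::') values."""
    records: List[Record] = []
    current: Record = []
    for line in unfold(text) + [""]:       # sentinel acts as final delimiter
        if line == "":                     # record delimiter
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):           # comment line
            continue
        if line.startswith("version:") and not current:
            continue                       # file header, not part of a record
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute value specifier: {line!r}")
        if value.startswith(":"):          # 'attr:: base64value'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.append((attr.strip(), value))
    return records


def normalize_dn(dn: str) -> str:
    """Lower-case and strip spaces around RDN separators (escaped commas ignored)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parent_dn(dn: str) -> str:
    """Drop the leftmost RDN; a single-RDN DN has no parent in the file."""
    parts = normalize_dn(dn).split(",", 1)
    return parts[1] if len(parts) == 2 else ""


def forward_references(records: List[Record]) -> List[str]:
    """DNs of 'add' records whose parent is added later in the same file.

    Entries whose parent is never added are assumed to exist already in the
    directory and are not reported.
    """
    added_at: Dict[str, int] = {}
    for index, rec in enumerate(records):
        fields = dict(rec)                 # dn/changetype are single-valued
        if "dn" in fields and fields.get("changetype", "add") == "add":
            added_at.setdefault(normalize_dn(fields["dn"]), index)
    return [dn for dn, index in added_at.items()
            if parent_dn(dn) in added_at and added_at[parent_dn(dn)] > index]


if __name__ == "__main__":
    for dn in forward_references(parse_ldif(SAMPLE_LDIF)):
        print("forward reference (parent added later):", dn)
```

Reordering the flagged records so each parent precedes its children, or importing with the -F option as described above, avoids the error.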
Option: Server DNS name/IP address
Description: DNS name or IP address of the destination LDAP server
Option: Port
Description: Integer port number of the destination LDAP server
Option: DER File
Description: Name of the DER file containing a server key used for SSL authentication
Option: Login method
Description: Authenticated Login or Anonymous Login (for the entry specified in the User DN field)
Option: User DN
Description: Distinguished name of the entry that should be used when binding to the server-specified bind operation
Option: Password
Description: Password attribute of the entry specified
Option: Filter
Description: RFC 2254-compliant search filter. The default is objectclass=*.
Option: Attributes
Description: Attributes you want returned for each search entry
9 Click Next.
10 Specify the LDAP server where the data will be migrated.
11 Click Next, then click Finish.
NOTE: Ensure that the schema is consistent across LDAP Services.
Using the Novell Import Conversion Export Utility Command Line Interface
To enable forward references in the command line interface, use the -F LDAP destination handler option.
Using the Novell Import Conversion Export Utility Command Line Interface To configure error log options in the command line utility, use the -l general option. For more information, see “General Options” in the Novell eDirectory 8.8 SP7 Administration Guide. 5.2.4 Using LDAP SDK Debugging Flags To understand some LDIF problems, you might need to see how the LDAP client SDK is functioning. You can set the following debugging flags for the LDAP source handler, the LDAP destination handler, or both.
NDSObjectClassDescription = "(" whsp
    numericoid whsp
    [ "NAME" qdescrs ]
    [ "DESC" qdstring ]
    [ "OBSOLETE" whsp ]
    [ "SUP" oids ]
    [ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" ) whsp ]
    [ "MUST" oids ]
    [ "MAY" oids ]
    [ "X-NDS_NOT_CONTAINER" qdstrings ]
    [ "X-NDS_NONREMOVABLE" qdstrings ]
    [ "X-NDS_CONTAINMENT" qdstrings ]
    [ "X-NDS_NAMING" qdstrings ]
    [ "X-NDS_NAME" qdstrings ]
    whsp ")"
The following example LDIF file adds the person objectClass to the schema:
version: 1
dn: cn=schema
ch
NDSAttributeTypeDescription = "(" whsp
    numericoid whsp                ; AttributeType identifier
    [ "NAME" qdescrs ]             ; name used in AttributeType
    [ "DESC" qdstring ]            ; description
    [ "OBSOLETE" whsp ]
    [ "SUP" woid ]                 ; derived from this other AttributeType
    [ "EQUALITY" woid ]            ; Matching Rule name
    [ "ORDERING" woid ]            ; Matching Rule name
    [ "SUBSTR" woid ]              ; Matching Rule name
    [ "SYNTAX" whsp noidlen whsp ] ; Syntax OID
    [ "SINGLE-VALUE" whsp ]        ; default multi-valued
    [ "COLLECTIVE" whsp ]          ; default not collective
    [ "NO-USER-MODIF
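The two grammars above, as an added example that is not part of the Novell documentation: a Python parser that turns an NDSObjectClassDescription or NDSAttributeTypeDescription string into a dictionary (OID, NAME, SUP, MUST, MAY, X-NDS_* extensions and flag keywords), plus a helper that shows what a redefinition under the same OID adds to the MUST/MAY lists. The sample definitions are constructed and are not Novell's schema text.

```python
"""Parser for the eDirectory schema description syntax shown above.

Added example, not part of the Novell documentation. It tokenizes the
parenthesised NDSObjectClassDescription / NDSAttributeTypeDescription
form, collects keyword values (quoted strings, bare OIDs or names, and
'( a $ b )' lists) and flag keywords, and offers a helper that shows what
an extended definition adds to the MUST/MAY lists of the original one.
"""
import re
from typing import Dict, List, Tuple, Union

# Keywords that take no value in the grammars above.
FLAGS = {"OBSOLETE", "ABSTRACT", "STRUCTURAL", "AUXILIARY",
         "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}
# Keywords whose value is always kept as a list (oids / qdescrs / qdstrings).
LIST_KEYWORDS = {"NAME", "SUP", "MUST", "MAY"}

# Tokens: parentheses, '$' separators, single-quoted strings, bare words.
TOKEN_RE = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")

Value = Union[bool, str, List[str]]

# Constructed samples in the syntax above (not Novell's actual schema text).
SAMPLE_CLASS = (
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL "
    "MUST ( sn $ cn ) MAY ( description $ telephoneNumber ) "
    "X-NDS_NAMING ( 'cn' ) X-NDS_NOT_CONTAINER '1' )"
)
SAMPLE_EXTENDED_CLASS = (
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL "
    "MUST ( sn $ cn ) MAY ( description $ telephoneNumber $ bearHair ) "
    "X-NDS_NAMING ( 'cn' ) X-NDS_NOT_CONTAINER '1' )"
)
SAMPLE_ATTRIBUTE = (
    "( 2.5.4.4 NAME 'sn' DESC 'surname' SUP name EQUALITY caseIgnoreMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE )"
)


def tokenize(text: str) -> List[str]:
    return TOKEN_RE.findall(text)


def _read_value(tokens: List[str], pos: int) -> Tuple[Value, int]:
    """Read one value starting at pos: a '( ... )' list or a single token."""
    if tokens[pos] == "(":
        items: List[str] = []
        pos += 1
        while tokens[pos] != ")":
            if tokens[pos] != "$":
                items.append(tokens[pos].strip("'"))
            pos += 1
        return items, pos + 1
    return tokens[pos].strip("'"), pos + 1


def parse_description(text: str) -> Dict[str, Value]:
    """Return {'oid': ..., 'NAME': [...], 'MUST': [...], 'STRUCTURAL': True, ...}."""
    tokens = tokenize(text)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("description must be '( numericoid ... )'")
    result: Dict[str, Value] = {"oid": tokens[1]}
    pos = 2
    while pos < len(tokens) - 1:           # stop before the closing ')'
        keyword = tokens[pos]
        if keyword in FLAGS:
            result[keyword] = True
            pos += 1
            continue
        value, pos = _read_value(tokens, pos + 1)
        if keyword in LIST_KEYWORDS or keyword.startswith("X-NDS_"):
            value = [value] if isinstance(value, str) else value
        result[keyword] = value
    return result


def class_kind(desc: Dict[str, Value]) -> str:
    """ABSTRACT / STRUCTURAL / AUXILIARY; STRUCTURAL when none is given (RFC 4512 default)."""
    for kind in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
        if desc.get(kind):
            return kind
    return "STRUCTURAL"


def extension_delta(original: Dict[str, Value],
                    extended: Dict[str, Value]) -> Dict[str, List[str]]:
    """Attributes that a redefinition under the same OID adds to MUST and MAY."""
    if original["oid"] != extended["oid"]:
        raise ValueError("definitions describe different OIDs")
    return {key: sorted(set(extended.get(key, [])) - set(original.get(key, [])))
            for key in ("MUST", "MAY")}
```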
Adding an Optional Attribute to an Existing Object Class Although adding new schema elements is an acceptable practice, modifying or extending existing schema elements is usually dangerous. Because every schema element is uniquely identified by an OID, when you extend a standard schema element, you effectively create a second definition for the element even though it still uses the original OID. This can cause incompatibility problems. There are times when it is appropriate to change schema elements.
# now create a person named john that will later be changed
# into a bear when bearFeatures is added to its objectClass
# list
dn: cn=john,o=bearcave
changetype: add
cn: John
sn: bear
givenName: john
objectClass: top
objectClass: person
objectClass: inetOrgPerson

# now morph john into a bear by adding bearFeatures
dn: cn=john,o=bearcave
changetype: modify
add: objectClass
objectClass: bearFeatures
-
add: bearHair
bearHair: long
bearHair: black
#bearPicture:< file:///c:/tmp/john.
6 Troubleshooting SNMP 6 This section includes information for troubleshooting SNMP on all platforms. Section 6.1, “Traps Might Not Get Generated As Expected,” on page 45 Section 6.2, “SNMP Group Object,” on page 46 Section 6.3, “SNMP Initializing Errors,” on page 46 Section 6.4, “SNMP Subagent Does Not Start,” on page 46 Section 6.6, “SNMP Issues,” on page 46 Section 6.7, “SNMP Walk Hangs on Solaris Platform,” on page 48 6.
6.2 SNMP Group Object
If the installation of the SNMP Group object fails, you can rectify this problem by executing the following command on the server console:
ndsconfig add -m snmp
6.3 SNMP Initializing Errors
eDirectory SNMP initialization component. Error code: -255
or
Initialization failure. Error code: -255
The possible cause is that you have not specified hostname:port or IP_address:port as a parameter to the SERVER command in the eDirectory SNMP configuration file.
6.6.1 Issues After Upgrading from eDirectory 8.7.3 to eDirectory 8.8
After upgrading from eDirectory 8.7.3 to eDirectory 8.8, you might get the following error:
%%% Attempting to restart the Novell eDirectory SNMP subagent (ndssnmpsa)...
Starting NDS SNMP Subagent ...
Initialization failure. Error code : -255
Please Wait... Done
%%% Unable to start ndssnmpsa... Please try starting it manually...
This error occurs because with eDirectory 8.8, eDirectory does not listen on the localhost.
Error: eDirectory SNMP Initialization component. Error code: -168
Error: eDirectory SNMP Initialization component. Error code: 9
To resolve this, unload and load ndssnmp using the following commands:
/opt/novell/eDirectory/bin/ndssnmp -u
/opt/novell/eDirectory/bin/ndssnmp -l
6.6.5 Errors While Stopping ndssnmpsa
When ndssnmpsa is stopped on SLES 9, an error message similar to "*** glibc detected *** double free or corruption (!prev): 0x0819cdd0 ***" is displayed on the screen.
7 iMonitor 7 Section 7.1, “Browsing for Objects Containing Double-Byte Characters in iMonitor,” on page 49 Section 7.2, “Agent Health Check on a Single-Server Tree,” on page 49 Section 7.3, “iMonitor Report Does Not Save the Records for Each Hour,” on page 50 Section 7.4, “Creation and Modification Time Stamps,” on page 50 Section 7.5, “iMonitor Issues in Older Versions of Mozilla,” on page 50 Section 7.6, “Run Report Screen Layout Not Aligned on iMonitor,” on page 50 Section 7.
7.3 iMonitor Report Does Not Save the Records for Each Hour The custom reports feature in iMonitor is designed to place the URL specified by the user into the saved report (the saved HTML file) when the custom report is created. That means that when you open a saved custom report that has been run, you see the live (current) data instead of the data captured by the URL at the time the custom report is run. This issue will be resolved in a future release of iMonitor. 7.
8 iManager 8 Section 8.1, “LDAP Operations Fail After Creating a New LDAP Group Using Quick Create,” on page 51 Section 8.2, “Issues While Backing Up on Red Hat EUC in the Japanese Locale,” on page 51 8.1 LDAP Operations Fail After Creating a New LDAP Group Using Quick Create Quick Create only creates an LDAP group object with dummy attributes that you can later modify. It creates the LDAP Group object with version one instead of nine.
9 Obituaries
There has been a great deal of confusion surrounding obituaries stored in the directory and, as a result, some people have developed poor business practices to deal with them. Unlike some directory products, Novell eDirectory ensures referential integrity between objects. For example, if Group A has a member, User B, and User B is deleted, the directory automatically removes the reference to User B from Group A.
removed after the Primary obituary is ready to be removed or, in the case of Inhibit_move, the Tracking obituary is removed after the Primary obituary has moved to the OBF_NOTIFIED state on the master replica. The replica responsible for processing obituaries does so on a background process (the Obituary Process), which is scheduled on a per-partition basis after a given partition finishes an inbound synchronization cycle.
If the obituary is a Back Link obituary and this server is the master, then this server is responsible for processing this obituary. IMPORTANT: Perform the required operation for this state if it has not been done. Most often, this is done by notifying an external reference.
This server can communicate with all other servers. There have not been any servers improperly or incompletely removed from the tree. The Health subreport will indicate if any partitions are not within tolerance for the replication sync times. If you are using iMonitor 1.5, select the Errors report option. The following items will be verified. You should browse the report and make sure that there are no errors. The agent version is displayed.
Examine the Agent Process Status: Obituaries to look for any errors. Common problems in Agent Process Status: Obituaries include:
-625, -622, -634, and -635: communication problems. See Server Information Report for more details.
-601 and -603: servers that have been improperly removed, or a Server object that might have a base class of Unknown.
Errors shown on this page are not fatal. The next time the obituary process runs for that partition, it will retry the operation.
9.4.2 Previous Practices In the past, several different strategies have been employed to resolve stuck obituaries. Some of these strategies involve expensive partitioning operations, or the use of undocumented features that might cause problems in the future. The first strategy was to switch which replica held the master. This would work in some cases because the master is the agent responsible for moving the Back Link obituaries through their various states.
10 Migrating to Novell eDirectory 10 This chapter explains the process to migrate to Novell eDirectory from: Section 10.1, “Migrating the Sun ONE Schema to Novell eDirectory,” on page 59 Section 10.2, “Migrating the Active Directory Schema to Novell eDirectory Using ICE,” on page 62 10.
Thus, records that contain any reference to these objects or that try to modify these definitions need to be commented out in the LDIF error file (err.ldf in the example). Some objectClass definitions in Sun ONE do not have naming attributes. Adding these objectClasses would result in the following error in eDirectory:
LDAP error : 80 (NDS error: ambiguous naming (-651)
This error occurs because Sun ONE does not use the same method for determining naming rules as eDirectory.
add: objectclasses
objectclasses: (2.5.6.0 NAME 'top' STRUCTURAL MAY cn)
Use the following Novell Import Conversion Export command line:
ice -SLDIF -f LDIF_file_name -DLDAP -s eDirectory_server -p eDirectory_port -d eDirectory_Admin_DN -w eDirectory_password
For example:
ice -SLDIF -f topsch.ldf -DLDAP -s edir_srv2 -p edir_port2 -d cn=admin,o=org -w pwd1
Method 2:
1. In Novell iManager, click the Roles and Tasks button.
2. Click Schema > Add Attribute.
3.
10.2 Migrating the Active Directory Schema to Novell eDirectory Using ICE While migrating schema from Active Directory to Novell eDirectory using ICE, schema migration for the Computer objectClass fails with an ambiguous naming error (-651) error. To resolve this, complete the following steps: “Step 1: Perform the Schema Cache Update Operation” on page 59 “Step 2: Rectify the Error LDIF File to Eliminate the Errors” on page 59 “Step 3: Import the LDIF File” on page 61 10.2.
delete: objectclasses
objectclasses: ( 2.16.840.1.113719.1.1.6.1.4 NAME 'computer' )
-
add: objectclasses
objectclasses: ( 2.16.840.1.113719.1.1.6.1.
Step 1: Perform the Schema Cache Update Operation
You can write the errors encountered while comparing the schema to an error file using the following command:
ice -e error_file -C -a -S ldap -s OpenLDAP_server -p Open_LDAP_port -D ldap -s eDirectory_server -p eDirectory_port -d eDirectory_full_admin_context -w eDirectory_password
For example:
ice -e err.
Changes in /etc/ldap.conf File
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=admin,o=acme
...
# The credentials to bind with.
# Optional: default is no credential.
bindpw secret
...
# The search scope.
scope sub
...
# Filter to AND with uid=%s
pam_filter objectclass=inetorgperson
...
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
pam_password nds
...
ssl off
...
11 Schema
This section includes information for troubleshooting schema.
Troubleshooting Schema
When an auxiliary class is disassociated from an object, the value is not immediately deleted; it is marked as not present. The auxiliary class remains associated with the entry until the DRL process cleans up these values during the actual object validation. Because the DRL is a resource-consuming background process, other operations are slow during this cleanup.
12 DSRepair 12 Section 12.1, “Running DSRepair on an NFS Mounted DIB on Linux,” on page 69 Section 12.2, “Running DSRepair with -R Option Hangs,” on page 69 Section 12.3, “Running DSRepair after Upgrade or Migration,” on page 69 12.1 Running DSRepair on an NFS Mounted DIB on Linux You might get -732 or -6009 errors while trying to run the ndsrepair (DSRepair) operations on an NFS-mounted DIB on Linux systems. 12.
13 Replication 13 eDirectory offers the Novell robust directory service and the fault tolerance inherent in replication. Replication allows you to keep copies of the eDirectory database, or portions of it, on multiple servers at once. Recovering from eDirectory Replica Problems You should always keep multiple replicas of eDirectory partitions.
14 Clone DIB Issues 14 Section 14.1, “Clone DIB Fails With -601 and -603 Errors,” on page 73 Section 14.2, “Clone DIB Can Fail Immediately After Offline Bulkload,” on page 73 Section 14.3, “Issue in Cloning with Enabled Encrypted Replication Feature,” on page 73 14.
15 Novell Public Key Infrastructure Services 15 Section 15.1, “PKI Operations Not Working,” on page 75 Section 15.2, “LDAP Search from Netscape Address Book Fails,” on page 75 Section 15.3, “Removing the configuration of an eDirectory server that is acting as a treekey server in a multiserver tree after having moved the existing eDirectory objects to a different server fails with the error code for Crucial Replica.,” on page 75 Section 15.
3 Specify the name and context of the W0 object (usually W0.KAP.Security), then click OK. 4 In the Valued Attributes column, select NDSPKI:SD Key Server DN, then click Edit. 5 Specify the name and context of a different server in the Security Domain Key Server's DN field, then click OK. 6 Click Apply, then click OK. 15.
16 Troubleshooting Utilities on Linux and UNIX 16 Section 16.1, “Novell Import Convert Export Utility,” on page 77 Section 16.2, “ndsconfig Utility,” on page 77 Section 16.3, “ndsmerge Utility,” on page 78 Section 16.4, “DSTrace Utility,” on page 78 Section 16.5, “ndsbackup Utility,” on page 78 Section 16.6, “Using DSRepair,” on page 79 Section 16.7, “Using DSTrace,” on page 85 16.
16.2.2 ndsconfig Does Not Verify an Invalid Configuration File Path To create the necessary configuration file, ndsconfig requires the full path and the configuration filename. When the same path name is passed for both the configuration file and the instance directory, ndsconfig cannot create the configuration file and aborts the operation. 16.2.
16.6 Using DSRepair This section consists of the following: “Syntax” on page 79 Section 16.6.2, “Troubleshooting DSRepair,” on page 85 Use the DSRepair utility at the server console to do the following: Correct eDirectory problems such as bad records, schema mismatches, bad server addresses, and external references. Make advanced changes to the eDirectory schema.
Option: -S
Description: Global Schema Operations option. This option contains several schema operations that might be necessary to bring the server's schema into compliance with the master of the Tree object. However, these operations should be used only when necessary. The local and unattended repair operations already verify the schema.
Option: -C
Description: Check External Reference Object option. Checks each external reference object to determine if a replica containing the object can be located.
Function Modifiers Used with the -R Option
-l Locks the eDirectory database during the repair operation.
-u Uses a temporary eDirectory database during the repair operation.
-m Maintains the original unrepaired database.
-i Checks the eDirectory database structure and the index.
-f Reclaims the free space in the database.
-d Rebuilds the entire database.
-t Performs a tree structure check.
Option Description Import Remote Schema (Advanced Switch Option) Select an eDirectory tree that contains the schema you want to add to the schema of the current tree. After you select a tree, the server that holds the master replica of the Tree partition is contacted. The schema from that server will be used to extend the schema on the current tree.
Synchronize the Replica on All Servers Determines the complete synchronization status on every server that has a replica of the selected partition. This helps you determine the health of a partition. If all of the servers with a replica of the partition are synchronizing properly, then the partition is considered healthy. Each server performs an immediate synchronization to every other server in the replica ring. Servers do not synchronize to themselves.
View Entire Server's Name Used to view the complete server name when the width of the server name is too long to view from within the server table. Remove This Server from Replica Ring (Advanced switch option.) Removes a selected server from the selected replica stored on the current server. If a server appears in the replica ring but it is no longer part of the eDirectory tree or no longer contains a replica of the partition, delete the Server object using iManager.
View Entire Server’s Name Displays the complete name of the server when the width of the server name is too great to view from within the server's table. This option is the same as the -P option. For more information, see “-P” on page 79.
Examples
To perform an unattended repair and log events in the /root/ndsrepair.log file, or to append events to the log file if it already exists, enter the following command:
ndsrepair -U -A no -F /root/ndsrepair.
16.7.1 Basic Functions The basic functions of DSTrace are to: View internal eDirectory activity and debugging messages in Linux, Solaris, or AIX. Initiate limited synchronization processes. You can use the DSTrace utility in either UI mode or command line mode. By default, DSTrace runs in UI mode.
set ndstrace = +SYNC     Enables the synchronization messages.
set ndstrace = -SYNC     Disables the synchronization messages.
set ndstrace = +SCHEMA   Enables the schema messages.
You can also combine the debugging message flags by using the Boolean operators & (which means AND) and | (which means OR).
Trace Flag   Description

INSP
    Messages related to the integrity of objects in the source server's local database. This flag increases the load on the source server's disk storage system, memory, and processor; do not leave it enabled unless objects are being corrupted.
JNTR
    Messages related to the following background processes: janitor, replica synchronization, and flat cleaner.
LDAP
    Messages related to the LDAP server.
LMBR
    Messages related to the limber process.
TVEC
    Messages related to the following attributes: Synchronize Up To, Replica Up To, and Transitive Vector.
VCLN
    Messages related to the establishment or deletion of connections with other servers.

As you use the debugging messages in DSTrace, you will find that some of the trace flags are more useful than others. One of the favorite DSTrace settings of Novell Support is actually a shortcut:

    set ndstrace = A81164B91

This setting enables a group of debugging messages. 16.7.
Trace Flag   Parameters   Description

*CTD (no parameters)
    Displays, in comma-delimited format, the source server's outbound connection table and the current statistics for that table. These statistics say nothing about inbound connections from other servers or clients to the source server.
*D (replica root entry ID)
    Removes the specified local entry ID from the source server's Send All Object list.
*FL (1-10)
    Sets the number of rolling log files used by DSTrace. If you set this parameter to any value greater than 1, then once the source server's ndstrace.log file reaches the configured maximum file size, DSTrace renames it ndstrace1.log and creates a new ndstrace.log file. When that file in turn reaches the maximum size, the existing ndstrace1.log is renamed ndstrace2.log and the newer ndstrace.log is renamed ndstrace1.log, so the highest-numbered file is always the oldest.
*M (bytes)
    Changes the maximum file size of the source server's ndstrace.log file. The command can be used regardless of the state of the debug file. The value must be a decimal number between 10000 bytes and 100 MB; a value outside that range is ignored and no change occurs.
!M (no parameters)
    Reports the maximum memory used by eDirectory.
!N (0|1)
    Sets the name form.
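The *FL and *M descriptions above define a small rotation scheme: a fixed number of files, a size ceiling that is only accepted inside 10000 bytes to 100 MB, and a rename chain in which ndstrace.log becomes ndstrace1.log and older files move to higher numbers. The following Python is an added example, not DSTrace's own code, that reproduces exactly that behaviour so you can see which file holds which lines after several rollovers. The file names and limits come from the text; the TraceLog class, its method names, and the behaviour with a single file (a full file is simply discarded) are assumptions made for this example.

```python
"""Rolling trace log with the *FL / *M semantics described for DSTrace.

Added example, not DSTrace itself: ndstrace.log is renamed ndstrace1.log when
it reaches the configured maximum size, older files shift to higher numbers,
the oldest is dropped, and a maximum size is accepted only inside
10000 bytes .. 100 MB.  Class and method names are assumptions.
"""
import os
import tempfile

MIN_SIZE = 10_000              # smallest value *M accepts, in bytes
MAX_SIZE = 100 * 1024 * 1024   # largest value *M accepts (100 MB)


class TraceLog:
    def __init__(self, directory, max_size=MIN_SIZE, file_count=1):
        self.directory = directory
        self.max_size = max_size
        self.file_count = file_count   # *FL value: 1 means no rolling

    def set_max_size(self, size_bytes):
        """*M: apply a new maximum only if it is inside the documented range.
        Returns True when applied, False when the value was ignored."""
        if not MIN_SIZE <= size_bytes <= MAX_SIZE:
            return False               # out of range: no change, as documented
        self.max_size = size_bytes
        return True

    def set_file_count(self, count):
        """*FL: number of rolling files (1-10).  Returns True when applied."""
        if not 1 <= count <= 10:
            return False
        self.file_count = count
        return True

    def _path(self, index):
        name = "ndstrace.log" if index == 0 else "ndstrace%d.log" % index
        return os.path.join(self.directory, name)

    def _roll(self):
        """Drop the oldest file, then shift every file up one index:
        ndstrace1.log -> ndstrace2.log, ..., ndstrace.log -> ndstrace1.log.
        With file_count == 1 this just discards the full file (assumption)."""
        last = self.file_count - 1
        if os.path.exists(self._path(last)):
            os.remove(self._path(last))
        for index in range(last - 1, -1, -1):
            if os.path.exists(self._path(index)):
                os.replace(self._path(index), self._path(index + 1))
        open(self._path(0), "w").close()   # the new, empty ndstrace.log

    def write(self, message):
        """Append one trace line, rolling once the file reaches max_size."""
        current = self._path(0)
        with open(current, "a", encoding="utf-8") as fh:
            fh.write(message.rstrip("\n") + "\n")
        if os.path.getsize(current) >= self.max_size:
            self._roll()

    def files(self):
        """Names of the existing log files, newest first."""
        return [os.path.basename(self._path(i))
                for i in range(self.file_count) if os.path.exists(self._path(i))]


def demo_rolling(total_lines=305, file_count=3, directory=None):
    """Write `total_lines` 100-byte lines and report, per file, the first line
    it holds and its line count.  Uses a fresh temporary directory by default."""
    directory = directory or tempfile.mkdtemp(prefix="ndstrace-")
    log = TraceLog(directory, file_count=file_count)
    log.set_max_size(10_000)
    for i in range(1, total_lines + 1):
        log.write(("line %04d" % i).ljust(99))   # 99 chars + newline = 100 bytes
    report = {}
    for name in log.files():
        with open(os.path.join(directory, name), encoding="utf-8") as fh:
            lines = fh.read().splitlines()
        report[name] = (lines[0].strip() if lines else "", len(lines))
    return report


if __name__ == "__main__":
    for name, (first, count) in demo_rolling().items():
        print("%-15s first=%-10s lines=%d" % (name, first, count))
```

With three files and 305 lines the report shows lines 301-305 in ndstrace.log, 201-300 in ndstrace1.log and 101-200 in ndstrace2.log; lines 1-100 were dropped at the third rollover, which is the point to remember when you size *FL and *M for a long trace session.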
*STS (no parameters)
    Displays the status information for the schema synchronization process on the source server.
*STO (no parameters)
    Displays the status information for the backlink process (obituaries) on the source server.
*STL (no parameters)
    Displays the status information for the limber process on the source server.
!T (time)
    Sets the interval (in minutes) for checking the server's UP state.
Novell eDirectory 8.
17 NMAS on Linux and UNIX

Section 17.1, "Unable to Log In Using Any Method," on page 95
Section 17.2, "The User Added Using the ICE Utility Is Unable to Log In Using Simple Password," on page 95

17.1 Unable to Log In Using Any Method

After installing and configuring NMAS, restart the eDirectory server. Likewise, after reinstalling a method that you had previously uninstalled, restart the eDirectory server. 17.
18 Troubleshooting on Windows

Section 18.1, "The eDirectory for Windows Server Won't Start," on page 97
Section 18.2, "The Windows Server Can't Open the eDirectory Database Files," on page 97
Section 18.3, "SLP_NETWORK_ERROR(-23) Occurs in Windows Machines," on page 98

18.1 The eDirectory for Windows Server Won't Start

If the eDirectory server fails to start when you boot the Windows server, a message notifies you that the service failed to start.
If there are other replicas, logging in might be slow, and you will see communication errors and synchronization errors on the servers holding those replicas. The database files might have been corrupted through disk errors on the NT/2000 server, or someone might have deleted one or more of the database files. If other replicas of the eDirectory database exist, complete the following steps:

1 Start Novell iManager from an administrative workstation.
2 Remove the corrupted replica from the replica ring.
    net.slp.isDA = true

3 Save the changes, then close the file.
19 Accessing HTTPSTK When DS Is Not Loaded

You can set up a preconfigured admin user that allows access to the HTTP Protocol Stack (HTTPSTK) when DS is not loaded. The preconfigured admin user, sadmin, has rights equivalent to the eDirectory Admin User object. If the server is in a state where eDirectory is not functioning correctly, you can log in to the server as this user and perform all the diagnostic and debugging tasks that do not require eDirectory. Because sadmin is Admin-equivalent and works even while the directory is down, protect its password as carefully as the Admin password. Section 19.
DHost remote management page

Use the DHost remote manager page (accessible through the /dhost URL or from the root page) to set the sadmin password. eDirectory must be running on the server in order for you to set or change the sadmin password.

1 Open a Web browser.
2 In the address (URL) field, enter the following:

    http://server.name:port/dhost

   for example:

    http://MyServer:80/dhost

   The password you set here is Admin-equivalent, so prefer the HTTPSTK's HTTPS port over plain HTTP where the server offers one, and never do this across an untrusted network. You can also use the server IP address to access the DHost iConsole. For example: http://137.65.
20 Encrypting Data in eDirectory

In Novell eDirectory 8.8 and later, you can encrypt specific sensitive data both while it is stored on disk and while it is accessed by the client. This chapter covers the errors you might encounter while using the encrypted attributes and encrypted replication features in eDirectory 8.8 and later. For more information on encrypted attributes and replication, refer to the Novell eDirectory 8.8 SP7 Administration Guide (https://www.netiq.
Possible Cause: The encrypted attributes are configured to be accessed only over a secure channel, and the application is trying to access them over a clear-text channel.
Action: The application should access the encrypted attributes through a secure channel, such as an LDAP secure channel (LDAP over SSL/TLS) or an HTTP secure channel (HTTPS). The refusal over clear text is by design; fix the client, not the attribute's protection.
Possible Cause: If the parent partition has pre-eDirectory 8.8 servers in its replica ring (a mixed-version ring) and the child partition has encrypted replication (ER) enabled, merge and join partition operations are disallowed and the ERR_INCOMPATIBLE_DS_VERSION error is returned. The reason is that the child partition contains sensitive data with ER enabled at the partition level, while the parent partition has a pre-eDirectory 8.8 server. With ER enabled only between eDirectory 8.
20.5 Viewing or Modifying Encrypted Attributes through iManager

If an attribute of an object is encrypted, you cannot view or modify the object by using iManager 2.5. To work around this issue, view or modify the encrypted attribute over a secure channel using one of the following methods:

LDAP: The LDAP request must be sent over a secure channel, which means the server's trusted root certificate must be used to establish it.
ICE: LDIF scripts can be used to modify the object.
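Both the "clear text channel" cause above and the LDAP/ICE workaround in 20.5 come down to the same two things: the change must be expressed as a well-formed LDIF change record, and it must travel over an encrypted channel. The following Python is an added example, not code from the eDirectory documentation, ICE or any eDirectory API: it emits a changetype: modify record in the form ICE and ldapmodify consume, base64-encoding any value that RFC 2849 does not allow as plain text, and refuses to produce a record for a plain ldap:// target unless StartTLS is requested. The object DN, attribute name, values and host names are constructed for this example, and treating ldap:// plus StartTLS as a secure channel is an assumption about the deployment.

```python
"""Build an LDIF change record for an encrypted attribute and insist on a
secure channel before it is sent.

Added example, not from the eDirectory documentation or from ICE.  The DN,
attribute and values below are constructed; whether StartTLS on ldap://
counts as a secure channel in your deployment is an assumption.
"""
import base64
from urllib.parse import urlsplit


def _needs_base64(value):
    """RFC 2849: a value must be written as 'attr:: <base64>' if it contains
    NUL/CR/LF or non-ASCII, starts with space, ':' or '<', or ends with space."""
    if not value:
        return False
    if any(ord(c) > 127 or c in "\0\r\n" for c in value):
        return True
    return value[0] in " :<" or value[-1] == " "


def _ldif_line(attr, value):
    if _needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return "%s:: %s" % (attr, encoded)
    return "%s: %s" % (attr, value)


def ldif_modify_record(dn, attr, values, operation="replace"):
    """Return one LDIF change record that replaces (or adds/deletes) `attr`."""
    if operation not in ("add", "replace", "delete"):
        raise ValueError("operation must be add, replace or delete")
    lines = [_ldif_line("dn", dn), "changetype: modify", "%s: %s" % (operation, attr)]
    lines += [_ldif_line(attr, v) for v in values]
    lines.append("-")
    return "\n".join(lines) + "\n"


def secure_target(url, starttls=False):
    """True only if the request would travel encrypted: ldaps://, or ldap://
    with StartTLS negotiated before the modify is sent."""
    scheme = urlsplit(url).scheme
    if scheme == "ldaps":
        return True
    return scheme == "ldap" and starttls


def build_change(url, dn, attr, values, starttls=False):
    """Refuse to produce a modify record for a clear-text target; this is the
    client-side counterpart of the server's secure-channel requirement."""
    if not secure_target(url, starttls):
        raise PermissionError("encrypted attribute %s must be modified over a "
                              "secure channel; %s is clear text" % (attr, url))
    return ldif_modify_record(dn, attr, values)


if __name__ == "__main__":
    # Constructed example: employeeNumber stands in for an encrypted attribute.
    print(build_change("ldaps://ldap.example.com:636",
                       "cn=jsmith,ou=users,o=example",
                       "employeeNumber", ["0042"]))
    try:
        build_change("ldap://ldap.example.com:389",
                     "cn=jsmith,ou=users,o=example", "employeeNumber", ["0042"])
    except PermissionError as exc:
        print("refused:", exc)
```

Feed the printed record to ICE or ldapmodify over the ldaps:// listener with the server's trusted root certificate; the same record sent over port 389 without StartTLS is what produces the clear-text error described earlier in this chapter.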
21 The eDirectory Management Toolbox

The Novell eDirectory Management Toolbox (eMBox) lets you access all of the eDirectory backend utilities remotely as well as on the server. eMBox works with Novell iManager to provide Web-based access to eDirectory utilities such as DSRepair, DSMerge, Backup and Restore, and Service Manager.

IMPORTANT: Role Based Services must be configured through iManager to the tree that is to be administered in order for eMBox tasks to be run.
22 SASL-GSSAPI

This section discusses the error messages logged by the SASL-GSSAPI authentication mechanism.

Section 22.1, "SASL-GSSAPI Issues," on page 109
Section 22.2, "Log File," on page 109
Section 22.3, "Error Messages," on page 109

22.1 SASL-GSSAPI Issues

Section 22.1.1, "Issue with Multiple User Objects," on page 109
Section 22.1.2, "Authorization ID," on page 109
22.1.
SASL-GSSAPI: Reading Object Realm_FDN FAILED eDirectory error code
    Cause: This error is generated in eDirectory; the realm object does not exist.
SASL-GSSAPI: Not enough memory
    Cause: Not enough memory to perform the specific operation.
SASL-GSSAPI: Invalid Input Token
    Cause: The token from the client is defective or invalid.
SASL-GSSAPI: NMAS error NMAS error code
    Cause: This error is generated in NMAS and is an internal error.
ldap_simple_bind_s: Invalid credentials major = 1, minor = 0
    Cause: The likely cause is a key version number (kvno) mismatch between the LDAP service principal on the KDC and the LDAP service principal key held by the eDirectory server. Every time you extract the LDAP service principal key to a keytab file, the KDC increments the key version number, so a key extracted after the one eDirectory holds no longer matches it.
    Action: Complete the following procedure:
    1 Update the key in the eDirectory server so that the version numbers are in sync.
    2 Destroy the tickets at the client.
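The quickest way to confirm the kvno explanation before re-importing keys is to read the key versions out of the keytab and compare them with the version the eDirectory server holds. The following Python is an added example, not part of the eDirectory documentation or product: it parses the listing format produced by MIT Kerberos klist -k (a KVNO column followed by the principal, optionally with the encryption type in parentheses) and reports whether the newest key in the keytab matches the server-side version. The sample listing is constructed for this example, and the server-side kvno is passed in as a parameter because how you read it back from eDirectory is outside what this page documents.

```python
"""Check the key version number (kvno) of the LDAP service principal.

Added example, not from the eDirectory documentation: every extraction of the
LDAP service principal into a keytab increments its kvno on the KDC, so a
keytab whose newest kvno differs from the version eDirectory holds produces
the 'Invalid credentials' bind failure.  SAMPLE_KLIST is constructed; the
server-side kvno is supplied by the caller.
"""
import re

# Constructed sample of `klist -k -e /etc/krb5.keytab` output: the LDAP
# principal appears twice because its key was extracted twice.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/ldap.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 ldap/ldap.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 host/ldap.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# "<kvno> <principal> [(<enctype>)]"; header and separator lines do not match.
_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+?)(?:\s+\((.*)\))?\s*$")


def parse_klist(text):
    """Return {principal: highest kvno present} from a `klist -k` listing."""
    versions = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue
        kvno, principal = int(m.group(1)), m.group(2)
        versions[principal] = max(kvno, versions.get(principal, 0))
    return versions


def check_service_key(keytab_listing, principal, server_kvno):
    """Compare the newest kvno in the keytab with the kvno the eDirectory
    server holds for the same principal.  Returns (ok, message)."""
    versions = parse_klist(keytab_listing)
    if principal not in versions:
        return False, "%s is not in the keytab" % principal
    keytab_kvno = versions[principal]
    if keytab_kvno != server_kvno:
        return False, ("kvno mismatch for %s: keytab has %d, eDirectory holds %d; "
                       "update the key on the eDirectory server, then destroy "
                       "the client's tickets (kdestroy) before retrying"
                       % (principal, keytab_kvno, server_kvno))
    return True, "kvno %d matches for %s" % (keytab_kvno, principal)


if __name__ == "__main__":
    principal = "ldap/ldap.example.com@EXAMPLE.COM"
    for held in (2, 3):   # what the eDirectory server might hold
        print(check_service_key(SAMPLE_KLIST, principal, held))
```

Run it against the real listing with klist -k -e on the KDC-extracted keytab; a mismatch confirms step 1 above is needed, and a match points the investigation elsewhere (for example the multiple-user-object issue in 22.1.1).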
23 Miscellaneous

Section 23.1, "Backing Up a Container," on page 113
Section 23.2, "Repeated eDirectory Logins," on page 114
Section 23.3, "Enabling Event System Statistics," on page 114
Section 23.4, "Tracking Memory Corruption Issues on Linux," on page 114
Section 23.5, "TCP Connection not Terminating after Abnormal Logout," on page 114
Section 23.6, "NDS Error, System Failure (-632) Occurs When Doing ldapsearch for the User Objects," on page 115
Section 23.
23.2 Repeated eDirectory Logins

Repeated eDirectory logins can use up the available memory. Disable the Login Update attribute using iMonitor to overcome this problem.

23.3 Enabling Event System Statistics

Time-related statistics are maintained for every event thrown and consumed in eDirectory. This information is useful for troubleshooting event consumer issues. These statistics are not required for normal functioning of the directory; therefore, they are disabled for performance reasons.
tcp_keepalive_probes: Determines how many unanswered keepalive probes are sent before the connection is declared broken (not how often they are sent; that is tcp_keepalive_intvl). It takes an integer value; keep it below 50, chosen together with your tcp_keepalive_time and tcp_keepalive_intvl values. The default is 9 probes before the application is informed of the broken connection.
tcp_keepalive_intvl: Determines the interval between successive keepalive probes, that is, how long to wait for a reply to one probe before sending the next.
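The three sysctls only make sense together: an abandoned connection lingers for tcp_keepalive_time plus tcp_keepalive_probes times tcp_keepalive_intvl seconds before the server sees the error. The following Python is an added example, not from the eDirectory documentation, that reads the live values from /proc, computes that worst-case detection time, flags settings that violate the advice above, and shows how a client can apply the same three parameters per socket instead of relying on the system-wide sysctls. The fallback values are the Linux kernel defaults (7200 s, 75 s, 9 probes); the 15-minute ceiling in check_recommendation is an assumption chosen for this example, and the per-socket options TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT are Linux-specific.

```python
"""How long an abandoned connection lingers under the TCP keepalive sysctls,
and how to set the same parameters per socket.

Added example, not from the eDirectory documentation.  LINUX_DEFAULTS are the
Linux kernel defaults; the 15-minute ceiling is an assumption for this
example; the per-socket options are Linux-specific.
"""
import socket

LINUX_DEFAULTS = {"tcp_keepalive_time": 7200,    # idle seconds before the first probe
                  "tcp_keepalive_intvl": 75,     # seconds between probes
                  "tcp_keepalive_probes": 9}     # unanswered probes before giving up


def read_keepalive_sysctls(proc_dir="/proc/sys/net/ipv4"):
    """Read the live values from /proc, keeping the Linux default for any
    file that cannot be read (for example on a non-Linux host)."""
    values = dict(LINUX_DEFAULTS)
    for name in values:
        try:
            with open("%s/%s" % (proc_dir, name)) as fh:
                values[name] = int(fh.read().strip())
        except (OSError, ValueError):
            pass
    return values


def dead_peer_detection_seconds(time, intvl, probes):
    """Worst case from the peer vanishing to the application seeing the error:
    the idle period before the first probe, then `probes` unanswered probes
    sent `intvl` seconds apart."""
    return time + intvl * probes


def check_recommendation(time, intvl, probes, max_linger=15 * 60):
    """Return findings for settings that keep an abandoned connection open
    longer than `max_linger` seconds (an assumed ceiling) or that exceed the
    documented advice of fewer than 50 probes.  An empty list means OK."""
    findings = []
    if probes >= 50:
        findings.append("tcp_keepalive_probes=%d: keep this below 50" % probes)
    total = dead_peer_detection_seconds(time, intvl, probes)
    if total > max_linger:
        findings.append("a dead peer is detected only after %d s (ceiling %d s)"
                        % (total, max_linger))
    return findings


def enable_keepalive(sock, time, intvl, probes):
    """Apply the same three parameters to one socket, so a client does not
    depend on the system-wide sysctls.  Returns True when the per-socket
    options exist on this platform and were applied."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    names = ("TCP_KEEPIDLE", "TCP_KEEPINTVL", "TCP_KEEPCNT")
    if not all(hasattr(socket, n) for n in names):
        return False
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, time)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, intvl)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
    return True


if __name__ == "__main__":
    live = read_keepalive_sysctls()
    args = (live["tcp_keepalive_time"], live["tcp_keepalive_intvl"],
            live["tcp_keepalive_probes"])
    print("live sysctls:", live,
          "-> dead peer detected after %d s" % dead_peer_detection_seconds(*args))
    for finding in check_recommendation(*args):
        print("finding:", finding)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print("per-socket keepalive applied:", enable_keepalive(s, 300, 30, 5))
```

With the stock defaults the server notices a vanished client only after 7875 seconds, over two hours; a setting such as 300/30/5 brings that down to 450 seconds while sending far fewer than 50 probes.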
23.7 Disabling SecretStore

An eDirectory administrator can disable SecretStore using the following processes:

23.7.1 On Linux and UNIX

1 Go to the nds-modules directory and rename or move the following SecretStore modules:
    libsss.so
    libssncp.so
    libssldp.so
2 Restart the server.

Alternatively, you can comment out the line in the /etc/opt/novell/eDirectory/conf/ndsmodules.conf file that loads ssncp. 23.7.
23.11 ldif2dib Fails to Open the Error Log File When the DIB Directory Exists in a Custom Path

ldif2dib fails to open the default log file, ldif2dib.log, when the DIB directory is relocated to a custom location. To work around this issue, explicitly provide the log file location by using the -b switch. 23.
23.16 Troubleshooting Ports with Custom eDirectory 8.8 Instances

In eDirectory 8.8, if you configure a new instance in a custom location while the default instance server is down, the new instance takes the default instance's ports. The default instance then cannot come up, because its ports have been allotted to the custom-location instance. Follow the procedure in "Troubleshooting Ports with Custom eDirectory 8.8 Instances" (http://www.novell.com/coolsolutions/feature/17933.
23.22 Listening on Multiple NICs Slows Down eDirectory ldapsearch Performance

To work around this issue, do one of the following:

- Disable, in the configuration file, the NICs that slow down ldapsearch performance.
- Enable Advanced Referral Costing (ARC) by using the set NDSTRACE =!ARC1 command in DSTrace.

23.23 Unable to Limit the Number of Concurrent Users on UNIX/Linux Platforms

In eDirectory 8.8 SP7, you cannot limit the number of concurrent connections on UNIX or Linux platforms.