Thanks,
Yancey
-1902474320 LDAP: New TLS connection 0x8581d98
from 172.16.224.101:54859,
monitor = 0x5b32dbb0, index = 1
1530059696 LDAP: Monitor 0x5b32dbb0 initiating
TLS handshake on connection 0x8581d98
-1403974736 LDAP: DoTLSHandshake on connection 0x8581d98
-1403974736 LDAP: BIO ctrl called with unknown cmd 7
-1403974736 LDAP: Completed TLS handshake on connection 0x8581d98
-1861145680 LDAP: DoBind on connection 0x8581d98
-1861145680 LDAP: Bind name:cn=admin,o=org, version:3, authentication:simple
-1861145680 AUTH: SPM Login for user [0000805d]
<.admin.org.IDVAULT.> returned NMAS error = -1645,
fallback to NDS = false
-1861145680 AUTH: SPM Login erro = -254,
-1861145680 AUTH: [0000805d] <.admin.org.IDVAULT.>
LocalLoginRequest. Error bindery locked or dir locked
or trustee not found (-254), conn: 34.
-1861145680 LDAP: Failed to authenticate local on
connection 0x8581d98, err = bindery locked or dir locked
or trustee not found (-254)
-1861145680 LDAP: Sending operation result
80:"":"NDS error: bindery locked or dir locked or
trustee not found (-254)" to connection 0x8581d98
1530059696 LDAP: TLS read failure 5 on connection 0x8581d98,
setting err = -5875. Error stack:
1530059696 LDAP: Monitor 0x5b32dbb0 found connection 0x8581d98
socket failure, err = -5875, 0 of 0 bytes read
1530059696 LDAP: Monitor 0x5b32dbb0 initiating close
for connection 0x8581d98
-1403974736 LDAP: Server closing connection 0x8581d98,
socket error = -5875
-1403974736 LDAP: Connection 0x8581d98 closed
There are a few errors in here that may be relevant. The -254s could
mean that bindery is locked somehow or something strange like that (see
iMonitor for full details) and the -1645 is 'invalid parameter'. Can
you log in with the users via LDAP? The Novell client or something else
NDAP-based? Have you tried with that user against different servers?
As a last guess, have you verified your tree keys are synchronized properly?
Good luck.
http://www.novell.com/documentation/nwec/nwec/data/al3r5bt.html
-1645 FFFFF993 NMAS E TIMED OUT NOT RECOVERABLE
Explanation: The client or the server failed to respond in a timely
manner. The calling software does not have the option to retry the
request if this error occurs.
This server is one of four identical servers that we use for LDAP and
Identity Manager. LDAP connections are load balanced across the four
servers. These have been running for more than a year with no
significant issues and the only thing we've changed is turning on
NDSD_TRY_NMASLOGIN_FIRST. To me, that error seems to imply that the NMAS
operation is timing out. I have not had a big problem with load on these
servers before, but have been told that NDSD_TRY_NMASLOGIN_FIRST adds
significant additional overhead for LDAP binds. Could it be that I am
now overloading eDirectory somehow with the additional NMAS overhead?
Yancey
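
Added example, not part of the original thread: a small Python parser for trace output shaped like the one posted above. It re-joins the mail-wrapped lines and reports each failed bind with the NMAS code logged before it, so the share of -1645 failures can be compared across the load-balanced servers. It assumes the leading number stays the same for every line of one bind request, as it does in the posted trace; the sample input and the second connection in it are constructed.

```python
import re
from collections import Counter

# Constructed sample modelled on the trace in this thread (wrapped as mailed).
SAMPLE = """\
-1861145680 LDAP: DoBind on connection 0x8581d98
-1861145680 LDAP: Bind name:cn=admin,o=org, version:3, authentication:simple
-1861145680 AUTH: SPM Login for user [0000805d]
<.admin.org.IDVAULT.> returned NMAS error = -1645,
fallback to NDS = false
-1861145680 LDAP: Failed to authenticate local on
connection 0x8581d98, err = bindery locked or dir locked
or trustee not found (-254)
-1403974736 LDAP: DoBind on connection 0x8581e10
-1403974736 LDAP: Bind name:cn=app,o=org, version:3, authentication:simple
-1403974736 LDAP: Failed to authenticate local on
connection 0x8581e10, err = failed authentication (-669)
"""
RECORD = re.compile(r"^(-?\d+) ([A-Z]+): (.*)$")
FAILED = re.compile(r"Failed to authenticate local on connection (\S+), "
                    r"err = .*\((-?\d+)\)")

def unwrap(text):
    """Re-join wrapped lines into [leading_id, tag, message] records."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append(list(m.groups()))
        elif records and line.strip():   # continuation of the previous record
            records[-1][2] += " " + line.strip()
    return records

def failed_binds(text):
    """One dict per failed bind. Assumption: all lines of a single bind
    request share the same leading number, as in the posted trace."""
    pending, failures = {}, []
    for lead, _tag, msg in unwrap(text):
        state = pending.setdefault(lead, {})
        if m := re.match(r"Bind name:(.*?), version:", msg):
            pending[lead] = {"bind_dn": m.group(1)}   # a new bind starts
        elif m := re.search(r"NMAS error = (-?\d+)", msg):
            state["nmas_error"] = int(m.group(1))
        elif m := FAILED.search(msg):
            failures.append({"conn": m.group(1), "nds_error": int(m.group(2)),
                             "bind_dn": state.get("bind_dn"),
                             "nmas_error": state.get("nmas_error")})
    return failures

def nmas_error_counts(text):
    """Count failed binds per NMAS error code (None = no NMAS error logged)."""
    return Counter(f["nmas_error"] for f in failed_binds(text))
```
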