
Re: eDirectory Not Starting

a...@novell.com

Jul 5, 2007, 12:37:23 PM

Regardless of what the messages state, are your LDAP ports really
listening? Try the following command:

netstat -anp | grep 'LISTEN ' | grep ndsd

That will show every port listening with ndsd as the process. If you
see 389 and 636, ignore the messages; it may be a timing issue with LDAP
coming up slowly. Also, can you get into eDirectory via ConsoleOne or
iManager or anything else?

The message says dxevent can't be found. I believe libdxevent.so and a
couple softlinks to it should be in /usr/lib/nds-modules so you may want
to check there.

Good luck.

Celso G. Lima wrote:
> I am having some problems starting my eDirectory server, and I don't
> know where else to look. The server is reporting both TCP and TLS ports
> as "not listening", and the following is the only thing I get from
> ndsd.log.
> The only error is linked to iMonitor. How can I get more verbosity out
> of ndsd? We have eDir 8.7.3.9 on RHEL AS 3U9. That server used to be my
> master replica and it holds the certificate server and keys.
>
> Thanks,
>
>
> Jul 05 11:27:48 Path of Novell eDirectory configuration file /etc/nds.conf
> Jul 05 11:27:48 Host process for Novell eDirectory 8.7.3.9 v10553.73
> successfully started
> Jul 05 11:27:48 MASVInit called
> Jul 05 11:27:48 MASV : Initialized
> Loader Failed:for dxevent,error dxevent: cannot open shared object file:
> No such file or directory,errno 2
> Jul 05 11:27:49 NMAS Server Version:3.1.3.0 Build:20070219 started
> Jul 05 11:27:49 SPM DClient Version:3.1.3.0 Build:20070219 started
> Jul 05 11:27:50 GAMS Version: 1.30.01 DHModuleInit called
> Jul 05 11:27:50 GAMS Version: 1.30.01 started
> Jul 05 11:27:50 Information: SNMP Trap Server for Novell eDirectory
> 8.7.3.9 v10550.91 started.
>
> Jul 05 11:27:50 ndsimon initialization failed - -605
> Jul 05 11:27:50 Warning: Could not load module imon, -1
> Jul 05 11:27:54 Novell PKI Services Started Successfully
>
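The listening-port check suggested in the reply above, as an added example that is not part of the original thread: instead of chaining `grep`, it matches the exact port and owning process in `netstat -anp` output, so a different service on port 6360 or an established client connection does not count as ndsd listening on 636. The function names and the sample output are constructed for illustration; ports 389 and 636 come from the reply and 524 from a later post in the thread.

```shell
#!/bin/sh
# Constructed sample of `netstat -anp` output (not taken from the thread).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address State       PID/Program name
tcp        0      0 0.0.0.0:524     0.0.0.0:*       LISTEN      2114/ndsd
tcp        0      0 0.0.0.0:389     0.0.0.0:*       LISTEN      2114/ndsd
tcp        0      0 0.0.0.0:6360    0.0.0.0:*       LISTEN      2290/java
tcp        0      0 10.0.0.5:389    10.0.0.9:41022  ESTABLISHED 2114/ndsd
EOF
}

# missing_ports PROC PORT... (hypothetical helper)
# Reads `netstat -anp` text on stdin and prints, space separated, the
# requested ports that PROC is NOT listening on. Empty output = all present.
missing_ports() {
    proc=$1; shift
    awk -v proc="$proc" -v want="$*" '
        $6 == "LISTEN" {
            n = split($7, owner, "/")        # "2114/ndsd" -> pid, name
            if (n < 2 || owner[2] != proc) next
            port = $4
            sub(/.*:/, "", port)             # works for 0.0.0.0:389 and :::389
            seen[port] = 1
        }
        END {
            n = split(want, w, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (!(w[i] in seen)) out = out (out == "" ? "" : " ") w[i]
            print out
        }'
}

# Demo on the constructed sample; on a live server run (as root, so the
# PID/Program column is populated):
#   netstat -anp | missing_ports ndsd 389 636 524
sample_netstat | missing_ports ndsd 389 636 524
```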

Celso G. Lima

Jul 5, 2007, 12:33:55 PM

Celso G. Lima

Jul 5, 2007, 2:46:25 PM

The daemon does not start. I can see it being launched but it dies
immediately.
None of ports 389, 636 or 524 are available.

The message about the dxml module is just a warning. If you don't have
dirxml installed it reports that message.


a...@novell.com

Jul 5, 2007, 3:05:03 PM

I have the dxevent message once in my ndsd.log file but not since
2007-03-25 when I first installed IDM. Oh well.

-605 (No Such Partition) isn't a good error to have during bootup.
Future versions of eDirectory should be able to load the agent without
the DIB like `ds -ndb` can on NetWare but currently it isn't possible to
do so you can use ndstrace during the loading of the DIB. You will
probably want to either implement some recovery stuff for this server
(remove and re-add the DIB) or call Novell so they can try to open the
DIB while the agent is running to see if any other information can be found.

What changed or happened when this started?

Good luck.


Celso G. Lima

Jul 5, 2007, 3:34:12 PM

That server was initially the master replica for a tree with 6 replicas.
It was also running DirXML 3.0.1 and iManager 2.6. It is running on VMWare
ESX 2.5.1.

I was in the process of building another tree and transferring the accounts
using an eDir Driver to another tree. After I created the eDir driver I
noticed it was taking too long for all our data to synch. Thus, I
installed dirxml on a second server and ran the driver from this other
server. I don't know what happened but a 2nd partition with the same name
as the new driver set was created, and right after that all my drivers
died and could not be restarted. I immediately moved all my drivers to
this new driver set running on this other server in order to have our
account synch working. In the meantime I started working on the original
server, and noticed errors related to this new partition. I was afraid
something was coming up, so I moved the master replica to the new server,
and the original server was automatically changed to read/write. I noticed
something was really bad with that server, when after 4 days the server's
replica state was still listed as "new" instead of "on". We ran dsrepair
along with removing the server from the replica ring on both partitions,
the original partition and the one with the same name as the driver set.
From then on everything went downhill. I cannot restart the server since
then. I applied OS patches and eDir patches and nothing happens.
We had also removed dirxml from the server.

Edward van der Maas

Jul 5, 2007, 5:00:08 PM

Celso G. Lima wrote:

I'd say remove the DS from the server, clean up your tree and add it
back again. Easiest way probably to fix all this.

--
Cheers,
Edward

Celso G. Lima

Jul 5, 2007, 5:24:07 PM

Earlier today I started building another VM, to transfer all the roles of
this dead server to a new server. My next question is, what do I need to do
to bring another server up, so that it takes up the roles of the dead
server?
In other words, is it just a matter of copying the dib directory along
with some configuration files and firing up the new server? I am assuming
here the new server will have the same name, IP address and file path as
the original server.

I can easily add another server to the tree and have it join the replica
ring, however, what will I do with the cert server and whatever is left
installed on this dead server?

a...@novell.com

Jul 5, 2007, 5:29:17 PM

That would work... in theory, as long as only the source or the
destination server had life at a given point in time, but the DIB is
probably the part that is corrupt so copying it to a new box and trying
to bring it up is not likely to work. Still, give it a shot if you want
just in case but I wouldn't dare to hope too hard in this case that it
will work.

Adding another server to the tree and adding replicas is the easiest way
to go. eDirectory has and recommends multiple replicas for this very
reason. In regard to your CA and stuff you should have a backup of the
CA server's certificates (with private key) to import to a new server.
If you don't then you'll get to create a new one and make new
certificates. Tree key information should be synchronized and making a
new server the Key server is trivial as long as the keys are synchronized.

Good luck.


Edward van der Maas

Jul 5, 2007, 5:47:48 PM

Celso G. Lima wrote:

I wouldn't copy the DIB over as you have no idea what state it is in. I'd
install IDM on the new server, assign the driver set to the new server
and you're done (although, if I'm correct it's only there for some drivers,
right?)

--
Cheers,
Edward

Celso G. Lima

Jul 5, 2007, 6:11:49 PM

I guess I will follow what you guys are recommending and start with a new
server. As you say, the database might be the problem since it could be
corrupted. Besides I don't want to risk bringing a corrupted database online
and screw up the rest of the tree, even if that is a remote chance that
could happen.

I don't have a backup, in the form of an export, of the certificates/keys.
However I do have access to all the files on the original server. Are the
files I need stored under the dib directory in the certserv and cert.rfl
folders and the cert.* files (cert.db, cert.01, etc)?

Celso G. Lima

Jul 5, 2007, 6:14:30 PM

Yes, the drivers have been fixed. In fact I transferred everything right
away to a new server as soon as the original server they were on started
acting weird. I am safe in regard to my dirxml drivers.

Celso G. Lima

Jul 6, 2007, 10:51:40 AM

I rebuilt my server and re-added it to the tree. I also created a new CA
with new certs. Now my question is I don't have a backup, in the form of
an export, of the certificates/keys of my previous CA. However I do have

a...@novell.com

Jul 6, 2007, 2:44:36 PM

Your original CA is lost I believe unless somebody has ever managed some
kind of recovery (don't think it's possible... eDirectory puts the
entire DIB in a couple huge files for the most part with the exception
of stream files and extracting requires a healthy DIB). For the future
though you can get backups immediately as covered by various TIDs and
sections of the eDirectory documentation. To start with, Google for
'ndsrc.pl' and use it to get a complete backup of your DIB which can be
used if you lose your entire tree to restore it. Run it on a server
which holds a replica of the entire tree for the most benefit. It's
similar to running `dsrepair -rc` on a NetWare server.

Good luck.
