
LDAP initialization failed


charles...@metglas.com
Nov 24, 2005, 8:46:48 PM

Our LDAP server stopped working a couple of weeks ago for no apparent
reason. This stopped iManager and iFolders from working as well. I ran
pkidiag and it found two out of date certificates. I used pkidiag to fix
this and restarted the server but the problem persisted. I am getting
error messages on the Apache screen of our server console stating
that "LDAP initialization failed" and "Can't contact LDAP server(81)". I
have re-exported the SSL CertificateDNS object to
sys:\public\RootCert.der and restarted the server but still nothing. I
have tried LDAP authentication using a LDAP browser with anonymous and
authenticated authorization on ports 389 and 636 but it failed. I would
appreciate any suggestions.

Anders Gustafsson
Nov 25, 2005, 2:50:22 PM

> authenticated authorization on ports 389 and 636 but it failed. I would
> appreciate any suggestions.
>
Run pkidiag in fixing mode, then run tckeygen

- Anders Gustafsson, Engineer, CNE6, ASE
NSC Volunteer Sysop
Pedago, The Aaland Islands (N60 E20)

Novell does not monitor these forums officially.
Enhancement requests for all Novell products may be made at
http://support.novell.com/enhancement

Using VA 5.51 build 315 on Windows 2000 build 2195

Edward van der Maas
Nov 27, 2005, 5:19:09 AM

charles...@metglas.com wrote:

Besides Anders suggestion also check if LDAP is actually listening on
port 389 and 636. You can see it in TCPCON | Protocol information.
Maybe you have a more underlying problem.

--
Cheers,
Edward

Anders Gustafsson
Nov 27, 2005, 1:22:26 PM, to Edward van der Maas

> Besides Anders suggestion also check if LDAP is actually listening on
> port 389 and 636. You can see it in TCPCON | Protocol information.
> Maybe you have a more underlying problem.
>
Yes. In that case, turn on LDAP logging, unload/load NLDAP and read
the log.

charles...@metglas.com
Nov 28, 2005, 11:56:38 AM

It looks like our LDAP server is not initializing properly. Whenever I
unload and load the apache server and tomcat the logger screen indicates
it is waiting on LDAP to initialize. I cannot see any references to LDAP
in TCPCON and I get nothing when I connect to
https:\\our_ip_address:636. I tried running tckeygen but nothing
happens. The file sys:/adminsrv/conf/.keystore still has a last mod date
of when we installed the server. Any ideas?

Anders Gustafsson
Nov 28, 2005, 12:11:41 PM

> It looks like our LDAP server is not initializing properly. Whenever I
> unload and load the apache server and tomcat the logger screen indicates
> it is waiting on LDAP to initialize.
>
OK. Is NLDAP.NLM loaded at all? If not, then try what I suggested above.

charles...@metglas.com
Nov 28, 2005, 12:39:51 PM

It looks like NLDAP loads fine. I have executed LOAD NLDAP and UNLOAD
NLDAP from the server console several times with no error messages. The
problem starts when I execute AP2WEBUP. When I do this I get the error
message that it cannot connect to the LDAP server. I ran the pkidiag
utility last week and it found two certs that were invalid and fixed
both. It looks like maybe the SSL on LDAP may be the issue. The
knowledgebase said that when I type LOAD NLDAP this should automatically
load NTLS and SASL. It does not. As I mentioned earlier, when I try to
run the tckeygen utility nothing comes up. I'm not sure whether that may
be due to the LDAP/SSL piece or not.
Thanks,
Charles

Anders Gustafsson
Nov 28, 2005, 12:56:25 PM

> It looks like maybe the SSL on LDAP may be the issue. The
> knowledgebase said that when I type LOAD NLDAP this should automatically
> load NTLS and SASL.
>
OK. Is LDAP listening on both ports 389 and 636? Check in TCPCON. If it is,
then try an LDAP trace as you try 636

charles...@metglas.com
Nov 28, 2005, 1:41:13 PM

I cannot find any references to LDAP on port 389 or 636 in TCPCON. The
Apache logger screen repeatedly displays the following group of messages.

LDAP initialization failed.
Configured LDAP was found ready to use.
NIF CertHandler: Root certificate file for master ldap not found,
requesting a new one from server.
NIF CertHandler: # Root Certs=1.
NIF CertHandler: Retrieved certificate of size=1332.
*MASTER[CWYFS102.metglas.com][-1] ldap_simple_bind: Cant contact LDAP
server(81)
ldap *MASTER[CWYFS102.metglas.com] down
LDAP initialization failed. Check LDAP and restart apache.

Does this help any?

Anders Gustafsson
Nov 28, 2005, 2:15:14 PM

> Does this help any?
>
No. You need to find if NLDAP is loaded. Do this:

M NLDAP*

Does it show loaded?

Next. In ConsoleOne, LDAP Server/Group object (can't remember which
one) Screen Options tab. Turn on EVERYTHING but the bottom-most. Then:

LOAD DSTRACE
-ALL
+LDAP
DSTRACE SCREEN on
DSTRACE FILE ON

Try unload NLDAP, then LOAD NLDAP

DSTRACE FILE off

Post dstrace.log here

Anders Gustafsson
Nov 28, 2005, 2:41:50 PM

> Could not update server configuration, err = no such attribute (-603)
>
OK. Your LDAP objects are corrupt. In your initial post, you said: "Our LDAP
server stopped working a couple of weeks ago for no apparent reason." Are you
sure nothing changed? DS upgrade?

Does this apply?

http://support.novell.com/techcenter/search/search.do?cmd=displayKC&docType=kc&externalId=10088679html&sliceId=&dialogID=2208101

charles...@metglas.com
Nov 28, 2005, 2:36:07 PM

Yes, NLDAP shows as loaded. I was looking over a knowledgebase article
on troubleshooting iMonitor this morning and it directed me to do the
same thing for DSTRACE. The iMonitor and iFolders are not working,
probably since tomcat is not loading. Root cause seems to come back to
LDAP. Anyway, here is the DSTRACE log file:
Could not read LDAP Server name in ValidateLDAPObjects on iteration 2,
err = no such attribute (-603)
Could not validate Group in ReadConfigFromDS, err = no such attribute (-603)
Could not update server configuration, err = no such attribute (-603)
LDAP Agent for Novell eDirectory 8.7.3.7 (10554.24) stopped
Could not read LDAP Server name in ValidateLDAPObjects on iteration 2,
err = no such attribute (-603)
Could not validate Group in ReadConfigFromDS, err = no such attribute (-603)
Could not update server configuration, err = no such attribute (-603)
Could not read LDAP Server name in ValidateLDAPObjects on iteration 2,
err = no such attribute (-603)
Could not validate Group in ReadConfigFromDS, err = no such attribute (-603)
Could not update server configuration, err = no such attribute (-603)
Could not read LDAP Server name in ValidateLDAPObjects on iteration 2,
err = no such attribute (-603)
Could not validate Group in ReadConfigFromDS, err = no such attribute (-603)
Could not update server configuration, err = no such attribute (-603)
LDAP Agent for Novell eDirectory 8.7.3.7 (10554.24) stopped
Could not read LDAP Server name in ValidateLDAPObjects on iteration 2,
err = no such attribute (-603)
Could not validate Group in ReadConfigFromDS, err = no such attribute (-603)
Could not update server configuration, err = no such attribute (-603)

I really appreciate your help on this Anders.
Charles

charles...@metglas.com
Nov 28, 2005, 3:08:05 PM

As of 11/12/2005 9:00 PM the iFolders were working fine. As of 11/14/2005
07:30 AM they were not working. There have been no upgrades or anything
done to the server. In fact, it still had the sp1 overlay that was used
during install. Obviously something happened I just don't know what. I
looked over the article you referenced and added the LDAP server to the
NCP server. It was not there before I added it. You said that the LDAP
objects were corrupted. Is there a way to re-generate them?
Charles

Edward van der Maas
Nov 28, 2005, 3:18:42 PM

charles...@metglas.com wrote:

> Could not validate Group in ReadConfigFromDS, err = no such attribute (-603)
> Could not update server configuration, err = no such attribute (-603)
> LDAP Agent for Novell eDirectory 8.7.3.7 (10554.24) stopped
> Could not read LDAP Server name in ValidateLDAPObjects on iteration 2,
> err = no such attribute (-603)
> Could not validate Group in ReadConfigFromDS, err = no such attribute (-603)
> Could not update server configuration, err = no such attribute (-603)

Besides Anders' suggestion, also check the other fields of both the LDAP
server and the LDAP group object. Looks like you are missing a few bits
somehow. Also make sure you are using a valid certificate.

If all this doesn't work delete the 2 objects and recreate them.

--
Cheers,
Edward

Anders Gustafsson
Nov 28, 2005, 4:05:34 PM

> I
> looked over the article you referenced and added the LDAP server to the
> NCP server. It was not there before I added it.
>
And did it help? Have you BTW run a full DS health check?

charles...@metglas.com
Nov 28, 2005, 4:31:35 PM

The issue is resolved. Based on Edward's suggestion to delete and re-
create the objects I recreated the LDAP server and group objects, but
this did not help. I was looking around in the SSL CertificateDNS object
and realized that the public key certificate expired sometime during the
day on 11/13/2005. It was created on 11/13/2003 and had a two year
lifetime. This is consistent with the fact that it worked on 11/12/2005
but not on 11/14/2005. I re-created the objects, did an ap2webdn and
unload/load nldap then an ap2webup. It still said that ldap init failed
but said that the ldap ssl certificate was invalid and that I should
manually copy the cert to <ifolderserver>/ldap/_master.der. I exported
the SSL CertificateDNS and copied it to this path then did a tckeygen
(which worked this time) and everything started working. Thank you very
much for your help and patience.
Charles

Anders Gustafsson
Nov 29, 2005, 5:18:51 AM

> I was looking around in the SSL CertificateDNS object
> and realized that the public key certificate expired sometime during the
> day on 11/13/2005
>
PKIDIAG should have caught that as I suggested on Fri, 25 Nov 2005 19:50:22
GMT

charles...@metglas.com
Nov 29, 2005, 7:56:37 AM

> PKIDIAG should have caught that as I suggested on Fri, 25 Nov 2005 19:50:22
> GMT
>
Unfortunately "should have" doesn't mean it did. I ran pkidiag
at the suggestion of one of our internal netware people from
another site and it said it found and fixed two certificates.
Maybe it did, but it did nothing about the fact that the
certificates were expired. It didn't even hint at that fact.
Charles

Anders Gustafsson
Nov 29, 2005, 9:02:39 AM

> Unfortunately should have doesn't mean it did. I ran pkidiag
> at the suggestion of one of our internal netware people from
> another site and it said it found and fixed two certificates.
> Maybe it did, but it did nothing about the fact that the
> certificates were expired. It didn't even hint at that fact.
>
Odd. It has always worked in the past.

Anders Gustafsson
Oct 24, 2009, 8:42:00 AM, to Ehtkhr
> Don't forget that NW 6 and above doesn't support port 636. Only clear
> text
>
What? 6.0 and 6.5 support encrypted LDAP just fine.

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)

Novell has a new enhancement request system,
or what is now known as the requirement portal.
If customers would like to give input in the upcoming
releases of Novell products then they should go to
http://www.novell.com/rms

Peter Kuo
Oct 24, 2009, 5:27:56 PM

charles...@metglas.com wrote:

> I get nothing when I connect to
> https:\\our_ip_address:636.

Pointing an HTTP request at an LDAP port isn't going to get you very far ...


--
Peter
eDirectory Rules!
http://www.DreamLAN.com

a...@novell.com
Oct 24, 2009, 7:39:20 PM

Especially when using backslashes instead of slashes...

To test a port use a port-tester like netcat or nmap:

netcat -zv our_ip_address 636

nmap -p 636 our_ip_address

Good luck.

Peter Kuo wrote:
> charles...@metglas.com wrote:
>
>> I get nothing when I connect to
>> https:\\our_ip_address:636.
>
> Pointing an HTTP request at an LDAP port isn't going to get you very far ...
>
>

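Two checks run through this thread: whether anything is listening on 389/636 and answers a bind at all (the "Can't contact LDAP server(81)" symptom Edward and the netcat/nmap reply above are probing for), and whether the certificate behind port 636 is actually inside its validity window (the root cause Charles found, which pkidiag never flagged). Both can be done from an ordinary workstation without touching the server console. The script below is an added example, not code from this thread or from Novell. It assumes only that the server speaks LDAPv3 (RFC 4511 BER encoding) and TLS on 636; host and port are command-line arguments, the sample certificate is a constructed, certificate-shaped DER blob carrying the thread's dates rather than a real Novell certificate, and the file name ldap_probe.py is just a suggestion. One caveat: a current OpenSSL may refuse the legacy protocol versions and cipher suites a 2005-era NetWare server offers, in which case the probe fails at the TLS handshake rather than at the bind, which is itself a useful data point.

```python
"""Probe an LDAP server: is anything listening, is the TLS certificate on 636
inside its validity window, and does an anonymous bind get an answer.
Added example for the thread above; not Novell code."""
import socket
import ssl
from datetime import datetime, timezone

def _tlv(buf, pos=0):
    """Read one BER/DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def _enc(tag, value):
    """Encode one TLV with a short or long-form length."""
    if len(value) < 128:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _asn1_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der)                            # Certificate ::= SEQUENCE
    _, tbs = next(_children(cert))                    # tbsCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    (t0, nb), (t1, na) = list(_children(fields[3][1]))[:2]
    return _asn1_time(t0, nb), _asn1_time(t1, na)

def cert_valid_at(der, when):
    """True when the tz-aware datetime `when` lies inside the validity window."""
    nb, na = cert_validity(der)
    return nb <= when <= na

def bind_request(msg_id=1, dn=b"", password=b""):
    """LDAPv3 simple BindRequest (RFC 4511 4.2); empty dn and password = anonymous."""
    body = _enc(0x02, b"\x03") + _enc(0x04, dn) + _enc(0x80, password)
    return _enc(0x30, _enc(0x02, bytes([msg_id])) + _enc(0x60, body))

def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    _, msg, _ = _tlv(data)
    (_, mid), (op_tag, op) = list(_children(msg))[:2]
    if op_tag != 0x61:
        raise ValueError(f"not a BindResponse, tag 0x{op_tag:02x}")
    rc, _matched_dn, diag = [v for _, v in _children(op)][:3]
    return int.from_bytes(mid, "big"), int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")

def probe(host, port=636, tls=True, timeout=5.0):
    """Connect, fetch the server cert over TLS (deliberately unverified so an
    expired cert is reported instead of hidden behind a handshake error),
    then send an anonymous bind and decode the reply."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:                            # no listener / filtered:
        return {"reachable": False, "error": str(exc)}  # the "can't contact (81)" case
    out = {"reachable": True}
    if tls:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
        der = sock.getpeercert(binary_form=True)
        out["notBefore"], out["notAfter"] = cert_validity(der)
        out["cert_valid_now"] = cert_valid_at(der, datetime.now(timezone.utc))
    sock.sendall(bind_request())
    out["messageID"], out["resultCode"], out["diagnostic"] = parse_bind_response(sock.recv(4096))
    sock.close()
    return out

def sample_cert():
    """Constructed, certificate-shaped DER using the validity window from the
    thread (2003-11-13 to 2005-11-13). Not a real certificate: empty names, a
    stub key and signature; only the validity field carries meaning."""
    validity = _enc(0x30, _enc(0x17, b"031113000000Z") + _enc(0x17, b"051113120000Z"))
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")
           + _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"))
           + _enc(0x30, b"") + validity + _enc(0x30, b"") + _enc(0x30, b""))
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 636))
```

Run it as `python ldap_probe.py <host> 636`. A refused connection or timeout comes back as reachable=False, the same condition ap2webup reports as error 81; a listener whose certificate has expired shows cert_valid_now=False while the anonymous bind may still answer resultCode 0, which is exactly why an expired certificate breaks the SSL-only consumers (iManager, iFolder, the _master.der import) without NLDAP itself looking unhealthy. Use port 389 with tls=False to check the clear-text listener, and feed an exported RootCert.der to cert_validity() to check a certificate on disk without any network at all.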

Edward van der Maas
Oct 24, 2009, 7:51:49 PM

ehtkhr wrote:

> Don't forget that NW 6 and above doesn't support port 636. Only clear
> text

Completely incorrect. Where did you get this information from ?


--
Cheers,
Edward

a...@novell.com
Oct 24, 2009, 8:30:15 PM

Not only that, but is there a reason this is a new reply to a
multi-year-old post? Is this a troll or just somebody not reading dates?
Either way the information is wrong.

Good luck.

Edward van der Maas wrote:
> ehtkhr wrote:
>
>
>> Don't forget that NW 6 and above doesn't support port 636. Only clear
>> text
>
> Completely incorrect. Where did you get this information from ?
>
>

