
Re: LDAP initialization errors


a...@novell.com

Nov 5, 2009, 1:37:26 PM

A lot of work has been done, unfortunately, without necessity. Still,
good job for at least trying. This limits the potential issues to just a
couple hopefully.

First, never remove LDAP and then install it again via the
nwconfig/install stuff. It used to be separate from eDirectory but is no
longer. As a result a new system should "just work" barring issues with
dependencies like PKI (you mentioned the CA was broken and have already
recreated that so hopefully all is well there now).

The part of the installation that you must do from ConsoleOne (or
iManager) involves linking the two LDAP objects (Server and Group) to
each other. Each one references the other. Also there should be an
ldapConfigVersion attribute (as I recall... see the TIDs for details) on
each that should match one another. My guess is these are not there or
are not the same on both objects. Either that or the group does not refer
to the server or vice versa.

Good luck.


cybermanonline wrote:
> My viewing of this forum and the web suggests that LDAP can be a
> bugger. Here is my plight:
>
> It started with Ldap failed to initialize within apache. Then I
> discovered the CA was not able to create KMO's and cleared this by
> deleting CA; Deleted CertificateIP/DNS, LDAP Group/LDAP server, and
> recreated each.
>
> Still got the "could not initialize LDAP" message, then I proceeded to
> remove apache, iFolder, tomcat, LDAP, Novell Certificate Server, reboot
> the server, and then reinstall everything but iFolder.
>
> During the LDAP install it did state that ConsoleOne would be needed to
> complete the installation; however, apache was able to load without any
> errors. I then recreated CertificateIP/DNS, LDAP Group/LDAP server.
>
> Unloaded Nldap and reloaded Nldap but it said OK. However, performing
> DStrace renders errors (see below). In addition tckeygen renders the
> following error:
>
> Error importing certificate to keystore: sys:\asminsrv\conf\.keystore
> com.novell.ecb.commandexception: connection refused
>
> In addition, LDAP is not listed as listening on ports 389/636 in
> tcpcon
>
> DStrace log:
>
> LDAP Agent for Novell eDirectory 8.8 SP5 (20219.14) stopped
> Could not read LDAP Server name in ValidateLDAPObjects on iteration 2,
> err = no such attribute (-603)
> Could not validate Group in ReadConfigFromDS, err = no such attribute
> (-603)
> Could not update server configuration, err = no such attribute (-603)
> Could not read LDAP Server name in ValidateLDAPObjects on iteration 2,
> err = no such attribute (-603)
> Could not validate Group in ReadConfigFromDS, err = no such attribute
> (-603)
> Could not update server configuration, err = no such attribute (-603)
> Could not read LDAP Server name in ValidateLDAPObjects on iteration 2,
> err = no such attribute (-603)
> Could not validate Group in ReadConfigFromDS, err = no such attribute
> (-603)
>
> I would like to sleep in peace tonight...Thank You.
>
>
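One way to verify the two conditions the reply above describes (each of the LDAP Server and LDAP Group objects refers to the other, and their ldapConfigVersion values match) from an LDIF export of the two objects, as an added example that is not part of this thread and not Novell's code. ldapConfigVersion is the attribute named in the reply; the two cross-reference attribute names ldapGroupDN and ldapServerList are assumptions and should be confirmed against the eDirectory schema and the TIDs mentioned. The DNs and LDIF samples are constructed.

```python
"""Added example: consistency check for an eDirectory LDAP Server / LDAP Group
object pair, read from a minimal LDIF export (e.g. ldapsearch or a ConsoleOne
export). Not code from the thread or from Novell."""
from collections import defaultdict

# ldapConfigVersion is named in the reply; the two cross-reference attribute
# names are ASSUMPTIONS, check them against your schema / TID.
SERVER_TO_GROUP_ATTR = "ldapGroupDN"
GROUP_TO_SERVER_ATTR = "ldapServerList"
VERSION_ATTR = "ldapConfigVersion"

# Constructed sample DNs and LDIF (not from the thread).
SERVER_DN = "cn=LDAP Server - srv1,o=acme"
GROUP_DN = "cn=LDAP Group - srv1,o=acme"

GOOD_LDIF = f"""\
dn: {SERVER_DN}
{SERVER_TO_GROUP_ATTR}: {GROUP_DN}
{VERSION_ATTR}: 12

dn: {GROUP_DN}
{GROUP_TO_SERVER_ATTR}: {SERVER_DN}
{VERSION_ATTR}: 12
"""

# Broken pair: the group lost its back-reference and the versions drifted.
BAD_LDIF = f"""\
dn: {SERVER_DN}
{SERVER_TO_GROUP_ATTR}: {GROUP_DN}
{VERSION_ATTR}: 12

dn: {GROUP_DN}
{VERSION_ATTR}: 11
"""


def parse_ldif(text):
    """Parse simple LDIF (no base64 '::' values, no folded lines) into
    {dn: {attr_lowercase: [values]}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = defaultdict(list)
            entries[value] = current
        elif current is not None:
            current[name].append(value)
    return entries


def _norm_dn(dn):
    """Case- and whitespace-insensitive key for comparing DNs."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def check_ldap_pair(entries, server_dn, group_dn):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    server = entries.get(server_dn)
    group = entries.get(group_dn)
    if server is None:
        return [f"LDAP Server object not found: {server_dn}"]
    if group is None:
        return [f"LDAP Group object not found: {group_dn}"]

    # 1. Server -> Group reference
    refs = [_norm_dn(v) for v in server.get(SERVER_TO_GROUP_ATTR.lower(), [])]
    if _norm_dn(group_dn) not in refs:
        problems.append(f"server does not reference the group via {SERVER_TO_GROUP_ATTR}")

    # 2. Group -> Server reference
    members = [_norm_dn(v) for v in group.get(GROUP_TO_SERVER_ATTR.lower(), [])]
    if _norm_dn(server_dn) not in members:
        problems.append(f"group does not list the server in {GROUP_TO_SERVER_ATTR}")

    # 3. ldapConfigVersion present on both objects and equal
    sv = server.get(VERSION_ATTR.lower())
    gv = group.get(VERSION_ATTR.lower())
    if not sv or not gv:
        problems.append(f"{VERSION_ATTR} missing on {'server' if not sv else 'group'}")
    elif sv != gv:
        problems.append(f"{VERSION_ATTR} differs: server={sv[0]} group={gv[0]}")
    return problems


if __name__ == "__main__":
    for label, ldif in (("good", GOOD_LDIF), ("bad", BAD_LDIF)):
        print(label, check_ldap_pair(parse_ldif(ldif), SERVER_DN, GROUP_DN) or "OK")
```

A missing or mismatched attribute reported here is the kind of state that shows up in dstrace as "no such attribute (-603)" while the agent validates its objects, so running the check on an export is quicker than re-reading the trace after every reload.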

a...@novell.com

Nov 5, 2009, 5:14:54 PM

This section implies that whatever you tried to do (bind anonymously) worked:

<quote>
New TLS connection 0x8a03e060 from 127.0.0.1:1073, monitor = 0x35f,
index = 1
Monitor 0x35f initiating TLS handshake on connection 0x8a03e060
DoTLSHandshake on connection 0x8a03e060
BIO ctrl called with unknown cmd 7
Completed TLS handshake on connection 0x8a03e060
DoBind on connection 0x8a03e060
Treating simple bind with empty DN and no password as anonymous
Bind name:NULL, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x8a03e060
Monitor 0x35f found connection 0x8a03e060 ending TLS session
DoUnbind on connection 0x8a03e060
Connection 0x8a03e060 closed
</quote>

Maybe that was tckeygen that did that and if that is the case then that
means things are good. Try a good LDAP browser (Apache Directory Studio is
good, as is LDAP Browser/Editor (LBE, the freeware Java-based application)
2.8.x).

Good luck.

cybermanonline wrote:
> Ok I've gotten further by:
>
>
> Deleted CA/CertIP/CertDNS/LDAP Server-Group. Recreated CA,
> Pkidiag,tckeygen, fresh LDAP server/group, exporting CA and importing
> via Console one.
>
> However, I still get this (LDAP dstrace):
>
> Waiting for 0 worker threads, 1 monitor threads, and 2 misc threads to
> terminate
> Connector thread 0x19a terminated
> Background thread 0x18c terminated
> Monitor 0x1c5 terminating
> Listener closing cleartext port 389
> Listener closing TLS port 636
> Removing TLS module dependencies
> Removing SASL module dependencies
> Deallocating list of search rewriter callbacks
> Deallocating list of computed attribute evaluators
> Deallocating list of value translation callbacks
>
> LDAP Agent for Novell eDirectory 8.8 SP5 (20219.14) stopped
>
> Waiting for 0 worker threads, 1 monitor threads, and 2 misc threads to
> terminate
> Connector thread 0x116 terminated
> Background thread 0x114 terminated
> Monitor 0x17c shutdown destroying connection 0xa18751c0
> Server closing connection 0xa18751c0, reason = 52
> Sending operation result 52:"":"" to connection 0xa18751c0
> TLS shutdown failure 5 on connection 0xa18751c0, setting err = -5875.
> Error stack:
> Connection 0xa18751c0 closed
> Monitor 0x17c shutdown destroying connection 0xa1875320
> Server closing connection 0xa1875320, reason = 52
> Sending operation result 52:"":"" to connection 0xa1875320
> TLS shutdown failure 5 on connection 0xa1875320, setting err = -5875.
> Error stack:
> Connection 0xa1875320 closed
> Monitor 0x17c shutdown destroying connection 0xa0a95480
> Server closing connection 0xa0a95480, reason = 52
> Sending operation result 52:"":"" to connection 0xa0a95480
> TLS shutdown failure 5 on connection 0xa0a95480, setting err = -5875.
> Error stack:
> Connection 0xa0a95480 closed
> Monitor 0x17c shutdown destroying connection 0xa0a95320
> Server closing connection 0xa0a95320, reason = 52
> Sending operation result 52:"":"" to connection 0xa0a95320
> TLS shutdown failure 5 on connection 0xa0a95320, setting err = -5875.
> Error stack:
> Connection 0xa0a95320 closed
> Monitor 0x17c terminating
> Listener closing cleartext port 389
> Listener closing TLS port 636
> Removing TLS module dependencies
> Removing SASL module dependencies
> Deallocating list of search rewriter callbacks
> Deallocating list of computed attribute evaluators
> Deallocating list of value translation callbacks
>
> LDAP Agent for Novell eDirectory 8.8 SP5 (20219.14) stopped
>
> NDS attribute "NSCP:memberCertificateDesc" does not exist, mapping
> ignored
> NDS attribute "staticMember" does not exist, mapping ignored
> NDS class 'NSCP:mailGroup1' does not exist, mapping ignored
> NDS class 'NSCP:mailGroup1' does not exist, mapping ignored
> LDAP Agent for Novell eDirectory 8.8 SP5 (20219.14) started
> Updating server configuration
> Work info status: Total:2 Peak:2 Busy:0
> Thread pool status: Total:2 Peak:2 Busy:2
> Listener applying new configuration
> LDAPURL: ldap://:389
> Listener setting up cleartext port 389
> LDAPURL: ldaps://:636
> Listener setting up TLS port 636
> TLS EXPORT ciphers or higher required for TLS connections
> TLS initialization sucessfully completed
> TLS configured successfully
> Adding SASL module dependencies
> SASL initialized successfully
> SASL configured successfully
> Work info status: Total:2 Peak:0 Busy:0
> Thread pool status: Total:2 Peak:2 Busy:2
> Work info status: Total:1 Peak:0 Busy:0
> Thread pool status: Total:2 Peak:2 Busy:2
> Created new monitor 0x0
> Monitor 0x35f started
> New TLS connection 0x8a03e060 from 127.0.0.1:1072, monitor = 0x35f,
> index = 1
> Monitor 0x35f initiating TLS handshake on connection 0x8a03e060
> DoTLSHandshake on connection 0x8a03e060
> BIO ctrl called with unknown cmd 7
> Completed TLS handshake on connection 0x8a03e060
> DoBind on connection 0x8a03e060
> Treating simple bind with empty DN and no password as anonymous
> Bind name:NULL, version:3, authentication:simple
> Sending operation result 0:"":"" to connection 0x8a03e060
> TLS read failure 5 on connection 0x8a03e060, setting err = -5875. Error
> stack:
> Monitor 0x35f found connection 0x8a03e060 socket failure, err = -5875,
> 0 of 0 bytes read
> Monitor 0x35f initiating close for connection 0x8a03e060
> Server closing connection 0x8a03e060, socket error = -5875
> Connection 0x8a03e060 closed
> New TLS connection 0x8a03e060 from 127.0.0.1:1073, monitor = 0x35f,
> index = 1
> Monitor 0x35f initiating TLS handshake on connection 0x8a03e060
> DoTLSHandshake on connection 0x8a03e060
> BIO ctrl called with unknown cmd 7
> Completed TLS handshake on connection 0x8a03e060
> DoBind on connection 0x8a03e060
> Treating simple bind with empty DN and no password as anonymous
> Bind name:NULL, version:3, authentication:simple
> Sending operation result 0:"":"" to connection 0x8a03e060
> Monitor 0x35f found connection 0x8a03e060 ending TLS session
> DoUnbind on connection 0x8a03e060
> Connection 0x8a03e060 closed
> Work info status: Total:1 Peak:1 Busy:0
> Thread pool status: Total:4 Peak:4 Busy:3
> Work info status: Total:1 Peak:0 Busy:0
> Monitor 0x35f terminating
> Thread pool status: Total:4 Peak:3 Busy:3
>
> What is the missing link?
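The two things the replies read out of the dstrace output, the "no such attribute (-603)" configuration errors in the first post and the anonymous bind that returns result 0 in this one, can be pulled out mechanically. Below is an added example, not code from the thread or from Novell, that triages a dstrace excerpt: it collects configuration errors, the listeners that came up, and a per-connection outcome (TLS handshake, anonymous bind, clean unbind versus a TLS read failure). The sample trace is constructed from the lines quoted in the thread with the wrapped lines joined; like the real trace it reuses the same connection handle after a close, which the parser handles by starting a new record on each "New ... connection" line.

```python
"""Added example: triage of eDirectory LDAP agent dstrace output.
Not code from the thread or from Novell."""
import re

HANDLE = r"(?P<h>0x[0-9a-fA-F]+)"
CONFIG_ERR = re.compile(r"^Could not .*err = (?P<msg>.+?) \((?P<code>-?\d+)\)")
LISTEN = re.compile(r"Listener setting up (?P<kind>cleartext|TLS) port (?P<port>\d+)")
NEW_CONN = re.compile(rf"New (?P<kind>TLS|cleartext) connection {HANDLE} from (?P<peer>[\d.]+:\d+)")
HANDSHAKE = re.compile(rf"Completed TLS handshake on connection {HANDLE}")
DO_BIND = re.compile(rf"DoBind on connection {HANDLE}")
ANON_BIND = "Treating simple bind with empty DN and no password as anonymous"
RESULT = re.compile(rf'Sending operation result (?P<code>\d+):"[^"]*":"[^"]*" to connection {HANDLE}')
TLS_FAIL = re.compile(rf"TLS (?:read|shutdown) failure \d+ on connection {HANDLE}, setting err = (?P<err>-?\d+)")
UNBIND = re.compile(rf"DoUnbind on connection {HANDLE}")

# Constructed excerpt modelled on the dstrace lines quoted in the thread;
# wrapped lines are joined and the second connection reuses the handle.
SAMPLE_TRACE = """\
Could not read LDAP Server name in ValidateLDAPObjects on iteration 2, err = no such attribute (-603)
Could not validate Group in ReadConfigFromDS, err = no such attribute (-603)
LDAP Agent for Novell eDirectory 8.8 SP5 (20219.14) started
Listener setting up cleartext port 389
Listener setting up TLS port 636
New TLS connection 0x8a03e060 from 127.0.0.1:1072, monitor = 0x35f, index = 1
Completed TLS handshake on connection 0x8a03e060
DoBind on connection 0x8a03e060
Treating simple bind with empty DN and no password as anonymous
Sending operation result 0:"":"" to connection 0x8a03e060
TLS read failure 5 on connection 0x8a03e060, setting err = -5875. Error stack:
Connection 0x8a03e060 closed
New TLS connection 0x8a03e060 from 127.0.0.1:1073, monitor = 0x35f, index = 1
Completed TLS handshake on connection 0x8a03e060
DoBind on connection 0x8a03e060
Treating simple bind with empty DN and no password as anonymous
Sending operation result 0:"":"" to connection 0x8a03e060
DoUnbind on connection 0x8a03e060
Connection 0x8a03e060 closed
"""


def triage_dstrace(text):
    """Return {'config_errors': [(code, msg)], 'listening': {port: kind},
    'connections': [record, ...]} for one dstrace excerpt."""
    out = {"config_errors": [], "listening": {}, "connections": []}
    live = {}          # handle -> current record (handles get reused)
    last_bind = None   # handle of the latest DoBind; the anonymous line has no handle
    for raw in text.splitlines():
        line = raw.strip()
        if (m := CONFIG_ERR.match(line)):
            out["config_errors"].append((int(m["code"]), m["msg"]))
        elif (m := LISTEN.search(line)):
            out["listening"][int(m["port"])] = m["kind"]
        elif (m := NEW_CONN.search(line)):
            rec = {"handle": m["h"], "peer": m["peer"], "kind": m["kind"],
                   "handshake_done": m["kind"] != "TLS", "bind_seen": False,
                   "anonymous": False, "bind_result": None,
                   "tls_error": None, "clean_unbind": False}
            live[m["h"]] = rec          # fresh record even if the handle was seen before
            out["connections"].append(rec)
        elif (m := HANDSHAKE.search(line)) and m["h"] in live:
            live[m["h"]]["handshake_done"] = True
        elif (m := DO_BIND.search(line)) and m["h"] in live:
            live[m["h"]]["bind_seen"] = True
            last_bind = m["h"]
        elif line == ANON_BIND and last_bind in live:
            live[last_bind]["anonymous"] = True
        elif (m := RESULT.search(line)) and m["h"] in live:
            rec = live[m["h"]]
            if rec["bind_seen"] and rec["bind_result"] is None:
                rec["bind_result"] = int(m["code"])   # first result after the bind
        elif (m := TLS_FAIL.search(line)) and m["h"] in live:
            live[m["h"]]["tls_error"] = int(m["err"])
        elif (m := UNBIND.search(line)) and m["h"] in live:
            live[m["h"]]["clean_unbind"] = True
    return out


def verdict(rec):
    """One-line reading of a connection record."""
    if rec["kind"] == "TLS" and not rec["handshake_done"]:
        return "TLS handshake never completed"
    if rec["bind_result"] is None:
        return "no bind result seen"
    if rec["bind_result"] != 0:
        return f"bind failed with result {rec['bind_result']}"
    who = "anonymous" if rec["anonymous"] else "authenticated"
    if rec["clean_unbind"]:
        return f"{who} bind OK, clean unbind"
    if rec["tls_error"] is not None:
        return f"{who} bind OK, then client dropped TLS (err {rec['tls_error']})"
    return f"{who} bind OK, connection still open"


if __name__ == "__main__":
    r = triage_dstrace(SAMPLE_TRACE)
    for code, msg in r["config_errors"]:
        print(f"config error {code}: {msg}")
    print("listening:", r["listening"])
    for rec in r["connections"]:
        print(rec["handle"], rec["peer"], "->", verdict(rec))
```

Result 0 on an anonymous bind, which the reply reads as "things are good", shows that the listener, the TLS handshake and the agent's configuration read all work; it says nothing about authenticated binds, so an LDAP browser bind with real credentials is still the right next check. The -5875 read failure after the first bind is the client tearing the TLS session down, which a keystore import tool such as tckeygen may do, and is unrelated to the -603 errors that stop the agent. The trace also records a cipher floor of "TLS EXPORT ciphers or higher"; export-grade suites are far below what any directory reachable over a network should accept today.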

a...@novell.com

Nov 5, 2009, 6:56:27 PM

Did you restart Tomcat after running tckeygen? Does iManager Workstation
2.7 SP3 work and, after installing the Universal Password plugins and
applying a UP policy to a user, can you set the UP?

Good luck.

cybermanonline wrote:
> Unfortunately, I still can not run iManager. Any thoughts? Thx

a...@novell.com

Nov 5, 2009, 11:53:25 PM

I'm glad to hear it is working. As a note iManager on Linux does not have
the certificate fun you went through for the connection back to eDirectory
so hopefully that hiccup will be avoided. Also fixing your CA/PKI stuff
is done with the `ndsconfig upgrade` command on its own so that is also
much easier now.

Good luck.

cybermanonline wrote:
> AB,
>
> I want to thank you for your support. After working with the certs, I
> reloaded iManager on the server and things are working smoothly
> again. I usually would start a server fresh but this was definitely a good
> exercise as we move to Suse from 6.5 spk8.
