Looks like it can't reach the LDAP source. Want to post your
/etc/nam.conf file?
Good luck.
amarsanaa wrote:
> Hello,
>
> I have OES SP2 and it has a problem with LDAP and LUM.
> It shows these errors in /var/log/messages:
>
> Sep 30 02:15:25 AAA2 sshd[9041]: _nds_ldap_init: pam_ldap_init() failed, trying to connect to the alternative LDAP server
> Sep 30 02:15:25 AAA2 sshd[9041]: PAM_NAM: _nds_ldap_init() failed to get LDAP handle for the alternative LDAP server also, error 81.
> Sep 30 02:15:25 AAA2 sshd[9041]: PAM_NAM:_nds_loginUse():_nds_ldap_init failed
> Sep 30 02:15:25 AAA2 sshd[9041]: ldapmapstatus():pam_get_data() failed
> Sep 30 02:15:25 AAA2 sshd[9041]: PAM_NAM:_nds_clear_and_exit() could not return ldap handle
> Sep 30 02:15:25 AAA2 sshd[9041]: PAM_NAM : NDS Login failed
> Sep 30 02:15:25 AAA2 sshd[8828]: error: PAM: Authentication failure for user from 10.10.10.10
>
> Any reply would be appreciated
>
>
From your LUM-enabled box get the output from the following, please:
netcat -zv 10.10.10.10 389 636
Good luck.
amarsanaa wrote:
> AAA2:/etc # more nam.conf
> base-name=o=prod
> admin-fdn=cn=admin,o=prod
> preferred-server=10.10.10.10
> num-threads=5
> schema=rfc2307
> enable-persistent-cache=YES
> user-hash-size=211
> group-hash-size=211
> persistent-cache-refresh-period=28800
> persistent-cache-refresh-flag=all
> create-home=yes
> type-of-authentication=2
> certificate-file-type=der
> ldap-ssl-port=636
> ldap-port=389
> support-alias-name=no
> support-outside-base-context=yes
>
>
I believe the following command fixes that (run as root):
namconfig -k
Good luck.
amarsanaa wrote:
> Just a follow-up.
>
> I suspect maybe the CA certificate is expired.
>
>
No luck how? Didn't run? Didn't work? Didn't change anything? What do
the log files show?
Good luck.
amarsanaa wrote:
> I tried that command. But still no luck.
>
>
Shouldn't you be specifying port 636 as well? Use netcat to verify things
are working TCP-wise and post the full command and result:
netcat -zv 10.10.10.10 389 524 636
Good luck.
amarsanaa wrote:
> After that I tried this command:
> AAA2:/ # /usr/ldaptools/bin/ldapsearch -e /var/nam/.10.10.10.10.der -h 10.10.10.10 -b "" -s base
> ldap_bind: Can't contact LDAP server
> AAA2:/
>
>
Is there a reason it is going to the alternative LDAP server vs. the
primary? That server was not in your nam.conf when you first posted so
please post it again and keep us updated with any other changes you are
making or troubleshooting could easily be invalid based on poor assumptions.
When you created your new certificate in iManager did you associate it
with your LDAP Server object replacing the old certificate value and then
restart eDirectory on that machine? Get the output from ndstrace when
trying to connect via LDAP as well as when reloading the nldap module:
sudo /opt/novell/eDirectory/bin/ndstrace
set dstrace=nodebug
dstrace +time +tags +nmas +auth +ldap
dstrace file on
set dstrace=*r
<perform connection test>
dstrace file off
exit
The ndstrace.log is, by default, in /var/opt/novell/eDirectory/log
Good luck.
amarsanaa wrote:
> I tried creating a new certificate via iManager and namconfig -k and
> restarted namcd. I still receive:
>
> Nov 19 05:18:21 AAA2 sshd[25988]: _nds_ldap_init: pam_ldap_init() failed, trying to connect to the alternative LDAP server
> Nov 19 05:18:21 AAA2 sshd[25988]: PAM_NAM: _nds_ldap_init() failed to get LDAP handle for the alternative LDAP server also, error 81.
> Nov 19 05:18:21 AAA2 sshd[25988]: PAM_NAM:_nds_loginUse():_nds_ldap_init failed
> Nov 19 05:18:21 AAA2 sshd[25988]: ldapmapstatus():pam_get_data() failed
> Nov 19 05:18:21 AAA2 sshd[25988]: PAM_NAM:_nds_clear_and_exit() could not return ldap handle
> Nov 19 05:18:21 AAA2 sshd[25988]: PAM_NAM : NDS Login failed
> Nov 19 05:18:21 AAA2 sshd[25948]: error: PAM: Authentication failure for user from 10.10.10.12
>
>
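The two checks this thread runs by hand (TCP reachability of the LDAP ports listed in nam.conf, and the suspected certificate expiry), as an added shell example that is not part of any post above and is not Novell tooling. It assumes `netcat` and `openssl` are installed and that the exported certificate sits at `/var/nam/.<preferred-server>.der`, generalised from the path quoted in the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Novell tooling): repeat the thread's manual checks from nam.conf.

# Print the value of one key from a nam.conf-style file. Only the first '='
# separates key from value, so "base-name=o=prod" yields "o=prod".
nam_get() {  # usage: nam_get KEY FILE
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# Print the host:port pairs the config points LUM at (clear-text, then SSL).
ldap_endpoints() {  # usage: ldap_endpoints FILE
    host=$(nam_get preferred-server "$1")
    for key in ldap-port ldap-ssl-port; do
        port=$(nam_get "$key" "$1")
        if [ -n "$port" ]; then echo "$host:$port"; fi
    done
}

# Classify a DER certificate: prints "valid", "expired" or "unreadable".
cert_status() {  # usage: cert_status FILE
    [ -r "$1" ] || { echo unreadable; return 0; }
    openssl x509 -inform DER -in "$1" -noout >/dev/null 2>&1 \
        || { echo unreadable; return 0; }
    # -checkend 0 exits non-zero when the notAfter date has already passed.
    if openssl x509 -inform DER -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo valid
    else
        echo expired
    fi
}

# Run every check and report; returns non-zero if anything failed.
lum_ldap_check() {  # usage: lum_ldap_check [NAM_CONF]
    conf=${1:-/etc/nam.conf}; rc=0
    for ep in $(ldap_endpoints "$conf"); do
        if netcat -z -w 5 "${ep%:*}" "${ep#*:}" >/dev/null 2>&1; then
            echo "tcp  $ep reachable"
        else
            echo "tcp  $ep NOT reachable"; rc=1
        fi
    done
    # Assumption: certificate path pattern taken from the thread's ldapsearch call.
    cert="/var/nam/.$(nam_get preferred-server "$conf").der"
    status=$(cert_status "$cert")
    echo "cert $cert $status"
    [ "$status" = valid ] || rc=1
    return $rc
}

# Run only when given a config path, e.g.:  sh lum_check.sh /etc/nam.conf
if [ $# -gt 0 ]; then lum_ldap_check "$1"; fi
```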