Novell EDIRECTORY 8.8 Troubleshooting Manual

Novell eDirectory
8.8
September 30, 2005
www.novell.com
TROUBLESHOOTING GUIDE
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2005 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A.
Online Documentation: To access the online documentation for this and other Novell products, and to get updates, see www.novell.com/documentation.
Novell Trademarks
Client32 is a trademark of Novell, Inc.
eDirectory is a trademark of Novell, Inc.
NetWare is a registered trademark of Novell, Inc. in the United States and other countries.
NetWare Core Protocol and NCP are trademarks of Novell, Inc.
NMAS is a trademark of Novell, Inc.
Novell is a registered trademark of Novell, Inc. in the United States and other countries.
Novell Client is a trademark of Novell, Inc.
Novell Directory Services and NDS are registered trademarks of Novell, Inc. in the United States and other countries.
Ximian is a registered trademark of Novell, Inc. in the United States and other countries.
ZENworks is a registered trademark of Novell, Inc. in the United States and other countries.
Third-Party Materials
All third-party trademarks are the property of their respective owners.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org).
Contents
About This Book
1 Resolving Error Codes
2 Installation and Configuration
Installation
Installation Not Successful
Installation Takes a Long Time
eDirectory Install Fails for Container Administrators
Unable to Install into an Existing Tree over the WAN
NICI Installation Failed - 1497
Naming Objects
NICI Does Not Get Installed in the Server Mode on Windows
Configuration
Tree Name Lookup Failed: -632 Error While Configuring eDirectory 8.8 on Linux
Multiple Instances
If the First Instance is Down, HTTP Does Not Work
3 Determining the eDirectory Version Number
NetWare
Windows
Linux
Solaris
AIX
HP-UX
4 Log Files
modschema.log
dsinstall.log
5 Troubleshooting LDIF Files
Understanding LDIF
LDIF File Format
LDIF Content Records
LDIF Change Records
Line Folding within LDIF Files
Hashed Password Representation in LDIF Files
Debugging LDIF Files
Enabling Forward References
Checking the Syntax of LDIF Files
Using the LDIF Error File
Using LDAP SDK Debugging Flags
Using LDIF to Extend the Schema
Adding a New Object Class
Adding a New Attribute
Adding or Removing Auxiliary Classes
6 Troubleshooting SNMP
Traps Might Not Get Generated As Expected
SNMP Group Object
SNMP Initializing Errors
SNMP Subagent Does Not Start
SNMP on Linux
SNMP on HP-UX
Error while Contacting the SNMP Master Agent from the MIB Browser
Problems Configuring NET-SNMP-5.0.8
Problems Configuring the NAA Agent
Unable to Get the SNMP Query Result from the MIB Browser
Traps are Not Received at the SNMP Console or the MIB Browser
SNMP Issues After Upgrading from eDirectory 8.7.3 to eDirectory 8.8
7 Obituaries
Examples
Deleting an Object
Moving an Object
Impact of Stuck and Orphaned Obituaries
Prevention
Troubleshooting Tips
Solutions
Previous Practices
8 Migrating to Novell eDirectory
Migrating the Sun ONE Schema to Novell eDirectory
Step 1: Perform the Schema Cache Update Operation
Step 2: Rectify the Error LDIF File to Eliminate the Errors
Step 3: Import the LDIF File
Migrating the Active Directory Schema to Novell eDirectory Using ICE
Step 1: Perform the Schema Cache Update Operation
Step 2: Rectify the Error LDIF File to Eliminate the Errors
Step 3: Import the LDIF File
Migrating from OpenLDAP to Novell eDirectory
Prerequisites
Migrating the OpenLDAP Schema to eDirectory
Migrating the Open LDAP Data to Novell eDirectory
Making PAM Work with Novell eDirectory After Migration
9 Replication
Recovering from eDirectory Replica Problems
10 Novell Public Key Infrastructure Services
PKI Operations Not Working
LDAP Search from Netscape Address Book Fails
Removing the configuration of an eDirectory server that is acting as a treekey server in a multiserver tree after having moved the existing eDirectory objects to a different server fails with the error code for Crucial Replica
While Uninstalling the eDirectory Server holding the CA, the KMOs created on that server will be moved to another server in the tree and become invalid
11 Troubleshooting Utilities on Linux and UNIX
Novell Import Convert Export Utility
ndsmerge Utility
ndstrace Utility
ndsbackup Utility
Using Ndsrepair
Syntax
Troubleshooting ndsrepair
Using ndstrace
Basic Functions
Debugging Messages
Background Processes
12 NMAS on Linux and UNIX
Unable to Log In Using Any Method
The User Added Using the ICE Utility Is Unable to Log In Using Simple Password
13 Troubleshooting on Windows
The eDirectory for Windows Server Won't Start
The Windows Server Can't Open the eDirectory Database Files
Restoring eDirectory on Windows after an Emergency Repair
14 Accessing HTTPSTK When DS Is Not Loaded
Setting the SAdmin Password on NetWare
Setting the SAdmin Password on Windows
Setting the SAdmin Password on Linux, Solaris, AIX, and HP-UX
15 Encrypting Data in eDirectory
Error Messages
-6090 0xFFFFE836 ERR_ER_DISABLED
-6089 0xFFFFE837 ERR_REQUIRE_SECURE_ACCESS
-666 FFFFFD66 INCOMPATIBLE NDS VERSION
Problem With Duplicate Encryption Algorithms
Encryption of Stream Attributes
16 The eDirectory Management Toolbox
Unable to Stop the eMTool Services
17 SASL-GSSAPI
Log File Locations
Error Messages
18 Miscellaneous
Backing Up a Container
Repeated eDirectory Logins
NDS Error, System Failure (-632) Occurs When Doing ldapsearch for the User Objects
Disabling SecretStore
On Linux and UNIX
On NetWare
On Windows
About This Book
This Installation Guide describes how to install Novell® eDirectory™ 8.8. It is intended for network administrators, and contains the following sections:
Chapter 1, “Resolving Error Codes”
Chapter 2, “Installation and Configuration”
Chapter 3, “Determining the eDirectory Version Number”
Chapter 4, “Log Files”
Chapter 5, “Troubleshooting LDIF Files”
Chapter 6, “Troubleshooting SNMP”
Chapter 7, “Obituaries”
Chapter 8, “Migrating to Novell eDirectory”
Chapter 9, “Replication”
Chapter 10, “Novell Public Key Infrastructure Services”
Chapter 11, “Troubleshooting Utilities on Linux and UNIX”
Chapter 12, “NMAS on Linux and UNIX”
Chapter 13, “Troubleshooting on Windows”
Chapter 14, “Accessing HTTPSTK When DS Is Not Loaded”
Chapter 15, “Encrypting Data in eDirectory”
Chapter 16, “The eDirectory Management Toolbox”
Chapter 17, “SASL-GSSAPI”
Chapter 18, “Miscellaneous”
Additional Documentation
For documentation on managing and administering eDirectory, see the Novell eDirectory 8.8 Administration Guide (http://www.novell.com/documentation/edir88/index.html).
Documentation Updates
For the most recent version of the Novell eDirectory 8.8 Installation Guide, see the Novell eDirectory 8.8 Documentation (http://www.novell.com/documentation/edir88/index.html) Web site.
Documentation Conventions
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items within a cross-reference path.
A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash. Users of platforms that require a forward slash, such as Linux and UNIX*, should use forward slashes as required by your software.
1 Resolving Error Codes
For a complete list and explanation of eDirectory error codes, see the Novell Error Codes Web
page (http://www.novell.com/documentation/lg/nwec/index.html).
2 Installation and Configuration
“Installation”
“Configuration”
“Multiple Instances”
Installation
Installation Not Successful
Check for the following error message in the /var/adm/messages directory:
Unable to bind to SLP Multicast Address. Multicast route not added?
This message is displayed if the Linux or Solaris machine is not configured for a multicast route address.
Add the multicast route address and restart the slpuasa daemon.
If the -632: Error description System failure error message appears during installation, exit from the installation process.
Set the n4u.base.slp.max-wait parameter to a larger value, such as 50, in the /etc/opt/novell/eDirectory/conf/nds.conf file, then restart the installation process.
If you are installing eDirectory into a NetWare 5.1 tree, upgrade the eDirectory Master to NetWare 5.1 Support Pack 5 or later.
For more information, see “Installing or Upgrading Novell eDirectory on NetWare” in the Novell eDirectory 8.8 Installation Guide.
If you tried to upgrade an eDirectory for Solaris 2.0 installation and it was not successful, the installation might not complete the second time.
Delete the /var/nds/.n4s_upgrade file and try the installation again.
During installation, if the Tree Name Not Found error message is displayed, do the following:
1 Check whether multicast routing is enabled on the Solaris host that you are installing the product on.
2 Specify the IP address of the master server of the Tree partition.
Installation Takes a Long Time
When you are installing eDirectory into an existing tree and the installation takes a long time to complete, look at the DSTrace screen on the server. If the -625 Transport failure message is displayed, you need to reset the address cache.
To reset the address cache, enter the following command at the system console:
set dstrace = *A
eDirectory Install Fails for Container Administrators
The eDirectory 8.8 installation program supports installations by administrators who have supervisor rights to the container that the server resides in. To handle this, the first server that eDirectory 8.8 is installed into must have supervisor rights to [Root] to extend the schema. From that point on, subsequent servers do not need rights to [Root]. However, with eDirectory 8.8, depending on the platform that eDirectory 8.8 is installed on first, the schema might not be fully extended, requiring supervisor rights to [Root] for subsequent server installations on different platforms.
If eDirectory 8.8 will be installed on multiple platforms, make sure that you have supervisor rights to [Root] for the first server eDirectory will be installed on for EACH platform. For example, if the first server that eDirectory 8.8 is going to be installed on is running NetWare, and eDirectory 8.8 will also be installed on Solaris, the first server for each platform must have supervisor rights to [Root]. Subsequent servers on each platform will only have to have container administrator rights to the container where the server is being installed.
For additional information, see solution NOVL81742 (http://support.novell.com/cgi-bin/search/searchtid.cgi?/10073723.htm) in the Novell eDirectory 8.7.x Readme Addendum.
Unable to Install into an Existing Tree over the WAN
You need a NetWare 5 or later server to install eDirectory on a Linux or Solaris system over the WAN.
1 Enter the following command at the server console to run the Directory Agent (DA) on the NetWare server:
slpda
2 On the server containing the master replica, edit the DA_ADDR parameter in slpuasa.conf:
DA_ADDR = IP_address_of_the_NetWare_server_where_the_DA_is_running
3 Restart the slpuasa daemon.
4 Install eDirectory over the WAN on the Linux or Solaris system.
4a Run nds-install to add the product packages.
Do not configure the product. See “Linux, Solaris, AIX, and HP-UX Packages for Novell eDirectory” in the Novell eDirectory 8.8 Installation Guide for more information.
4b Edit the /etc/opt/novell/eDirectory/conf/nds.conf and add the following parameters:
n4u.uam.ncp-retries = 5
n4u.base.slp.max-wait = 20
4c Edit the /etc/slpuasa.conf to add the following parameter:
DA_ADDR = IP_address_of_the_NetWare_server_where_the_DA_is_running
4d Run ndsconfig to configure eDirectory.
NICI Installation Failed - 1497
A NICI initialization failure means that the NFK file is not correct. Ensure that you have the correct NFK file. This problem might not occur on Linux and UNIX platforms because, by default, the NFK file is part of the NICI package.
Naming Objects
When you use special characters while naming objects, the -671 No Such Parent error message appears. Avoid using any of the following special characters when naming objects:
\ / , * ? .
NICI Does Not Get Installed in the Server Mode on Windows
In the Properties dialog box of the NICIFK file there is a tab called Security. If there are no names in the Group or user names field, then this issue occurs.
To work around this problem, do the following:
1 Remove the NICIFK file.
This is present in C:/Windows/system32/novell/nici if the system root is C:/Windows/system32. If the system root is F:/Windows/system32 then this file is present in F:/Windows/system32/novell/nici.
2 Install eDirectory.
Configuration
Tree Name Lookup Failed: -632 Error While Configuring eDirectory 8.8 on Linux
While configuring eDirectory 8.8 on Linux, you might get the Tree name lookup failed: -632 error. To resolve this, do the following:
1 After installing the SLP package, ensure that you manually start SLP as follows:
/etc/init.d/slpuasa start
2 After uninstalling the SLP package, ensure that you manually stop SLP as follows:
/etc/init.d/slpuasa stop
Multiple Instances
If the First Instance is Down, HTTP Does Not Work
On Linux and UNIX platforms, if eDirectory is configured on a machine with multiple NICs and HTTP is bound to more than one interface, HTTP is not accessible from the remaining interfaces when the first interface goes down.
This is because the remaining interfaces will redirect the request to the first one, but the first interface is down.
To resolve this issue, if the first interface goes down, restart eDirectory.
3 Determining the eDirectory Version Number
The following sections list ways you can determine the version of eDirectory installed on a server:
“NetWare”
“Windows”
“Linux”
“Solaris”
“AIX”
“HP-UX”
NetWare
Run ds.nlm, or any other .nlm.
At the server console, enter ds.nlm. This displays both the marketing string (for example, Novell eDirectory 8.7) and the internal build number (for example, DS v10410.xx).
Run iMonitor.
On the Agent Summary page, click Known Servers. Then under Servers Known to Database, click Known Servers. The Agent Revision column displays the internal build number for each server. For example, an Agent Revision number for Novell eDirectory 8.7.1 might be 10510.64.
For information on running iMonitor, see “Accessing iMonitor” in the Novell eDirectory 8.8 Administration Guide.
Run nwconfig.
At the server console, enter nwconfig, then select Product Info. If the install registered eDirectory (which it does with NDS® eDirectory 8.5 and later), this will display what was registered during the install. This is typically a hybrid of marketing and build numbers. For example, you might see marketing version eDir 8.5 and build version 85.01.
LDAP shows configuration through DSTrace.
This is true for most utilities (for example, DSRepair or DSMerge) as they load. This method will display the internal build number.
For more information on DSTrace, see Looking Into the Directory Services Trace (DSTrace) Options (http://developer.novell.com/research/sections/netmanage/dirprimer/2001/august/spv.htm) and More on Using the DSTrace Command (http://developer.novell.com/research/sections/netmanage/dirprimer/2001/septembe/p010901.htm).
Read the eDirectory download filename.
The eDirectory download filename usually matches the marketing string. For example, the download filename for Novell eDirectory 8.7.1 is edir871.exe.
Enter version at a console prompt.
This will display the eDirectory version.
Windows
Run iMonitor.
On the Agent Summary page, click Known Servers. Then under Servers Known to Database, click Known Servers. The Agent Revision column displays the internal build number for each server. For example, an Agent Revision number for Novell eDirectory 8.7.1 might be 10510.64.
For information on running iMonitor, see “Accessing iMonitor” in the Novell eDirectory 8.8 Administration Guide.
Run NDSCons.exe.
In the Windows Control Panel, double-click Novell eDirectory Services. In the Services column, select ds.dlm, then click Configure. The Agent tab displays both the marketing string (for example, Novell eDirectory 8.7.1) and the internal build number (for example, 10510.64).
Run an eDirectory utility.
Most eDirectory utilities have an About option on their Help menu that displays the version number of the utility (for example, Merge Graft Utility 10510.35). Some utilities include the internal build version in the main label of the utility (for example, DSRepair - Version 10510.37).
To load an eDirectory utility (such as DSMerge or DSRepair), double-click Novell eDirectory Services in the Windows Control Panel. In the Services column, select the utility, then click Start.
View the properties of an eDirectory .dlm file.
Right-click the .dlm in Windows Explorer, then click the Version tab in the Properties dialog box. This will display the version number of the utility. The default location for eDirectory .dlm files is C:\novell\NDS.
Linux
Run ndsstat.
The ndsstat utility displays information related to eDirectory servers, such as the eDirectory tree name, the fully distinguished server name, and the eDirectory version. In the following example, eDirectory 8.7.1 is the product version (marketing string), and 10510.65 is the binary version (internal build number).
osg-dt-srv17:/>ndsstat
Tree Name: SNMP-HPUX-RASH
Server Name: .CN=osg-dt-srv17.O=novell.T=SNMP-HPUX-RASH.
Binary Version: 10510.65
Root Most Entry Depth: 0
Product Version: NDS/Unix - NDS eDirectory v8.7.1 [DS]
For information on running ndsstat, see “Novell eDirectory Linux and UNIX Commands and Usage” in the Novell eDirectory 8.8 Administration Guide, or the ndsstat man page (ndsstat.1m).
Run ndsd --version.
For information on running ndsd, see “Novell eDirectory Linux and UNIX Commands and Usage” in the Novell eDirectory 8.8 Administration Guide, or the ndsd man page (ndsd.1m).
Run iMonitor.
On the Agent Summary page, click Known Servers. Then under Servers Known to Database, click Known Servers. The Agent Revision column displays the internal build number for each server. For example, an Agent Revision number for Novell eDirectory 8.7.1 might be 10510.64.
For information on running iMonitor, see “Accessing iMonitor” in the Novell eDirectory 8.8 Administration Guide.
Run rpm -qi NDSserv.
Entering this command will display similar information to ndsd --version.
Solaris
Run ndsstat.
The ndsstat utility displays information related to eDirectory servers, such as the eDirectory tree name, the fully distinguished server name, and the eDirectory version. In the following example, eDirectory 8.7.1 is the product version (marketing string), and 10510.65 is the binary version (internal build number).
osg-dt-srv17:/>ndsstat
Tree Name: SNMP-HPUX-RASH
Server Name: .CN=osg-dt-srv17.O=novell.T=SNMP-HPUX-RASH.
Binary Version: 10510.65
Root Most Entry Depth: 0
Product Version: NDS/Unix - NDS eDirectory v8.7.1 [DS]
For information on running ndsstat, see “Novell eDirectory Linux and UNIX Commands and Usage” in the Novell eDirectory 8.8 Administration Guide, or the ndsstat man page (ndsstat.1m).
Run ndsd --version.
For information on running ndsd, see “Novell eDirectory Linux and UNIX Commands and Usage” in the Novell eDirectory 8.8 Administration Guide, or the ndsd man page (ndsd.1m).
Run iMonitor.
On the Agent Summary page, click Known Servers. Then under Servers Known to Database, click Known Servers. The Agent Revision column displays the internal build number for each server. For example, an Agent Revision number for Novell eDirectory 8.7.1 might be 10510.64.
For information on running iMonitor, see “Accessing iMonitor” in the Novell eDirectory 8.8 Administration Guide.
Run pkginfo -l NDSserv.
Entering this command will display similar information to ndsd --version.
AIX
Run ndsstat.
The ndsstat utility displays information related to eDirectory servers, such as the eDirectory tree name, the fully distinguished server name, and the eDirectory version. In the following example, eDirectory 8.7.1 is the product version (marketing string), and 10510.65 is the binary version (internal build number).
osg-dt-srv17:/>ndsstat
Tree Name: SNMP-HPUX-RASH
Server Name: .CN=osg-dt-srv17.O=novell.T=SNMP-HPUX-RASH.
Binary Version: 10510.65
Root Most Entry Depth: 0
Product Version: NDS/Unix - NDS eDirectory v8.7.1 [DS]
For information on running ndsstat, see “Novell eDirectory Linux and UNIX Commands and Usage” in the Novell eDirectory 8.8 Administration Guide, or the ndsstat man page (ndsstat.1m).
Run ndsd --version.
For information on running ndsd, see “Novell eDirectory Linux and UNIX Commands and Usage” in the Novell eDirectory 8.8 Administration Guide, or the ndsd man page (ndsd.1m).
Run iMonitor.
On the Agent Summary page, click Known Servers. Then under Servers Known to Database, click Known Servers. The Agent Revision column displays the internal build number for each server. For example, an Agent Revision number for Novell eDirectory 8.7.1 might be 10510.64.
For information on running iMonitor, see “Accessing iMonitor” in the Novell eDirectory 8.8 Administration Guide.
HP-UX
Run ndsstat.
The ndsstat utility displays information related to eDirectory servers, such as the eDirectory tree name, the fully distinguished server name, and the eDirectory version. In the following example, eDirectory 8.7.1 is the product version (marketing string), and 10510.65 is the binary version (internal build number).
osg-dt-srv17:/>ndsstat
Tree Name: SNMP-HPUX-RASH
Server Name: .CN=osg-dt-srv17.O=novell.T=SNMP-HPUX-RASH.
Binary Version: 10510.65
Root Most Entry Depth: 0
Product Version: NDS/Unix - NDS eDirectory v8.7.1 [DS]
For information on running ndsstat, see “Novell eDirectory Linux and UNIX Commands and Usage” in the Novell eDirectory 8.8 Administration Guide, or the ndsstat man page (ndsstat.1m).
Run ndsd --version.
For information on running ndsd, see “Novell eDirectory Linux and UNIX Commands and Usage” in the Novell eDirectory 8.8 Administration Guide, or the ndsd man page (ndsd.1m).
Run iMonitor.
On the Agent Summary page, click Known Servers. Then under Servers Known to Database, click Known Servers. The Agent Revision column displays the internal build number for each server. For example, an Agent Revision number for Novell eDirectory 8.7.1 might be 10510.64.
For information on running iMonitor, see “Accessing iMonitor” in the Novell eDirectory 8.8 Administration Guide.
4 Log Files
This section contains information on the following log files:
“modschema.log”
“dsinstall.log”
modschema.log
The modschema.log file contains the results of all schema extensions that are applied when an eDirectory server is installed into an existing tree. Each line of the log states which class or attribute is being added or modified and gives the status of the modification attempt.
This log is created or overwritten each time the install process is run, so it only represents the results of the last attempt. In addition to the eDirectory schema extensions, this log contains the results of any other schema extensions (such as LDAP or SAS) applied by the DSINSTALL front end prior to adding the new eDirectory server.
This log will not be generated when a standalone server is installed or if the version of the target server is NDS 7.01 or later.
dsinstall.log
The first part of the log lists environment variables that are set. The second part contains status messages documenting the eDirectory installation process.
5 Troubleshooting LDIF Files
The Novell Import Conversion Export utility lets you easily import LDIF files into and export LDIF files from eDirectory. For more information, see “Novell Import Conversion Export Utility” in the Novell eDirectory 8.8 Administration Guide.
In order for an LDIF import to work properly, you must start with an LDIF file that the Novell Import Conversion Export utility can read and process. This section describes the LDIF file format and syntax and provides examples of correct LDIF files.
“Understanding LDIF”
“Debugging LDIF Files”
“Using LDIF to Extend the Schema”
Understanding LDIF
LDIF is a widely used file format that describes directory information or modification operations that can be performed on a directory. LDIF is completely independent of the storage format used within any specific directory implementation, and is typically used to export directory information from and import data to LDAP servers.
LDIF File Format
LDIF is usually easy to generate. This makes it possible to use tools like awk or perl to move data from a proprietary format into an LDAP directory. You can also write scripts to generate test data in LDIF format.
Novell Import Conversion Export imports require LDIF 1 formatted files. The following are the basic rules for an LDIF 1 file:
The first noncomment line must be version: 1.
A series of one or more records follows the version.
Each record is composed of fields, one field per line.
Lines are separated by either a new line or a carriage return/new line pair.
Records are separated by one or more blank lines.
There are two distinct types of LDIF records: content records and change records. An LDIF file can contain an unlimited number of records, but they all must be of the same type. You can't mix content records and change records in the same LDIF file.
Any line beginning with the pound sign (#) is a comment and is ignored when processing the LDIF file.
LDIF Content Records
An LDIF content record represents the contents of an entire entry. The following is an example of an LDIF file with four content records:
1 version: 1
2 dn: c=US
3 objectClass: top
4 objectClass: country
5
6 dn: l=San Francisco, c=US
7 objectClass: top
8 objectClass: locality
9 st: San Francisco
10
11 dn: ou=Artists, l=San Francisco, c=US
12 objectClass: top
13 objectClass: organizationalUnit
14 telephoneNumber: +1 415 555 0000
15
16 dn: cn=Peter Michaels, ou=Artists, l=San Francisco, c=US
17 sn: Michaels
18 givenname: Peter
19 objectClass: top
20 objectClass: person
21 objectClass: organizationalPerson
22 objectClass: iNetOrgPerson
23 telephonenumber: +1 415 555 0001
24 mail: Peter.Michaels@aaa.com
25 userpassword: Peter123
26
This LDIF file is composed of the following parts:
Component
    Description
Version Specifier
    The first line of an LDIF file contains the version. Zero or more spaces are allowed between the colon and the version number, which is currently defined to be 1.
    If the version line is missing, any application processing the LDIF file is allowed to assume that the file is version 0. It's also possible that the LDIF file could be rejected as syntactically incorrect. Novell utilities that process LDIF assume a file version of 0 when the version line is missing.
Distinguished Name Specifier
    The first line of every content record (lines 2, 6, 11, and 16 in the example above) specifies the DN of the entry that it represents.
    The DN specifier must take one of the following two forms:
    dn: safe_UTF-8_distinguished_name
    dn:: Base64_encoded_distinguished_name
Line Delimiters
    The line separator can be either a line feed or a carriage return/line feed pair. This resolves a common incompatibility between Linux and Solaris text files, which use a line feed as the line separator, and MS-DOS* and Windows text files, which use a carriage return/line feed pair as the line separator.
Record Delimiters
    Blank lines (lines 5, 10, 15, and 26 in the example above) are used as record delimiters.
    Every record in an LDIF file including the last record must be terminated with a record delimiter (one or more blank lines). Although some implementations will silently accept an LDIF file without a terminating record delimiter, the LDIF specification requires it.
Attribute Value Specifier
    All other lines in a content record are value specifiers. Value specifiers must take one of the following three forms:
    Attribute description: value
    Attribute description:: Base64_encoded_value
    Attribute description: < URL
LDIF Change Records
LDIF change records contain modifications to be made to a directory. Any of the LDAP update operations (add, delete, modify, and modify DN) can be represented in an LDIF change record.
LDIF change records use the same format for the distinguished name specifier, attribute value specifier, and record delimiter as LDIF content records. (See “LDIF Content Records” for more information.) The presence of a changetype field is what distinguishes an LDIF change record from an LDIF content record. A changetype field identifies the operation specified by the change record.
A changetype field can take one of the following five forms:
Form
    Description
changetype: add
    A keyword indicating that the change record specifies an LDAP add operation.
changetype: delete
    A keyword indicating that the change record specifies an LDAP delete operation.
changetype: moddn
    A keyword indicating that the change record specifies an LDAP modify DN operation if the LDIF processor is bound to the LDAP server as a version 3 client or a modify RDN operation if the LDIF processor is bound to the LDAP server as a version 2 client.
changetype: modrdn
    A synonym for the moddn change type.
changetype: modify
    A keyword indicating that the change record specifies an LDAP modify operation.
The Add Change Type
An add change record looks just like a content record (see “LDIF Content Records”) with the addition of the changetype: add field immediately before any attribute value fields.
All records must be the same type. You can't mix content records and change records.
version: 1
dn: c=US
changetype: add
objectClass: top
objectClass: country

dn: l=San Francisco, c=US
changetype: add
objectClass: top
objectClass: locality
st: San Francisco

dn: ou=Artists, l=San Francisco, c=US
changetype: add
objectClass: top
objectClass: organizationalUnit
telephoneNumber: +1 415 555 0000

dn: cn=Peter Michaels, ou=Artists, l=San Francisco, c=US
changetype: add
sn: Michaels
givenname: Peter
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: iNetOrgPerson
telephonenumber: +1 415 555 0001
mail: Peter.Michaels@aaa.com
userpassword: Peter123

The Delete Change Type
Because a delete change record specifies the deletion of an entry, the only fields required for a delete change record are the distinguished name specifier and a delete change type.
The following is an example of an LDIF file used to delete the four entries created by the LDIF file shown in “The Add Change Type”.
IMPORTANT: To delete entries you have previously added, reverse the order of the entries. If you don’t do this, the delete operation fails because the container entries are not empty.
version: 1
dn: cn=Peter Michaels, ou=Artists, l=San Francisco, c=US
changetype: delete

dn: ou=Artists, l=San Francisco, c=US
changetype: delete

dn: l=San Francisco, c=US
changetype: delete

dn: c=US
changetype: delete

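The following Python check is an added example, not part of the Novell guide or of the Import Conversion Export utility. It tests a file against the LDIF 1 rules listed under “LDIF File Format” and flags delete records that remove a container before its children. The name lint_ldif, its messages, and the BAD sample are constructed for illustration, and the DN comparison is simplified.

```python
import re

CHANGETYPES = {"add", "delete", "moddn", "modrdn", "modify"}
FIELD = re.compile(r"([A-Za-z0-9;.-]+)(::?) *(.*)")  # description, ':' or '::', value

def lint_ldif(text):
    """Return the problems found in an LDIF 1 file; an empty list means clean."""
    # LF and CR/LF are both legal line delimiters; lines starting with '#' are comments.
    body = "\n".join(l for l in text.replace("\r\n", "\n").split("\n") if l[:1] != "#")
    problems = []
    if not body.endswith("\n\n"):
        problems.append("last record is not terminated by a blank line")
    lines = body.strip("\n").split("\n")
    if re.fullmatch(r"version: *1 *", lines[0]):
        lines.pop(0)
    else:
        problems.append("first noncomment line must be 'version: 1'")
    records = [r for r in re.split(r"\n{2,}", "\n".join(lines).strip("\n")) if r]
    kinds, deleted = set(), []
    for n, rec in enumerate(records, 1):
        # A lone '-' ends one modification inside a modify record; it is not a field.
        fields = [FIELD.fullmatch(l) for l in rec.split("\n") if l != "-"]
        if not fields or None in fields or fields[0].group(1).lower() != "dn":
            problems.append(f"record {n}: must start with dn: and hold only fields")
            continue
        # Simplified DN comparison: ignores escaped commas and Base64 (dn::) values.
        dn = ",".join(p.strip() for p in fields[0].group(3).lower().split(","))
        names = [f.group(1).lower() for f in fields]
        if "changetype" not in names:
            kinds.add("content")
            continue
        kinds.add("change")
        ctype = fields[names.index("changetype")].group(3).strip().lower()
        if ctype not in CHANGETYPES:
            problems.append(f"record {n}: unknown changetype '{ctype}'")
        if ctype == "delete":
            if any(dn.endswith("," + parent) for parent in deleted):
                problems.append(f"record {n}: parent of {dn} is deleted first")
            deleted.append(dn)
    if len(kinds) > 1:
        problems.append("content records and change records are mixed")
    return problems

# Constructed sample: container deleted before its child; no final blank line.
BAD = ("version: 1\ndn: ou=Artists, l=San Francisco, c=US\nchangetype: delete\n\n"
       "dn: cn=Peter Michaels, ou=Artists, l=San Francisco, c=US\nchangetype: delete\n")

if __name__ == "__main__":
    print("\n".join(lint_ldif(BAD)))
```

Running the same function over the four-record delete file shown above returns an empty list, because each child is deleted before its container and the last record ends with a blank line.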
The Modify Change Type
The modify change type lets you specify the addition, deletion, and replacement of attribute values for an entry that already exists. Modifications take one of the following three forms:
Element
    Description
add: attribute type
    A keyword indicating that subsequent attribute value specifiers for the attribute type should be added to the entry.
delete: attribute type
    A keyword indicating that values of the attribute type are to be deleted. If attribute value specifiers follow the delete field, the values given are deleted.
    If no attribute value specifiers follow the delete field, then all values are deleted. If the attribute has no values, this operation will fail, but the desired effect will still be achieved because the attribute had no values to be deleted.
replace: attribute type
    A keyword indicating that the values of the attribute type are to be replaced. Any attribute value specifiers that follow the replace field become the new values for the attribute type.
    If no attribute value specifiers follow the replace field, the current set of values is replaced with an empty set of values (which causes the attribute to be removed). Unlike the delete modification specifier, if the attribute has no values, the replace will still succeed. The net effect in both cases is the same.
The following is an example of a modify change type that will add an additional telephone number to the cn=Peter Michaels entry.
version: 1
dn: cn=Peter Michaels, ou=Artists, l=San Francisco, c=US
changetype: modify
# add the telephone number to cn=Peter Michaels
add: telephonenumber
telephonenumber: +1 415 555 0002

Just as you can combine a mixture of modifications in a single LDAP modify request, you can specify multiple modifications in a single LDIF record. A line containing only the hyphen (-) character is used to mark the end of the attribute value specifications for each modification specifier.
The following example LDIF file contains a mixture of modifications:
version: 1

# An empty line to demonstrate that one or more
# line separators between the version identifier
# and the first record is legal.

dn: cn=Peter Michaels, ou=Artists, l=San Francisco, c=US
changetype: modify
# Add an additional telephone number value.
add: telephonenumber
telephonenumber: +1 415 555 0002
-
# Delete the entire facsimiletelephonenumber attribute.
delete: facsimileTelephoneNumber
-
# Replace the existing description (if any exists)