dxcmd login fails, ldap and imonitor work in IDM 4.8.7 - unable to update IDM/IDV to the version 4.9

Hi,

I want to update my IDM lab to the version 4.9, but it does not work. eDir/IDV update fails.

%%% Get the administrator credentials -

Enter administrator DN for instance /etc/opt/novell/eDirectory/conf/nds.conf (e.g: cn=admin.o=administrators): cn=admin.ou=sa.o=system

Enter administrator password for instance /etc/opt/novell/eDirectory/conf/nds.conf:

Login for cn=admin.ou=sa.o=system.MY_IDM_DEMO_TREE: failed, invalid request (-641)

Bad password

but I am sure the PW was correct. Then I tried to use dxcmd to verify the password and it failed as well.

NetIQ Identity Manager Command Line Utility

version 4.8.7.0100

Copyright (c) 2023 NetIQ Corporation. All Rights Reserved

Enter user name: admin.sa.system

Enter user's password:

Logging in using:

        host: my-idm-demo/192.168.1.250:524

        user: admin.sa.system

Using NDAP protocol

novell.jclient.JCException: login -641 ERR_INVALID_REQUEST

        at novell.jclient.JCContext.login(Native Method)

        at com.novell.nds.dirxml.util.DxCommand.jclientLogin(DxCommand.java:1173)

        at com.novell.nds.dirxml.util.DxCommand.login(DxCommand.java:1121)

        at com.novell.nds.dirxml.util.DxCommand.commandLine(DxCommand.java:560)

        at com.novell.nds.dirxml.util.DxCommand.main(DxCommand.java:522)

So, it looks like the issue is in the authentication process, but I have no clue what is wrong. Login works over LDAP, and login works in iMonitor too.

Because Lothar had a similar issue a few years ago, I tried:

dxcmd -host 192.168.1.250 -user admin.sa.system -password myPassword

...but it did not work.

Any idea what's wrong?

Milan

  • Any chance there is a funny character that would break a script like & or \ in the password? Make another admin user with a simpler password and try that first?

  • No, no special characters. I also created a new "badmin" and made it a supervisor in eDir. Still, the same. I wonder whether there is a conflict in some libraries or so. I did an update from 4.8.6 to 4.8.7 first...

  • ...this is weird. Login works when I run dxcmd as a normal user.

    I put some debug messages in the dxcmd command:

    ...
    
    echo "===== DUBUG ====="
    
    echo $dirxml
    
    echo $cp
    
    echo $LD_LIBRARY_PATH
    
    $JAVA -version
    
    echo "================="
    
    ....


    ##### NOT WORKING example #####

    mf-idm-demo:~ # dxcmd
    
    ===== DUBUG =====
    
    /opt/novell/eDirectory/bin/../lib/dirxml/classes
    
    /opt/novell/eDirectory/bin/../lib/dirxml/classes/dirxml_misc.jar:/opt/novell/eDirectory/bin/../lib/dirxml/classes/nxsl.jar:/opt/novell/eDirectory/bin/../lib/dirxml/classes/xp-1.0.0.jar:/opt/novell/eDirectory/bin/../lib/dirxml/classes/ldap.jar:/opt/novell/eDirectory/bin/../lib64/jclient.jar
    
    /opt/novell/eDirectory/bin/../lib64:/opt/novell/eDirectory/bin/../lib64/nds-modules:/opt/novell/eDirectory/bin/../../lib64:/opt/novell/eDirectory/bin/../lib64/jclnt:
    
    openjdk version "11.0.19" 2023-04-18 LTS
    
    OpenJDK Runtime Environment Zulu11.64+19-CA (build 11.0.19+7-LTS)
    
    OpenJDK 64-Bit Server VM Zulu11.64+19-CA (build 11.0.19+7-LTS, mixed mode)
    
    =================
    
    
    
    NetIQ Identity Manager Command Line Utility
    
    version 4.8.7.0100
    
    Copyright (c) 2023 NetIQ Corporation. All Rights Reserved
    
    
    
    Enter user name: admin.sa.system
    
    Enter user's password:
    
    Logging in using:
    
            host: mf-idm-demo/192.168.1.250:524
    
            user: admin.sa.system
    
    Using NDAP protocol
    
    novell.jclient.JCException: login -641 ERR_INVALID_REQUEST
    
            at novell.jclient.JCContext.login(Native Method)
    
            at com.novell.nds.dirxml.util.DxCommand.jclientLogin(DxCommand.java:1173)
    
            at com.novell.nds.dirxml.util.DxCommand.login(DxCommand.java:1121)
    
            at com.novell.nds.dirxml.util.DxCommand.commandLine(DxCommand.java:560)
    
            at com.novell.nds.dirxml.util.DxCommand.main(DxCommand.java:522)

    ##### WORKING example #####

    mjuricek@mf-idm-demo:~> dxcmd
    
    ===== DUBUG =====
    
    /opt/novell/eDirectory/bin/../lib/dirxml/classes
    
    /opt/novell/eDirectory/bin/../lib/dirxml/classes/dirxml_misc.jar:/opt/novell/eDirectory/bin/../lib/dirxml/classes/nxsl.jar:/opt/novell/eDirectory/bin/../lib/dirxml/classes/xp-1.0.0.jar:/opt/novell/eDirectory/bin/../lib/dirxml/classes/ldap.jar:/opt/novell/eDirectory/bin/../lib64/jclient.jar
    
    /opt/novell/eDirectory/bin/../lib64:/opt/novell/eDirectory/bin/../lib64/nds-modules:/opt/novell/eDirectory/bin/../../lib64:/opt/novell/eDirectory/bin/../lib64/jclnt:
    
    openjdk version "11.0.19" 2023-04-18 LTS
    
    OpenJDK Runtime Environment Zulu11.64+19-CA (build 11.0.19+7-LTS)
    
    OpenJDK 64-Bit Server VM Zulu11.64+19-CA (build 11.0.19+7-LTS, mixed mode)
    
    =================
    
    
    
    NetIQ Identity Manager Command Line Utility
    
    version 4.8.7.0100
    
    Copyright (c) 2023 NetIQ Corporation. All Rights Reserved
    
    
    
    Enter user name: admin.sa.system
    
    Enter user's password:
    
    Logging in using:
    
            host: mf-idm-demo/192.168.1.250:524
    
            user: admin.sa.system
    
    Using NDAP protocol
    
    DirXML version is 4.8.7.0000 AE.
    
    Driver set driverset1.system.MF_IDM_DEMO_TREE. is associated with the server.
    
    
    
    
    
    DirXML commands
    
    
    
     1: Start driver
    
     2: Stop driver
    
     3: Driver operations...
    
     4: Driver set operations...
    
     5: Log events operations...
    
     6: Get DirXML version
    
     7: Job operations...
    
     8: Get JVM statstics
    
    99: Quit

    It looks like dxcmd is using the same variables, so I do not understand what's different and why it does not work when I am the root user.

    Any idea?

  • 641 errors seem to usually be related to functions related to IDM that are not working/supported. So if you did not install a driver on some server and make an IDM call (LDAP or NDAP) to use that function you get a 641.

    There are no major schema extensions between 4.8.6 and 4.8.7 (there must be some in 4.9 due to changes in how some passwords are stored). I would wonder if you tried a different target host, maybe it has different IDM modules loaded?

  • But it does not work when I am using root or sudo, but it works when I am logged in as a normal user. This is so weird.

  • Probably because root or sudo do not have the paths properly set? I.e., the context for users vs the context for root may have different environments... So perhaps the library path is not properly set for root? Maybe binary paths are incorrect?

    I think it was ndsstat that would update the path locally, so you might need to sudo ndsstat and then on the same command line (syntax for joining commands eludes me) execute dxcmd.

  • Enter administrator password for instance /etc/opt/novell/eDirectory/conf/nds.conf:

    Login for cn=admin.ou=sa.o=system.MY_IDM_DEMO_TREE: failed, invalid request (-641)

    Bad password

    That means that your password is wrong, it could be that it has expired, it could be that the account is locked.

    The best tool to verify the password is 'ndslogin':

    $ ndslogin admin.sa.system <enter>

    Provide password, if that does not work, then try to change the password and see if it then works.

    Otherwise have a look at "ndstrace +time +tags +nmas +auth +misc"  to see if there is something interesting being shown.

  • Is it a Docker container? They use a local user for all the nds utils.