Identity Console - LDAP Password Error

Hi, I have installed an Identity Console (without OSP Integration for start) but get the following error when starting the service (seen in edirapi.log)

{"ldapBind":"cn=svc-eDir-Admin1,ou=eDir,o=System","ldapServer":"MyServer:636","level":"fatal","msg":"LDAP Result Code 206 \"Empty password not allowed by the client\": ldap: empty password not allowed by the client","time":"Tuesday, 09-Nov-21 18:40:10 CET"}

I did set the password with 

su - nds -c "LD_LIBRARY_PATH=/opt/novell/lib64/:/opt/novell/eDirectory/lib64/:/opt/netiq/common/openssl/lib64/ /opt/novell/eDirAPI/sbin/passwdstore -a cn=svc-eDir-Admin1,ou=eDir,o=System -w Password"

Successfully written the password of svc-edir-admin1,edir,system to the local secret config file

and I see some files in /var/opt/novell/nici/<ID where nds:nds is owner>/

  • Is it OK that passwdstore confirms in typeless LDAP (looks strange)
  • How can I verify if I have a stored password for my User DN?
    • Are there some nici tools I can use to query the secret files?
    • How can I remove a password entry from the secret files?
    • How can I update my password in the secret files?
  • What else can I do or check to make my config work? For now, the service won't start:

systemctl status netiq-identityconsole.service

netiq-identityconsole.service - Identity Console service
Loaded: loaded (/usr/lib/systemd/system/netiq-identityconsole.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2021-11-09 18:40:10 CET; 7s ago
Process: 5518 ExecStart=/opt/novell/eDirAPI/sbin/edirapi -config /etc/opt/novell/eDirAPI/conf/edirapi.conf (code=exited, status=1/FAILURE)
Main PID: 5518 (code=exited, status=1/FAILURE)

Nov 09 18:40:10 sranel151 systemd[1]: Started Identity Console service.
Nov 09 18:40:10 sranel151 systemd[1]: netiq-identityconsole.service: Main process exited, code=exited, status=1/FAILURE
Nov 09 18:40:10 sranel151 systemd[1]: netiq-identityconsole.service: Unit entered failed state.
Nov 09 18:40:10 sranel151 systemd[1]: netiq-identityconsole.service: Failed with result 'exit-code'.

Thanks in advance

Steffen

  • The above error seems to go along with this error message, seen when starting the service via su - nds and /opt/novell/eDirAPI/sbin/edirapi -config /etc/opt/novell/eDirAPI/conf/edirapi.conf:

    panic: runtime error: makeslice: len out of range

    goroutine 1 [running]:
    edirapi/localsecret.GetLocalSecret(0xc0000aea60, 0x1b, 0xc0000aea60, 0x1b)
    /home/n4u_cm/jenkins4/workspace/edirapi_trunk-5XGEFNAY22VID53QLQWBWFQ6AJIVJG6A5IP4GZN36OXRVXSDRULQ/build/src/edirapi/localsecret/localsecret.go:97 +0x10c
    edirapi/handlers/schema.InitializeSchemaConnection()
    /home/n4u_cm/jenkins4/workspace/edirapi_trunk-5XGEFNAY22VID53QLQWBWFQ6AJIVJG6A5IP4GZN36OXRVXSDRULQ/build/src/edirapi/handlers/schema/attributesHandler.go:100 +0x269
    main.common(0x89116d, 0x0, 0x0)
    /home/n4u_cm/jenkins4/workspace/edirapi_trunk-5XGEFNAY22VID53QLQWBWFQ6AJIVJG6A5IP4GZN36OXRVXSDRULQ/build/src/edirapi/main_common.go:301 +0x199
    main.main()
    /home/n4u_cm/jenkins4/workspace/edirapi_trunk-5XGEFNAY22VID53QLQWBWFQ6AJIVJG6A5IP4GZN36OXRVXSDRULQ/build/src/edirapi/main_linux.go:55 +0xd9

  • Did you ever get any answer on your password error?

    I did a fresh install of Identity Console and I'm getting an LDAP password error as well, but it looks like invalid credentials (-669).  I was pretty sure I put them in right.  I tried to use passwdstore to set it again and I verified the password using ldapsearch.  So I opened a case.  And get this.  Support says there is NO WAY to change the password of the account used for Identity Console.  You must UNINSTALL the product and then REINSTALL it.  Seriously?  Whose ingenious design was that one?  Can anyone confirm?

    Also, what exact rights does this user need?  There is nothing in the documentation on it.

    I've installed it a few time elsewhere and so far I'm pretty underwhelmed by Identity Console.  But Micro Focus is sending end of life emails about iManager out so I think we're going to have to use it.

    Matt

  • Matt,

    Could you please share the support ticket number with me over email?

    Abhishek