LUM configuration failure on upgrade to OES23.4

Greetings,

Just finished an upgrade from OES2023 to OES23.4 and patched to OES24.1.1.  This server is our "Master" server, meaning it holds the rootCA, all of the master replicas for all of our partitions (roughly six partitions), SLP DA, main LDAP server, etc.

During the upgrade, when it got to the LUM screen where it re-configures all of the service properties, it displayed an error message.

"Unable to connect to LDAP server xxx.xxx.xxx.xxx or the specified user cn=admin,o=xxxxxxxx does not have enough privileges to configure Linux User Management. Error returned it 49:LDAP_INVALID_CREDENTIALS. Please correct the problem and re-run namconfig after the install. Other products dependant on LUM will also need to be reconfigured."

Attempting to reconfigure LUM in YaST post upgrade resulted in the same message.  Running "namconfig -k" rebuilds the certificates in /var/lib/novell-lum/, but does not resolve the issue; the namcd service has stopped, and the logs state that it cannot connect to the preferred server or the alternate servers.

I have also recreated the server certificates and checked the server's LDAP with ldapsearch tests, all without issue.  I have gone through an LDAP trace with ndstrace; the only remarkable point was disconnect error messages during the shutdown/restart of LDAP during the trace. I am "assuming" that is normal, but.....

LDAP Shut down on one connection:

3334125312 LDAP: [2024/04/11  5:53:34.806] Monitor 0xc6bab700 shutdown destroying connection 0xf65b920
3202348800 LDAP: [2024/04/11  5:53:34.806] (xxx.xxx.xxx.xxx:48916)(0x0000:0x00) nds_back_unbind: Connection 0xf65b920
3202348800 LDAP: [2024/04/11  5:53:34.806] Server closing connection 0xf65b920, reason = 52
3202348800 LDAP: [2024/04/11  5:53:34.806] (xxx.xxx.xxx.xxx:48916)(0x0000:0x77) Sending operation result 52:"":"" to connection 0xf65b920
3202348800 LDAP: [2024/04/11  5:53:34.806] (xxx.xxx.xxx.xxx:48916)(0x0000:0x00) TLS shutdown failure 5 on connection 0xf65b920, setting err = -5875. Error stack:
3202348800 LDAP: [2024/04/11  5:53:34.806] Connection 0xf65b920 closed

LDAP Start, appears well:

3267852032 LDAP: [2024/04/11  5:53:35.201] LDAP Agent for NetIQ eDirectory 9.2.8 (40209.00) started
3267852032 LDAP: [2024/04/11  5:53:35.201] Updating server configuration
3267852032 LDAP: [2024/04/11  5:53:35.201] Work info status: Total:2 Peak:2 Busy:0
2713712384 LDAP: [2024/04/11  5:53:35.374] Listener applying new configuration
2713712384 LDAP: [2024/04/11  5:53:35.374] LDAPURL: ldap://xxx.xxx.xxx.xxx:389
2713712384 LDAP: [2024/04/11  5:53:35.374] LDAPURL: ldaps://xxx.xxx.xxx.xxx:636
2713712384 LDAP: [2024/04/11  5:53:35.374] Listener setting up cleartext port 389
2713712384 LDAP: [2024/04/11  5:53:35.374] Listener setting up TLS port 636
2713712384 LDAP: [2024/04/11  5:53:35.375] SSLv3 disabled for secure LDAP connections.
2713712384 LDAP: [2024/04/11  5:53:35.375] TLSv1 disabled for secure LDAP connections.
2713712384 LDAP: [2024/04/11  5:53:35.375] TLSv1.1 disabled for secure LDAP connections.
2713712384 LDAP: [2024/04/11  5:53:35.375] TLS HIGH ciphers required for TLS connections
2713712384 LDAP: [2024/04/11  5:53:35.375] TLS initialization successfully completed
2713712384 LDAP: [2024/04/11  5:53:35.379] Server certificate or certificate(s) in the Trusted Root Container has changed
2713712384 LDAP: [2024/04/11  5:53:35.457] TLS configured successfully
2713712384 LDAP: [2024/04/11  5:53:35.457] LDAPURL: ldap://xxx.xxx.xxx.xxx:389
2713712384 LDAP: [2024/04/11  5:53:35.457] LDAPURL: ldaps://xxx.xxx.xxx.xxx:636
2713712384 LDAP: [2024/04/11  5:53:35.457] LDAPURL: ldap://xxx.xxx.xxx.xxx:389
2713712384 LDAP: [2024/04/11  5:53:35.457] LDAPURL: ldaps://xxx.xxx.xxx.xxx:636
2713712384 LDAP: [2024/04/11  5:53:35.457] Adding SASL module dependencies
2713712384 LDAP: [2024/04/11  5:53:35.457] SASL initialized successfully
2713712384 LDAP: [2024/04/11  5:53:35.457] SASL configured successfully

Current status of namcd:

systemctl status namcd.service
× namcd.service - Novell Linux User Management(LUM)
     Loaded: loaded (/usr/lib/systemd/system/namcd.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Thu 2024-04-11 07:55:01 CDT; 3min 15s ago
       Docs: man:namcd
             man:namconfig
    Process: 22587 ExecStartPre=/usr/bin/rm -f /var/lib/novell-lum/.namcdloaded (code=exited, status=0/SUCCESS)
    Process: 22588 ExecStartPre=/usr/bin/rm -f /var/lib/novell-lum/.namcdnotloaded (code=exited, status=0/SUCCESS)
    Process: 22589 ExecStartPre=/usr/bin/rm -f /var/lib/novell-lum/.group_info.* (code=exited, status=0/SUCCESS)
    Process: 22590 ExecStartPre=/usr/bin/rm -f /var/lib/novell-lum/.user_info.* (code=exited, status=0/SUCCESS)
    Process: 22591 ExecStartPre=/usr/bin/rm -f /var/lib/novell-lum/.refresh_info (code=exited, status=0/SUCCESS)
    Process: 22592 ExecStartPre=/usr/bin/rm -f /var/lib/novell-lum/.flush_check_file (code=exited, status=0/SUCCESS)
    Process: 22593 ExecStart=/usr/sbin/namcd (code=exited, status=1/FAILURE)
    Process: 22600 ExecStopPost=/usr/bin/rm -f /var/lib/novell-lum/.flush_check_file (code=exited, status=0/SUCCESS)

Apr 11 07:54:49 hcczen /usr/sbin/namcd[22594]:  main: Created PID file: /var/run/novell-lum/namcd.pid
Apr 11 07:54:49 hcczen /usr/sbin/namcd[22594]:  main: Language tables initialized
Apr 11 07:54:49 hcczen /usr/sbin/namcd[22594]:  readConfigParameter: Base context = o=hazelden
Apr 11 07:54:53 hcczen namcd[22594]:  ldap_initconn: LDAP bind failed to Preferred Server (error = [49]), trying to connect to alternative LDAP server
Apr 11 07:54:59 hcczen namcd[22594]:  ldap_initconn: Unable to bind to alternative LDAP servers either, error [49].
Apr 11 07:54:59 hcczen namcd[22594]:  main: init_pre_threads failed, err code is 206: Unknown error 206. Problem in namcd initialization, exiting...
Apr 11 07:55:01 hcczen /usr/sbin/namcd[22593]:  daemonize: Parent Process: LUM has failed to start
Apr 11 07:55:01 hcczen systemd[1]: namcd.service: Control process exited, code=exited, status=1/FAILURE
Apr 11 07:55:01 hcczen systemd[1]: namcd.service: Failed with result 'exit-code'.
Apr 11 07:55:01 hcczen systemd[1]: Failed to start Novell Linux User Management(LUM).

Any help would be appreciated...

Thanks!
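As an added illustration (not from the original post or from OES itself), a small Python triage script for namcd journal lines like the ones quoted above: it pulls the LDAP result code out of the preferred-server and alternative-server bind messages and separates an authentication refusal (49 on every server, as here, which points at the bind identity namcd uses rather than at the network or the certificates) from a reachability failure. The result-code names are the standard RFC 4511 / libldap ones; the sample input is constructed from the posted lines.

```python
import re

# Standard LDAP result codes (RFC 4511) plus the libldap client-side codes a bind
# attempt can return; only the codes needed for this triage are listed.
LDAP_CODES = {
    48: "inappropriateAuthentication", 49: "invalidCredentials",
    50: "insufficientAccessRights", 52: "unavailable",
    81: "serverDown (client-side)", 91: "connectError (client-side)",
}
CREDENTIAL_CODES = {48, 49, 50}    # the server answered and refused the identity
CONNECTIVITY_CODES = {52, 81, 91}  # the server could not be reached or would not serve

# namcd reports the two bind attempts in fixed phrasings (see the journal excerpt above).
PREFERRED_RE = re.compile(r"LDAP bind failed to Preferred Server \(error = \[(-?\d+)\]\)")
ALTERNATIVE_RE = re.compile(r"Unable to bind to alternative LDAP servers either, error \[(-?\d+)\]")

def parse_bind_failures(log_text):
    """Return [(server_role, ldap_code), ...] for each failed bind in namcd journal text."""
    failures = []
    for line in log_text.splitlines():
        if m := PREFERRED_RE.search(line):
            failures.append(("preferred", int(m.group(1))))
        elif m := ALTERNATIVE_RE.search(line):
            failures.append(("alternative", int(m.group(1))))
    return failures

def classify(failures):
    """Tell a credential problem (same identity refused everywhere) from a reachability one."""
    codes = {code for _, code in failures}
    if not codes:
        return "no-bind-failure"
    if codes <= CREDENTIAL_CODES:
        return "credentials"   # look at the bind DN/password namcd uses, not at TLS or routing
    if codes <= CONNECTIVITY_CODES:
        return "connectivity"  # look at ndsd, ports 389/636 and the path to each server
    return "mixed"

def triage(log_text):
    failures = parse_bind_failures(log_text)
    detail = ", ".join(f"{role}={code} ({LDAP_CODES.get(code, 'unknown')})" for role, code in failures)
    return classify(failures), detail

# Constructed sample: the namcd lines from the post above (hostname as posted).
SAMPLE_LOG = """\
Apr 11 07:54:53 hcczen namcd[22594]:  ldap_initconn: LDAP bind failed to Preferred Server (error = [49]), trying to connect to alternative LDAP server
Apr 11 07:54:59 hcczen namcd[22594]:  ldap_initconn: Unable to bind to alternative LDAP servers either, error [49].
Apr 11 07:54:59 hcczen namcd[22594]:  main: init_pre_threads failed, err code is 206: Unknown error 206. Problem in namcd initialization, exiting...
"""
```

Run `triage(SAMPLE_LOG)` against `journalctl -u namcd` output to get the verdict; a "credentials" verdict on every server means the LDAP servers were reached and answered, so the fix belongs with the account namcd binds as.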

  • 0  

    Is eDir running?

     #  systemctl status ndsd.service

    Can you connect to it with an LDAP client on port 636?

    What servers are listed in your /etc/nam.conf file?
      # grep server /etc/nam.conf

    And does the server have current *.der files for each of them, as seen in
      # ll /var/lib/novell-lum/

    Other LUM troubleshooting links are in both the Docs and a KB article or two (this last one is my go-to one).


    I've seen mention of moving masters off of the box on which you are doing these upgrades, which is what I've been doing.  I haven't done a box with a CA yet (aiming for that tonight).

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.

  • 0 in reply to   

    ndsd: Good

    Both LDAP ports open and responsive.

    Have already tried creating new LUM certs; nam.conf has one primary server and two alternates, and the certs get created.  What is odd is that systemctl status namcd shows it cannot connect to the preferred or alternate servers.

    Thanks for the TIDs, I like the go-to one.

  • 0   in reply to 

    Is eDir connecting to other boxes and syncing?

    #  ndsrepair -T
    #  ndsrepair -E

    Can you connect into this system's iManager? And/or do other actual LDAP browsing, such as with JXplorer?

    You reminded me to move the masters off of the box for tonight. It goes fast to select the Replica view of the destination server and just change the type there. It happens so fast compared to so many of the other replica changes.


  • Suggested Answer

    0 in reply to   

    Andy, thanks for your input and thoughts.  And again for the great go-to TID.

    Update: have been working with support, and it ended up being that I needed to run common-proxy-fix-1.6.sh.  Odd though, I just went through that with version 1.5 after a Transfer ID six months ago and it has been working fine.

    Good luck with your upgrade tonight!