ScorpionSting Absent Member.

Ugh! Ugh! Ugh! 4.5 "upgrade" - script failure

When oh when will NetIQ actually release a script that is properly tested and can cope with special characters in passwords?!? It's been such an ongoing issue and is such a pain in the proverbial


Upgrading the Novell Access Manager Configuration Store:

ldap_bind: Invalid credentials (49)
additional info: NDS error: failed authentication (-669)
sed: can't read /tmp/ldif_bkp/SCCrtedff_oauth2cfg.ldif: No such file or directory
sed: can't read /tmp/ldif_bkp/SCCrtedff_oauth2cfg.ldif: No such file or directory


Unloading dstrace.

Visit my Website for links to Cool Solution articles.
0 Likes
Knowledge Partner

Re: Ugh! Ugh! Ugh! 4.5 "upgrade" - script failure

On 12-04-2019 7:26 PM, ScorpionSting wrote:
>
> When oh when will NetIQ actually release a script that is properly
> tested and can cope with special characters in passwords?!? It's been
> such an ongoing issue and is such a pain in the proverbial
>
>
> Code:
> --------------------
>
> Upgrading the Novell Access Manager Configuration Store:
>
> ldap_bind: Invalid credentials (49)
> additional info: NDS error: failed authentication (-669)
> sed: can't read /tmp/ldif_bkp/SCCrtedff_oauth2cfg.ldif: No such file or directory
> sed: can't read /tmp/ldif_bkp/SCCrtedff_oauth2cfg.ldif: No such file or directory
>
>
> Unloading dstrace.


Yeah, I had the same and my password didn't have a special character, though it has a capital in it but I didn't type it (password01 instead of
Password01) and it failed at the same point. I just reinstalled my box instead of upgrading


--
Cheers,
Edward
0 Likes
ScorpionSting Absent Member.

Re: Ugh! Ugh! Ugh! 4.5 "upgrade" - script failure

edmaa;2498261 wrote:
On 12-04-2019 7:26 PM, ScorpionSting wrote:
>
> When oh when will NetIQ actually release a script that is properly
> tested and can cope with special characters in passwords?!? It's been
> such an ongoing issue and is such a pain in the proverbial
>
>
> Code:
> --------------------
>
> Upgrading the Novell Access Manager Configuration Store:
>
> ldap_bind: Invalid credentials (49)
> additional info: NDS error: failed authentication (-669)
> sed: can't read /tmp/ldif_bkp/SCCrtedff_oauth2cfg.ldif: No such file or directory
> sed: can't read /tmp/ldif_bkp/SCCrtedff_oauth2cfg.ldif: No such file or directory
>
>
> Unloading dstrace.


Yeah, I had the same and my password didn't have a special character, though it has a capital in it but I didn't type it (password01 instead of
Password01) and it failed at the same point. I just reinstalled my box instead of upgrading


--
Cheers,
Edward


I let mine continue on....only thing that doesn't work now is Mobile Access App......but not sure if this is a change that doesn't cope with custom CA or the OAuth config change or the App is just outdated....it's the only OAuth "thing" I have

0 Likes
ScorpionSting Absent Member.

Re: Ugh! Ugh! Ugh! 4.5 "upgrade" - script failure

ScorpionSting;2498263 wrote:
I let mine continue on....only thing that doesn't work now is Mobile Access App......but not sure if this is a change that doesn't cope with custom CA or the OAuth config change or the App is just outdated....it's the only OAuth "thing" I have


Good old Sentinel....apparently there's a new URL somewhere...


GET /osp/a/t1/auth/oauth2/metadata


I thought this would be /nidp/osp

0 Likes
ScorpionSting Absent Member.

Re: Ugh! Ugh! Ugh! 4.5 "upgrade" - script failure

ScorpionSting;2498263 wrote:
I let mine continue on....only thing that doesn't work now is Mobile Access App......but not sure if this is a change that doesn't cope with custom CA or the OAuth config change or the App is just outdated....it's the only OAuth "thing" I have


Appears to be something they're trying to do with AAF config....it talks about the attribute nidsOAuth2CFGXML but it doesn't appear to exist on the old objects or new....I'm not sure what they're trying to do, but the manual steps (fixed ac_upgrade.sh script) come out as:


ids:~ # cat oauth2cfgxml.ldif
dn:cn=OAT3crz57,cn=OACqq1wa1,cn=SCCrtedff,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell
changetype: modify
delete: nidsOAuth2CFGXML


but mobile app now appears to have issues with AAF...I'm scared about logging out of my web session and trying to re-authenticate now 😞

0 Likes
ScorpionSting Absent Member.

Re: Ugh! Ugh! Ugh! 4.5 "upgrade" - script failure

edmaa;2498261 wrote:
On 12-04-2019 7:26 PM, ScorpionSting wrote:
>
> When oh when will NetIQ actually release a script that is properly
> tested and can cope with special characters in passwords?!? It's been
> such an ongoing issue and is such a pain in the proverbial
>
>
> Code:
> --------------------
>
> Upgrading the Novell Access Manager Configuration Store:
>
> ldap_bind: Invalid credentials (49)
> additional info: NDS error: failed authentication (-669)
> sed: can't read /tmp/ldif_bkp/SCCrtedff_oauth2cfg.ldif: No such file or directory
> sed: can't read /tmp/ldif_bkp/SCCrtedff_oauth2cfg.ldif: No such file or directory
>
>
> Unloading dstrace.


Yeah, I had the same and my password didn't have a special character, though it has a capital in it but I didn't type it (password01 instead of
Password01) and it failed at the same point. I just reinstalled my box instead of upgrading


--
Cheers,
Edward


SOAB!!!!

This is completely **** poor:

Line 274 of scripts/ac_upgrade.sh


oauth_path=`/opt/novell/eDirectory/bin/ldapsearch -x -D cn=admin,o=novell -w novell -b "cn=$f,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell" "(objectclass=nidsOAuthTenants)" | grep -A1 dn: | tr -d '\n' | tr -d ' ' | cut -c4-`


Notice anything wrong with that?!?!

0 Likes
Knowledge Partner

Re: Ugh! Ugh! Ugh! 4.5 "upgrade" - script failure

On 12-04-2019 9:16 PM, ScorpionSting wrote:
>
> edmaa;2498261 Wrote:
>> On 12-04-2019 7:26 PM, ScorpionSting wrote:
>>>
>>> When oh when will NetIQ actually release a script that is properly
>>> tested and can cope with special characters in passwords?!? It's been
>>> such an ongoing issue and is such a pain in the proverbial
>>>
>>>
>>> Code:
>>> --------------------
>>>
>>> Upgrading the Novell Access Manager Configuration Store:
>>>
>>> ldap_bind: Invalid credentials (49)
>>> additional info: NDS error: failed authentication (-669)
>>> sed: can't read /tmp/ldif_bkp/SCCrtedff_oauth2cfg.ldif: No such file or directory
>>> sed: can't read /tmp/ldif_bkp/SCCrtedff_oauth2cfg.ldif: No such file or directory
>>>
>>>
>>> Unloading dstrace.

>>
>> Yeah, I had the same and my password didn't have a special character, though
>> it has a capital in it but I didn't type it (password01 instead of
>> Password01) and it failed at the same point. I just reinstalled my box
>> instead of upgrading
>>
>>
>> --
>> Cheers,
>> Edward

>
> SOAB!!!!
>
> This is completely **** poor:
>
> Line 274 of scripts/ac_upgrade.sh
>
>
> Code:
> --------------------
>
> oauth_path=`/opt/novell/eDirectory/bin/ldapsearch -x -D cn=admin,o=novell -w novell -b "cn=$f,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell" "(objectclass=nidsOAuthTenants)" | grep -A1 dn: | tr -d '\n' | tr -d ' ' | cut -c4-`
>
> --------------------
>
>
> Notice anything wrong with that?!?!


LOL....clearly someone didn't particularly test that very well 🙂 It explains the password failure...glad it wasn't me


--
Cheers,
Edward
0 Likes
ScorpionSting Absent Member.

Re: Ugh! Ugh! Ugh! 4.5 "upgrade" - script failure

ScorpionSting;2498255 wrote:
When oh when will NetIQ actually release a script that is properly tested and can cope with special characters in passwords?!? It's been such an ongoing issue and is such a pain in the proverbial


Upgrading the Novell Access Manager Configuration Store:

ldap_bind: Invalid credentials (49)
additional info: NDS error: failed authentication (-669)
sed: can't read /tmp/ldif_bkp/SCCrtedff_oauth2cfg.ldif: No such file or directory
sed: can't read /tmp/ldif_bkp/SCCrtedff_oauth2cfg.ldif: No such file or directory


Unloading dstrace.


Script is:


/opt/novell/eDirectory/bin/ice -v -C -n -S LDAP -v -L ${CA_CERT} -s "${DS_SERVER_ADDR}" -p "${DS_LDAP_PORT_SSL}" -d "${DS_ADMIN_DN}" -w "${DS_ADMIN_PWD}" -b ${oauth_path} -a nidsOAuth2CFGXML -c base -D LDIF -v -f ${backupfile} >> "$EDIR_INSTALL_LOG" 2>&1

sed -i "1,2d" ${backupfile}
sed -i "s#changetype: add#changetype: modify\nreplace: nidsOAuth2CFGXML#" ${backupfile}

#delete the nidsOAuth2CFGXML attribute value
/opt/novell/eDirectory/bin/ldapsearch -x -D "${DS_ADMIN_DN}" -w "${DS_ADMIN_PWD}" -b "cn=$f,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell" "(objectclass=nidsOAuthTenants)" | grep -A1 dn: | tr -d '\n' | tr -d ' ' >> oauth2cfgxml.ldif
echo " " >> oauth2cfgxml.ldif
echo "changetype: modify" >> oauth2cfgxml.ldif
echo "delete: nidsOAuth2CFGXML" >> oauth2cfgxml.ldif
/opt/novell/eDirectory/bin/ldapmodify -D "${DS_ADMIN_DN}" -w "${DS_ADMIN_PWD}" -f oauth2cfgxml.ldif >> "$EDIR_INSTALL_LOG" 2>&1


I'm going to try manual

0 Likes
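
The failure chain in this thread (a bind that fails, an empty `oauth_path`, then `sed` on a file that was never written) can be stopped at the first step. The block below is an added example, not code from NetIQ or from any poster: `fake_ldapsearch`, `first_dn_from_ldif`, `find_oauth_path` and `STORED_PWD` are hypothetical names, and the stand-in search function with its LDIF output is constructed so the block runs offline.

```shell
#!/bin/sh
STORED_PWD='this$is$it'   # constructed sample password, not a real credential

# Constructed stand-in for ldapsearch so the example runs offline: it "binds"
# only when the value after -w equals STORED_PWD, then prints a folded LDIF dn.
fake_ldapsearch() {
  pw=
  while [ $# -gt 0 ]; do
    if [ "$1" = "-w" ]; then pw=$2; fi
    shift
  done
  if [ "$pw" != "$STORED_PWD" ]; then
    echo "ldap_bind: Invalid credentials (49)" >&2
    return 49
  fi
  printf '%s\n' \
    'dn: cn=OAT3crz57,cn=OACqq1wa1,cn=SCCrtedff,cn=cluster,cn=nids,ou=accessManag' \
    ' erContainer,o=novell' \
    'objectClass: nidsOAuthTenants'
}

# Unfold LDIF continuation lines (leading space) and print the first DN only.
first_dn_from_ldif() {
  awk '
    /^ / { cur = cur substr($0, 2); next }
         { if (cur ~ /^dn: /) { print substr(cur, 5); hit = 1; exit } cur = $0 }
    END  { if (!hit && cur ~ /^dn: /) print substr(cur, 5) }'
}

# Run the search given as arguments. A failed bind or an empty result stops
# here, so no later sed/ldapmodify step ever sees an empty path.
find_oauth_path() (
  if ! ldif=$("$@"); then
    echo "search failed, configuration store left untouched" >&2
    exit 1
  fi
  dn=$(printf '%s\n' "$ldif" | first_dn_from_ldif)
  if [ -z "$dn" ]; then
    echo "no nidsOAuthTenants entry found" >&2
    exit 2
  fi
  printf '%s\n' "$dn"
)

# Quoted expansion hands the password to the tool byte for byte.
DS_ADMIN_PWD=$STORED_PWD
find_oauth_path fake_ldapsearch -x -D "cn=admin,o=novell" -w "$DS_ADMIN_PWD"
# A hard-coded password that no longer matches is caught instead of ignored.
find_oauth_path fake_ldapsearch -x -D "cn=admin,o=novell" -w novell ||
  echo "aborted with status $?"
```

In a pipeline such as the one quoted from line 274, the shell reports the exit status of the last command (`cut`), so the failed bind is invisible unless the search result is captured and checked on its own as done here.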
Knowledge Partner

Re: Ugh! Ugh! Ugh! 4.5 "upgrade" - script failure

Nice digging. Is it safe to assume your special character was a
dollar-sign? It should be pretty easy for them to fix that. Give it a
shot and we can report a bug with the solution attached:


DS_ADMIN_DN="${DS_ADMIN_DN//$/\\$}";


Put it anywhere before the password is actually used and it should escape
things.


> PWD='this$is$it';
> PWD="${PWD//$/\\$}";
> echo ${PWD};

this\$is\$it


Also, technically they should handle Bash specials in any variable where
they should not be interpreted as just basic sanity checking, else
somebody could do all kinds of interesting things in passwords (e.g.
"password$(rm -rf /)here").

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
0 Likes
ScorpionSting Absent Member.

Re: Ugh! Ugh! Ugh! 4.5 "upgrade" - script failure

ab;2498273 wrote:
Nice digging. Is it safe to assume your special character was a
dollar-sign? It should be pretty easy for them to fix that. Give it a
shot and we can report a bug with the solution attached:


DS_ADMIN_DN="${DS_ADMIN_DN//$/\\$}";


Put it anywhere before the password is actually used and it should escape
things.


> PWD='this$is$it';
> PWD="${PWD//$/\\$}";
> echo ${PWD};

this\$is\$it


Also, technically they should handle Bash specials in any variable where
they should not be interpreted as just basic sanity checking, else
somebody could do all kinds of interesting things in passwords (e.g.
"password$(rm -rf /)here").

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.


Wasn't actually "coping with special characters" as the problem, was just bad bad bad development - see https://forums.novell.com/showthread.php/511944-Ugh%21-Ugh%21-Ugh%21-4-5-upgrade-script-failure?p=2498266#post2498266

0 Likes
dvandermaas1 Absent Member.

Re: Ugh! Ugh! Ugh! 4.5 "upgrade" - script failure

It gets even worse, it actually loses configuration after this. Started a new thread https://forums.novell.com/showthread.php/512132-Upgrade-NAM-4-4-4-to-NAM-4-5-fails-configuration-lost?p=2499212#post2499212

The Network lives on patches, re-configurations and caffeine. One Net, One Engineer, One Coffee Brand.
0 Likes
dvandermaas1 Absent Member.

Re: Ugh! Ugh! Ugh! 4.5 "upgrade" - script failure

Just got word back, the customer center download contains a new build (191).
This should get rid of the bug in the ag_update.sh. Going to install now ...

0 Likes