Anonymous_User Absent Member.
955 views

bidirectional eDirectory Driver - Protocol Error


Hi all,

I'm currently having trouble with the bidirectional eDirectory
driver.

My driver is configured to connect to an eDirectory server using SSL,
accepting every server certificate (dev server).

When I try to start it, the driver immediately stops, showing me a
"Protocol Error" in the log file.
Looking for a solution, I saw that I had forgotten to install the ChangeLog
RPM on the connected system.

In order to do that, I stopped ndsd, installed the RPM (I had to
use --replacefiles because there was a conflict with DXMLEvents) and
restarted the ndsd service.

After that, the problem is still the same. I tried to install the RPM on
the IDM server too, but didn't have any more success.

Here is the part of the logfile showing the error:


Code:
--------------------
DirXML Log Event -------------------
Driver: \BLG-QUALTREE\system\DriverSet\Bi-directional eDirectory
Channel: Publisher
Status: Fatal
Message: Protocol Error
[12/06/13 10:06:06.308]:edirectory-bi PT:
DirXML Log Event -------------------
Driver: \BLG-QUALTREE\system\DriverSet\Bi-directional eDirectory
Channel: Publisher
Status: Fatal
Message: Code(-9005) The driver returned a "fatal" status indicating that the driver should be shut down. Detail from driver: Protocol Error<application>DirXML</application>
<module>Bi-directional eDirectory</module>
<object-dn></object-dn>
<component>Publisher</component>
[12/06/13 10:06:06.309]:edirectory-bi PT:Killing driver from publisher thread; after PublicationShim.start().
[12/06/13 10:06:06.309]:edirectory-bi PT:Requesting termination.
[12/06/13 10:06:06.312]:edirectory-bi PT:Ending publisher thread.
[12/06/13 10:06:06.335]:edirectory-bi ST:Leaving event loop.
[12/06/13 10:06:06.335]:edirectory-bi ST:Shutting down DirXML driver \BLG-QUALTREE\system\DriverSet\Bi-directional eDirectory.
[12/06/13 10:06:06.335]:edirectory-bi ST:Bi-directional eDirectory: DriverShim.shutdown()
[12/06/13 10:06:06.335]:edirectory-bi ST:Bi-directional eDirectory: EDIRPublicationShim.stop()
[12/06/13 10:06:06.335]:edirectory-bi ST:Bi-directional eDirectory: EdirPublisher.stop()
[12/06/13 10:06:06.335]:edirectory-bi ST:Bi-directional eDirectory: EdirPublisher.stop() : Thread is waiting, publisher can send last successful ChangeNumber if any
[12/06/13 10:06:06.839]:edirectory-bi ST:Bi-directional eDirectory: EdirPublisher.stop() : Unexpected error occured while stopping driver. Reason : Protocol Error
[12/06/13 10:06:06.839]:edirectory-bi ST:Bi-directional eDirectory: Cleaning up auto keystore : eDir2eDir-CE251421-83AC-4662-6386-211425CEAC83.keystore
[12/06/13 10:06:06.840]:edirectory-bi ST:Bi-directional eDirectory: SubShim.stop()
[12/06/13 10:06:06.840]:edirectory-bi ST:Bi-directional eDirectory: EDIRSub.stop()
[12/06/13 10:06:06.841]:edirectory-bi ST:DriverShim.shutdown() returned
--------------------



Thank you in advance!


--
sniceper
------------------------------------------------------------------------
sniceper's Profile: https://forums.netiq.com/member.php?userid=5188
View this thread: https://forums.netiq.com/showthread.php?t=49393

16 Replies

Re: bidirectional eDirectory Driver - Protocol Error

Whenever posting a trace, particularly of a startup failure like this, it
is important to post as much before the error as possible, as that is what
leads up to and often points out the reason for the error. Please post
the full startup trace from this config at level three (3).

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: bidirectional eDirectory Driver - Protocol Error


ab;237734 Wrote:
> Whenever posting a trace, particularly of a startup failure like this,
> it
> is important to post as much before the error as possible, as that is
> what
> leads up to and often points out the reason for the error. Please post
> the full startup trace from this config at level three (3).
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...


My bad 🙂 Here is the entire log of the starting process, until the
error occurs:

http://codepad.org/xSAjr2D5


--
sniceper


Re: bidirectional eDirectory Driver - Protocol Error


Oops, it was cut off by Codepad. I uploaded it to GDrive; here is the
link:

http://tinyurl.com/mmpxu7a


--
sniceper

Knowledge Partner

Re: bidirectional eDirectory Driver - Protocol Error

On 12/6/2013 5:57 AM, sniceper wrote:
>
> Oops, it has been cut by Codepad. I uploaded it on GDrive, here is the
> link:
>
> http://tinyurl.com/mmpxu7a


It is this part that matters here:


[12/06/13 11:25:39.617]:edirectory-bi PT:Bi-directional eDirectory:
INFO : Located the user filter attributes....
[12/06/13 11:25:39.617]:edirectory-bi PT:Bi-directional eDirectory:
EDirPublicationShim : Performing Agent Registration...
[12/06/13 11:25:39.617]:edirectory-bi PT:Bi-directional eDirectory:
EdirPublisher - Initiating agent registration...
[12/06/13 11:25:39.617]:edirectory-bi PT:Bi-directional eDirectory:
OpenLDAPConnection - Connect to the server
[12/06/13 11:25:39.618]:edirectory-bi PT:Bi-directional eDirectory:
Opening SSL connection
[12/06/13 11:25:39.668]:edirectory-bi PT:Bi-directional eDirectory: Host
name: NDSServer1.BDGNet.com
[12/06/13 11:25:39.668]:edirectory-bi PT:Bi-directional eDirectory:
Port: 636
[12/06/13 11:25:39.668]:edirectory-bi PT:Bi-directional eDirectory: DN:
CN=driver-admin,ou=sa,ou=IdentityManager,o=IAM
[12/06/13 11:25:39.668]:edirectory-bi PT:Bi-directional eDirectory:
Protocol version=3
[12/06/13 11:25:39.668]:edirectory-bi PT:Bi-directional eDirectory: SDK
version=4.5
[12/06/13 11:25:39.670]:edirectory-bi PT:Bi-directional eDirectory:
LDAPInterface.registerDriverInstance() : Exception occured while
registration - Protocol Error
[12/06/13 11:25:39.670]:edirectory-bi PT:PublicationShim.start() returned:
[12/06/13 11:25:39.670]:edirectory-bi PT:
<nds dtdversion="4.0">
<source>
<product instance="Bi-directional eDirectory"
version="4.0.1.0">Identity Manager Bi-directional Driver for
eDirectory</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status level="fatal">Protocol Error</status>
</output>
</nds>

So the issue is talking to the Changelog it would appear.


So looking higher, the settings are:
<init-params src-dn="\BDG-QUALTREE\system\DriverSet\Bi-directional
eDirectory">
<authentication-info>
<server>NDSServer1.BDGNet.com:636</server>
<user>CN=driver-admin,ou=sa,ou=IdentityManager,o=IAM</user>
<password><!-- content suppressed --></password>
</authentication-info>
<driver-options>
<use-ssl display-name="Use SSL">true</use-ssl>
<accept-srv-ldaps-cert display-name="Always accept server
certificate">true</accept-srv-ldaps-cert>
<keystore display-name="Keystore path for SSL
certificate(s)"></keystore>
<use-mutual-auth display-name="Use mutual
authentication">false</use-mutual-auth>
<keyalias display-name="Key alias"></keyalias>
<keystore-pass display-name="Keystore password"
is-sensitive="true" type="password-ref"/>
<drv.edir.passwd.sync.ver display-name="Password sync
type">2</drv.edir.passwd.sync.ver>
<driverGUID display-name="Driver
GUID">{CE251421-83AC-4662-6386-211425CEAC83}</driverGUID>
<idvBaseDn display-name="User Container">data\Users</idvBaseDn>
</driver-options>
</init-params>



So you have set it to ignore the keystore issue:

accept-srv-ldaps-cert display-name="Always accept server
certificate">true</accept-srv-ldaps-cert>

And as it stops, you can see it clean up that temp keystore...

[12/06/13 11:25:39.727]:edirectory-bi ST:Shutting down DirXML driver
\BDG-QUALTREE\system\DriverSet\Bi-directional eDirectory.
[12/06/13 11:25:39.727]:edirectory-bi ST:Bi-directional eDirectory:
DriverShim.shutdown()
[12/06/13 11:25:39.727]:edirectory-bi ST:Bi-directional eDirectory:
EDIRPublicationShim.stop()
[12/06/13 11:25:39.727]:edirectory-bi ST:Bi-directional eDirectory:
EdirPublisher.stop()
[12/06/13 11:25:39.727]:edirectory-bi ST:Bi-directional eDirectory:
EdirPublisher.stop() : Thread is waiting, publisher can send last
successful ChangeNumber if any
[12/06/13 11:25:40.229]:edirectory-bi ST:Bi-directional eDirectory:
EdirPublisher.stop() : Unexpected error occured while stopping driver.
Reason : Protocol Error
[12/06/13 11:25:40.230]:edirectory-bi ST:Bi-directional eDirectory:
Cleaning up auto keystore :
eDir2eDir-CE251421-83AC-4662-6386-211425CEAC83.keystore
[12/06/13 11:25:40.230]:edirectory-bi ST:Bi-directional eDirectory:
SubShim.stop()
[12/06/13 11:25:40.231]:edirectory-bi ST:Bi-directional eDirectory:
EDIRSub.stop()

What I would do next is watch on the remote eDir side with DSTRACE +LDAP
+DXML flags and see what happens when you start up.




Re: bidirectional eDirectory Driver - Protocol Error


Thank you for your reply,

Here is what is written in DSTRACE with LDAP and DXML on the remote
eDir when I start the bidirectional eDirectory driver:

[image: http://upload.dinhosting.fr/0/f/8/Sans_titre.png]


--
sniceper


Re: bidirectional eDirectory Driver - Protocol Error

On 12/6/2013 9:14 AM, sniceper wrote:
>
> Thank you for your reply,
>
> Here is what is written in DSTRACE with LDAP and DXML on the remote
> eDir when I start the bidirectional eDirectory driver:
>
> [image: http://upload.dinhosting.fr/0/f/8/Sans_titre.png]


Use iMonitor at least (http://serverIp:8030/nds/trace) and do it there.

Also, in iManager, find the LDAP Server object (maybe it is group, I
always forget) and find the tracing tab, enable everything but the last
item.

This message is telling you that the changelog module is loading and
registering its LDAP extension, which the driver shim is connecting and
asking for.

If you enable the LDAP trace options, and do it again, you will see this
error:

New TLS connection 0x37e6a80 from 10.1.5.201:43315, monitor =
0xffffffffbf040700, index = 12
Monitor 0xffffffffbf040700 initiating TLS handshake on connection 0x37e6a80
DoTLSHandshake on connection 0x37e6a80
BIO ctrl called with unknown cmd 7
Completed TLS handshake on connection 0x37e6a80
DoBind on connection 0x37e6a80
Bind name:cn=idm,ou=it,o=acme, version:3, authentication:simple
Sending operation result 0:"":"" to connection 0x37e6a80
DoExtended on connection 0x37e6a80
DoExtended: Extension Request OID: 2.16.840.1.113719.1.14.100.200
Unable to find extension handler 2.16.840.1.113719.1.14.100.200 in
extension list
Sending operation result 2:"":"Unrecognized extended operation" to
connection 0x37e6a80
DoExtended on connection 0x37e6a80
DoExtended: Extension Request OID: 2.16.840.1.113719.1.14.100.200
Unable to find extension handler 2.16.840.1.113719.1.14.100.200 in
extension list
Sending operation result 2:"":"Unrecognized extended operation" to
connection 0x37e6a80
DoUnbind on connection 0x1848e000
Connection 0x1848e000 closed

Which is much more informative and obvious. If you use an LDAP browser
against the RootDSE, the extendedOperation list will NOT include this
OID, until you get Changelog installed properly on the remote box.

PS: Is there IDM installed on that remote server? I do not think
changelog and IDM can coexist on that server.



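The check Geoffrey describes above can be scripted. The following is an added example written for this thread, not code from the driver or from NetIQ: it reads the "Unable to find extension handler" lines out of a DSTRACE +LDAP capture and compares the requested OID against the RootDSE's supportedExtension attribute (the standard RFC 4512 attribute in which an LDAP server lists the extended operations it supports). The OID is the one quoted in the trace above; the RootDSE dumps are constructed sample data, and the function names are this example's own.

```python
"""Check whether the changelog LDAP extension the Bi-directional eDirectory
driver asks for is advertised and accepted by the remote eDirectory server.

Added example for this thread; it is not code from the driver or from NetIQ.
The OID is the one shown in the DSTRACE output quoted in the thread.
'supportedExtension' is the standard RootDSE attribute (RFC 4512) listing the
extended operations a server supports.  The RootDSE dumps are constructed.
"""
import re
from typing import Dict, List, Set

# Extended-operation OID the driver shim requests during agent registration
# (taken from the trace quoted in the thread).
CHANGELOG_EXT_OID = "2.16.840.1.113719.1.14.100.200"

# DSTRACE +LDAP line written when the server has no handler for an OID.
_MISSING_HANDLER = re.compile(
    r"Unable to find extension handler (?P<oid>[\d.]+) in extension list")


def unrecognised_extensions(trace_lines: List[str]) -> Dict[str, int]:
    """Count, per OID, how often the server rejected an extended request."""
    counts: Dict[str, int] = {}
    for line in trace_lines:
        match = _MISSING_HANDLER.search(line)
        if match:
            oid = match.group("oid")
            counts[oid] = counts.get(oid, 0) + 1
    return counts


def supported_extensions(rootdse_ldif: str) -> Set[str]:
    """Return the supportedExtension OIDs from an LDIF dump of the RootDSE.

    LDIF folds long values onto continuation lines that start with a single
    space, so lines are unfolded before attribute names are compared.
    """
    unfolded: List[str] = []
    for raw in rootdse_ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    oids: Set[str] = set()
    for line in unfolded:
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "supportedextension":
            oids.add(value.strip())
    return oids


def diagnose(trace_lines: List[str], rootdse_ldif: str) -> str:
    """Combine both views into a one-line finding for the driver operator."""
    advertised = supported_extensions(rootdse_ldif)
    rejected = unrecognised_extensions(trace_lines)
    if CHANGELOG_EXT_OID not in advertised:
        return ("missing: changelog extension %s is not in the RootDSE "
                "supportedExtension list; the changelog module is not loaded "
                "on the remote server" % CHANGELOG_EXT_OID)
    if CHANGELOG_EXT_OID in rejected:
        return ("inconsistent: extension %s is advertised but the server "
                "rejected %d request(s); re-check the LDAP trace after an "
                "ndsd restart" % (CHANGELOG_EXT_OID, rejected[CHANGELOG_EXT_OID]))
    return "ok: changelog extension advertised and no rejected requests"


# DSTRACE excerpt as quoted in the thread (reflowed onto single lines).
SAMPLE_TRACE = [
    "DoBind on connection 0x37e6a80",
    "Bind name:cn=idm,ou=it,o=acme, version:3, authentication:simple",
    'Sending operation result 0:"":"" to connection 0x37e6a80',
    "DoExtended: Extension Request OID: 2.16.840.1.113719.1.14.100.200",
    "Unable to find extension handler 2.16.840.1.113719.1.14.100.200 in extension list",
    'Sending operation result 2:"":"Unrecognized extended operation" to connection 0x37e6a80',
    "DoExtended: Extension Request OID: 2.16.840.1.113719.1.14.100.200",
    "Unable to find extension handler 2.16.840.1.113719.1.14.100.200 in extension list",
    'Sending operation result 2:"":"Unrecognized extended operation" to connection 0x37e6a80',
]

# Constructed RootDSE dumps: StartTLS (1.3.6.1.4.1.1466.20037) only on the
# server without changelog; StartTLS plus the changelog OID (folded across two
# LDIF lines) on the server that has it loaded.
ROOTDSE_WITHOUT_CHANGELOG = """\
dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
"""

ROOTDSE_WITH_CHANGELOG = """\
dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 2.16.840.1.113719.1.14.100.
 200
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE, ROOTDSE_WITHOUT_CHANGELOG))
    print(diagnose([], ROOTDSE_WITH_CHANGELOG))
```

The RootDSE dump can come from any LDAP browser or from an `ldapsearch -s base -b "" supportedExtension` against the remote server; the "missing" result is the one you should expect until the changelog module is loaded on a server that is not also running IDM.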

Re: bidirectional eDirectory Driver - Protocol Error

On 12/6/2013 9:33 AM, Geoffrey Carman wrote:
> On 12/6/2013 9:14 AM, sniceper wrote:
>>
>> Thank you for your reply,
>>
>> Here is what is written in DSTRACE with LDAP and DXML on the remote
>> eDir when I start the bidirectional eDirectory driver:
>>
>> [image: http://upload.dinhosting.fr/0/f/8/Sans_titre.png]

>
> Use iMonitor at least, (http://serverIp:8030/nds/trace ) and do it there.


I mean, look at DSTrace in iMonitor, not on the server console screen.
You get a 10 meg (20 meg? I forget) buffer to look back at, which helps
(it is hard to scroll in ndstrace) and you can easily copy and paste.



Re: bidirectional eDirectory Driver - Protocol Error


geoffc;237745 Wrote:
> On 12/6/2013 9:14 AM, sniceper wrote:
> >
> > Thank you for your reply,
> >
> > Here is what is written in DSTRACE with LDAP and DXML on the remote
> > eDir when I start the bidirectional eDirectory driver:
> >
> > [image: http://upload.dinhosting.fr/0/f/8/Sans_titre.png]

>
> Use iMonitor at least, (http://serverIp:8030/nds/trace ) and do it
> there.
>
> Also, in iManager, find the LDAP Server object (maybe it is group, I
> always forget) and find the tracing tab, enable everything but the last
> item.
>
> This message is telling you that the changelog module is loading and
> registering its LDAP extension, which the driver shim is connecting and
> asking for.
>
> If you enable the LDAP trace options, and do it again, you will see
> this
> error:
>
> New TLS connection 0x37e6a80 from 10.1.5.201:43315, monitor =
> 0xffffffffbf040700, index = 12
> Monitor 0xffffffffbf040700 initiating TLS handshake on connection
> 0x37e6a80
> DoTLSHandshake on connection 0x37e6a80
> BIO ctrl called with unknown cmd 7
> Completed TLS handshake on connection 0x37e6a80
> DoBind on connection 0x37e6a80
> Bind name:cn=idm,ou=it,o=acme, version:3, authentication:simple
> Sending operation result 0:"":"" to connection 0x37e6a80
> DoExtended on connection 0x37e6a80
> DoExtended: Extension Request OID: 2.16.840.1.113719.1.14.100.200
> Unable to find extension handler 2.16.840.1.113719.1.14.100.200 in
> extension list
> Sending operation result 2:"":"Unrecognized extended operation" to
> connection 0x37e6a80
> DoExtended on connection 0x37e6a80
> DoExtended: Extension Request OID: 2.16.840.1.113719.1.14.100.200
> Unable to find extension handler 2.16.840.1.113719.1.14.100.200 in
> extension list
> Sending operation result 2:"":"Unrecognized extended operation" to
> connection 0x37e6a80
> DoUnbind on connection 0x1848e000
> Connection 0x1848e000 closed
>
> Which is much more informative and obvious. If you use an LDAP browser
> against the RootDSE, the extendedOperation list will NOT include this
> OID, until you get Changelog installed properly on the remote box.
>
> PS: Is there IDM installed on that remote server? I do not think
> changelog and IDM can coexist on that server.


Sorry for the late answer, I had to work on other subjects. Indeed, the
remote eDirectory server is also an IDM server. So, you think that it
could be a problem to make changelog and IDM work simultaneously on the
same server? I'll post the results from iMonitor as soon as possible.
Thank you in advance,

Sniceper.


--
sniceper


Re: bidirectional eDirectory Driver - Protocol Error

sniceper wrote:

>
> Sorry for the late answer, I had to work on other subjects. Indeed,
> the remote eDirectory server is also an IDM server. So, you think
> that it could be a problem to make changelog and IDM work
> simultaneously on the same server?


Definitely. As Geoffrey has said, the "changelog" is essentially a
cut-down version of some of the same components that IDM uses.

So they will most likely conflict with each other. I doubt that this is
a supported or tested configuration.

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: bidirectional eDirectory Driver - Protocol Error


alexmchugh;237795 Wrote:
> sniceper wrote:
>
> Definitely, as geoffrey has said, the "changelog" is essentially a
> cut-down version of some of the same components that IDM uses.
>
> So they will most likely conflict with each other. I doubt that this is
> a supported or test configuration.

You're most definitely correct and I believe this is even documented in
the prerequisites section of the docs of the bi-dir. eDir driver. But I
could be wrong about that last one, I have seen so much documentation
about the bi-directional edir driver the past week....


--
bpenris
------------------------------------------------------------------------
bpenris's Profile: https://forums.netiq.com/member.php?userid=5485


Re: bidirectional eDirectory Driver - Protocol Error


Well, here is the iMonitor trace I got, catching LDAP, DXML and
DirXMLDrivers events:


Code:
--------------------
12/09/13
16:41:30 51CE0710 LDAP: BIO ctrl called with unknown cmd 7
16:41:30 FFFFFFFF90955710 LDAP: Skipping sending class definition "App:Application" because unable to find mapping for mandatory attribute "App:Path"
16:41:33 FFFFFFFF91561710 LDAP: BIO ctrl called with unknown cmd 7
16:41:33 FFFFFFFF9135F710 LDAP: Unable to find extension handler 2.16.840.1.113719.1.14.100.200 in extension list
16:41:33 52FD9710 LDAP: Unable to find extension handler 2.16.840.1.113719.1.14.100.200 in extension list
--------------------


I'm currently installing a new NDS server in my lab (without any IDM
service on it) in order to make it work properly. I'll keep you posted 😉


--
sniceper


Re: bidirectional eDirectory Driver - Protocol Error


The change-log module is intended to be installed on a non-IDM
eDirectory. You should NOT install it on an IDM server.

The protocol error is thrown if the driver is unable to communicate to
the change-log module.


--
krajiv
------------------------------------------------------------------------
krajiv's Profile: https://forums.netiq.com/member.php?userid=5920


Re: bidirectional eDirectory Driver - Protocol Error

On 12/18/2013 9:14 AM, krajiv wrote:
>
> The change-log module is intended to be installed on a non-idm
> eDirectory. You should NOT install it on an IDM server.
>
> The protocol error is thrown if the driver is unable to communicate to
> the change-log module.


There are some other uninformative error codes in this shim that could
easily be changed to help troubleshoot.

I have a CS article demonstrating a bunch of them coming, but my favorite is
that if you set the Auth Context to ldap.myserver.com and forget the :389 at
the end, you get a string out of bounds error. It would be nice to get a "You
forgot the port" message, or a default assumption of 389 (or 636 if SSL is selected).


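The input handling Geoffrey asks for above is short to write. This is an added example for the thread, not the driver's own code: a parser for an Authentication Context of the form `host` or `host:port` that names the actual problem in its error message instead of failing deep inside the shim, defaults the port from the Use SSL setting (389, or 636 when SSL is selected, as suggested in the post), and flags the common port/SSL mismatch. The function names and the default-port behaviour are this example's assumptions; the sample server value is the one from the driver configuration quoted earlier in the thread.

```python
"""Parse a driver Authentication Context ("host" or "host:port") and
supply the port the operator most likely meant.

Added example for this thread; it is not the driver's own code.  The
function names and the defaulting rule (389, or 636 when Use SSL is on)
are assumptions following the suggestion in the post above.
"""
from typing import Optional, Tuple

LDAP_PORT = 389    # clear-text LDAP default
LDAPS_PORT = 636   # LDAP over SSL/TLS default


def parse_auth_context(auth_context: str, use_ssl: bool) -> Tuple[str, int]:
    """Return (host, port); raise ValueError with a message naming the problem."""
    spec = auth_context.strip()
    if not spec:
        raise ValueError("Authentication Context is empty; expected host or host:port")
    host, sep, port_text = spec.rpartition(":")
    if not sep:                      # no colon at all: bare host name
        host, port_text = spec, ""
    if not host:
        raise ValueError("Authentication Context %r has no host name" % auth_context)
    if not port_text:                # "host" or "host:" -> protocol default
        return host, LDAPS_PORT if use_ssl else LDAP_PORT
    if not port_text.isdigit():
        raise ValueError("port %r in Authentication Context is not a number" % port_text)
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError("port %d in Authentication Context is out of range" % port)
    return host, port


def ssl_port_warning(port: int, use_ssl: bool) -> Optional[str]:
    """Flag the usual mismatch between the chosen port and the Use SSL setting."""
    if use_ssl and port == LDAP_PORT:
        return "Use SSL is on but port 389 is the clear-text LDAP port"
    if not use_ssl and port == LDAPS_PORT:
        return "Use SSL is off but port 636 is the LDAPS port"
    return None


def is_valid_auth_context(auth_context: str, use_ssl: bool) -> bool:
    """True when parse_auth_context accepts the value, False otherwise."""
    try:
        parse_auth_context(auth_context, use_ssl)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Server value from the driver configuration quoted in the thread.
    host, port = parse_auth_context("NDSServer1.BDGNet.com:636", use_ssl=True)
    print(host, port, ssl_port_warning(port, use_ssl=True))
    # The case from the post: host only, port forgotten.
    print(parse_auth_context("ldap.myserver.com", use_ssl=False))
```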

Re: bidirectional eDirectory Driver - Protocol Error

On 12/6/2013 9:14 AM, sniceper wrote:
>
> Thank you for your reply,
>
> Here is what is written in DSTRACE with LDAP and DXML on the remote
> eDir when I start the bidirectional eDirectory driver:
>
> [image: http://upload.dinhosting.fr/0/f/8/Sans_titre.png]


I also am working on an article about troubleshooting this driver, since
I am deploying it, collecting the errors I run into, their resolutions,
so you can see what it SHOULD look like, what it looks like when
specific errors occur, and hopefully ways to fix them all.

Just not finished, but was handy, since I ran into this error as well,
and it was easy to figure out.

I recommend you do the same. When you see an error, snag it into a text
file, then when you figure out the cause, write it below it. Then
submit it as an article to Cool Solutions.

I have a series dissecting early versions of the biDir packages. I know
they fixed a lot of my complaints, but it was interesting to read through.

http://www.novell.com/communities/node/14086/walking-through-bidirectional-edirectory-driver-part-1

http://www.novell.com/communities/node/14087/walking-through-bidirectional-edirectory-driver-part-2
http://www.novell.com/communities/node/14088/walking-through-bidirectional-edirectory-driver-part-3
http://www.novell.com/communities/node/14089/walking-through-bidirectional-edirectory-driver-part-4
http://www.novell.com/communities/node/14090/walking-through-bidirectional-edirectory-driver-part-5


(Those should redirect to the proper NetIQ page now, after the page redo).

They reward you with points you can cash out, you get an online reminder
of your troubleshooting notes, and others can benefit from it. Take a shot.

PS: My collection of all 350+ articles is here:

http://wiki.novell.com/index.php/Geoffrey_Carman%27s_personal_collection

My book on IDM Tokens is available here:

http://www.ninja-tools.com/definitive-guide-to-netiq-idm-tokens-hard-copy-p8.php




