Captain

idm-install-schema utility not responding after entering credentials

Hi,

We are installing eDirectory 9.2 and IDM 4.8 on RHEL 7.7 on a cloud (Azure) server and adding the server to our on-premises eDirectory tree.
We have installed eDirectory and added the cloud server to the on-premises replica.

We are able to connect via ldap browser to cloud server and able to read objects.

But when we try to extend the IDM engine schema using the command line utility (./idm-install-schema), it's not responding.
We have waited for more than 1 hour, but no response.
[root@CLOUDSRV1533 bin]# ./idm-install-schema
======================================================================
Found eDirectory instance /etc/opt/novell/eDirectory/conf/nds.conf
======================================================================
Extend schema for this instance? [y/n]:y Admin User DN (e.g. admin.myorg): admin.system.myorg
Password:

We have verified the network connectivity, port openings 525,636. All are fine.

After the password prompt, there is no progress/status update (waited for more than 60 minutes, but no update).
Please let me know if anyone has encountered the same issue and assist in fixing it.

Thanks
dk

Knowledge Partner

A stupid and simple suggestion: could you start an LDAP trace on the server where you run your schema update and look at what exactly is going on?

In theory, it can be the following case:

1. You are trying to add a "new" server in the cloud to your on-premises environment.

2. I believe that during installation you provided the IP of your server with the Master replica (on-premises).

3. The cloud server pulls info from the local server. (Do you have proper routing/connectivity from Cloud server to the local server?)

4. "Similar" situation with the schema extension process.

An LDAP trace will help you find where exactly you have an issue. Is it a slow synchronization case? A connectivity issue? Or anything else?

My personal suspicion is that you have an issue with local/cloud server connectivity.

Vice Admiral

You did mean port 524 not 525, correct?
Knowledge Partner

Good catch, Rob! 🙂
Captain

Sorry, it's a typo. Yes, it's 524.

On-premises server <--- 636/524 ----> Cloud servers - The ports are open in both directions.

Both ports are open on the firewall, and we can see the data is synced when we added the root partition.

But the schema update is not happening when I run the command line utility.

I ran ndstrace and switched on the Schema trace, but nothing is displayed in the trace log.

Thanks

dk

Admiral

Does the on-prem server have direct access to the cloud server, and the same the other way?

The reason for the question is that eDirectory (NCP) cannot work through NAT.

Captain

Does the on-prem server have direct access to the cloud server, and the same the other way?

dk - I am not sure what direct access means here.

We have the port openings on the firewall from the cloud to on-premises and vice versa for ports 427, 524, 636.

The reason for the question is that eDirectory (NCP) cannot work through NAT.

dk - If you could elaborate on what that means, I will reach out to the network guys to check further on this.

Thanks

dk

Vice Admiral

If you are putting a server in the cloud it needs to be a private cloud clan so the address space is an extension of your on-prem network.

To make a server replicate over NCP from a public network you might be able to do some special tricks with hosts.nds files and set up static NATs inbound, but typical default NAT for outbound access would not work.
Admiral

I'm not sure that even static NAT will work, as the sync will use the server IP from eDirectory to contact the opposite server. To my knowledge you need to have a direct route. VPN will work.

This is also why Designer never worked via NAT.

Knowledge Partner

Hi dkdng,
Do you have any updates about your case?

Alex
Micro Focus Frequent Contributor

This was a good one.....

I worked on this issue earlier today, and it appears there's some sort of oddity happening somewhere between the shell and the eDirectory utilities. On occasion, the ENTER key was not accepted by some of the eDir utilities, and we needed to issue a CTRL-D to get the input accepted!

A PAM solution was in place, so we will try and test this going direct to the server console.

Weird......

Captain

Hi Everyone,

The issue was that the Enter key action was not sent to the command line utility at the password prompt. The root cause is the PAM application, as we connected to the PuTTY session via PAM.

But when I connect to the server without PAM, there are no issues. The command line utility works as expected.

We troubleshot and found this after a long time, as we were about to cancel the command line utility by trying Ctrl+a, b, c, q, z, x, d. Finally it worked with Ctrl+d. A very peculiar issue, not seen/heard of before.

As we have issues via PAM, we use Ctrl+D for password prompts.

Note: This issue is not happening at all with other command line utilities, like dxcmd.

So, we have to be careful when connecting via PAM. It's good to have direct access to the server as well, in case of troubleshooting this kind of issue.

Thank you to everyone helping on this issue.

-dk.
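A small diagnostic for the failure mode this thread ends on, added here as an example and not part of the thread or of any eDirectory utility: it puts the terminal in raw mode and names each byte that actually arrives, so an operator on a jump host / PAM session can see whether Enter is delivered as CR, LF, or not at all, and whether Ctrl-D (EOT) is what the utility finally received. The helper names and the byte table are my own; it assumes a POSIX terminal (termios).

```python
"""Show what a terminal session actually delivers when you press Enter.

Added example (not from the thread). Run it inside the suspect session,
press Enter, then Ctrl-D, and compare with a direct console session.
"""
import os
import sys
import termios
import tty

# ASCII control bytes that matter at a password prompt (constructed table).
CONTROL_NAMES = {
    0x03: "ETX (Ctrl-C)",
    0x04: "EOT (Ctrl-D)",
    0x0A: "LF (\\n)",
    0x0D: "CR (\\r, Enter)",
    0x1A: "SUB (Ctrl-Z)",
}


def describe_bytes(data: bytes) -> list:
    """Name each byte: control bytes by ASCII name, printable bytes as themselves."""
    names = []
    for b in data:
        if b in CONTROL_NAMES:
            names.append(CONTROL_NAMES[b])
        elif 0x20 <= b < 0x7F:
            names.append(chr(b))
        else:
            names.append("0x%02x" % b)
    return names


def canonical_mode(fd: int) -> bool:
    """True when the tty is line-buffered (ICANON), i.e. input is held until a newline."""
    lflag = termios.tcgetattr(fd)[3]
    return bool(lflag & termios.ICANON)


def main() -> None:
    fd = sys.stdin.fileno()
    print("canonical mode before raw read:", canonical_mode(fd))
    saved = termios.tcgetattr(fd)
    tty.setraw(fd)  # deliver every byte immediately, no line editing
    try:
        print("press Enter, then Ctrl-D; Ctrl-C quits\r")
        while True:
            ch = os.read(fd, 1)
            if ch == b"\x03":
                break
            print(describe_bytes(ch), end="\r\n", flush=True)
    finally:
        termios.tcsetattr(fd, termios.TCSADRAIN, saved)  # always restore the tty


if __name__ == "__main__":
    main()
```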
