Illegal containment error when adding server to existing tree

Hello!

I have a test tree with one server running on OES2 SP1 (Linux). Now I'm
trying to add another server to the same tree, but when the OES2 install
reaches the stage of configuring eDirectory, it fails with this error:

ndsconfig failed to configure and start eDirectory

The detailed log ends with this message:

A call to create NDS database failed. Error description: Illegal
containment. Novell eDirectory Server configuration failed.

I did run eDirectory health check before starting the new server install
and it showed no problems.

Perhaps I should mention that this tree has Domain Services for Windows in
non-name-mapped mode. The installer attempts to create the new server object
in the context cn=Users,dc=domain,dc=com, which I find strange, but the
installer doesn't allow me to change that. The existing server is under
cn=novell,dc=domain,dc=com.

Any ideas?

--
Toomas

Re: Illegal containment error when adding server to existing tree


Use ndsconfig manually to specify the location for the server to reside.
cn=Users is definitely wrong. There is a parameter with ndsconfig to
specify a context though when joining a tree (-n).

Good luck.

Re: Illegal containment error when adding server to existing tree

ab@novell.com wrote:

> Use ndsconfig manually to specify the location for the server to reside.
> cn=Users is definitely wrong. There is a parameter with ndsconfig to
> specify a context though when joining a tree (-n).
>


Actually I discovered that there is an error earlier in the process. I'm
really sorry for not mentioning it yesterday.

This is when the installer prompts for the Forest Root Domain, I enter the
domain name and press Next, the error message comes up:

Server was unreachable during check forest root domain:192.168.6.3.
Continue anyway?

It is my understanding that the server context should be determined at this
step but this fails.

It seems to me (see log below) that the new server attempts to contact
existing server via LDAPS but this fails because it is "unable to retrieve
the CA certificate". It then tries to use plain LDAP, but this also fails.
Using ldapbrowser from my own PC, I can successfully connect to the tree
using LDAPS, so I don't know why the OES installer cannot do the same. I
cannot connect via plain LDAP, so I assume this is disabled on the server
(which is of course a good thing).

I verified the certificate objects (SSL CertificateDNS and Organizational
CA) using iManager and they seem valid.

During this attempt, the following is written to /var/log/YaST2/y2log:

2009-07-02 11:05:29 <3> tetris(3037) [bash]
ShellCommand.cc(shellcommand):78
/opt/novell/xad/share/dcinit/ndsConfigServerContext.sh: LDAP Based utility
to retrieve server context for YaST
2009-07-02 11:05:29 <3> tetris(3037) [bash] ShellCommand.cc(shellcommand):78
/opt/novell/xad/share/dcinit/ndsConfigServerContext.sh: DomainName
: test.tlvsise
2009-07-02 11:05:29 <3> tetris(3037) [bash]
ShellCommand.cc(shellcommand):78
/opt/novell/xad/share/dcinit/ndsConfigServerContext.sh:
NdsAdminName : cn=Administrator.cn=Users.dc=test.dc=tlvsise
2009-07-02 11:05:29 <3> tetris(3037) [bash]
ShellCommand.cc(shellcommand):78
/opt/novell/xad/share/dcinit/ndsConfigServerContext.sh:
ExistingServerIP : 192.168.6.3
2009-07-02 11:05:29 <3> tetris(3037) [bash]
ShellCommand.cc(shellcommand):78
/opt/novell/xad/share/dcinit/ndsConfigServerContext.sh:
ExistingServerPort: 0
2009-07-02 11:05:29 <3> tetris(3037) [bash]
ShellCommand.cc(shellcommand):78
/opt/novell/xad/share/dcinit/ndsConfigServerContext.sh: Unable to retrieve
the CA certificate. Secure LDAP will not be attempted...
2009-07-02 11:05:29 <3> tetris(3037) [bash]
ShellCommand.cc(shellcommand):78
/opt/novell/xad/share/dcinit/ndsConfigServerContext.sh: Unable to reach the
server in secure port. Attempting clear....
2009-07-02 11:05:29 <3> tetris(3037) [bash]
ShellCommand.cc(shellcommand):78
/opt/novell/xad/share/dcinit/ndsConfigServerContext.sh: Unable to contact
or authenticate to the given server. Exiting...
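An added example, not code from the thread or from Novell: a small Python triage script for exactly this kind of y2log excerpt. It re-joins records that a mail client has line-wrapped, pulls out what ndsConfigServerContext.sh was given (domain, admin name in eDirectory dotted form converted to an LDAP DN, server IP and port), and spells out the failure chain the script logged, including the security point that the fallback from LDAPS to clear-text LDAP would have sent the admin password unencrypted had port 389 accepted the bind. The sample log is a constructed copy of the excerpt above, and the reading given to each message is a heuristic from the message text, not documented installer behaviour.

```python
import re

# Constructed sample: the y2log excerpt from the post, kept with the line
# wrapping a mail client adds, so the parser has to reassemble records.
# Not a capture from a live system.
SAMPLE_Y2LOG = """\
2009-07-02 11:05:29 <3> tetris(3037) [bash] ShellCommand.cc(shellcommand):78
/opt/novell/xad/share/dcinit/ndsConfigServerContext.sh: DomainName
: test.tlvsise
2009-07-02 11:05:29 <3> tetris(3037) [bash]
ShellCommand.cc(shellcommand):78
/opt/novell/xad/share/dcinit/ndsConfigServerContext.sh:
NdsAdminName : cn=Administrator.cn=Users.dc=test.dc=tlvsise
2009-07-02 11:05:29 <3> tetris(3037) [bash]
ShellCommand.cc(shellcommand):78
/opt/novell/xad/share/dcinit/ndsConfigServerContext.sh:
ExistingServerIP : 192.168.6.3
2009-07-02 11:05:29 <3> tetris(3037) [bash]
ShellCommand.cc(shellcommand):78
/opt/novell/xad/share/dcinit/ndsConfigServerContext.sh:
ExistingServerPort: 0
2009-07-02 11:05:29 <3> tetris(3037) [bash]
ShellCommand.cc(shellcommand):78
/opt/novell/xad/share/dcinit/ndsConfigServerContext.sh: Unable to retrieve
the CA certificate. Secure LDAP will not be attempted...
2009-07-02 11:05:29 <3> tetris(3037) [bash]
ShellCommand.cc(shellcommand):78
/opt/novell/xad/share/dcinit/ndsConfigServerContext.sh: Unable to reach the
server in secure port. Attempting clear....
2009-07-02 11:05:29 <3> tetris(3037) [bash]
ShellCommand.cc(shellcommand):78
/opt/novell/xad/share/dcinit/ndsConfigServerContext.sh: Unable to contact
or authenticate to the given server. Exiting...
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
SCRIPT_TAG = "ndsConfigServerContext.sh:"

def unwrap_records(text):
    """Join lines that lack a y2log timestamp onto the preceding record."""
    records = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def script_messages(text):
    """Payload of every record written by ndsConfigServerContext.sh."""
    return [r.split(SCRIPT_TAG, 1)[1].strip()
            for r in unwrap_records(text) if SCRIPT_TAG in r]

def dotted_to_ldap_dn(name):
    """eDirectory dotted typed name -> LDAP comma form. Splits only on a dot
    that is followed by 'type=', so a dot inside a value is left alone."""
    return ",".join(re.split(r"\.(?=[A-Za-z]+=)", name))

def triage(text):
    """Extract the script's inputs and its failure chain. The reading given
    to each message is a heuristic from the message text, nothing more."""
    msgs = script_messages(text)
    r = {"domain": None, "admin_dn": None, "server_ip": None, "port": None}
    for m in msgs:
        key, _, val = m.partition(":")
        key, val = key.strip(), val.strip()
        if key == "DomainName":
            r["domain"] = val
        elif key == "NdsAdminName":
            r["admin_dn"] = dotted_to_ldap_dn(val)
        elif key == "ExistingServerIP":
            r["server_ip"] = val
        elif key == "ExistingServerPort" and val.isdigit():
            r["port"] = int(val)
    r["ca_missing"] = any(m.startswith("Unable to retrieve the CA certificate") for m in msgs)
    r["secure_failed"] = any(m.startswith("Unable to reach the server in secure port") for m in msgs)
    r["clear_failed"] = any(m.startswith("Unable to contact or authenticate") for m in msgs)
    findings = []
    if r["ca_missing"]:
        findings.append("Tree CA certificate not fetched, so LDAPS (636) was never tried; "
                        "an LDAPS client working from another host says nothing about this step.")
    if r["secure_failed"] and r["clear_failed"]:
        findings.append("Fallback to clear-text LDAP (389) failed too: port closed, or the server "
                        "requires TLS for simple binds. Had 389 accepted it, the NdsAdminName "
                        "password would have crossed the wire unencrypted.")
    if r["admin_dn"] and ",cn=Users," in r["admin_dn"]:
        findings.append("Admin DN is in the DSfW cn=Users container; a server object must not be "
                        "created there, so check the context the installer derives.")
    r["findings"] = findings
    return r

if __name__ == "__main__":
    for f in triage(SAMPLE_Y2LOG)["findings"]:
        print("-", f)
```

To run it against a real file, replace SAMPLE_Y2LOG with the contents of /var/log/YaST2/y2log; the unwrap step is harmless on an unwrapped file because every record there already starts with a timestamp.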

Re: Illegal containment error when adding server to existing tree

Toomas Aas wrote:

> It seems to me (see log below) that the new server attempts to contact
> existing server via LDAPS but this fails because it is "unable to
> retrieve the CA certificate". It then tries to use plain LDAP, but this
> also fails. Using ldapbrowser from my own PC, I can successfully connect
> to the tree using LDAPS, so I don't know why the OES installer cannot do
> the same. I cannot connect via plain LDAP, so I assume this is disabled
> on the server (which is of course a good thing).


This being a test environment, I went into iManager and unchecked "Require
TLS for simple binds with password". After that, I no longer get the
"server was unreachable" problem, but the "illegal containment" problem
remains. I'm not sure whether I should try to override it by running
ndsconfig manually, since I'm afraid this can upset something else in the
DSfW spaghetti.

--
Toomas


Re: Illegal containment error when adding server to existing tree

Since I couldn't think of anything better, I wiped the test-vm and made a
second attempt with these differences:

1. Used 32-bit SLES and OES instead of 64-bit
2. Allocated 1.5 GB of RAM to the VM instead of 1 GB
3. Before installing OES to new server, made sure that "Require TLS for
simple binds with password" is unchecked in the properties of existing LDAP
Group object.

At least one of these must have helped, because the install went
smoothly. The server context was now automatically set to
ou=novell.dc=domain.dc=com instead of cn=Users,dc=domain,dc=com.

--
Toomas

Re: Illegal containment error when adding server to existing tree

I have this problem, and after looking around on the internet I found this post.

Looking at my configuration, the problem is that I have these eDirectory objects:

dc=es,dc=promosoft

ou=gwextra


I added a new server to the tree, but because it has Domain Services for Windows I cannot add the server in ou=gwextra,dc=promosoft,dc=es. I need to install it in dc=es,dc=promosoft.

The name of the server is gwextra. The problem is that the server's name duplicates that of another eDirectory object (in this case ou=gwextra).

Regards
Victor