palumbog

Problems installing an iFolder slave server

Hi,

I have an iFolder 3.8.4.0 master server configured and working with an AD server. I am now trying to add a second iFolder server as a slave in this iFolder domain. I'm running simias-server-setup and choosing "Y" when I get to the "Slave Server?" prompt. I'm putting in the same iFolder admin user and proxy user and passwords that I used for the master server. However, I get a failure at the end that indicates a credential error. Since the conversation is SSL-encrypted, I can't get much useful information in a Wireshark trace. I should note that on this same server, if I configure it as another master, it works perfectly against the AD server with SSL, so I'd have to believe the SSL cert for the AD server is properly imported. Is there any type of debug logging I can enable or more detailed output tracing I can do to determine why this is failing?

Here is the error at the end of the simias-server-setup script:


----------- excerpt ---------------------

Ldap certificate :

Mono Certificate Manager - version 2.6.4.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.


X.509 Certificate v3
Issued from: DC=local, DC=wwt, DC=test, CN=testad1
Issued to: CN=TESTAD1.test.wwt.local
Valid from: 02/06/2012 05:20:54
Valid until: 02/05/2013 05:20:54


----- ACCEPT LDAP CERTIFICATE -----


Accept LDAP Certificate? :
Done
Connecting to ldaps://10.2.2.164/...
at Novell.Directory.Ldap.LdapResponse.chkResultCode () [0x00000] in <filename unknown>:0
at Novell.Directory.Ldap.LdapConnection.chkResultCode (Novell.Directory.Ldap.LdapMessageQueue queue, Novell.Directory.Ldap.LdapConstraints cons, Novell.Directory.Ldap.LdapResponse response) [0x00000] in <filename unknown>:0
at Novell.Directory.Ldap.LdapConnection.Bind (Int32 version, System.String dn, System.SByte[] passwd, Novell.Directory.Ldap.LdapConstraints cons) [0x00000] in <filename unknown>:0
at Novell.Directory.Ldap.LdapConnection.Bind (Int32 version, System.String dn, System.String passwd, Novell.Directory.Ldap.LdapConstraints cons) [0x00000] in <filename unknown>:0
at Novell.Directory.Ldap.LdapConnection.Bind (System.String dn, System.String passwd, AuthenticationTypes authenticationTypes) [0x00000] in <filename unknown>:0
at Novell.Directory.Ldap.LdapConnection.Bind (System.String dn, System.String passwd) [0x00000] in <filename unknown>:0
at Novell.iFolder.Utility.LdapUtility.Connect () [0x00000] in <filename unknown>:0
at Novell.iFolder.SimiasServerSetup.SetupLdap () [0x00000] in <filename unknown>:0
Removing slave from master
Url https://testif1.wwt.com/simias10/HostAdmin.asmx
Url https://testif1.wwt.com/simias10/DomainService.asmx
Failed

LdapException: (49) Invalid Credentials
LdapException: Server Message: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
LdapException: Matched DN:
at Novell.Directory.Ldap.LdapResponse.chkResultCode () [0x00000] in <filename unknown>:0
at Novell.Directory.Ldap.LdapConnection.chkResultCode (Novell.Directory.Ldap.LdapMessageQueue queue, Novell.Directory.Ldap.LdapConstraints cons, Novell.Directory.Ldap.LdapResponse response) [0x00000] in <filename unknown>:0
at Novell.Directory.Ldap.LdapConnection.Bind (Int32 version, System.String dn, System.SByte[] passwd, Novell.Directory.Ldap.LdapConstraints cons) [0x00000] in <filename unknown>:0
at Novell.Directory.Ldap.LdapConnection.Bind (Int32 version, System.String dn, System.String passwd, Novell.Directory.Ldap.LdapConstraints cons) [0x00000] in <filename unknown>:0
at Novell.Directory.Ldap.LdapConnection.Bind (System.String dn, System.String passwd, AuthenticationTypes authenticationTypes) [0x00000] in <filename unknown>:0
at Novell.Directory.Ldap.LdapConnection.Bind (System.String dn, System.String passwd) [0x00000] in <filename unknown>:0
at Novell.iFolder.Utility.LdapUtility.Connect () [0x00000] in <filename unknown>:0
at Novell.iFolder.SimiasServerSetup.SetupLdap () [0x00000] in <filename unknown>:0

FAILED

---------------------------------------

In troubleshooting this error, I've noticed that when I re-run the simias-server-setup and point to the existing location of the Simias.config file that was partially created, when it gets to the point where it asks the admin user dn, it inserts an additional "dc=test" in the string below when it auto-suggests the admin user in [brackets]:

cn=ifadmin,cn=Users,dc=test,dc=test,dc=wwt,dc=local

I found this line in the master server's Simias.config file and corrected it to reflect the proper dn for the ifadmin user:

cn=ifadmin,cn=Users,dc=test,dc=wwt,dc=local

I then re-ran the simias-server-setup, and this time it auto-suggested the correct path; however, it fails with a different error that states the admin user is in an invalid context, and it shows the "cn" of Users as an "ou":

cn=ifadmin,ou=Users,dc=test,dc=wwt,dc=local

So something is different between the master and slave configuration in the setup program, but I can't tell what I need to enter to make it work. Any suggestions would be greatly appreciated!

Best regards,
Greg
Anonymous_User

Re: Problems installing an iFolder slave server

palumbog,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your problem been resolved? If not, you might try one of the following options:

- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your Novell Product Support Forums Team
http://forums.novell.com/

palumbog

Re: Problems installing an iFolder slave server

I was eventually able to resolve this issue myself. In an effort to help someone else if they should have the same problem, I will relay the details. What I ended up doing is opening the port in my firewall between the iFolder server and the AD server to allow LDAP cleartext (389) and then running a Wireshark trace on the AD server to see what was actually going on. As is typical with software installation problems, the problem turned out to be rather simple; however, the logs didn't really give enough detail as to what was failing (see above, which is all I got when it failed).

I had already found out anecdotally when re-running the install script that I had one typo in the master iFolder server's Simias.config file (an extra "dc=test" somehow got inserted into the path of the "iFolder admin user" (ifadmin in our case)):

cn=ifadmin,cn=Users,dc=test,dc=test,dc=wwt,dc=local

I found this line in the master server's Simias.config file and corrected it to reflect the proper dn for the ifadmin user:

cn=ifadmin,cn=Users,dc=test,dc=wwt,dc=local

I then re-ran the simias-server-setup, and this time it auto-suggested the correct path; however, it fails with a different error that states the admin user is in an invalid context, and it shows the "cn" of Users as an "ou":

cn=ifadmin,ou=Users,dc=test,dc=wwt,dc=local


What I didn't see until I did the Wireshark trace is that after the slave server contacts the master server on its SOAP URL, it pulls down the LDAP search contexts that are configured on the master, and it then tries to verify each one against the LDAP server. If it gets to one that does not verify, it bails and ends with the "LDAP Credentials" error seen in my earlier post. The thing I was confused on is the "second" error shown just above, where it changes "cn=Users" to "ou=Users" in the dn for the ifadmin user. That turned out to be another line in the LDAP search contexts pulled from the master's Simias.config file. That was configured in the file as "ou=Users,dc=test,dc=wwt,dc=local". Someone familiar with LDAP and eDirectory, like myself, won't immediately find anything wrong with that, since "users" is a container, and in our way of thinking really is an "OU". For AD, for whatever stupid reason, Microsoft decided that the "users" container is a "CN", whereas the "groups" container is an "OU". Nice consistency. My master server worked with this typo, because we don't have any production users under the "CN=users..." container (except ifadmin, which is called out by FQDN earlier in the config file), so it never needs to search in that container anyway. In the Wireshark trace, you could see the AD server failing on validation of that OU (err, I mean CN) of "Users", and that is where the simias-server-setup script bombed. An extra properly-worded line of explanation in the setup script would have prevented a few hours of hair-pulling, but at least it's working now. Hope it helps someone in the future.

Best regards,
Greg
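The two things this thread turned on can both be caught before running simias-server-setup: the AD server does say why a bind failed (the "data 525" sub-code in the first post's error means the bind DN does not exist, which is exactly what a duplicated "dc=test" produces), and the LDAP search contexts the slave pulls from the master can be sanity-checked against the base DN. The following is an added example, not iFolder or Simias code: a small pre-flight script that decodes the AD sub-code from a setup error line and lints the admin DN and search contexts for the two mistakes described above (a repeated RDN, and "ou=Users" where AD's default container is "cn=Users"). The Simias.config values, the base DN and the function names are constructed for the example; the "data NNN" meanings are the well-known Active Directory bind sub-codes.

```python
"""Pre-flight checks for the LDAP settings an iFolder slave pulls from its master.

Added example, not iFolder/Simias code. The "data NNN" decoding follows the
well-known Active Directory bind sub-codes; the DN checks encode the two
mistakes described in the thread (a duplicated "dc=" component and
"ou=Users" where AD's default container is "cn=Users").
"""
import re

# Well-known sub-codes AD puts in the "data NNN" field of an
# AcceptSecurityContext error (LDAP result code 49), as AD prints them (hex).
AD_BIND_DATA_CODES = {
    "525": "user not found (the bind DN does not exist)",
    "52e": "invalid credentials (bad password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def parse_ad_bind_error(message):
    """Return (data_code, meaning) from an AD bind error string, or (None, reason)."""
    m = re.search(r"\bdata\s+([0-9a-fA-F]+)", message)
    if not m:
        return None, "no AD 'data' sub-code present"
    code = m.group(1).lower()
    return code, AD_BIND_DATA_CODES.get(code, "unknown sub-code")


def split_dn(dn):
    """Split a DN into lower-cased RDNs; backslash-escaped commas are kept inside an RDN."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]


def lint_dn(dn, base_dn):
    """Return a list of findings for one DN checked against the domain base DN."""
    findings = []
    rdns = split_dn(dn)
    base = split_dn(base_dn)
    if rdns[-len(base):] != base:
        findings.append("not under base DN %s" % base_dn)
    # A duplicated component such as dc=test,dc=test is almost always a typo.
    for a, b in zip(rdns, rdns[1:]):
        if a == b:
            findings.append("repeated RDN '%s' (typo?)" % a)
    # In AD the default Users container is CN=Users, not an OU; a search
    # context written as ou=Users directly under the base DN will not resolve.
    if len(rdns) == len(base) + 1 and rdns[0] == "ou=users":
        findings.append("'ou=Users' directly under base: AD's default container is cn=Users")
    return findings


def check_ldap_settings(admin_dn, search_contexts, base_dn):
    """Lint the admin DN and every search context; return {dn: findings} for the bad ones."""
    report = {}
    for dn in [admin_dn] + list(search_contexts):
        findings = lint_dn(dn, base_dn)
        if findings:
            report[dn] = findings
    return report


# Constructed sample mirroring the thread's master-server values (hypothetical).
BASE_DN = "dc=test,dc=wwt,dc=local"
ADMIN_DN = "cn=ifadmin,cn=Users,dc=test,dc=test,dc=wwt,dc=local"   # extra dc=test
SEARCH_CONTEXTS = ["ou=Users,dc=test,dc=wwt,dc=local",              # should be cn=Users
                   "ou=Staff,dc=test,dc=wwt,dc=local"]
SETUP_ERROR = ("LdapException: Server Message: 80090308: LdapErr: DSID-0C0903AA, "
               "comment: AcceptSecurityContext error, data 525, v1772")

if __name__ == "__main__":
    print(parse_ad_bind_error(SETUP_ERROR))
    for dn, findings in check_ldap_settings(ADMIN_DN, SEARCH_CONTEXTS, BASE_DN).items():
        print(dn, "->", "; ".join(findings))
```

Run it against the values copied out of the master's Simias.config before adding a slave; the "data" sub-code is also worth knowing when reading any AD bind failure, since LDAP result 49 alone does not distinguish a missing account from a wrong password or a locked one.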