akeaveney Absent Member.

Users cannot login to ZCM

Hi

I have just returned from leave to find there was a problem with users unable to login to ZCM last week. The problem was solved at the time by my colleagues restarting the ZCM SUSE Servers and also restarting the NetWare LDAP server that is used for authentication and this fixed the problem.

I have been asked to investigate what caused the actual problem. Does anyone know what logs are on the Linux Server and in what location which would show if there was a problem with LDAP at the time and the failed logins? There are no errors in the logs on the NetWare LDAP Server, so I want to find out what was the definite cause.

Many thanks in advance.

Anthony
shaunpond Absent Member.

Re: Users cannot login to ZCM

nop19832 Absent Member.

Re: Users cannot login to ZCM

Shaun,

Not that fast typing on an iPad, did not see you had made a post 🙂

-- Niels I have always liked... Cowabunga!
nop19832 Absent Member.

Re: Users cannot login to ZCM

You should be able to find the logs here: /var/opt/novell/log/zenworks/(loader-messages.log)

Bonus info; this behavior I've seen on our environment too, both in zcm10 and 11, the only thing that worked was to reboot ALL the primaries. I've not seen this in 11.1a, so can't look further into it...
One thing that can invoke this problem, is if you reboot the db server, without rebooting the zcm primaries afterwards.

-- Niels I have always liked... Cowabunga!
akeaveney Absent Member.

Re: Users cannot login to ZCM

nop1983;2166132 wrote:
You should be able to find the logs here: /var/opt/novell/log/zenworks/(loader-messages.log)

Bonus info; this behavior I've seen on our environment too, both in zcm10 and 11, the only thing that worked was to reboot ALL the primaries. I've not seen this in 11.1a, so can't look further into it...
One thing that can invoke this problem, is if you reboot the db server, without rebooting the zcm primaries afterwards.


Many thanks Niels for listing the specific file and the additional info. I failed to find the messages originally as it has zipped up the old file which contained the errors.

I have checked the file and all was going well, until we started getting these errors:

[DEBUG] [1/1/12 4:50:21 AM] [] [ServiceStoreFactory] [] [Cleaned up 1 long-lived Hibernate sessions.] [] []
[DEBUG] [1/1/12 4:51:58 AM] [] [Loader.Status Storer Module] [] [Processing Status_d500ab4349672c41a51c782cb80c12ab_1325393477250.xml] [] []
[DEBUG] [1/1/12 4:51:58 AM] [] [Loader.Status Storer Module] [] [Processing Status_92f680ccd76ee94c9d1a8d9c954bd77e_1325393435750.xml] [] []
[DEBUG] [1/1/12 4:53:28 AM] [] [Loader.Status Storer Module] [] [Processing Status_34aac2490f9856448d3a6bb7df4e63e1_1325393518390.xml] [] []
[DEBUG] [1/1/12 4:58:28 AM] [] [Loader.Status Storer Module] [] [Processing Status_5f20890cbef63e44bdb5dbf51041264e_1325393851703.xml] [] []
[DEBUG] [1/1/12 5:03:58 AM] [] [Loader.Status Storer Module] [] [Processing Status_34bbf913bdde884b9a03bf606c8e1ca1_1325394316234.xml] [] []
[DEBUG] [1/1/12 5:06:28 AM] [] [Loader.Status Storer Module] [] [Processing Status_04760c5087577145b9fa4b02703b0966_1325394230078.xml] [] []
[DEBUG] [1/1/12 5:08:58 AM] [] [Loader.Status Storer Module] [] [Processing Status_c171d5f35936704eb36c9181c63bf4cc_1325394328437.xml] [] []
[DEBUG] [1/1/12 5:09:28 AM] [] [Loader.Status Storer Module] [] [Processing Status_94f3208bd1a6f742bc34e226e303d965_1325394583750.xml] [] []
[DEBUG] [1/1/12 5:15:58 AM] [] [Loader.Status Storer Module] [] [Processing Status_90399f3dfe115a479b11df89685c8063_1325394828515.xml] [] []
[DEBUG] [1/1/12 5:21:58 AM] [] [Loader.Status Storer Module] [] [Processing Status_3961d9a495d9c04e8f4a5ea0f826dba8_1325395927701.xml] [] []
[DEBUG] [1/1/12 5:21:59 AM] [] [Loader.Status Storer Module] [] [Failed to save status data because of Exception: com.novell.zenworks.datamodel.exceptions.InternalDataModelException: javax.naming.NamingException: [[LDAP: error code 80 - NDS error: ds locked (-663)]]] [] []
[DEBUG] [1/1/12 5:21:59 AM] [] [Loader.Status Storer Module] [] [com.novell.zenworks.datamodel.exceptions.InternalDataModelException: javax.naming.NamingException: [[LDAP: error code 80 - NDS error: ds locked (-663)]]
at com.novell.zenworks.datamodel.utils.ldap.LDAPUtil.handleAuthenticationException(LDAPUtil.java:997)
at com.novell.zenworks.datamodel.utils.ldap.LDAPUtil.getLDAPConnectionInfo(LDAPUtil.java:459)
at com.novell.zenworks.datamodel.utils.ldap.LDAPUtil.getLDAPConnectionInfo(LDAPUtil.java:321)
at com.novell.zenworks.datamodel.utils.ldap.LDAPUtil.getLDAPConnectionInfo(LDAPUtil.java:261)
at com.novell.zenworks.datamodel.session.jndi.ldap.LdapAuthoritativeSourceSession.login(LdapAuthoritativeSourceSession.java:226)
at com.novell.zenworks.datamodel.services.authsources.AuthoritativeSourceSessionPool.getSession(AuthoritativeSourceSessionPool.java:77)
at com.novell.zenworks.datamodel.services.authsources.AuthoritativeSourceManager.getSession(AuthoritativeSourceManager.java:213)
at com.novell.zenworks.datamodel.services.authsources.AuthoritativeSourceManager.newAuthoritativeSourceService(AuthoritativeSourceManager.java:65)
at com.novell.zenworks.datamodel.services.authsources.AuthoritativeSourceManager.getAuthoritativeSourceService(AuthoritativeSourceManager.java:96)
at com.novell.zenworks.datamodel.services.ExternalReferenceResolver.getAuthoritativeSourceService(ExternalReferenceResolver.java:158)
at com.novell.zenworks.datamodel.services.ExternalReferenceResolver.resolveExternalUID(ExternalReferenceResolver.java:76)
at com.novell.zenworks.datamodel.services.status.StatusImpl.saveStatusEvent(StatusImpl.java:419)
at com.novell.zenworks.loader.modules.statusstorer.StatusStorerModule.processStatus(StatusStorerModule.java:310)
at com.novell.zenworks.loader.modules.statusstorer.StatusStorerModule.run(StatusStorerModule.java:218)
at com.novell.zenworks.loader.ZENModuleThread.run(ZENModuleThread.java:111)
Caused by: javax.naming.NamingException: [[LDAP: error code 80 - NDS error: ds locked (-663)]]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3115)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3017)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2818)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2732)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:299)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at com.novell.zenworks.datamodel.utils.ldap.LDAPUtil.getLDAPConnectionInfo(LDAPUtil.java:424)
... 13 more
] [] []

It mentions LDAP, but is this definitely the problem? The LDAP server we use is used by other applications and no problems were reported with these. I have checked the account that is configured to login through ZCM configured sources and again this file has no password restrictions etc. and nothing seems to have changed.

Kind regards,
Anthony
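
As an added example (not part of the original posts, and not Novell or Micro Focus code), the script below scans a loader-messages.log in the format quoted above, including a compressed rotated copy, and reports when LDAP errors first and last appeared and how often. The month/day/year timestamp order and gzip as the compression format are assumptions, and the sample lines are constructed.

```python
import gzip
import re
from collections import Counter
from datetime import datetime

# Record header: [LEVEL] [timestamp] [] [component] [] [message ...
HEAD = re.compile(r"^\[(\w+)\] \[([^\]]+)\] \[[^\]]*\] \[([^\]]+)\]")
# LDAP result code 80 is "other" (RFC 4511); the directory's own reason follows it.
LDAP_ERR = re.compile(r"LDAP: error code (\d+) - ([^\]]+)")
TS_FORMAT = "%m/%d/%y %I:%M:%S %p"  # assumption: month/day/year order

# Constructed sample in the format of the excerpt above (stack frames shortened).
SAMPLE = """\
[DEBUG] [1/1/12 5:15:58 AM] [] [Loader.Status Storer Module] [] [Processing Status_aaaa_1.xml] [] []
[DEBUG] [1/1/12 5:21:59 AM] [] [Loader.Status Storer Module] [] [Failed to save status data because of Exception: com.novell.zenworks.datamodel.exceptions.InternalDataModelException: javax.naming.NamingException: [[LDAP: error code 80 - NDS error: ds locked (-663)]]] [] []
[DEBUG] [1/1/12 5:21:59 AM] [] [Loader.Status Storer Module] [] [com.novell.zenworks.datamodel.exceptions.InternalDataModelException: javax.naming.NamingException: [[LDAP: error code 80 - NDS error: ds locked (-663)]]
at com.novell.zenworks.datamodel.utils.ldap.LDAPUtil.getLDAPConnectionInfo(LDAPUtil.java:459)
Caused by: javax.naming.NamingException: [[LDAP: error code 80 - NDS error: ds locked (-663)]]
] [] []
[DEBUG] [1/1/12 5:26:58 AM] [] [Loader.Status Storer Module] [] [Processing Status_bbbb_2.xml] [] []
"""

def open_log(path):
    """Open a log as text; gzip-compressed rotations are detected by magic bytes."""
    with open(path, "rb") as fh:
        is_gzip = fh.read(2) == b"\x1f\x8b"
    opener = gzip.open if is_gzip else open
    return opener(path, "rt", encoding="utf-8", errors="replace")

def ldap_failures(lines):
    """Return (first_seen, last_seen, Counter) for LDAP errors in log lines."""
    first = last = None
    counts = Counter()
    for line in lines:
        head = HEAD.match(line)
        err = LDAP_ERR.search(line)
        if not (head and err):
            continue  # stack-trace lines ("Caused by:") have no header: not recounted
        when = datetime.strptime(head.group(2), TS_FORMAT)
        first = first or when
        last = when
        counts[(head.group(3), int(err.group(1)), err.group(2).strip())] += 1
    return first, last, counts

if __name__ == "__main__":
    first, last, counts = ldap_failures(SAMPLE.splitlines())
    print("first:", first, "last:", last)
    for (component, code, text), n in counts.items():
        print(f"{n}x {component}: LDAP {code} {text}")
```

Comparing the first-seen timestamp with the directory server's own maintenance or repair schedule helps tie the -663 result to a cause on the directory side.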
nop19832 Absent Member.

Re: Users cannot login to ZCM

Hi Anthony

Now, I'm not that much into eDir/NDS, but have seen the -663 error code before, i.e. when I run DSREPAIR and try to make a request to it, read more here:
-663 FFFFFD69 DS LOCKED

So no, I don't think it's a LDAP problem either, but can never say never 🙂

How many servers are specified as connections to the usersource in ZCC?

-- Niels I have always liked... Cowabunga!
akeaveney Absent Member.

Re: Users cannot login to ZCM

nop1983;2166225 wrote:
Hi Anthony

Now, I'm not that much into eDir/NDS, but have seen the -663 error code before, i.e. when I run DSREPAIR and try to make a request to it, read more here:
-663 FFFFFD69 DS LOCKED

So no, I don't think it's a LDAP problem either, but can never say never 🙂

How many servers are specified as connections to the usersource in ZCC?


Hi Niels

We have 2 servers specified, but it looks as though the certificate has just expired on the second one, so this wouldn't have kicked in if indeed it was an LDAP problem. I will fix this today.

I still don't believe it was an LDAP problem with the first server as other services would have failed in the organisation, but I can't be sure like you have said.

Thanks for all your help, this has given me a lot more information to provide on the incident.

Regards,
Ant
nop19832 Absent Member.

Re: Users cannot login to ZCM

Anthony,

No problem, just glad you could use the information 🙂

-- Niels I have always liked... Cowabunga!