
LDAP auth against replica

Hello all,

I have 3 eDirectory replicas of my root partition. The master partition
is on an older server that was originally of a much older eDirectory
version but is now updated to 8.8 20601.18. The other 2 are almost brand
new.

2 servers have RHEL5 and the newest one has the RHEL6 operating system.

To my master partition server:
- I can login using any normal user account with LDAP (ldapsearch)

To the other 2 read-write replicas:
- I can NOT login using any normal user account with LDAP (ldapsearch)
- I CAN login with admin account with LDAP
- I CAN login with system viewer account that is in a different
organization with LDAP
- I can login any normal user account using iManager

Replicas are not filtered, they are read-write replicas. Both the admin
and user logins are on a same partition. I tried to switch on "Enable
local login" in the filter section but no change.

Any advice welcome.

Pekka

Re: LDAP auth against replica

Pekka Kuronen wrote:

> Hello all,
>
> I have 3 eDirectory replicas of my root partition. The master
> partition is on an older server that was originally of a much older
> eDirectory version but is now updated to 8.8 20601.18. The other 2
> are almost brand new.
>
> 2 servers have RHEL5 and the newest one has the RHEL6 operating system.
>
> To my master partition server:
> - I can login using any normal user account with LDAP (ldapsearch)
>
> To the other 2 read-write replicas:
> - I can NOT login using any normal user account with LDAP (ldapsearch)
> - I CAN login with admin account with LDAP
> - I CAN login with system viewer account that is in a different
> organization with LDAP
> - I can login any normal user account using iManager
>
> Replicas are not filtered, they are read-write replicas. Both the
> admin and user logins are on a same partition. I tried to switch on
> "Enable local login" in the filter section but no change.


Log into iManager and go to the LDAP section | select the LDAP servers
that are not working and on the screen options tab hit all check boxes.

Next go into iMonitor (https://ip:8030) and go to dstrace. Hit clear
all, check LDAP and enable trace. Go to the trace live screen and try to
authenticate via ldapsearch again. Click update and post the output
from the screen here.



--
Cheers,
Edward

Re: LDAP auth against replica

On Thu, 17 Nov 2011 12:35:07 +0000, Pekka Kuronen wrote:

> To the other 2 read-write replicas:
> - I can NOT login using any normal user account with LDAP (ldapsearch)


Post your ldapsearch command line, so we can see what options you're
using.

Post the output from ldapsearch, so we can see what error or message
you're getting.


--
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com

Please post questions in the newsgroups. No support provided via email.


Re: LDAP auth against replica


> - I can NOT login using any normal user account with LDAP (ldapsearch)

And the error message being?


--
peterkuo
------------------------------------------------------------------------
peterkuo's Profile: http://forums.novell.com/member.php?userid=88
View this thread: http://forums.novell.com/showthread.php?t=448352


-- eDirectory Rules! Peter www.DreamLAN.com

Re: LDAP auth against replica

Here is the trace from iMonitor:

14:31:27 FFFFFFFFA146E700 LDAP: Failed to authenticate local on
connection 0xf5ea040, err = failed authentication (-669)


- ldapsearch commands I tried (with Novell and RHEL ldapsearch):

ldapsearch -x -W -h <dnsname> -D <full-dn> uid=login "*"
ldapsearch -Z -x -W -h <dnsname> -D <full-dn> uid=login "*"
ldapsearch -x -W -H <ldap uri> -D <full-dn> uid=login "*"
ldapsearch -x -W -H <ldaps uri> -D <full-dn> uid=login "*"


- ldapsearch response I got from my 2 replicas:

ldap_bind: Invalid credentials
additional info: NDS error: failed authentication (-669)

- ldapsearch with master worked
- ldapsearch with cn=admin,o=org bind with replicas succeeded


Here are some error / warning bits from ndstrace from the time of
authentication failure:

1891202816 SRCH: [2011/11/16 16:57:57.884] INFO: DSASearch,
Iterator->next:: Version 4, Iterator 0xffffffffffffffff, Base
..org.TREE., Scope 2, NodesToSearch 0, InfoType 1, Flags 0x800002,
Timeout 0, CommandNum 0 , EntryCount 1, Current Entry , Error failed,
iterator end of file hit (-765)
1891202816 SRCH: [2011/11/16 16:57:57.885] INFO: DSASearch, PutRefs::
Version 4, Iterator 0xffffffffffffffff, Base .org.TREE., Scope 2,
NodesToSearch 0, InfoType 1, Flags 0x800002, Timeout 0, CommandNum 0 ,
EntryCount 1, Error failed, iterator end of file hit (-765)
-----

1891202816 VCLN: [2011/11/16 16:57:57.937] DEBUG: DCDuplicateContextEx
Dest: Context 71790027, idHandle 00000001, connHandle 00000400,
/opt/novell/eDirectory/lib64/nds-modules/libnldap.so
1891202816 AUTH: [2011/11/16 16:57:57.937] DEBUG: [00008594]
<.login.Staff.unit.faculty.orgunit.org.TREE.> EmuVerifyPassword returned
error OS error of some sort (-255), conn: 27
-----

1891202816 AREQ: [2011/11/16 16:57:57.937] DEBUG: Calling DSAResolveName
conn:0 for client .server.org.TREE.
1891202816 ABUF: [2011/11/16 16:57:57.937] DEBUG: Request - (44)
0000 01 00 00 00 10 00 00 00 00 00 00 00 1C 00 00 00 ................
0010 5C 00 4C 00 55 00 54 00 5C 00 53 00 65 00 63 00 \.T.R.E.E.\.S.e.c.
0020 75 00 72 00 69 00 74 00 79 00 00 00 02 00 00 00 u.r.i.t.y.......
0030 09 00 00 00 0E 00 00 00 02 00 00 00 09 00 00 00 ................
0040 0E 00 00 00 ....

1891202816 DRLK: [2011/11/16 16:57:57.937] ERR: Primary object is ID_INVALID
1891202816 ABUF: [2011/11/16 16:57:57.937] DEBUG: Reply - (2a)


pekka

On 11/18/2011 12:26 AM, peterkuo wrote:
>
>> - I can NOT login using any normal user account with LDAP (ldapsearch)
>
> And the error message being?
>
>


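David asked for the exact ldapsearch command line and its output; Pekka's reply shows the bind succeeding on the master and failing with NDS -669 on the two replicas. The script below is an added example, not code from the thread or from NetIQ/Novell, that turns that manual comparison into a repeatable check: bind the same user against every server holding the partition, parse the NDS error code that eDirectory appends to the LDAP result, and report whether the outcome is consistent across servers or diverges (the replica-specific failure seen here). The server URIs, the bind DN and the helper names are hypothetical placeholders; `bind_check()` needs a real OpenLDAP `ldapsearch` on PATH, while `classify_bind_output()` and `compare_replicas()` only process text and run offline.

```python
"""Added example (not from the thread): bind one user against every replica
and compare the results, so a replica-specific authentication failure stands
out from a plain wrong-password case.

Assumptions (hypothetical): server URIs and bind DN in main() are
placeholders; ldapsearch (OpenLDAP client) must be on PATH for bind_check().
"""
import os
import re
import subprocess
import tempfile

# eDirectory appends its NDS code to the LDAP diagnostic message, e.g.
# "additional info: NDS error: failed authentication (-669)" as in the thread.
NDS_CODE_RE = re.compile(r"NDS error: .*?\((-?\d+)\)")
LDAP_INVALID_CREDENTIALS = 49  # ldapsearch exits with the LDAP resultCode


def classify_bind_output(returncode, stderr_text):
    """Map an ldapsearch exit status plus its stderr to (status, nds_code)."""
    m = NDS_CODE_RE.search(stderr_text)
    nds_code = int(m.group(1)) if m else None
    if returncode == 0:
        return ("ok", nds_code)
    if returncode == LDAP_INVALID_CREDENTIALS or "Invalid credentials" in stderr_text:
        return ("invalid-credentials", nds_code)
    if "Can't contact LDAP server" in stderr_text:
        return ("unreachable", nds_code)
    return ("error", nds_code)


def bind_check(uri, bind_dn, password, timeout=10):
    """Simple bind as bind_dn against one server, followed by a base-scope
    read of the root DSE so no particular entry has to exist.  The password
    is handed over through a 0600 file (-y) instead of the command line, so
    it never shows up in the process list."""
    with tempfile.NamedTemporaryFile("w", delete=False) as pw:
        os.chmod(pw.name, 0o600)
        pw.write(password)          # no trailing newline: -y takes the file verbatim
        pw_path = pw.name
    try:
        cmd = ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-y", pw_path,
               "-o", "nettimeout=%d" % timeout, "-b", "", "-s", "base", "objectClass"]
        proc = subprocess.run(cmd, capture_output=True, text=True)
        return classify_bind_output(proc.returncode, proc.stderr)
    finally:
        os.unlink(pw_path)


def compare_replicas(results):
    """results: {uri: (status, nds_code)} -> one-line verdict.

    The case from the thread is the 'divergent' one: the bind works on the
    master but fails on unfiltered read-write replicas of the same partition,
    which points at the replica servers rather than at the user's password."""
    ok = sorted(u for u, (s, _) in results.items() if s == "ok")
    failed = sorted(u for u, (s, _) in results.items() if s != "ok")
    if not failed:
        return "consistent: bind succeeded on all %d servers" % len(results)
    if not ok:
        return "consistent: bind failed on all %d servers (check the credentials first)" % len(results)
    return "divergent: ok on %s; failed on %s" % (", ".join(ok), ", ".join(failed))


if __name__ == "__main__":
    import getpass
    # Placeholder servers and DN (hypothetical): list every server holding the partition.
    servers = ["ldaps://master.example.org", "ldaps://replica1.example.org",
               "ldaps://replica2.example.org"]
    dn = "cn=login,ou=unit,o=org"
    pw = getpass.getpass("Password for %s: " % dn)
    results = {uri: bind_check(uri, dn, pw) for uri in servers}
    for uri, (status, code) in results.items():
        print("%-34s %-20s %s" % (uri, status, "NDS %d" % code if code is not None else ""))
    print(compare_replicas(results))
```

Running it against the three servers in the thread would print `ok` for the master and `invalid-credentials NDS -669` for the two replicas, and the verdict line would read `divergent`, which is the signal to look at the replica servers (trace, agent health, and, as it turned out here, the OS) rather than at the account.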

Re: LDAP auth against replica

On Fri, 18 Nov 2011 12:46:39 +0000, Pekka Kuronen wrote:

> 1891202816 VCLN: [2011/11/16 16:57:57.937] DEBUG: DCDuplicateContextEx
> Dest: Context 71790027, idHandle 00000001, connHandle 00000400,
> /opt/novell/eDirectory/lib64/nds-modules/libnldap.so 1891202816 AUTH:
> [2011/11/16 16:57:57.937] DEBUG: [00008594]
> <.login.Staff.unit.faculty.orgunit.org.TREE.> returned
> error OS error of some sort (-255), conn: 27


Weird. I can't say that I've ever seen that error before. Searching the
knowledgebase doesn't turn up anything for "EmuVerifyPassword", but TID
#10076861 turns up in a search for "-255", but it doesn't look to me like
that should apply to you here. Nothing else really looks right either.


--
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com

Please post questions in the newsgroups. No support provided via email.


Re: LDAP auth against replica


If I recall, a -255 OS error is a typical "catch-all" code, and as you
indicated, not a very useful one.


--
peterkuo
------------------------------------------------------------------------
peterkuo's Profile: http://forums.novell.com/member.php?userid=88
View this thread: http://forums.novell.com/showthread.php?t=448352


-- eDirectory Rules! Peter www.DreamLAN.com

Re: LDAP auth against replica

On Sat, 19 Nov 2011 18:26:01 +0000, peterkuo wrote:

> If I recall, a -255 OS error is a typical "catch-all" code, and as you
> indicated, not a very useful one.


Yep, that's what it is - it's like a less severe version of the -699
"ERR_FATAL" error, basically says "something went wrong, but who knows
what it was..."

Jim



--
Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell Knowledge Partner

Re: LDAP auth against replica


That's just the developer being lazy! Well, since only numeric codes
are being assigned, one can't just create new codes for errors - I
would likely have opted for alphanumeric, so for such catch-all codes I
could at least tag on a letter to indicate where in the code path the
error was generated.


--
peterkuo
------------------------------------------------------------------------
peterkuo's Profile: http://forums.novell.com/member.php?userid=88
View this thread: http://forums.novell.com/showthread.php?t=448352


-- eDirectory Rules! Peter www.DreamLAN.com

Re: LDAP auth against replica


Pekka Kuronen;2154923 Wrote:
> Here is the trace from iMonitor:
>
>
> Here are some error / warning bits from ndstrace from the time of
> authentication failure:
>
> 1891202816 SRCH: [2011/11/16 16:57:57.884] INFO: DSASearch,
> Iterator->next:: Version 4, Iterator 0xffffffffffffffff, Base
> ..org.TREE., Scope 2, NodesToSearch 0, InfoType 1, Flags 0x800002,
> Timeout 0, CommandNum 0 , EntryCount 1, Current Entry , Error failed,
> iterator end of file hit (-765)
> 1891202816 SRCH: [2011/11/16 16:57:57.885] INFO: DSASearch, PutRefs::
> Version 4, Iterator 0xffffffffffffffff, Base .org.TREE., Scope 2,
> NodesToSearch 0, InfoType 1, Flags 0x800002, Timeout 0, CommandNum 0 ,
> EntryCount 1, Error failed, iterator end of file hit (-765)
> -----
>
> >


This is cosmetic and can be ignored - it simply indicates the end of
the search request has been reached and the search has been read.


--
peterkuo
------------------------------------------------------------------------
peterkuo's Profile: http://forums.novell.com/member.php?userid=88
View this thread: http://forums.novell.com/showthread.php?t=448352


-- eDirectory Rules! Peter www.DreamLAN.com

Re: LDAP auth against replica


Pekka Kuronen;2154923 Wrote:
> Here is the trace from iMonitor:
>
> 14:31:27 FFFFFFFFA146E700 LDAP: Failed to authenticate local on
> connection 0xf5ea040, err = failed authentication (-669)
>
>
>
>
> - ldapsearch response I got from my 2 replicas:
>
> ldap_bind: Invalid credentials
> additional info: NDS error: failed authentication (-669)
>
> - ldapsearch with master worked
> - ldapsearch with cn=admin,o=org bind with replicas succeeded
>
>
>
> >


The invalid password error bothers me - it suggests the password for
the same (normal) user is not the same (i.e. not in sync) between two
replicas. Have you by chance performed a health check on your tree?


--
peterkuo
------------------------------------------------------------------------
peterkuo's Profile: http://forums.novell.com/member.php?userid=88
View this thread: http://forums.novell.com/showthread.php?t=448352


-- eDirectory Rules! Peter www.DreamLAN.com

Re: LDAP auth against replica

I did check with ndsrepair, but how could it be broken? The server was
added to the tree only 1 week ago. Maybe there is something wrong in the way
I added the server. Can one add a server to a tree in a way that makes
authentication not functional?

On 11/19/2011 08:36 PM, peterkuo wrote:
>
> Pekka Kuronen;2154923 Wrote:
>> Here is the trace from iMonitor:
>>
>> 14:31:27 FFFFFFFFA146E700 LDAP: Failed to authenticate local on
>> connection 0xf5ea040, err = failed authentication (-669)
>>
>>
>>
>>
>> - ldapsearch response I got from my 2 replicas:
>>
>> ldap_bind: Invalid credentials
>> additional info: NDS error: failed authentication (-669)
>>
>> - ldapsearch with master worked
>> - ldapsearch with cn=admin,o=org bind with replicas succeeded
>>
>>
>>
>>>

>
> The invalid password error bothers me - it suggests the password for
> the same (normal) user is not the same (i.e. not in sync) between two
> replicas. Have you by chance performed a health check on your tree?
>
>


Re: LDAP auth against replica

On Mon, 21 Nov 2011 08:18:38 +0000, Pekka Kuronen wrote:

> I did check with ndsrepair but how could it be broken, the server was
> added to tree only 1 week ago. Maybe there is something wrong in the way
> i added the server. Can one add a server to a tree in a way to make
> authentication not functional?


ndsrepair really isn't a diagnostic tool - it's a repair tool.

The best way to check status is with iMonitor - go to the main iMonitor
page and select "Agent Health". Note any errors reported there and then
visit the "Known Servers" link and check the agent health link for each
server listed in the list (if you start from a server holding a copy of
[Root], you should see all of the servers in your tree).

Jim
--
Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell Knowledge Partner

Re: LDAP auth against replica

I managed to make it work.

The reason was SELinux, which was active at the beginning of the
installation. Everything installed fine with no complaints and I turned
SELinux off after installation, but obviously something got broken.

So I disabled SELinux, removed the eDirectory server from the tree,
uninstalled eDirectory and all Novell packages, cleaned the file
directories and reinstalled it all. After replication all worked like a
charm.

So the lesson from this was: remember your SELinux 🙂

My sincere thanks to people who helped me.


Pekka

PS. As a funny detail: before I reinstalled I tried updating NMAS
methods with nmasinst and it made _some_ of the logins work... how curious


On 11/21/2011 08:15 PM, Jim Henderson wrote:
> On Mon, 21 Nov 2011 08:18:38 +0000, Pekka Kuronen wrote:
>
>> I did check with ndsrepair but how could it be broken, the server was
>> added to tree only 1 week ago. Maybe there is something wrong in the way
>> i added the server. Can one add a server to a tree in a way to make
>> authentication not functional?

>
> ndsrepair really isn't a diagnostic tool - it's a repair tool.
>
> The best way to check status is with iMonitor - go to the main iMonitor
> page and select "Agent Health". Note any errors reported there and then
> visit the "Known Servers" link and check the agent health link for each
> server listed in the list (if you start from a server holding a copy of
> [Root], you should see all of the servers in your tree).
>
> Jim


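Pekka's root cause was SELinux being enforcing while eDirectory was installed, with nothing complaining at install time. The script below is an added example, not code from the thread or from the eDirectory product, of the check a practitioner would want before (and after) adding a replica on RHEL: report the current SELinux mode and list audit-log AVC denials recorded against the eDirectory daemon. It assumes the daemon's process name is `ndsd` and the default auditd log path; the sample audit lines embedded in it are constructed for illustration and are not taken from the thread.

```python
"""Added example (not from the thread): detect SELinux interference with
eDirectory on a RHEL host by reporting the enforcing mode and parsing AVC
denials against the ndsd daemon out of the audit log.

Assumptions: the eDirectory daemon's comm name is "ndsd"; the audit log path
is the auditd default; SAMPLE_AUDIT_LINES are constructed, not real records.
"""
import os
import re

AUDIT_LOG = "/var/log/audit/audit.log"          # auditd default on RHEL
ENFORCE_FILES = ("/sys/fs/selinux/enforce",      # RHEL7+ mount point
                 "/selinux/enforce")             # RHEL5/6 mount point

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):\d+\): avc:\s+denied\s+\{ (?P<perms>[^}]+)\} '
    r'for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (hypothetical contexts and inodes) in auditd's
# AVC format: two denials against ndsd, one SYSCALL record, one unrelated denial.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1321624677.937:1201): avc:  denied  { write } for  pid=4321 '
    'comm="ndsd" name="nds.db" dev=dm-0 ino=131073 scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=file',
    'type=AVC msg=audit(1321624678.120:1202): avc:  denied  { name_connect } for  pid=4321 '
    'comm="ndsd" dest=524 scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:object_r:ncp_port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1321624678.120:1202): arch=c000003e syscall=42 success=no exit=-13',
    'type=AVC msg=audit(1321624690.000:1210): avc:  denied  { read } for  pid=999 '
    'comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]


def parse_avc(line):
    """Turn one AVC denial record into a dict; any other record yields None."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "perms": m.group("perms").split(),
           "pid": int(m.group("pid")), "comm": m.group("comm")}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def denials_for(lines, comm="ndsd"):
    """All AVC denials whose process name equals comm, in log order."""
    return [rec for rec in map(parse_avc, lines) if rec and rec["comm"] == comm]


def selinux_mode():
    """'enforcing' or 'permissive' from the enforce pseudo-file; 'disabled'
    when neither mount point exists (SELinux off or not built in)."""
    for path in ENFORCE_FILES:
        try:
            with open(path) as f:
                return "enforcing" if f.read().strip() == "1" else "permissive"
        except OSError:
            continue
    return "disabled"


def summarize(lines, comm="ndsd"):
    """Compact report: how many denials hit comm and which object classes."""
    hits = denials_for(lines, comm)
    return {"comm": comm, "denials": len(hits),
            "tclasses": sorted({r.get("tclass", "?") for r in hits}),
            "perms": sorted({p for r in hits for p in r["perms"]})}


if __name__ == "__main__":
    print("SELinux mode:", selinux_mode())
    try:
        with open(AUDIT_LOG) as f:     # normally needs root to read
            lines = f.readlines()
        source = AUDIT_LOG
    except OSError:
        lines, source = SAMPLE_AUDIT_LINES, "constructed sample lines"
    print("Source:", source)
    print(summarize(lines))
```

The denial records are what an enforcing policy leaves behind when the daemon is blocked from its database files or its ports; the thread's install produced no visible complaint, which is exactly why the audit log, not the installer output, is the place to look. A non-empty `denials` count for `ndsd` on a freshly added replica is worth resolving before trusting that replica for authentication.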

Re: LDAP auth against replica


Pekka Kuronen;2155258 Wrote:
> I did check with ndsrepair but how could it be broken, the server was
> added to tree only 1 week ago. Maybe there is something wrong in the
> way
> i added the server. Can one add a server to a tree in a way to make
> authentication not functional?
>
>


As you found out, SELINUX 😉


--
peterkuo
------------------------------------------------------------------------
peterkuo's Profile: http://forums.novell.com/member.php?userid=88
View this thread: http://forums.novell.com/showthread.php?t=448352


-- eDirectory Rules! Peter www.DreamLAN.com