Anonymous_User Absent Member.

NDSD dead and no LDAP listening on TCP or TLS Ports


Server and Edir details:

Server OS = SLES 9
Server name = lxrba7
eDir = Novell eDirectory 8.8 SP2
Replica ring has 7 other servers in it and this server contains only
read/write replicas. Some SLES 9 with Novell eDirectory 8.8 SP2 and
some with Netware 6.5 and Novell eDirectory 8.8 SP5

This morning we had to reboot one of our Edir servers (lxrba7). When
the server came back up ndsd had not started and the following error was
displayed when I tried to start it manually:

lxrba7:~ # rcndsd start
Executing customized settings before starting the Novell eDirectory server...
Starting Novell eDirectory server...

done
Executing customized settings after starting the Novell eDirectory server...
/etc/init.d/nldap: line 179: [: /var/nds/dib: binary operator expected
Validation failed in post_ndsd_start script.
Please refer to //etc/init.d/post_ndsd_start.

After some troubleshooting I found that it seemed like the issue was
being caused by duplicate entries in
/etc/opt/novell/eDirectory/conf/nds.conf. Apparently there is some bug
which adds duplicate entries to this file in some instances. In any event
I backed up the file and then removed the duplicate entries. When I
tried starting ndsd again the above error was gone but I was now getting
the following:

lxrba7:/etc/opt/novell/eDirectory/conf # rcndsd start
Executing customized settings before starting the Novell eDirectory server...
Starting Novell eDirectory server...

done
Executing customized settings after starting the Novell eDirectory server...
Novell eDirectory LDAP Server is not listening on the TCP port.
Novell eDirectory LDAP Server is not listening on the TLS port.

I have double checked that only one instance of ndsd is trying to
start. Also did the following to check relevant listening ports:

lxrba7:~ # netstat -na | grep -i listen | egrep "389|636|524|8028|8030"
tcp 0 0 127.0.0.1:524 0.0.0.0:* LISTEN
tcp 0 0 191.96.111.157:8028 0.0.0.0:* LISTEN
tcp 0 0 191.96.111.157:8030 0.0.0.0:* LISTEN

As you can see there is nothing listening on 389 and 636.

Below is sample output from "NDSTRACE +LDAP +TIME +TAGS", while I ran
"nldap -u" and then "nldap -l":

INFO: LDAP Agent for Novell eDirectory 8.8 SP2 (20216.43) stopped
DEBUG: DCFreeContext context 616c0003 idHandle ffffffff, connHandle 00000000, //opt/novell/eDirectory/lib/nds-modules/libgams.so
DEBUG: DCFreeContext context 616c0004 idHandle ffffffff, connHandle ffffffff, unknown module
DEBUG: DCCreateContext context 616d0003 moduleHandle 00000106 //opt/novell/eDirectory/lib/nds-modules/libgams.so, idHandle ffffffff
DEBUG: request DS Ping by context 616d0003 ,cFlags=00010584 , scflags=00000000 failed, system failure (-632)
DEBUG: request DSAResolveName by context 616d0003 ,cFlags=00010584 , scflags=00000000 failed, system failure (-632)
DEBUG: DCCreateContext context 616d0004 moduleHandle 00000106 //opt/novell/eDirectory/lib/nds-modules/libgams.so, idHandle ffffffff
DEBUG: DCFreeContext context 616d0004 idHandle ffffffff, connHandle ffffffff, //opt/novell/eDirectory/lib/nds-modules/libgams.so
DEBUG: DCFreeContext context 616d0003 idHandle ffffffff, connHandle 00000000, //opt/novell/eDirectory/lib/nds-modules/libgams.so
DEBUG: DCFreeContext context 616d0004 idHandle ffffffff, connHandle ffffffff, unknown module
INFO: DS Local Agent is not open in GetAgentStateAndSlashTreeName
INFO: GetAgentStateAndSlashTreeName failed in ReadConfigFromDS, err = ds locked (-663)
INFO: Could not update server configuration, err = ds locked (-663)
INFO: LDAP Agent for Novell eDirectory 8.8 SP2 (20216.43) stopped
INFO: DS Local Agent is not open in GetAgentStateAndSlashTreeName
INFO: GetAgentStateAndSlashTreeName failed in ReadConfigFromDS, err = ds locked (-663)
INFO: Could not update server configuration, err = ds locked (-663)

I am at the point now where it looks to me like something bad has
happened to the edir replica on this server and I am beginning to think
that perhaps the route I should follow is removing eDirectory, deleting
the relative objects from the tree and then reinstalling EDir on this
server and then re-adding it to the tree. A big concern is the fact that
this is the server that has the Novell IDM 3.6 edir-to-edir connector on
it and also has a replica of that set of objects on it, so I am
concerned that in removing eDirectory I will be creating a huge amount
of hassle in trying to get the connection with IDM back up.

Is there anything else that I can try or some other solution that
would fix this issue...hopefully something that doesn't mean trashing
edir on this server. Many thanks to anybody willing to impart any
wisdom with regard to this issue.


--
calwynb
------------------------------------------------------------------------
calwynb's Profile: http://forums.novell.com/member.php?userid=34073
View this thread: http://forums.novell.com/showthread.php?t=447980
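
The duplicate-entry problem described in the post above, as an added example that is not part of the original post or of eDirectory's own scripts: it lists keys that occur more than once in an nds.conf-style file and shows how a doubled value breaks an unquoted `[` test. The file contents and key names are constructed, and `-d` is an assumed stand-in for whatever line 179 of /etc/init.d/nldap tests, which the thread does not show.

```shell
#!/bin/sh
# Added example, not from the thread or from eDirectory's scripts.

# Write a constructed nds.conf-style file in which one key appears twice.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not the poster's file
n4u.server.tcp-port=524
n4u.nds.dibdir=/var/nds/dib
n4u.nds.server-name=lxrba7
n4u.nds.dibdir=/var/nds/dib
EOF
}

# Print every value stored under key $2 in file $1, one per line.
key_values() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == want) print substr($0, eq + 1)
        }' "$1"
}

# Print, sorted, each key that occurs more than once in file $1.
dup_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            seen[key]++
        }
        END { for (k in seen) if (seen[k] > 1) print k }' "$1" | sort
}

# Print the exit status of an unquoted directory test on key $2 of file $1.
# A duplicated key yields two lines, the unquoted expansion splits into two
# words, and `[` reports a syntax error (bash: "binary operator expected")
# instead of a plain true/false answer.
unquoted_test_status() {
    dir=$(key_values "$1" "$2")
    # Deliberately unquoted to reproduce the failure mode.
    [ -d $dir ] 2>/dev/null && rc=0 || rc=$?
    echo "$rc"
}

# Demo on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
echo "duplicated keys: $(dup_keys "$sample")"
echo "status of unquoted [ -d ]: $(unquoted_test_status "$sample" n4u.nds.dibdir)"
rm -f "$sample"
```

Run `dup_keys` against a copy of the real file before and after editing it; an empty result means no key is defined twice.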

Knowledge Partner

Re: NDSD dead and no LDAP listening on TCP or TLS Ports

On Wed, 09 Nov 2011 13:06:02 +0000, calwynb wrote:

> INFO: DS Local Agent is not open in GetAgentStateAndSlashTreeName INFO:
> GetAgentStateAndSlashTreeName failed in ReadConfigFromDS, err = ds
> locked (-663)


That looks to be the key message. You might try a 'ndsrepair -E' to see
if that reports anything helpful. 'ndsrepair -R' to repair the database
may be effective. I'd certainly try that before removing and reinstalling.


--
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com

Please post questions in the newsgroups. No support provided via email.

Anonymous_User Absent Member.

Re: NDSD dead and no LDAP listening on TCP or TLS Ports

Before you go as far as removing the server from the tree, you should be sure that you have a backup of your IDM driver(s). Hopefully you also have a second server assigned to that driverset so that you don't lose driver associations on your user / group objects.

DS is locked on the server, and a simple reboot of the server may clear things up.
Anonymous_User Absent Member.

Re: NDSD dead and no LDAP listening on TCP or TLS Ports


The server has been rebooted a number of times and the DS remains
locked. Where would I check the servers assigned to a particular
driverset for IDM? And if there is only one...as in this server that is
a problem at the moment could I add another without losing all the
associations etc. so that I can remove this server and readd it without
affecting IDM too much.

Tried running ndsrepair -E...output below:

>
> lxrba7:~ # ndsrepair -E
>
> [1] Instance at /etc/opt/novell/eDirectory/conf/nds.conf:
> lxrba7.OU=SERVICES.OU=RB.O=COU.LA_TREE
> Repair utility for Novell eDirectory 8.8 - 8.8 SP2 v20213.03
> DS Version 20216.51 Tree name:
> Server name:
>
> Size of /var/opt/novell/eDirectory/log/ndsrepair.log = 88312250 bytes.
>
> The Directory Services Database is closed
> Try running the local database repair
>
> Finish: Thursday, November 10, 2011 07:16:40 AM Local Time
>
> Total errors: 0
> NDSRepair process completed.


Also tried ndsrepair -R...output below:

> lxrba7:~ # ndsrepair -R
>
> [1] Instance at /etc/opt/novell/eDirectory/conf/nds.conf:
> lxrba7.OU=SERVICES.OU=RB.O=COU.LA_TREE
> Repair utility for Novell eDirectory 8.8 - 8.8 SP2 v20213.03
> DS Version 20216.51 Tree name:
> Server name:
>
> Size of /var/opt/novell/eDirectory/log/ndsrepair.log = 88312312 bytes.
>
> Preparing Log File "/var/opt/novell/eDirectory/log/ndsrepair.log"
> Please Wait...
> Repairing Directory On Server lxrba7
> Start: Thursday, November 10, 2011 07:18:42 AM Local Time
> ERROR: Insufficient disk space or missing files, Error: -618
>
> NOTICE: Unable to update repair status. Error: -663
>
> Repair process aborted
> Unlocking local database files
> Please Wait...
> Could not open the Directory Services Database, the repair procedure
> was not successful. Try running the repair again, or uninstall this
> server from the Directory Services tree and re-install it.
> Total errors: 0


I have removed the SSL certificates for this server from eDirectory and
then tried to generate a new set...output below:

> lxrba7:~ # ndsconfig upgrade
>
> [1] Instance at /etc/opt/novell/eDirectory/conf/nds.conf:
> lxrba7.OU=SERVICES.OU=RB.O=COU.LA_TREE
> Enter admin name with context[admin.org]:admin.cou
> Enter the password for admin.cou:
>
> Upgrading Novell eDirectory server with the following parameters,
> Please wait...
> Tree Name : LA_TREE
> Server DN : lxrba7.OU=SERVICES.OU=RB.O=COU
> Admin DN : admin.cou
>
> Configuration File : /etc/opt/novell/eDirectory/conf/nds.conf
> DIB Location : /var/nds/dib
>
>
> Checking for sufficient free disk space in the DIB file system...
>
> Shutting down server for the DIB upgrade...
> Stopping the service 'ndsd'... Done.
> Checking if DIB upgrade is required, Please wait...
>
> DIB upgrade failed. Check the log file for more details.
>
> ERROR: DIB upgrade failed. Refer to
> "/var/opt/novell/eDirectory/log/ndsdibupg.log" for more details.


The relevant entry in the log file mentioned above shows the following:

> #### Utility called with DIB directory: /var/nds/dib ####
> options
>
> Log File: /var/opt/novell/eDirectory/log/ndsdibupg.log
> Starting the DIB upgrade: Nov 10 07:20:50
>
> Opening the DIB to start upgrade process...
> ERROR: Flaim IO error; errno = 17
>
> Unable to determine the dibsize. Err: -618. Time and disk space
> required may not be estimated.
> Total DIB size: 0 MB
> ERROR: Flaim IO error; errno = 17
>
> Failed to open the DIB. Error: 0xFFFFFD96(-618)
>
> DIB upgrade process failed. Err: 0xfffffd96
>
> DIB upgrade process completed (Nov 10 07:20:51 ).
> Status: failed(-618)


I am in the process of researching this info...again my thanks to
anybody that is willing to offer some direction and advice!!


--
calwynb
------------------------------------------------------------------------
calwynb's Profile: http://forums.novell.com/member.php?userid=34073
View this thread: http://forums.novell.com/showthread.php?t=447980

Anonymous_User Absent Member.

Re: NDSD dead and no LDAP listening on TCP or TLS Ports

You can see which servers are assigned to the driverset using several different tools (Designer, iManager and dxcmd). Using iManager, you would use the Identity Manager plugin to view which server(s) are assigned.

Assigning an additional server to the driverset (where the driver(s) reside) will of course require that IDM is installed on the second server, and that the second server is not already assigned to another driverset, etc.

In your ndsrepair output, there is one message stating that the disk may be full (after the -618 error). Check to ensure that disk space is not contributing to your problem. If cleaning up disk space doesn't do it, then you may want to open a ticket with Novell to get help in resolving the problem.
Knowledge Partner

Re: NDSD dead and no LDAP listening on TCP or TLS Ports

On Thu, 10 Nov 2011 05:36:01 +0000, calwynb wrote:

> The server has been rebooted a number of times and the DS remains
> locked. Where would I check the servers assigned to a particular
> driverset for IDM?


Do you have other servers in this tree already? If it's a single server
tree, there's no point in looking further. It's not sounding like you're
very familiar with eDirectory or IDM, so tread carefully from here
forward. What's your backup status of this server? Have you been backing
up eDirectory with dsbk or eMBox? Is your IDM work done offline in
Designer, or on-line via iManager? Did you build this, or was it built
for you by somebody else?


> Also tried ndsrepair -R...output below:
>
>> lxrba7:~ # ndsrepair -R
>>
>> [1] Instance at /etc/opt/novell/eDirectory/conf/nds.conf:
>> lxrba7.OU=SERVICES.OU=RB.O=COU.LA_TREE
>> Repair utility for Novell eDirectory 8.8 - 8.8 SP2 v20213.03
>> DS Version 20216.51 Tree name:
>> Server name:
>>
>> Size of /var/opt/novell/eDirectory/log/ndsrepair.log = 88312312 bytes.
>>
>> Preparing Log File "/var/opt/novell/eDirectory/log/ndsrepair.log"
>> Please Wait...
>> Repairing Directory On Server lxrba7
>> Start: Thursday, November 10, 2011 07:18:42 AM Local Time
>> ERROR: Insufficient disk space or missing files, Error: -618


This could be simple, if you're out of free space ('df -h' would show you
what the file systems think is free), then free up some space and you
should be back in business.

Or, this could be very bad. -618 is essentially a fatal error for the
directory. You may be entering disaster recovery / restore from backups /
start over mode here. So, be very careful what you do next.


> I have removed the SSL certificates for this server from eDirectory and
> then tried to generate a new set...output below:
>
>> lxrba7:~ # ndsconfig upgrade
>>
>> [1] Instance at /etc/opt/novell/eDirectory/conf/nds.conf:
>> lxrba7.OU=SERVICES.OU=RB.O=COU.LA_TREE
>> Enter admin name with context[admin.org]:admin.cou
>> Enter the password for admin.cou:
>>
>> Upgrading Novell eDirectory server with the following parameters,
>> Please wait...
>> Tree Name : LA_TREE
>> Server DN : lxrba7.OU=SERVICES.OU=RB.O=COU
>> Admin DN : admin.cou
>>
>> Configuration File : /etc/opt/novell/eDirectory/conf/nds.conf
>> DIB Location : /var/nds/dib


You don't have a certificates problem. But this does seem to imply that
you have another server in this tree? Or is this on the same (dead)
server? Either way, you don't have a certs problem, so don't bother
messing around with certificates stuff. At best, you're wasting time.


--
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com

Please post questions in the newsgroups. No support provided via email.

Knowledge Partner

Re: NDSD dead and no LDAP listening on TCP or TLS Ports

On Thu, 10 Nov 2011 03:37:40 +0000, Mike Bristow wrote:

> Before you go as far as removing the server from the tree, you should be
> sure that you have a backup of your IDM driver(s).


It may already be too late for that. It sounds to me like this may be a
single server tree.


> Hopefully you also
> have a second server assigned to that driverset so that you don't lose
> driver associations on your user / group objects.


He may have lost the entire DIB. But he won't lose associations by
removing the server from the driver set. He'd lose the associations if he
removes the driver object. Removing the server from the driver set will
only (worst case) lose the non-replicating attributes, which can be
recreated if absolutely necessary.


--
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com

Please post questions in the newsgroups. No support provided via email.

Anonymous_User Absent Member.

Re: NDSD dead and no LDAP listening on TCP or TLS Ports


dgersic;2152969 Wrote:
> On Thu, 10 Nov 2011 03:37:40 +0000, Mike Bristow wrote:
>
> > Before you go as far as removing the server from the tree, you should be
> > sure that you have a backup of your IDM driver(s).
>
> It may already be too late for that. It sounds to me like this may be a
> single server tree.
>
> > Hopefully you also
> > have a second server assigned to that driverset so that you don't lose
> > driver associations on your user / group objects.
>
> He may have lost the entire DIB. But he won't lose associations by
> removing the server from the driver set. He'd lose the associations if he
> removes the driver object. Removing the server from the driver set will
> only (worst case) lose the non-replicating attributes, which can be
> recreated if absolutely necessary.
>
> --
> ---------------------------------------------------------------------------
> David Gersic dgersic_@_niu.edu
> Novell Knowledge Partner http://forums.novell.com
>
> Please post questions in the newsgroups. No support provided via email.


I have checked disk space and all is OK on that front. As for how many
servers in the tree...this is one of 7 in the production tree with 2
more on the IDM vault side. This server has the IDM components
installed on it but does not even hold the master replica of the Vault
objects, just a read/write. All provisioning between the IDM vault and
our production tree, as well as provisioning into groupwise with the
groupwise driver is processed on this server. At this point it seems the
only thing to do is to remove this server from the tree, remove edir
from it, reinstall edir and then add it back to the production tree with
the same name etc. This I have done before...but what I have no past
reference for is whether I will have to completely redo the IDM
components on this server so that all these driver links start working
again or if, because all the information is still in edir, it will all
just replicate to this server and start working again. I don't know how
user and group object associations will be affected or if they will all
have to be created over again. The entire IDM 3.6 setup was done by
some consultants two or so years ago btw.


--
calwynb
------------------------------------------------------------------------
calwynb's Profile: http://forums.novell.com/member.php?userid=34073
View this thread: http://forums.novell.com/showthread.php?t=447980

Knowledge Partner

Re: NDSD dead and no LDAP listening on TCP or TLS Ports

On Fri, 11 Nov 2011 09:56:02 +0000, calwynb wrote:

> I have checked disk space and all is OK on that front.


In that case, I think you're stuck. -618 is a fatal error, in my
experience. I have never successfully recovered a server reporting a
-618. You could open an SR with Novell, but I doubt that they'll have any
more success.


> As for how many
> servers in the tree...this is one of 7 in the production tree with 2
> more on the IDM vault side. This server has the IDM components
> installed on it but does not even hold the master replica of the Vault
> objects, just a read/write.


Ok, that's good. It means you won't lose the tree or the information in
it. You just have a rebuilding task ahead.


> All provisioning between the IDM vault and
> our production tree, as well as provisioning into groupwise with the
> groupwise driver is processed on this server. At this point it seems the
> only thing to do is to remove this server from the tree, remove edir
> from it, reinstall edir and then add it back to the production tree with
> the same name etc. This I have done before...but what I have no past
> reference for is whether I will have to completely redo the IDM
> components on this server so that all these driver links start working
> again or if, because all the information is still in edir, it will all
> just replicate to this server and start working again.


Both yes and no. Yes, I think your next move is to nuke and rebuild this
server, reinstall eDir and the IDM engine, patches, etc.. If you do not
touch the driver set or driver objects, your driver configuration will be
*mostly* still there, and your associations will be maintained.

There are several IDM driver attributes that are server specific, non
replicating, so you're going to lose those. You'll have to recreate them
after recovering the server.


> have to be created over again. The entire IDM 3.6 setup was done by
> some consultants two or so years ago btw.


Did they leave you with a Designer project, by any chance? That would
make recovery of the non-replicating attributes easy. If not, asking them
for that might still be a good idea.

If no Designer project is available, you'll have to do a bit more work.


--
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com

Please post questions in the newsgroups. No support provided via email.

Anonymous_User Absent Member.

Re: NDSD dead and no LDAP listening on TCP or TLS Ports

To clarify a little. -618 errors are not always fatal. They indicate that the database is not consistent with the rest of the tree. These errors can typically be resolved by fixing synchronization, and by using ndsrepair. One way of resolving them can be to remove the replicas from the server (Through xk2 / xk3), but that's not always the easiest / best course of action.
Knowledge Partner

Re: NDSD dead and no LDAP listening on TCP or TLS Ports

On Fri, 11 Nov 2011 16:12:06 +0000, Mike wrote:

> To clarify a little. -618 errors are not always fatal. They indicate
> that the database is not consistent with the rest of the tree.


That's a different -618 error. When the DIB will not open, and reports
the reason as being -618, in my experience with eDirectory, the DIB is
irretrievably corrupt and you're going to be testing your disaster
recovery plan. I have never seen (n)dsrepair fix a -618 on a DIB that
won't open. If you have, you're having far better luck than I have.


> These
> errors can typically be resolved by fixing synchronization, and by using
> ndsrepair. One way of resolving them can be to remove the replicas from
> the server (Through xk2 / xk3), but that's not always the easiest / best
> course of action.


On a DIB that will open, dsrepair works fine for resolving -618 errors,
yes. On a DIB that won't open, -xk2 and -xk3 aren't going to help you.


--
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com

Please post questions in the newsgroups. No support provided via email.

Anonymous_User Absent Member.

Re: NDSD dead and no LDAP listening on TCP or TLS Ports


I learned the hard way how to troubleshoot problems with nici, so if
you have this problem and your dib is blocked you can use /etc/init.d/ndsd
start -rdb (thanks to George Puga) to start the dib. Then do a backup and
make a clean restore. Greetings, GG


--
german_garcia_g
------------------------------------------------------------------------
german_garcia_g's Profile: https://forums.netiq.com/member.php?userid=4060
View this thread: https://forums.netiq.com/showthread.php?t=174

ataubman Absent Member.

Re: NDSD dead and no LDAP listening on TCP or TLS Ports


> eDir = Novell eDirectory 8.8 SP2

BTW you really really really need to update this, that's way old.
Current version is 8.8.6 FTF3


--
Andrew C Taubman
(Sorry, support is not provided via e-mail)

Opinions expressed above are not
necessarily those of Novell Inc.
------------------------------------------------------------------------
ataubman's Profile: http://forums.novell.com/member.php?userid=34
View this thread: http://forums.novell.com/showthread.php?t=447980

