kab12312 Respected Contributor.

ldap Trace -625 Errors

I am finding -625 errors in my LDAP trace files. I understand it could be LAN related. The network trace group sees the -625 as well. The -625 errors are very sporadic in occurrence. No particular time of day, etc.

LDAP binds are successful within the same millisecond.

Is there a better explanation for the -625 errors?

Thank you.

   base: "cn=xxxxx,ou=xxx,ou=xx,o=xxxx"
   scope:0 dereference:0 sizelimit:0 timelimit:30 attrsonly:0
   filter: "(objectclass=*)"
   attribute: "cn"
(THREAD266536704) (CONN-1) 11:15:43 FE30700 -1 LDAP: (xxx.xx.xx.xxx:xxxxx)(0x3964f:0x63) Sending search result entry "cn=xxxxx,ou=xxx,ou=xx,o=xxxx" to connection 0x7ef93880
(THREAD266536704) (CONN-1) 11:15:43 FE30700 -1 LDAP: (xxx.xx.xx.xxx:xxxxx)(0x3964f:0x63) Sending operation result 0:"":"" to connection 0x7ef93880
(THREAD592230144) (CONN-1) 11:15:43 234CB700 -1 LDAP: (xxx.xx.xx.xxx:xxxxx)(0x1c28:0x63) DoSearch on connection 0x7ec5e000
(THREAD592230144) (CONN-1) 11:15:43 234CB700 -1 LDAP: (xxx.xx.xx.xxx:xxxxx)(0x1c28:0x63) Search request:
   base: "ou=xxx,ou=xx,o=xxxx"
   scope:2 dereference:3 sizelimit:999 timelimit:0 attrsonly:0
   filter: "(&(objectclass=inetOrgPerson)(cn=VPBY2))"
   no attributes
(THREAD592230144) (CONN-1) 11:15:43 234CB700 -1 LDAP: Failed to duplicate context 0x4a50194 in DuplicateNDSContext, err = transport failure (-625)
(THREAD592230144) (CONN-1) 11:15:43 234CB700 -1 LDAP: Failed to duplicate context 0x4a50194 in DuplicateConnContext, err = transport failure (-625)
(THREAD592230144) (CONN-1) 11:15:43 234CB700 -1 LDAP: (xxx.xx.xx.xxx:xxxxx)(0x1c28:0x63) nds_back_search: DuplicateConnContext for search failed, err = transport failure (-625)
(THREAD592230144) (CONN-1) 11:15:43 234CB700 -1 LDAP: (xxx.xx.xx.xxx:xxxxx)(0x1c28:0x63) Sending operation result 80:"":"NDS error: transport failure (-625)" to connection 0x7ec5e000
(THREAD298116864) (CONN-1) 11:15:43 11C4E700 -1 LDAP: (xxx.xx.xx.xxx:xxxxx)(0x0030:0x63) DoSearch on connection 0x7d87ca80
(THREAD298116864) (CONN-1) 11:15:43 11C4E700 -1 LDAP: (xxx.xx.xx.xxx:xxxxx)(0x0030:0x63) Search request:

0 Likes
fp_idmworks Honored Contributor.

Re: ldap Trace -625 Errors

With the connection tag turned on, this may be normal behavior.

How is replica synchronization?
Are you seeing issues, or just the error itself?
Is SLP configured?

Usually with a trace, I am only looking at the tags: tags, ldap, time. All
others are turned off. (set ndstrace=nodebug, to turn them all off
initially)

Are LDAP client based connections seeing issues?
0 Likes
kab12312 Respected Contributor.

Re: ldap Trace -625 Errors

Replica synchronization is fine.  Not using SLP.

There are a few clients (not many) who cannot authenticate through third party apps using eDir LDAP during the time of the -625 errors.  May be a coincidence as these logs (via iMonitor) are not easy to decipher.

I do not see any issues other than the occasional -625.  At the same time there are many successful authentications.  Within the same millisecond.

0 Likes
fp_idmworks Honored Contributor.

Re: ldap Trace -625 Errors

Does the LDAP server hold a replica of where all users are? If not, it
needs to talk to other servers holding replicas. SLP would assist in
finding where these servers are located. Usually you would have a 626 error
though as it wouldn't resolve.

Rather than using iMonitor, you may want to use ndstrace from the Linux
command prompt.
0 Likes
kab12312 Respected Contributor.

Re: ldap Trace -625 Errors

Yes, the server holds a replica where the users reside.

0 Likes
kab12312 Respected Contributor.

Re: ldap Trace -625 Errors

Additional information:

Our development team has been reporting authentication issues to one of our LDAP servers. (One of three in the Blue Coat Load balancer. Not having issues with the other two LDAP servers.) There are occasional -625 errors. Time is in sync on my servers. Replication is in sync. The LDAP server in question is the Master of root.

Any ideas about this?

Thank you!!

eDirectory 9.1.1 40102.29
SLES 12 sp3

Wireshark trace:

15 2019-11-13 14:35:37.145685000 xxx.xx.xx.xx (IP LDAP Server) LDAP xxx.xx.xxx.xx (IP BlueCoat Load Balancer) TCP 70 61562 → 389 [ACK] Seq=726 Ack=301 Win=4117 Len=0 TSval=3827993193 TSecr=379937637

16 2019-11-13 14:35:38.026335000 xxx.xx.xx.xx (IP LDAP Server) LDAP xxx.xx.xxx.xx (IP BlueCoat Load Balancer) LDAP 191 searchRequest(20060) "ou=xxx,ou=xx,o=xxxx" wholeSubtree

17 2019-11-13 14:35:38.027270000 xxx.xx.xxx.xx (IP BlueCoat Load Balancer) xxx.xx.xx.xx (IP LDAP Server) LDAP 120 searchResDone(20060) other (NDS error: transport failure (-625)) [0 results]

18 2019-11-13 14:35:38.035358000 xxx.xx.xx.xx (IP LDAP Server) xxx.xx.xxx.xx (IP BlueCoat Load Balancer) LDAP 190 searchRequest(20061) "ou=xx,ou=xx,o=xxxx" wholeSubtree

19 2019-11-13 14:35:38.036311000 xxx.xx.xxx.xx (IP BlueCoat Load Balancer) xxx.xx.xx.xx (IP LDAP Server) LDAP LDAP 120 searchResDone(20061) other (NDS error: transport failure (-625)) [0 results]

 

In my LDAP trace files I am seeing the following error around the same time frame:

   base: "ou=xxx,ou=xx,o=xxxx"
   scope:2 dereference:3 sizelimit:999 timelimit:0 attrsonly:0
   filter: "(&(objectclass=inetOrgPerson)(cn=K3922))"
   no attributes
(THREAD323471104) (CONN-1) 14:35:37 1347C700 -1 LDAP: Failed to duplicate context 0x4a50176 in DuplicateNDSContext, err = transport failure (-625)
(THREAD323471104) (CONN-1) 14:35:37 1347C700 -1 LDAP: Failed to duplicate context 0x4a50176 in DuplicateConnContext, err = transport failure (-625)
(THREAD323471104) (CONN-1) 14:35:37 1347C700 -1 LDAP: (172.16.254.83:61562)(0x4e5a:0x63) nds_back_search: DuplicateConnContext for search failed, err = transport failure (-625)
(THREAD323471104) (CONN-1) 14:35:37 1347C700 -1 LDAP: (172.16.254.83:61562)(0x4e5a:0x63) Sending operation result 80:"":"NDS error: transport failure (-625)" to connection 0x7f518e00
(THREAD528914176) (CONN-1) 14:35:37 1F869700 -1 LDAP: (172.16.254.83:61562)(0x4e5b:0x63) DoSearch on connection 0x7f518e00
(THREAD528914176) (CONN-1) 14:35:37 1F869700 -1 LDAP: (172.16.254.83:61562)(0x4e5b:0x63) Search request:
   base: "ou=xxx,ou=xx,o=xxxx"
   scope:2 dereference:3 sizelimit:999 timelimit:0 attrsonly:0
   filter: "(&(objectclass=inetOrgPerson)(cn=K3922))"
   no attributes
(THREAD528914176) (CONN-1) 14:35:37 1F869700 -1 LDAP: Failed to duplicate context 0x4a50176 in DuplicateNDSContext, err = transport failure (-625)
(THREAD528914176) (CONN-1) 14:35:37 1F869700 -1 LDAP: Failed to duplicate context 0x4a50176 in DuplicateConnContext, err = transport failure (-625)
(THREAD528914176) (CONN-1) 14:35:37 1F869700 -1 LDAP: (172.16.254.83:61562)(0x4e5b:0x63) nds_back_search: DuplicateConnContext for search failed, err = transport failure (-625)
(THREAD528914176) (CONN-1) 14:35:37 1F869700 -1 LDAP: (172.16.254.83:61562)(0x4e5b:0x63) Sending operation result 80:"":"NDS error: transport failure (-625)" to connection 0x7f518e00
(THREAD633407232) (CONN-1) 14:35:37 25C10700 -1 LDAP: (172.16.254.83:54007)(0x0001:0x60) Sending operation result 0:"":"" to connection 0x81b85c00
(THREAD271800064) (CONN-1) 14:35:37 10335700 -1 LDAP: (172.16.254.83:54007)(0x0002:0x42) DoUnbind on connection 0x81b85c00
(THREAD271800064) (CONN-1) 14:35:37 10335700 -1 LDAP: Connection 0x81b85c00 closed
(THREAD611301120) (CONN-1) 14:35:37 246FB700 -1 LDAP: (172.16.18.177:62682)(0x1ee5:0x63) DoSearch on connection 0x7f22d880
(THREAD611301120) (CONN-1) 14:35:37 246FB700 -1 LDAP: (172.16.18.177:62682)(0x1ee5:0x63) Search request:
0 Likes
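
An added example, not part of the original thread: a small Python parser for the LDAP trace format in the post above that groups operation results by server connection handle, so sporadic -625 failures can be counted per client connection and set against the successes. It assumes the trace is saved as plain text, and it reads the hex pair after the client address as message ID and operation tag, an assumption based on the Wireshark capture in the same post (message IDs 20060 and 20061 on client port 61562).

```python
import re
from collections import defaultdict

# Sample input: lines from the 14:35:37 trace in the post above, with the
# HTML markup and thread prefix removed.
SAMPLE = '''\
14:35:37 1347C700 -1 LDAP: Failed to duplicate context 0x4a50176 in DuplicateNDSContext, err = transport failure (-625)
14:35:37 1347C700 -1 LDAP: (172.16.254.83:61562)(0x4e5a:0x63) Sending operation result 80:"":"NDS error: transport failure (-625)" to connection 0x7f518e00
14:35:37 1F869700 -1 LDAP: Failed to duplicate context 0x4a50176 in DuplicateNDSContext, err = transport failure (-625)
14:35:37 1F869700 -1 LDAP: (172.16.254.83:61562)(0x4e5b:0x63) Sending operation result 80:"":"NDS error: transport failure (-625)" to connection 0x7f518e00
14:35:37 25C10700 -1 LDAP: (172.16.254.83:54007)(0x0001:0x60) Sending operation result 0:"":"" to connection 0x81b85c00
'''

# Assumption: the pair after the client address is (message ID : operation tag).
RESULT = re.compile(
    r'(?P<time>\d\d:\d\d:\d\d) \S+ -1 LDAP: '
    r'\((?P<client>[^)]+)\)\((?P<msgid>0x[0-9a-f]+):(?P<op>0x[0-9a-f]+)\) '
    r'Sending operation result (?P<rc>\d+):"[^"]*":"(?P<msg>[^"]*)" '
    r'to connection (?P<conn>0x[0-9a-f]+)')
CONTEXT = re.compile(r'Failed to duplicate context (0x[0-9a-f]+) in DuplicateNDSContext')


def summarize(trace):
    """Group operation results by connection handle; count failing contexts."""
    conns = defaultdict(lambda: {"client": None, "ok": 0, "failed": []})
    contexts = defaultdict(int)
    for line in trace.splitlines():
        ctx = CONTEXT.search(line)
        if ctx:
            contexts[ctx.group(1)] += 1
            continue
        m = RESULT.search(line)
        if not m:
            continue  # search parameters, DoSearch lines, etc.
        entry = conns[m["conn"]]
        entry["client"] = m["client"]
        if m["rc"] == "0":
            entry["ok"] += 1
        else:  # non-zero LDAP result code, e.g. 80 ("other")
            entry["failed"].append((m["time"], int(m["msgid"], 16), int(m["rc"]), m["msg"]))
    return dict(conns), dict(contexts)


if __name__ == "__main__":
    conns, contexts = summarize(SAMPLE)
    for handle, e in conns.items():
        print(f'{handle} {e["client"]} ok={e["ok"]} failed={len(e["failed"])}')
        for when, msgid, rc, msg in e["failed"]:
            print(f"  {when} msgid={msgid} rc={rc} {msg}")
    print("failing context handles:", contexts)
```

On the sample, both failures fall on connection 0x7f518e00 from 172.16.254.83:61562 and share one context handle, while an operation from the same address on a different connection succeeds in the same second.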
fp_idmworks Honored Contributor.

Re: ldap Trace -625 Errors

Try configuring SLP on all eDir servers with one or two DAs.


0 Likes
kab12312 Respected Contributor.

Re: ldap Trace -625 Errors

Everywhere we install eDirectory for LDAP we never use SLP. Everything we use eDirectory for works just fine. We don't use any other legacy Novell products. The -625 errors are recent to our environment.

0 Likes
fp_idmworks Honored Contributor.

Re: ldap Trace -625 Errors

SLP may have been used with legacy Novell products, but it isn't about
legacy anything. You are using eDirectory and SLP is recommended.

See the 9.2 install documentation. (referring to 9.2 as it is the most up
to date documentation for the latest version and SLP is still recommended)

https://www.netiq.com/documentation/edirectory-92/pdfdoc/edir_install/edir_install.pdf

A small snippet:
*If you don't want to (or cannot) use SLP, you can use the flat file
hosts.nds to resolve tree names to server referrals. The hosts.nds file can
be used to avoid SLP multicast delays when SLP DA is not present in the
network.*

So if you are unwilling to use SLP, then make sure your hosts.nds file is
configured for each server. Any time you add a new server to the tree or
remove it, you will need to update each server's hosts.nds file.

Is it worth 30+ minutes to try it? I don't see why not, especially when the
documentation still references it.
0 Likes