Unable to communicate with LDAP server during install of OES on Linux

  • 3010235
  • 20-Oct-2006
  • 05-Nov-2013

Environment

Novell Open Enterprise Server (OES)
Novell eDirectory 8.7.3 for Linux

Situation

Unable to communicate with LDAP server during install of OES on Linux
Error: Unable to bind to eDirectory through LDAP
eDirectory is being installed into an existing eDirectory TREE
Option to configure components during installation was chosen
New OES server is showing in the eDirectory Tree
CertificateDNS and/or CertificateIP for new OES server are either invalid or do not exist
eDirectory is a pre-requisite for several other components, so this failure causes a failure in the OES component installation.
This problem is typically due to some problem creating certificates for the new server.

Resolution

Troubleshooting the cause of the failure - Option 1

Choose to Fix and reconfigure, when prompted:
1. Fix and reconfigure
2. Start over
3. Abort

Check Server Certificates

Use ConsoleOne or iManager to check for the existence of the server-specific certificates for the new server. The certificates will be called CertificateDNS and CertificateIP with the new server name and will be located in the same container as the server object.

If the certificates exist:
Verify the certificates are valid by choosing validate from the general tab in the certificate properties.

If the certificates do not exist or are invalid:
Attempt to manually create the server certificates. If they exist and are invalid, delete the invalid certificates prior to manually creating.

-ConsoleOne: Right-click the container where the server is located and choose New | Object. Choose NDSPKI:Key Material. Name the certificate: Certificate - servername. Watch for any errors and check that the server certificate is valid.

-iManager: Under Novell Certificate Server, select Create Server Certificate. Browse to the new server object for "server" and type: Certificate - servername for the Certificate Nickname. Choose standard, then next and finish. Watch for any errors and check that the server certificate is valid.

Checking Errors Creating Certificates

-Are there any errors loading NICI in the ndsd log? /var/nds/ndsd.log

-Does the NICI Foundation Key exist? /var/novell/nici/nicifk

-Are there errors in the PKI process? Use ndstrace (Unix/Linux) and dstrace on (NW) with +PKII and +PKIA flags. Enable tracing to file so that trace logs can be sent to Technical Support, if necessary. Attempt the certificate creation while trace is active. The trace should be run on both the new server and the server that is the certificate authority.

EXAMPLE on Unix/Linux:
#ndstrace
>set ndstrace=nodebug
>set ndstrace=+PKII
>set ndstrace=+PKIA
>set ttf=on

EXAMPLE on NetWare
DSTRACE
DSTRACE -ALL
DSTRACE +PKI +PKIA
DSTRACE FILE ON

-Use SDIDIAG to check the health of the Certificate Authority - See KB 10086669 for details on running this utility

Check eDirectory LDAP server

Use either ConsoleOne or iManager to look at the properties of the LDAP Server associated with the newly installed server.
-There should be a server certificate in the SSL section. If there is not, select a valid certificate created in the above Check Server Certificates section.

Does NLDAP bind to the correct ports - both standard and TLS - when loaded? (default ports are 389 for LDAP and 636 for LDAPS)
- Check listening ports
EXAMPLE
#netstat -na | grep LISTEN | grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 :::389 :::* LISTEN

#netstat -na | grep LISTEN | grep 636
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
tcp 0 0 :::636 :::* LISTEN

- Check if errors occur during nldap load
EXAMPLE
#ldapconfig set "LDAP Screen Level=all" -a adminFDN -w passwd
(This will set the screen options for the LDAP server)
#ndstrace
>set ndstrace=nodebug
>set ndstrace=+LDAP
>set ttf=on
>unload nldap
>load nldap

When nldap loads and binds to both the LDAP and LDAPS ports without errors, then continue with the OES Installation.
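The port check above can be scripted so it is rerun after each fix attempt. This is an added example, not part of the original TID: the function reads netstat -na output (the same format shown above, a constructed sample is used in the comments) and reports which of the LDAP/LDAPS listeners is missing; the certificate summary assumes openssl is installed and takes a hypothetical host argument.

```shell
#!/bin/sh
# Added example, not part of the original TID: script the "Check eDirectory
# LDAP server" port test so it can be rerun after each fix attempt.

# Read netstat -na style lines on stdin and report whether the LDAP and
# LDAPS listeners (defaults 389 and 636, as in the TID) are in LISTEN state.
# Prints "ok" and returns 0, or prints the missing port(s) and returns 1.
ldap_ports_listening() {
    ldap_port="${1:-389}"
    ldaps_port="${2:-636}"
    listen=$(grep LISTEN || true)       # keep only listening sockets
    missing=""
    for p in "$ldap_port" "$ldaps_port"; do
        # local address column ends in :<port>; matches the IPv4 (0.0.0.0:389)
        # and IPv6 (:::389) forms and does not match 1389 or 3890
        if ! printf '%s\n' "$listen" | grep -Eq "^tcp6? +[0-9]+ +[0-9]+ +[^ ]+:$p +"; then
            missing="$missing $p"
        fi
    done
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "not listening:$missing"
    return 1
}

# Show the certificate the LDAPS listener actually presents, so it can be
# compared with the CertificateDNS/CertificateIP objects checked earlier.
# Assumes openssl is installed; host and port are hypothetical arguments.
ldaps_cert_summary() {
    host="${1:-localhost}"
    port="${2:-636}"
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

# Live run on the new OES server: sh thisscript.sh --live [host]
case "${1:-}" in
    --live)
        netstat -na | ldap_ports_listening
        ldaps_cert_summary "${2:-localhost}"
        ;;
esac
```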

Troubleshooting the cause of the failure - Option 2

Choose to Start over, when prompted:
1. Fix and reconfigure
2. Start over
3. Abort

When prompted whether to configure during installation or after installation, choose to configure after the installation of OES.

After the installation is complete, configure the desired components per the OES installation documentation - this gives the opportunity to troubleshoot each component being configured separately. Novell eDirectory is required for several components. If you are going to be configuring a component that is dependent on an eDirectory running locally on the new OES server, it is recommended that this be the first component that is configured.

If eDirectory fails to install into an existing tree, attempt to install eDirectory into a new tree. This will test whether the problem configuring eDirectory is specific to the installation on the new OES server or whether it is associated with the communication and installation into the existing tree.

Additional Information

Formerly known as TID# 10100513