Persistent -649 or -632 errors during LDAP operations

  • 3018646
  • 26-Mar-2008
  • 26-Apr-2012

Environment

Novell Modular Authentication Service (NMAS) version 3.2.0.0
Novell eDirectory 8.8.2 for All Platforms
Novell eDirectory 8.7.3.9 for All Platforms

Situation

ERROR: LDAP: Failed to create context in CreateNDSContext, err = insufficient buffer (‑649)
ERROR: LDAP: Failed to authenticate local on connection 0x5d3ec40, err = insufficient buffer (‑649)
ERROR: LDAP:Unable to change or set password, err = system failure (-632)

Security Services Patch 2.0.5 was recently applied.

For eDirectory 8.8 (and greater), the NDSD_TRY_NMASLOGIN_FIRST environment variable is set to True.

An attempt was made to import an LDIF that changes the userPassword attribute of several users using Universal Password or NMAS.

eDirectory is handling a large number of logins using Universal Password or NMAS.

-632 system failure errors occur while trying to create contexts.

Universal Password Policy is assigned to the Login Policy object in the Security Container.

Resolution

For eDirectory 8.7.3 or eDirectory 8.8.2, apply Security Services 2.0.6.

Additional Information

The issue occurs because the NMAS server is not freeing internal eDirectory context handles at the end of the NMAS login operation or at the end of the NMAS operation to change the userPassword attribute.

The context handles can be monitored on the iMonitor | Connections | (Outbound) Contexts page.

When the number of context handles exceeds 32,000, eDirectory starts returning -649 errors.

The following excerpt from a DSTRACE log shows the problem:

LDAP: [2008/03/05 16:11:45.458] DoModify on connection 0x8b2a6c0
LDAP: [2008/03/05 16:11:45.458] modify: dn (cn=anew4503,ou=users,o=novell)
NMAS: [2008/03/05 16:11:45.466] ERROR: -601 resolveFilteredReplica: Resolving .CN=anew4503.OU=users.O=novell.NTS50-TREE.1092672432
NMAS: [2008/03/05 16:11:45.466] ERROR: -601 dal_createUserContext: resolveFilteredReplica for CN=anew4503.OU=users.O=novell
NMAS: [2008/03/05 16:11:45.466] ERROR: -16049 createDALSession:createUserContext
AUTH: [2008/03/05 16:11:45.466] SPM Set Password for user [0001073e].anew4503.users.novell.NTS50-TREE. returned NMAS error = -16049, fallback to NDS = false
LDAP: [2008/03/05 16:11:45.466] Unable to change or set password, err = system failure (-632)
LDAP: [2008/03/05 16:11:45.466] Sending operation result 80:"":"NDS error: system failure (-632)" to connection 0x8b2a6c0
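To check a saved DSTRACE log for this signature, the following added example (not Novell code) counts the NMAS and LDAP error codes and lists password changes that failed with -632 after NMAS returned -16049. The function name `scan_dstrace` and the regular expressions are assumptions based only on the line shapes in the excerpt above, and the correlation assumes the lines of one modify operation are contiguous in the trace.

```python
import re
from collections import Counter

# Line shape taken from the excerpt above: "TAG: [date time] message"
LINE_RE = re.compile(r"^([A-Z]+): \[([\d/]+ [\d:.]+)\] (.*)$")
NMAS_ERR = re.compile(r"ERROR: (-\d+)")            # NMAS: ERROR: -16049 ...
LDAP_ERR = re.compile(r"err = [^()]*\((-\d+)\)")   # LDAP: ..., err = ... (-632)
MODIFY_DN = re.compile(r"modify: dn \((.+)\)$")    # LDAP: modify: dn (...)

def scan_dstrace(lines):
    """Count NMAS/LDAP error codes and list password changes that failed with
    -632 after NMAS returned -16049 during the same modify operation."""
    counts, failed = Counter(), []
    dn, nmas_16049 = None, False
    for raw in lines:
        # Some renderings use a non-breaking hyphen (U+2011) as the minus sign
        m = LINE_RE.match(raw.strip().replace("\u2011", "-"))
        if not m:
            continue
        tag, ts, msg = m.groups()
        if tag == "LDAP" and (d := MODIFY_DN.search(msg)):
            dn, nmas_16049 = d.group(1), False     # a new modify starts
        elif tag == "NMAS" and (e := NMAS_ERR.search(msg)):
            counts[e.group(1)] += 1
            nmas_16049 = nmas_16049 or e.group(1) == "-16049"
        elif tag == "LDAP" and (e := LDAP_ERR.search(msg)):
            counts[e.group(1)] += 1                # "Sending operation result" is not counted
            if e.group(1) == "-632" and nmas_16049:
                failed.append((ts, dn))
    return counts, failed

# First eight lines: the excerpt above. Last line: constructed from the -649
# message in the Situation section, placed in the same DSTRACE line shape.
SAMPLE = '''\
LDAP: [2008/03/05 16:11:45.458] DoModify on connection 0x8b2a6c0
LDAP: [2008/03/05 16:11:45.458] modify: dn (cn=anew4503,ou=users,o=novell)
NMAS: [2008/03/05 16:11:45.466] ERROR: -601 resolveFilteredReplica: Resolving .CN=anew4503.OU=users.O=novell.NTS50-TREE.1092672432
NMAS: [2008/03/05 16:11:45.466] ERROR: -601 dal_createUserContext: resolveFilteredReplica for CN=anew4503.OU=users.O=novell
NMAS: [2008/03/05 16:11:45.466] ERROR: -16049 createDALSession:createUserContext
AUTH: [2008/03/05 16:11:45.466] SPM Set Password for user [0001073e].anew4503.users.novell.NTS50-TREE. returned NMAS error = -16049, fallback to NDS = false
LDAP: [2008/03/05 16:11:45.466] Unable to change or set password, err = system failure (-632)
LDAP: [2008/03/05 16:11:45.466] Sending operation result 80:"":"NDS error: system failure (-632)" to connection 0x8b2a6c0
LDAP: [2008/03/05 16:12:01.120] Failed to create context in CreateNDSContext, err = insufficient buffer (\u2011649)
'''.splitlines()

if __name__ == "__main__":
    counts, failed = scan_dstrace(SAMPLE)
    print(dict(counts), failed)
```

Any -649 count above zero in the output means the server has already reached the handle limit described above.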