Unable to install LUM with YAST - Insufficient rights / LDAP not working error (-5875)

  • 3646068
  • 06-Dec-2006
  • 27-Apr-2012

Environment

Novell Open Enterprise Server (OES) Support Pack 2 Linux
Novell Linux User Management (LUM)

Situation

Trying to install Linux User Management (LUM) through YAST on a OESSP2 server generates a unable to contact LDAP server or the user has insufficient rights error.
 
If you capture a LDAP trace on the server you specified in the LUM install (either Local or Remote) you will see the below errors. To do this you need to go to the LDAP Server object, Screen Options / LDAP Trace Options tab, in the Display Options box, check all options except for "Packet Dump or Decoding". Then load dstrace, set dstrace =nodebug, set dtrace=+ldap, and "dstrace screen on" to see it. You can log it to a file with "dstrace file on", which writes it to sys:system\dstrace.log.
 
Example Trace:
modify: dn (cn=TEST3,ou=OU2,ou=OU1,o=Org1)
modifications:
add: indexDefinition
INDEX: [0$gidNumber$0$0$2$1$gidNumber] Changing Index type from '2' to '0' (User Defined) for ADD/REPLACE in ldap2NDSVal
INDEX: indexDefinition value is "0$gidNumber$0$0$0$1$gidNumber" (op=0) in ldap2NDSVal
INDEX: [0$uidNumber$0$0$2$1$uidNumber] Changing Index type from '2' to '0' (User Defined) for ADD/REPLACE in ldap2NDSVal
INDEX: indexDefinition value is "0$uidNumber$0$0$0$1$uidNumber" (op=0) in ldap2NDSVal
DDCModifyEntry failed, err = duplicate value (-614)
Sending operation result 20:"":"NDS error: duplicate value (-614)" to connection 0x8aafa1c0
TLS read failure 5 on connection 0x8aafa1c0, setting err = -5875. Error stack:
Monitor 0x1cd found connection 0x8aafa1c0 socket failure, err = -5875, 0 of 0 bytes read
Monitor 0x1cd initiating close for connection 0x8aafa1c0
Server closing connection 0x8aafa1c0, socket error = -5875
 
Note: The -614 error is not causing the issue only a normal error as the indexes already exist.
 
Search: LUM 5875 -5875 OES SP2

Resolution

Prerequisites: This problem can also be caused by the following:
 
ISSUE: The user installing Novell Linux User Management (LUM) does not have supervisor object rights to the tree. Try creating a new user and granting them supervisor object rights (entry rights) at the root of the tree and then try installing LUM with the new user.
 
ISSUE:  The LDAP server is not functioning properly. Test that you can login on an unsecure and secure connection to the LDAP server with a ldap browser such as ldapsearch or browser282. If that fails, then you must fix ldap first or the LUM install, which is installed over ldap, will fail as well.

ISSUE:  No real copy of a child partition.  tail -f /var/log/messages reports:
"Error [80] in LDAP search for user object unser the domain with context filter=(&(objectclass=posixAccount)(uid=*))"
Take a LDAP trace while doing a root dse ldapsearch.  Should see something like this:
scope:2 dereferemce:0 sizelimit:1 timelimit:0 attrsonly:0
Cannot resovle NDS name 'OU=Child.O=novell' in ResolveAndAuthNDSName, err = no referrals (-634).  In this case the OU=Child is a partition.  Viewing the replica ring shows there is not a master or read write of the partition.  Designate a server as a master of the partition and merge it to the parent partition.
 
ISSUE:  unknown..... This is an issue with the LUM install accessing the LDAP server with SSL. While SSL is verified working, LUM install still generates an error. Root cause at this point was still unknown.
 
ISSUE:  Incorrect Unix Config object context specified.   Verify that the Unix Config object context specified in the /etc/nam.conf (base context listed in nam.conf), is the same context you are specifying during the install (or with the -r).   If these are different, then change the corresponding entry to match where you want the Unix Config object installed to.   NOTE:  Novell recommends you only have ONE Unix Config object in your tree, as this traces UID's and GID's distributed to LUM enabled users and groups.  Having multiple Unix Config objects may result in duplicate ID's.
 
WORKAROUND: Install LUM from the command line using a port 389 (non-secure). Then you can configure it to use SSL through the NAM.CONF file.
 
1. Install nam with: namconfig add -a (Admin user login ex: cn=admin,o=context) -r (Base context for Liniux/Unix Config object ex: o=context) -w (Linux server/Linux workstation context ex ou=servers,o=context) -o -S (LDAP Server IP Address:Port Specify port as non-ssl ex 10.1.1.1:389)
 
You should see something like the following during the install
NAM Schema is already extended.
NAM Unique id schema is already extended.
uidNumber and gidNumber attribute indicies already exist in the LDAP server
Creating the Unix Config object...done.
Creating the Unix Workxtation object...done.
Deleting the Unix Workstation object...done.
Adding the workstation context...done.
Stopping the service 'namcd'...done.
Stopping the service 'nscd...done.
Starting the service 'namcd'...Done.
Starting the service 'nscd...Done.
Configur done successfully.
 
If the install fails for some reason, try deleting the /ETC/NAM.CONF file and run the namconfig install again.
2. After the install edit the /ETC/NAM.CONF file and modify/add the following entries.
type-of authentication=2 (this entry should already be there set to 1)
certificate-file-type=der
ldap-ssl-port=636 (or your ssl port for your ldap server)
ldap-port=389 (or your unsecure ldap port for your server)
 
3. Execute the following command to update the Certificates locally from the ldap server.
namconfig -k
Should generate a "Certicate file updated sucessfully" message. (I know that Certificate is spelled this wrong, but the programmers apparently don't)
 
4. Restart namcd and nscd
rcnamcd restart
rcnscd restart
 
5. LUM should be working. Try doing a ID ADMIN (your install user), it should return uid=600(admin) gid=600(admingroup) groups=600(admingroup)
Then try logging in as admin.
 
If the install worked and you see the Unix Config / Unix Workstation object in the tree and it still does not work. Check TID3280667 - Troubleshooting Linux User Managment or TID 7002981 Troubleshooting Linux User Management - Step by Step for additional assistance.