NMAS LDAP Transport Error when managing Universal Passwords and Policies in iManager 2.x

  • 3947462
  • 06-Feb-2007
  • 19-Nov-2012

Environment

Novell iManager 2.5
Novell iManager 2.6
Novell iManager 2.7
NMAS 2.3
NMAS 3.0
NMAS 3.1
Universal Password

Situation

LDAP Server object had been deleted and recreated after NMAS was installed

NMAS LDAP Transport Error when managing Universal Passwords and Policies in iManager 2.x

NMAS LDAP Transport Error when viewing policy assignment in iManager 2.x

javax.naming.CommunicationException: [LDAP: error code 2 - Unrecognized extended operation]; remaining name ''

"Server Configuration Error: NMAS LDAP Transport Error" when setting a Universal Password in iManager 2.x

"Unable to find extension handler 2.16.840.1.113719.1.39.42.100.19 in extension list" in DSTRACE LDAP log

Resolution

When you try to set a Universal Password on a user object, iManager reports "Server Configuration Error: NMAS LDAP Transport Error".

If you try to View Policy Assignment, iManager reports the same NMAS LDAP Transport Error.

Two different problems produce this same symptom. The first fix deals with missing LDAP extensions on the LDAP Server object.

Verify that the LDAP Server object has all of the correct extensionInfo values associated with it. The easiest way to verify extensionInfo is to use NDS iMonitor. Log into NDS iMonitor and browse to the LDAP Server object in question. Once it is selected, look for the extensionInfo attribute. If NMAS 2.3 or later is installed on the server, you should see several values that look like the one below (this is just one of them, as iMonitor displays it: 79 bytes, shown as offset, hex and ASCII):

5-30-06 8:48:02 am  1:1  Present  79
00000  45 23 32 2E 31 36 2E 38 34 30 2E 31 2E 31 31 33  E#2.16.840.1.113
00010  37 31 39 2E 31 2E 33 39 2E 34 32 2E 31 30 30 2E  719.1.39.42.100.
00020  31 23 32 2E 31 36 2E 38 34 30 2E 31 2E 31 31 33  1#2.16.840.1.113
00030  37 31 39 2E 31 2E 33 39 2E 34 32 2E 31 30 30 2E  719.1.39.42.100.
00040  32 23 6E 6D 61 73 6C 64 61 70 2E 6E 6C 6D 00     2#nmasldap.nlm.

Decoded, that value reads E#2.16.840.1.113719.1.39.42.100.1#2.16.840.1.113719.1.39.42.100.2#nmasldap.nlm (the trailing 00 is the string terminator): an OID pair under the NMAS arc 2.16.840.1.113719.1.39.42.100 followed by the module that handles it, separated by #. The OID in the DSTRACE message above, 2.16.840.1.113719.1.39.42.100.19, belongs to the same arc, which is why the LDAP server reports that it cannot find a handler for it when the values are missing.

There should be at least 13 values that mention "nmasldap" in some form or another.

If some or all of these values are missing, the easiest way to add them back is with the NMASINST command-line utility. To use NMASINST, make sure you are running at least the Security Services 2.0.3 patch, available from https://download.novell.com.

Once the Security Services patch is installed, run NMASINST as shown below for your platform.

Note: When specifying the host IP address, the default port of 524 is assumed. If eDirectory is listening on a port other than 524, you will need to specify the correct port.

NetWare
From the system console prompt enter:
(note that -h is not a valid option on NetWare)
NMASINST -i admin_user.context TREENAME
Enter the appropriate password when prompted.
Log file can be found in SYS:\ETC\NMAS\NMASINST.LOG

There is a known issue with NMASINST.NLM prior to version 3.1.3 (not yet released as of February 6, 2007): running NMASINST on one server may actually update a different server instead of the server where you started the command. If you are using a version prior to 3.1.3, work around the issue by running the NMASINST command on all NetWare servers in the tree. Alternatively, reinstall NMAS on the problem server, or use LDIF to export the extensionInfo values from a good LDAP Server object and import them on the LDAP Server object that is missing them.

Windows
NMASINST.EXE is located in C:\Novell\NDS. Open a command prompt and enter:
NMASINST -i admin_user.context TREENAME -h server_ip_address
Enter the appropriate password when prompted.
Log file can be found in C:\Program Files\Common Files\NMAS\nmasinst.log

Linux
From a terminal window enter the following:
nmasinst -i admin_user.context TREENAME -h server_ip_address
Enter the appropriate password when prompted.
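The verification step above (count the extensionInfo values handled by nmasldap on the LDAP Server object) and the LDIF export/import workaround for the NMASINST.NLM issue can both be scripted. The following is an added example, not part of this TID and not Novell code: it parses extensionInfo values out of ldapsearch-style LDIF, reports whether the NMAS set looks complete, and writes the LDIF modify that copies the missing values from a known-good server. The DNs, the sample values and the single non-NMAS entry are constructed for the example; only the value layout E#request OID#response OID#module and the OID arc come from the iMonitor dump above.

```python
"""Check the NMAS extensionInfo values on an eDirectory LDAP Server object and
build an LDIF that copies missing ones from a known-good server.

Added example for this TID, not Novell code. The value layout
E#<request OID>#<response OID>#<handler module> is read off the iMonitor dump
in the TID; the sample entries below are constructed, not a real export.
"""
import re

NMAS_OID_ARC = "2.16.840.1.113719.1.39.42.100."   # OID arc of the NMAS extensions shown in the TID
MIN_NMAS_EXTENSIONS = 13                          # TID: at least 13 values mentioning nmasldap
DSTRACE_OID = NMAS_OID_ARC + "19"                 # the handler DSTRACE reported as missing

# Constructed `ldapsearch -LLL` output for the broken server (one value is LDIF-folded).
BROKEN_LDIF = """dn: cn=LDAP Server - srv2,o=acme
objectClass: ldapServer
extensionInfo: E#2.16.840.1.113719.1.39.42.100.1#2.16.840.1.113719.1.39.42.100.2#nmasldap.nlm
extensionInfo: E#2.16.840.1.113719.1.39.42.100.3#2.16.840.1.113719.1.39.42.100.4
 #nmasldap.nlm
extensionInfo: E#2.16.840.1.113719.1.39.42.100.5#2.16.840.1.113719.1.39.42.100.6#nmasldap.nlm
extensionInfo: E#2.16.840.1.113719.1.27.100.1#2.16.840.1.113719.1.27.100.2#nldap.nlm
"""

# Constructed extensionInfo values of a server where Universal Password works:
# 13 NMAS request/response OID pairs (as the TID says to expect) plus one
# constructed non-NMAS entry handled by another module.
GOOD_VALUES = [f"E#{NMAS_OID_ARC}{2 * i - 1}#{NMAS_OID_ARC}{2 * i}#nmasldap.nlm"
               for i in range(1, 14)] + [
    "E#2.16.840.1.113719.1.27.100.1#2.16.840.1.113719.1.27.100.2#nldap.nlm"]


def parse_extension_info(ldif_text):
    """Return the extensionInfo values of an LDIF entry, unfolding continuation lines."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)    # RFC 2849: a leading space continues the previous line
    prefix = "extensionInfo: "
    return [line[len(prefix):].strip()
            for line in unfolded.splitlines() if line.startswith(prefix)]


def split_extension(value):
    """Split E#request#response#module into its fields; raises on anything else."""
    kind, request, response, module = value.split("#")
    if kind != "E":
        raise ValueError(f"not an extension record: {value!r}")
    return {"request": request, "response": response, "module": module}


def check_server(values):
    """Report whether the NMAS extension set on one LDAP Server object looks complete."""
    nmas = [v for v in values if "nmasldap" in v.lower()]   # TID: any value mentioning nmasldap
    requests = {split_extension(v)["request"] for v in nmas}
    return {
        "nmas_extensions": len(nmas),
        "complete": len(nmas) >= MIN_NMAS_EXTENSIONS,
        "has_dstrace_oid": DSTRACE_OID in requests,
    }


def missing_extensions(good_values, broken_values):
    """Values present on the good server but absent on the broken one, in the good server's order."""
    present = set(broken_values)
    return [v for v in good_values if v not in present]


def build_add_ldif(dn, values):
    """LDIF modify/add record that puts the missing values back (feed it to ldapmodify)."""
    lines = [f"dn: {dn}", "changetype: modify", "add: extensionInfo"]
    lines += [f"extensionInfo: {v}" for v in values]
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    broken = parse_extension_info(BROKEN_LDIF)
    print("good  :", check_server(GOOD_VALUES))
    print("broken:", check_server(broken))
    print(build_add_ldif("cn=LDAP Server - srv2,o=acme",
                         missing_extensions(GOOD_VALUES, broken)))
```

To use it against real servers, run ldapsearch -LLL with the LDAP Server object's DN as the search base and extensionInfo as the requested attribute on both the good and the broken server, pass each result to parse_extension_info, and pipe the generated LDIF to ldapmodify against the broken server. The handler module name inside each value is platform-specific (the dump above shows nmasldap.nlm, the NetWare module), so copy from a good server of the same platform as the broken one.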

The other possible problem with this same symptom is that iManager ends up talking to the wrong server for the Universal Password tasks, even though everything else in iManager appears to work. Many iManager tasks do not run over an SSL connection, so the Universal Password tasks open a new secure connection using the saved login information. If the tree name or server name is ambiguous, that new connection may go to a different server than the one you expect.

One user had another server in his environment that was not part of the eDirectory tree but carried the same name as the tree itself. When iManager made the secure connection, the tree name was resolved to this other server, which was not obvious: all the customer saw was the transport error, because the wrong server did not (and should not) have the NMAS LDAP extensions loaded. The issue was resolved by entering the DNS name of the eDirectory server (an IP address works just as well) instead of the tree name in the Tree name box on the initial iManager login screen. A quick check when this error appears is to resolve the tree name as a hostname and confirm that it points at the eDirectory server you expect.

Additional Information

Formerly known as TID# 10091939