Environment
Novell SecureLogin
Novell eDirectory
Novell SecretStore
Situation
SecretStore iManager Plugin does not work
Error: -1 [LDAP: error code 2 - Unrecognized extended operation]
Installed SecretStore on a NetWare server, which extended the schema and the LDAP object extensions, created the SecretStore objects, etc.
Ran ssscfg on an OES2 Linux box; it reported that the schema was extended and that the LDAP extensions were created.
Made sure schema was synchronized and that the eDirectory tree was healthy.
Checked that the LDAP extensions were correct for SecretStore by enabling all trace screen options for LDAP trace and refreshing the LDAP server.
Resolution
1) The DS_HIDDEN_ATTR flag was missing on the following attributes:
SAS:SecretStore:Data
SAS:SecretStore:Key
2) Each partition root object will have a sssactiveserverlist attribute showing what SecretStore servers are active. This error may be displayed due to old or invalid servers in the list.
- i.e. when a server has or had SecretStore installed, but was later deconfigured so it would not use SecretStore.
- Use iMonitor to search for all objects with the sssactiveserverlist attribute. When looking at the attribute through iMonitor, it will display hex code. It will also show a column with somewhat readable data. It will give the server name, IP address, etc. Write down the first few data fields for the hex value of the server that should not be in the list.
- Then go into iManager or ConsoleOne and find the sssactiveserverlist attribute on the other / general tab and delete the value with the hex data entry you found in iMonitor.
- You will not be able to do this with the Root partition of the tree, the Tree object. If the Tree object or Root partition needs to be modified, Novell Technical Support will need to assist in this process.
Current known fix is to call Novell Technical Support to have the flags added to the schema. Root cause is currently unknown. Please document all processes performed regarding the SecretStore schema extensions with Novell Technical Support.
Additional Information
An enhancement request has been made for a utility to clean up the sssactiveserverlist attribute. Make sure to use the latest plugin for SecretStore and attempt to clean up the list through the Novell utilities prior to contacting Novell.
All SecretStore LDAP extensions were present.
Took an LDAP trace and found the following error:
*************************
4964BB3C:492:8b5cb120:179 (10.10.2.81:58336)(0x0010:0x77) DoExtended on connection 0x92dae1c0
4964BB3C:492:8b5cb120:179 (10.10.2.81:58336)(0x0010:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.148.100.13
4964BB3C:492:8b5cb120:179 (10.10.2.81:58336)(0x0010:0x77) Unable to find extension handler 2.16.840.1.113719.1.148.100.13 in extension list
4964BB3C:492:8b5cb120:179 (10.10.2.81:58336)(0x0010:0x77) Sending operation result 2:"":"Unrecognized extended operation" to connection 0x92dae1c0
4964BB3C:492:8b5cb120:179 (10.10.2.81:58336)(0x0010:0x77) Operation 0x10:0x77 on connection 0x92dae1c0 completed in 0 seconds
4964BB3C:493:8b5cb120:179 (10.10.2.81:58336)(0x0011:0x77) DoExtended on connection 0x92dae1c0
4964BB3C:493:8b5cb120:179 (10.10.2.81:58336)(0x0011:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.148.100.1
4964BB3C:493:8b5cb120:179 (10.10.2.81:58336)(0x0011:0x77) Unable to find extension handler 2.16.840.1.113719.1.148.100.1 in extension list
4964BB3C:493:8b5cb120:179 (10.10.2.81:58336)(0x0011:0x77) Sending operation result 2:"":"Unrecognized extended operation" to connection 0x92dae1c0
4964BB3C:493:8b5cb120:179 (10.10.2.81:58336)(0x0011:0x77) Operation 0x11:0x77 on connection 0x92dae1c0 completed in 0 seconds
*************************
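The trace above can be triaged mechanically. The following is an added example, not part of the original article or any Novell tool: it groups trace lines by client and operation and reports every extended request the LDAP server rejected for lack of a handler. The line layout in `LINE_RE` is an assumption inferred from the excerpt only.

```python
import re

# Sample input: lines copied from the LDAP trace excerpt in this article.
SAMPLE_TRACE = '''\
4964BB3C:492:8b5cb120:179 (10.10.2.81:58336)(0x0010:0x77) DoExtended on connection 0x92dae1c0
4964BB3C:492:8b5cb120:179 (10.10.2.81:58336)(0x0010:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.148.100.13
4964BB3C:492:8b5cb120:179 (10.10.2.81:58336)(0x0010:0x77) Unable to find extension handler 2.16.840.1.113719.1.148.100.13 in extension list
4964BB3C:492:8b5cb120:179 (10.10.2.81:58336)(0x0010:0x77) Sending operation result 2:"":"Unrecognized extended operation" to connection 0x92dae1c0
4964BB3C:493:8b5cb120:179 (10.10.2.81:58336)(0x0011:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.148.100.1
4964BB3C:493:8b5cb120:179 (10.10.2.81:58336)(0x0011:0x77) Unable to find extension handler 2.16.840.1.113719.1.148.100.1 in extension list
4964BB3C:493:8b5cb120:179 (10.10.2.81:58336)(0x0011:0x77) Sending operation result 2:"":"Unrecognized extended operation" to connection 0x92dae1c0
'''

# Assumed line layout, inferred from the excerpt only:
#   <ids> (<client ip>:<port>)(<operation id>:<operation type>) <message>
LINE_RE = re.compile(r"^\S+ \(([\d.]+):(\d+)\)\((0x[0-9a-fA-F]+):0x[0-9a-fA-F]+\) (.*)$")
REQUEST_RE = re.compile(r"Extension Request OID: ([\d.]+)")
NO_HANDLER_RE = re.compile(r"Unable to find extension handler ([\d.]+) in extension list")
RESULT_RE = re.compile(r"Sending operation result (\d+):")


def rejected_extensions(trace_text):
    """Return one record per extended operation that had no registered handler."""
    ops = {}  # (client ip, client port, operation id) -> record, in first-seen order
    for line in trace_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # separator rows, blank lines, other trace formats
        ip, port, op_id, msg = m.groups()
        rec = ops.setdefault((ip, port, op_id),
                             {"client": ip, "op": op_id, "oid": None,
                              "no_handler": False, "result": None})
        if (r := REQUEST_RE.search(msg)):
            rec["oid"] = r.group(1)
        elif (r := NO_HANDLER_RE.search(msg)):
            rec["no_handler"] = True
            rec["oid"] = rec["oid"] or r.group(1)  # request line may be absent
        elif (r := RESULT_RE.search(msg)):
            rec["result"] = int(r.group(1))
    return [rec for rec in ops.values() if rec["no_handler"]]


if __name__ == "__main__":
    for rec in rejected_extensions(SAMPLE_TRACE):
        print(f'{rec["client"]} op {rec["op"]}: OID {rec["oid"]} -> LDAP result {rec["result"]}')
```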
Used schcmp to dump the schema to a log, compared it with the schema from a known-good, working tree, and found that the DS_HIDDEN_ATTR flag was missing.
*************************
SAS:SecretStore:Data
    Flags
        DS_SYNC_IMMEDIATE
    Syntax
        SYN_OCTET_STRING
SAS:SecretStore:Key
    Flags
        DS_SINGLE_VALUED_ATTR
        DS_SYNC_IMMEDIATE
    Syntax
        SYN_OCTET_STRING
*************************
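The schema comparison described above can be scripted. This is an added example, not code from the original article or from Novell: it parses a schema dump, checks the two SecretStore attributes for DS_HIDDEN_ATTR, and diffs flags against a reference tree. It assumes the dump uses the name / Flags / Syntax layout of the excerpt; the function names and the reference dump are constructed for illustration.

```python
# Attributes this article says must carry DS_HIDDEN_ATTR.
REQUIRED_HIDDEN = ("SAS:SecretStore:Data", "SAS:SecretStore:Key")

# Sample input: the schema excerpt from the affected tree, as shown in this article.
AFFECTED_DUMP = """\
SAS:SecretStore:Data
Flags
DS_SYNC_IMMEDIATE
Syntax
SYN_OCTET_STRING
SAS:SecretStore:Key
Flags
DS_SINGLE_VALUED_ATTR
DS_SYNC_IMMEDIATE
Syntax
SYN_OCTET_STRING
"""

def parse_schema_dump(text):
    """Parse name / Flags / Syntax records into {name: {"flags": set, "syntax": str}}."""
    attrs, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()  # indentation is not significant to this parser
        if not line or set(line) == {"*"}:
            continue  # blank lines and ***** separator rows
        if line in ("Flags", "Syntax"):
            section = line
        elif section == "Flags" and line.startswith("DS_") and current:
            attrs[current]["flags"].add(line)
        elif section == "Syntax" and line.startswith("SYN_") and current:
            attrs[current]["syntax"] = line
        else:  # anything else starts a new attribute record
            current, section = line, None
            attrs[current] = {"flags": set(), "syntax": None}
    return attrs

def missing_hidden_flag(attrs, required=REQUIRED_HIDDEN):
    """Return {name: reason} for required attributes that are absent or not hidden."""
    return {name: "not in dump" if name not in attrs else "DS_HIDDEN_ATTR not set"
            for name in required
            if name not in attrs or "DS_HIDDEN_ATTR" not in attrs[name]["flags"]}

def flags_lost(affected, reference):
    """Per attribute, flags set in the reference (good) tree but not in the affected one."""
    return {name: ref["flags"] - affected[name]["flags"]
            for name, ref in reference.items()
            if name in affected and ref["flags"] - affected[name]["flags"]}

if __name__ == "__main__":
    # Constructed reference dump: the affected excerpt with DS_HIDDEN_ATTR added.
    good = parse_schema_dump(AFFECTED_DUMP.replace("Flags\n", "Flags\nDS_HIDDEN_ATTR\n"))
    bad = parse_schema_dump(AFFECTED_DUMP)
    print(missing_hidden_flag(bad), flags_lost(bad, good))
```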