SecretStore plugin is not working, Error: -1 [LDAP: error code 2 - Unrecognized extended operation]

  • 7002423
  • 22-Jan-2009
  • 26-Apr-2012

Environment

Novell SecureLogin
Novell eDirectory
Novell SecretStore

Situation

SecretStore iManager Plugin does not work

Error: -1 [LDAP: error code 2 - Unrecognized extended operation]

Installed SecretStore on a NetWare server, which extended the schema, added the LDAP object extensions, created the SecretStore objects, etc.

Ran ssscfg on an OES2 Linux box; it reported that the schema was extended and that the LDAP extensions were created.

Made sure schema was synchronized and that the eDirectory tree was healthy.

Checked that the LDAP extensions were correct for SecretStore by enabling all trace screen options for LDAP trace and refreshing the LDAP server.




Resolution

1) The DS_HIDDEN_ATTR flag was missing on the following attributes:
SAS:SecretStore:Data
SAS:SecretStore:Key

2) Each partition root object will have a sssactiveserverlist attribute showing what SecretStore servers are active. This error may be displayed due to old or invalid servers in the list.

  • i.e. when a server has or had SecretStore installed, but was later deconfigured so it would not use SecretStore.
  1. Use iMonitor to search for all objects with the sssactiveserverlist attribute. When looking at the attribute through iMonitor, it will display hex code. It will also show a column with somewhat readable data. It will give the server name, IP address, etc. Write down the first few data fields for the hex value of the server that should not be in the list.
  2. Then go into iManager or ConsoleOne and find the sssactiveserverlist attribute on the other / general tab and delete the value with the hex data entry you found in iMonitor.
  3. You will not be able to do this with the Root partition of the tree, the Tree object. If the Tree object or Root partition needs to be modified, Novell Technical Support will need to assist in this process.

Current known fix is to call Novell Technical Support to have the flags added to the schema. Root cause is currently unknown. Please document all processes performed regarding the SecretStore schema extensions with Novell Technical Support.

Additional Information

An enhancement request has been made for a utility to clean up the sssactiveserverlist attribute. Make sure to use the latest plugin for SecretStore and attempt to clean up the list through the Novell utilities, prior to contacting Novell.


All SecretStore LDAP extensions were present.

Took an LDAP trace and found the following error:
*************************
4964BB3C:492:8b5cb120:179 (10.10.2.81:58336)(0x0010:0x77) DoExtended on connection 0x92dae1c0
4964BB3C:492:8b5cb120:179 (10.10.2.81:58336)(0x0010:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.148.100.13
4964BB3C:492:8b5cb120:179 (10.10.2.81:58336)(0x0010:0x77) Unable to find extension handler 2.16.840.1.113719.1.148.100.13 in extension list
4964BB3C:492:8b5cb120:179 (10.10.2.81:58336)(0x0010:0x77) Sending operation result 2:"":"Unrecognized extended operation" to connection 0x92dae1c0
4964BB3C:492:8b5cb120:179 (10.10.2.81:58336)(0x0010:0x77) Operation 0x10:0x77 on connection 0x92dae1c0 completed in 0 seconds
4964BB3C:493:8b5cb120:179 (10.10.2.81:58336)(0x0011:0x77) DoExtended on connection 0x92dae1c0
4964BB3C:493:8b5cb120:179 (10.10.2.81:58336)(0x0011:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.148.100.1
4964BB3C:493:8b5cb120:179 (10.10.2.81:58336)(0x0011:0x77) Unable to find extension handler 2.16.840.1.113719.1.148.100.1 in extension list
4964BB3C:493:8b5cb120:179 (10.10.2.81:58336)(0x0011:0x77) Sending operation result 2:"":"Unrecognized extended operation" to connection 0x92dae1c0
4964BB3C:493:8b5cb120:179 (10.10.2.81:58336)(0x0011:0x77) Operation 0x11:0x77 on connection 0x92dae1c0 completed in 0 seconds
*************************

Used schcmp to write the schema out to a log. Compared it to the schema from a good, working tree and found that the DS_HIDDEN_ATTR flag was missing.
*************************
SAS:SecretStore:Data
    Flags
        DS_SYNC_IMMEDIATE
    Syntax
        SYN_OCTET_STRING
SAS:SecretStore:Key
    Flags
        DS_SINGLE_VALUED_ATTR
        DS_SYNC_IMMEDIATE
    Syntax
        SYN_OCTET_STRING
*************************
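
The good-tree comparison described above can be scripted. The following is an added example, not Novell's code or part of the original document; it assumes both schema logs use the indented layout shown in the excerpt above, and the function names parse_schema_dump and missing_flags are hypothetical. The "good" dump is constructed by adding DS_HIDDEN_ATTR to the excerpt.

```python
# Added example: report flags a good tree has that the suspect tree lacks.
# Assumed layout (taken from the excerpt above): attribute name at column 0,
# indented "Flags" / "Syntax" headings, values indented beneath each heading.

def parse_schema_dump(text):
    """Return {attribute: {"Flags": set, "Syntax": set}} from a schema log."""
    schema, attr, section = {}, None, None
    for raw in text.splitlines():
        value = raw.strip()
        if not value or set(value) == {"*"}:
            continue  # skip blank lines and the ***** delimiter lines
        if raw == raw.lstrip():              # column 0: new attribute
            attr, section = value, None
            schema[attr] = {"Flags": set(), "Syntax": set()}
        elif attr and value in ("Flags", "Syntax"):
            section = value
        elif attr and section:
            schema[attr][section].add(value)
    return schema

def missing_flags(good, suspect, attributes):
    """Map each attribute to the flags present in good but not in suspect."""
    report = {}
    for name in attributes:
        want = good.get(name, {}).get("Flags", set())
        have = suspect.get(name, {}).get("Flags", set())
        if want - have:
            report[name] = sorted(want - have)
    return report

# Suspect tree: the definitions quoted in this document.
SUSPECT = """\
SAS:SecretStore:Data
    Flags
        DS_SYNC_IMMEDIATE
    Syntax
        SYN_OCTET_STRING
SAS:SecretStore:Key
    Flags
        DS_SINGLE_VALUED_ATTR
        DS_SYNC_IMMEDIATE
    Syntax
        SYN_OCTET_STRING
"""
# Good tree: constructed sample, the same definitions plus DS_HIDDEN_ATTR.
GOOD = SUSPECT.replace("    Flags\n", "    Flags\n        DS_HIDDEN_ATTR\n")
ATTRS = ["SAS:SecretStore:Data", "SAS:SecretStore:Key"]

if __name__ == "__main__":
    diff = missing_flags(parse_schema_dump(GOOD), parse_schema_dump(SUSPECT), ATTRS)
    for name, flags in diff.items():
        print(f"{name}: missing {', '.join(flags)}")
```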