Environment
Novell Open Enterprise Server 2 (OES 2) Linux
OES2 SP1
Domain Services for Windows
DSFW
Novell iPrint for Linux Open Enterprise Server
Radius LDAP Authentication Server
Situation
Domain Services for Windows was installed in an existing tree. When the first DSFW server is down, applications that use LDAP to authenticate to eDirectory no longer work.
In this example the domain is mapped to ou=MyDomain,o=DSFW in the eDirectory tree.
The LDAP trace shows the following:
Search request:
base:"o=DSFW"
scope:2 dereference:0 sizelimit:1 timelimit:0 attrsonly:0
filter: "(uid=admin)"
no attributes
Empty attribute list implies all user attributes
Sending search result entry "cn=Admin,o=DSFW" to connection 0x5d7ea08
Cannot resolve NDS name 'CN=Configuration.OU=MyDomain.O=DSFW' in ResolveAndAuthNDSName, err = no referrals (-634)
LDAPSearchToCB: Cannot Resolve and Auth base DN, err = no referrals (-634)
LDAPSearchToCB failed, err = no referrals (-634)
Sending operation result 80:"":"NDS error: no referrals (-634)" to connection 0x5d7ea08
Monitor 0x49db5935 found connection 0x5d7ea08 ending TLS session
DoUnbind on connection 0x5d7ea08
Preempting operation 0x0:0x0 on connection 0x5d7ea08 before processing because connection is closing
Connection 0x5d7ea08 closed
Resolution
The application is doing a subtree search (scope:2) from o=DSFW, so the search tries to descend into the CN=Configuration,OU=MyDomain,O=DSFW container. Because the DSFW server is the only server with a real copy (R/W or Master) of the Configuration partition and that server is down, a -634 (no referrals) error is returned.
After DSFW is installed, a Configuration partition is created inside the domain and a partition called Schema is created under the Configuration container. Most likely the DSFW server is the only server with a real copy of both partitions. Add a replica of both the Configuration partition (CN=Configuration,OU=MyDomain,O=DSFW container) and the Schema partition (CN=Schema,CN=Configuration,OU=MyDomain,O=DSFW container) to other servers, preferably the LDAP servers and all DSFW servers in the tree.
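Added example (not part of the original TID and not Novell code): a small Python parser that finds searches ending in -634 in an LDAP trace and reports the search base, scope and the partition root that could not be resolved, which is the partition that needs a replica on another server. The sample trace is constructed from the trace lines in this article; the parser assumes a single-connection trace with one message per line and typeful dotted NDS names.

```python
import re

# Constructed sample: trace lines from this article, one message per line.
SAMPLE_TRACE = '''\
Search request:
base:"o=DSFW"
scope:2 dereference:0 sizelimit:1 timelimit:0 attrsonly:0
filter: "(uid=admin)"
Sending search result entry "cn=Admin,o=DSFW" to connection 0x5d7ea08
Cannot resolve NDS name 'CN=Configuration.OU=MyDomain.O=DSFW' in ResolveAndAuthNDSName, err = no referrals (-634)
LDAPSearchToCB failed, err = no referrals (-634)
Sending operation result 80:"":"NDS error: no referrals (-634)" to connection 0x5d7ea08
'''

BASE = re.compile(r'^\s*base:\s*"([^"]*)"')
SCOPE = re.compile(r'^\s*scope:\s*(\d)')
FILTER = re.compile(r'^\s*filter:\s*"([^"]*)"')
UNRESOLVED = re.compile(r"Cannot resolve NDS name '([^']+)'.*\(-634\)")
RESULT = re.compile(r'Sending operation result (\d+):.*to connection (0x[0-9a-fA-F]+)')
SCOPES = {"0": "base", "1": "one-level", "2": "subtree"}

def nds_to_ldap_dn(name):
    """Convert a typeful dotted NDS name (CN=a.OU=b.O=c) to an LDAP DN."""
    # Split only on dots that start a new typed component (assumption: typeful names).
    return ",".join(re.split(r"\.(?=[A-Za-z]+=)", name))

def find_referral_failures(trace):
    """Return one finding per search that ended with NDS error -634."""
    findings, cur = [], {}
    for line in trace.splitlines():
        if line.startswith("Search request:"):
            cur = {"unresolved": []}
        elif m := BASE.match(line):
            cur["base"] = m.group(1)
        elif m := SCOPE.match(line):
            cur["scope"] = SCOPES.get(m.group(1), m.group(1))
        elif m := FILTER.match(line):
            cur["filter"] = m.group(1)
        elif m := UNRESOLVED.search(line):
            cur.setdefault("unresolved", []).append(nds_to_ldap_dn(m.group(1)))
        elif (m := RESULT.search(line)) and "(-634)" in line:
            findings.append({**cur, "ldap_result": int(m.group(1)), "connection": m.group(2)})
            cur = {}
    return findings

if __name__ == "__main__":
    for finding in find_referral_failures(SAMPLE_TRACE):
        print(finding)
```

Each DN listed under "unresolved" is a partition root with no reachable replica at the time of the search.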
Additional Information
The Radius LDAP authentication server also failed.