Bi-Directional eDir driver throws "Protocol Error"

  • 7014458
  • 27-Jan-2014
  • 10-Jan-2019

Environment

NetIQ Identity Manager 4.0.2
NetIQ Identity Manager Driver - Bidirectional eDirectory

Situation

After the Bidirectional eDirectory driver is configured, it is unable to connect on the Publisher Channel, which terminates the driver. The driver shuts down and will not remain running.

A fatal Protocol Error is seen in the driver trace.

---------------Driver Trace--------------------
[01/27/14 09:23:26.327]:eDir 11to10 Bi-directional PT:eDir 11to10 Bi-directional: Host name: 100.100.100.1
[01/27/14 09:23:26.327]:eDir 11to10 Bi-directional PT:eDir 11to10 Bi-directional: Port: 389
[01/27/14 09:23:26.327]:eDir 11to10 Bi-directional PT:eDir 11to10 Bi-directional: DN: CN=admin,O=netiq
[01/27/14 09:23:26.327]:eDir 11to10 Bi-directional PT:eDir 11to10 Bi-directional: Protocol version=3
[01/27/14 09:23:26.328]:eDir 11to10 Bi-directional PT:eDir 11to10 Bi-directional: SDK version=4.6
[01/27/14 09:23:26.328]:eDir 11to10 Bi-directional PT:eDir 11to10 Bi-directional: LDAPInterface.registerDriverInstance() : Exception occured while registration - Protocol Error
[01/27/14 09:23:26.329]:eDir 11to10 Bi-directional PT:PublicationShim.start() returned:
[01/27/14 09:23:26.329]:eDir 11to10 Bi-directional PT:
<nds dtdversion="4.0">
  <source>
    <product instance="eDir 11to10 Bi-directional" version="4.0.1.0">Identity Manager Bi-directional Driver for eDirectory</product>
    <contact>Novell, Inc.</contact>
  </source>
  <output>
    <status level="fatal">Protocol Error</status>
  </output>
</nds>
------------------End Driver Trace----------------------

The receiving server shows the following errors in an LDAP trace taken on that server:
-------------------LDAP Trace--------------------
1091606848 LDAP: [2014/01/27  9:51:02.649] New cleartext connection 0xd4f5180 from 100.100.100.5:40235, monitor = 0x0, index = 1
1096870208 LDAP: [2014/01/27  9:51:02.649] Monitor 0x4160e940 started
1107396928 LDAP: [2014/01/27  9:51:02.654] DoBind on connection 0xd4f5180
1107396928 LDAP: [2014/01/27  9:51:02.654] Treating simple bind with empty DN and no password as anonymous
1107396928 LDAP: [2014/01/27  9:51:02.654] Bind name:NULL, version:3, authentication:simple
1107396928 LDAP: [2014/01/27  9:51:02.654] Sending operation result 0:"":"" to connection 0xd4f5180
1101080896 LDAP: [2014/01/27  9:51:02.656] DoSearch on connection 0xd4f5180
1101080896 LDAP: [2014/01/27  9:51:02.656] Search request:
    base: ""
    scope:0  dereference:0  sizelimit:0  timelimit:0  attrsonly:0
    filter: "(objectclass=*)"
    attribute: "subschemasubentry"
    attribute: "2.5.18.10"
1101080896 LDAP: [2014/01/27  9:51:02.657] Unsupported or duplicate attribute: "2.5.18.10"
1101080896 LDAP: [2014/01/27  9:51:02.657] Sending search result entry "" to connection 0xd4f5180
1101080896 LDAP: [2014/01/27  9:51:02.657] Sending operation result 0:"":"" to connection 0xd4f5180
1104238912 LDAP: [2014/01/27  9:51:02.657] DoSearch on connection 0xd4f5180
1104238912 LDAP: [2014/01/27  9:51:02.657] Search request:
    base: "cn=schema"
    scope:0  dereference:0  sizelimit:0  timelimit:0  attrsonly:0
    filter: "(objectclass=*)"
    attribute: "objectclasses"
    attribute: "2.5.21.6"
    attribute: "attributetypes"
    attribute: "2.5.21.5"
1104238912 LDAP: [2014/01/27  9:51:02.672] Unsupported or duplicate attribute: "2.5.21.6"
1104238912 LDAP: [2014/01/27  9:51:02.685] Unsupported or duplicate attribute: "2.5.21.5"
1104238912 LDAP: [2014/01/27  9:51:02.685] Sending search result entry "cn=schema" to connection 0xd4f5180
1104238912 LDAP: [2014/01/27  9:51:02.690] Sending operation result 0:"":"" to connection 0xd4f5180
1085290816 LDAP: [2014/01/27  9:51:03.267] DoSearch on connection 0xd4f5180
1085290816 LDAP: [2014/01/27  9:51:03.267] Search request:
    base: ""
    scope:0  dereference:0  sizelimit:0  timelimit:0  attrsonly:0
    filter: "(objectclass=*)"
    attribute: "namingContexts"
    attribute: "subschemasubentry"
    attribute: "supportedExtension"
1085290816 LDAP: [2014/01/27  9:51:03.269] Sending search result entry "" to connection 0xd4f5180
1085290816 LDAP: [2014/01/27  9:51:03.269] Sending operation result 0:"":"" to connection 0xd4f5180
1091606848 LDAP: [2014/01/27  9:51:03.811] New cleartext connection 0xd4f4e00 from 100.100.100.5:40236, monitor = 0x4160e940, index = 2
1101080896 LDAP: [2014/01/27  9:51:03.818] DoBind on connection 0xd4f4e00
1101080896 LDAP: [2014/01/27  9:51:03.818] Bind name:CN=admin,O=mountain, version:3, authentication:simple
1101080896 LDAP: [2014/01/27  9:51:03.825] Sending operation result 0:"":"" to connection 0xd4f4e00
1107396928 LDAP: [2014/01/27  9:51:03.827] DoExtended on connection 0xd4f4e00
1107396928 LDAP: [2014/01/27  9:51:03.827] DoExtended: Extension Request OID: 2.16.840.1.113719.1.14.100.200
1107396928 LDAP: [2014/01/27  9:51:03.827] Unable to find extension handler 2.16.840.1.113719.1.14.100.200 in extension list
1107396928 LDAP: [2014/01/27  9:51:03.827] Sending operation result 2:"":"Unrecognized extended operation" to connection 0xd4f4e00
1103186240 LDAP: [2014/01/27  9:51:04.399] DoExtended on connection 0xd4f4e00
1103186240 LDAP: [2014/01/27  9:51:04.399] DoExtended: Extension Request OID: 2.16.840.1.113719.1.14.100.200
1103186240 LDAP: [2014/01/27  9:51:04.399] Unable to find extension handler 2.16.840.1.113719.1.14.100.200 in extension list
1103186240 LDAP: [2014/01/27  9:51:04.399] Sending operation result 2:"":"Unrecognized extended operation" to connection 0xd4f4e00
1096870208 LDAP: [2014/01/27  9:51:04.402] Monitor 0x4160e940 found connection 0xd4f5180 socket closed, err = -5871, 0 of 0 bytes read
1096870208 LDAP: [2014/01/27  9:51:04.402] Monitor 0x4160e940 initiating close for connection 0xd4f5180
1104238912 LDAP: [2014/01/27  9:51:04.402] Server closing connection 0xd4f5180, socket error = -5871
1104238912 LDAP: [2014/01/27  9:51:04.402] Connection 0xd4f5180 closed
-------------------End LDAP Trace--------------------
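The two trace lines that matter are "Unable to find extension handler" for the OID the driver requests and the operation result code 2, which is the LDAP protocolError result; that is the value the driver surfaces as its fatal "Protocol Error". The script below is an added example, not part of this TID or of the NetIQ driver: it reads a saved LDAP trace from stdin and reports which extended-operation OIDs the server had no handler for, how many protocolError results it returned, how many connections were accepted in cleartext, and which bind names were presented with simple authentication. The cleartext and bind-name checks go slightly beyond the article's own diagnosis; the same trace records the driver binding as CN=admin over a cleartext port 389 connection, which is worth reviewing on its own. The sample_trace function, the trace file path in the usage comment and the report helper are assumptions; the sample lines are constructed from the trace quoted above.

```shell
#!/bin/sh
# Added example (not from the NetIQ TID): triage helpers for an eDirectory
# LDAP trace. Each function reads the trace text from stdin.

# Extended-operation OIDs the server had no handler for, with a count per OID.
# Output: "<OID> <count>", one line per OID.
unrecognized_extops() {
    awk '/Unable to find extension handler/ {
            for (i = 1; i <= NF; i++) if ($i == "handler") oid[$(i + 1)]++
         }
         END { for (o in oid) printf "%s %d\n", o, oid[o] }' | sort
}

# Number of operation results carrying LDAP result code 2 (protocolError).
protocol_errors() {
    awk '/Sending operation result 2:/ { n++ } END { print n + 0 }'
}

# Number of connections the server logged as cleartext (no TLS).
cleartext_connections() {
    awk '/New cleartext connection/ { n++ } END { print n + 0 }'
}

# Bind names presented with simple (password) authentication, one per line.
simple_bind_names() {
    sed -n 's/.*Bind name:\(.*\), version:[0-9]*, authentication:simple.*/\1/p'
}

# Constructed sample: a subset of the trace lines quoted in this article.
sample_trace() {
    cat <<'EOF'
1091606848 LDAP: [2014/01/27  9:51:02.649] New cleartext connection 0xd4f5180 from 100.100.100.5:40235, monitor = 0x0, index = 1
1107396928 LDAP: [2014/01/27  9:51:02.654] Bind name:NULL, version:3, authentication:simple
1107396928 LDAP: [2014/01/27  9:51:02.654] Sending operation result 0:"":"" to connection 0xd4f5180
1091606848 LDAP: [2014/01/27  9:51:03.811] New cleartext connection 0xd4f4e00 from 100.100.100.5:40236, monitor = 0x4160e940, index = 2
1101080896 LDAP: [2014/01/27  9:51:03.818] Bind name:CN=admin,O=mountain, version:3, authentication:simple
1107396928 LDAP: [2014/01/27  9:51:03.827] DoExtended: Extension Request OID: 2.16.840.1.113719.1.14.100.200
1107396928 LDAP: [2014/01/27  9:51:03.827] Unable to find extension handler 2.16.840.1.113719.1.14.100.200 in extension list
1107396928 LDAP: [2014/01/27  9:51:03.827] Sending operation result 2:"":"Unrecognized extended operation" to connection 0xd4f4e00
1103186240 LDAP: [2014/01/27  9:51:04.399] Unable to find extension handler 2.16.840.1.113719.1.14.100.200 in extension list
1103186240 LDAP: [2014/01/27  9:51:04.399] Sending operation result 2:"":"Unrecognized extended operation" to connection 0xd4f4e00
EOF
}

# Summary over a trace file. Usage (the path is an assumption):
#   report /path/to/ldap.trace
report() {
    printf 'unrecognized extended operations (OID count):\n'
    unrecognized_extops < "$1"
    printf 'protocolError results: %s\n' "$(protocol_errors < "$1")"
    printf 'cleartext connections: %s\n' "$(cleartext_connections < "$1")"
    printf 'simple binds by:\n'
    simple_bind_names < "$1"
}
```

Run against the constructed sample, the report lists the single OID 2.16.840.1.113719.1.14.100.200 with a count of 2, two protocolError results, two cleartext connections, and the bind names NULL (the anonymous schema read) and CN=admin,O=mountain. A count of zero for the OID after the Change-Log module is loaded is the quickest confirmation that the resolution below took effect.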

Resolution

The LDAP server in the receiving tree must have the Change-Log module installed and running.

See the Bidirectional eDirectory driver documentation, Section 3.0 Preparing the Connected System, and specifically Section 3.1 Installing Change-Log module on a connected eDirectory server, at
www.netiq.com/documentation

Additionally, make sure the LDAP server you are connecting to holds a replica of the partition in which its LDAP Server object resides; this should be the same partition that holds the server object. If you add the replica after installing the Change-Log module, restart eDirectory once the replica reaches the On state.

Cause

The NMAS extensions for the Change-Log module are not available on the LDAP Server object, so the server cannot service the driver's query for changes.

This happens either because the Change-Log module is not installed and loaded, or because the LDAP server does not hold a replica of the partition in which its LDAP Server object resides.

Additional Information

To verify whether the Change-Log module is loaded on the server, execute the following command:
ndstrace -c modules | grep xclldap

It should report back "xclldap       Running"

If it reports back Not loaded, then you can execute the following command to try and load it.
ndstrace -c "load xclldap"

If it fails to load, troubleshooting the error it returns is the next step.
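A scripted form of the check and load steps above, as an added example that is not from this TID: xclldap_state parses the output of ndstrace -c modules (read from stdin) and prints the module's state, and xclldap_ensure runs the check on the local server and, when the module is not Running, attempts the load described above and reports the resulting state. The ndstrace invocations are the ones quoted in this article; the exact layout of the modules listing beyond "xclldap <state>" is an assumption, as are the constructed sample listings used to exercise the parser.

```shell
#!/bin/sh
# Added example (not from the NetIQ TID): check whether the Change-Log
# module (xclldap) is loaded on this eDirectory server and load it if not.

# Read "ndstrace -c modules" output from stdin and print the state shown for
# xclldap ("Running", "Not loaded", ...), or "not listed" if it is absent.
# Assumes the module name is the first whitespace-separated column.
xclldap_state() {
    awk '$1 == "xclldap" { found = 1; $1 = ""; sub(/^ +/, ""); print }
         END { if (!found) print "not listed" }'
}

# Check the local server; attempt the load if the module is not Running.
# Returns 0 when xclldap ends up Running, 1 otherwise.
xclldap_ensure() {
    state=$(ndstrace -c modules | xclldap_state)
    if [ "$state" = "Running" ]; then
        echo "xclldap: Running"
        return 0
    fi
    echo "xclldap: $state; attempting to load"
    ndstrace -c "load xclldap"
    state=$(ndstrace -c modules | xclldap_state)
    echo "xclldap: $state"
    [ "$state" = "Running" ]
}

# Constructed sample listings (layout is an assumption) to exercise the parser.
sample_modules_running()   { printf 'nldap         Running\nxclldap       Running\n'; }
sample_modules_notloaded() { printf 'nldap         Running\nxclldap       Not loaded\n'; }
sample_modules_absent()    { printf 'nldap         Running\n'; }
```

On a server, run xclldap_ensure; its exit status is usable from a monitoring job, and the "not listed" state means the module is not installed at all, which points back to Section 3.1 rather than to a failed load. Loading the module does not by itself satisfy the replica requirement described under Resolution, so a module that reports Running while the driver still fails should prompt the replica check next.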