DSfW: Cisco ISE integration "LW_ERROR_LDAP_UNDEFINED_TYPE"

  • 7016335
  • 19-Mar-2015
  • 03-Apr-2015

Environment

Novell Open Enterprise Server 11SP2
eDirectory 8.8
Domain Services for Windows
DSFW

Situation

Cisco ISE integration
Cisco ISE returns: LW_ERROR_LDAP_UNDEFINED_TYPE
Cisco Error code 40313

When Cisco ISE attempts to join the DSfW domain, it queries for msDS-SupportedEncryptionTypes (a Windows Server 2008 schema attribute). DSfW returns an undefined attribute type error and the join process fails.
The same process against a Windows 2003 domain returns "no such attribute" and the domain join completes successfully.

Resolution

The mSDS-SupportedEncryptionTypes attribute needs to be added to the schema.

Create an LDIF for this attribute and import it; the schema definition should then be present so that the Cisco ISE join succeeds.
  1. Confirm that the mSDS-SupportedEncryptionTypes attribute is not defined by executing the following command on the DSfW server:
    ldapsearch -b cn=schema -s base -x -LLL | grep -i mSDS-SupportedEncryptionTypes 

  2. Take a backup of the DSfW schema file, /etc/opt/novell/xad/msds.sch.
  3. In the /etc/opt/novell/xad/msds.sch schema file (be sure there is a backup of this file before proceeding), add the following just after the "msDS:HomeDirectory" ATTRIBUTE section and before the "homeDrive" ATTRIBUTE section:

    --Attribute definition for ISE integration
    "mSDS-SupportedEncryptionTypes" ATTRIBUTE ::=
    {
    Operation ADD,
    SyntaxID SYN_CI_STRING,
    Flags {DS_SINGLE_VALUED_ATTR, DS_SYNC_IMMEDIATE},
    ASN1ObjID {1 2 840 113556 1 4 1963}
    }

  4. Update the schema using the following ndssch command:
    /opt/novell/eDirectory/bin/ndssch -h <dsfw-server-ip> -F ./<file name>  '<admin.context>'

    <dsfw-server-ip> is the PDC server, which must hold a replica of root for this to work. It does not have to be the master of root; a read/write replica will suffice. If it does not hold a replica of root, use the IP address of the master of root.
    <file name> is /etc/opt/novell/xad/msds.sch
    '<admin.context>' is a tree admin user; admin.novell is an example.
  5. Confirm the schema is updated:
    ldapsearch -b cn=schema -s base -x -LLL | grep -i mSDS-SupportedEncryptionTypes 
  6. The command should return:
    attributeTypes: ( 1.2.840.113556.1.4.1963 NAME 'mSDS-SupportedEncryptionTypes'
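As an added example (not part of this TID), the following Python helpers apply step 3 to a copy of msds.sch and perform the check from steps 1 and 5 on saved ldapsearch output. The sample schema file and LDIF are constructed, and the OIDs in the two sample sections are made up; only the inserted ATTRIBUTE block is taken from the steps above.

```python
import re

ATTR_NAME = "mSDS-SupportedEncryptionTypes"
ATTR_OID = "1.2.840.113556.1.4.1963"

# The ATTRIBUTE block from the resolution steps, verbatim.
SCH_BLOCK = '''--Attribute definition for ISE integration
"mSDS-SupportedEncryptionTypes" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_CI_STRING,
Flags {DS_SINGLE_VALUED_ATTR, DS_SYNC_IMMEDIATE},
ASN1ObjID {1 2 840 113556 1 4 1963}
}
'''

# Constructed stand-in for msds.sch: only the two anchor sections, made-up OIDs.
SAMPLE_SCH = '''"msDS:HomeDirectory" ATTRIBUTE ::=
{ Operation ADD, SyntaxID SYN_CI_STRING, ASN1ObjID {9 9 9 1} }

"homeDrive" ATTRIBUTE ::=
{ Operation ADD, SyntaxID SYN_CI_STRING, ASN1ObjID {9 9 9 2} }
'''

def insert_attribute(sch_text):
    """Insert SCH_BLOCK after msDS:HomeDirectory and before homeDrive. Idempotent:
    unchanged if the attribute is already defined; raises if anchors are missing."""
    if ATTR_NAME.lower() in sch_text.lower():
        return sch_text
    home_dir = sch_text.find('"msDS:HomeDirectory" ATTRIBUTE')
    home_drive = sch_text.find('"homeDrive" ATTRIBUTE')
    if home_dir < 0 or home_drive < home_dir:
        raise ValueError("anchor sections not found in expected order")
    return sch_text[:home_drive] + SCH_BLOCK + "\n" + sch_text[home_drive:]

# Constructed ldapsearch -LLL output; LDIF folds long values onto a continuation
# line starting with a space, which here splits the NAME across two lines.
SAMPLE_LDIF = ("dn: cn=schema\n"
               "attributeTypes: ( 1.2.840.113556.1.4.1963 NAME 'mSDS-SupportedEncrypt\n"
               " ionTypes' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )\n")

def schema_has_attribute(ldif):
    """True if the subschema LDIF defines ATTR_OID with ATTR_NAME. Unfolds
    continuation lines first, which a plain grep for the name does not."""
    for line in re.sub(r"\n ", "", ldif).splitlines():
        if line.startswith("attributeTypes:") and ATTR_OID in line:
            m = re.search(r"NAME\s+'([^']+)'", line)
            if m and m.group(1).lower() == ATTR_NAME.lower():
                return True
    return False
```

Run the file-editing step against a copy and diff it before touching the real msds.sch; the unfolding check matters because grep -i on folded ldapsearch output can report a false "not defined".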