Environment
Novell Open Enterprise Server 11SP2
eDirectory 8.8
Domain Services for Windows
DSFW
Situation
Cisco ISE integration
Cisco ISE returns: LW_ERROR_LDAP_UNDEFINED_TYPE
Cisco Error code 40313
When Cisco ISE attempts to join the DSfW domain, it queries the directory for the msDS-SupportedEncryptionTypes attribute (an attribute introduced with the Windows Server 2008 schema). DSfW answers with "undefined attribute type" and the join process fails.
The same query against a Windows Server 2003 domain returns "no such attribute", and the domain join completes successfully.
Resolution
The mSDS-SupportedEncryptionTypes attribute must be added to the DSfW schema. The steps below add its definition to the DSfW schema file and import it with ndssch; once the attribute is defined, the Cisco ISE join succeeds.
- Confirm that the mSDS-SupportedEncryptionTypes attribute is not yet defined by running the following command on the DSfW server (no output means the attribute is undefined):
ldapsearch -b cn=schema -s base -x -LLL | grep -i mSDS-SupportedEncryptionTypes
- Take a backup of the DSfW schema file /etc/opt/novell/xad/msds.sch.
- In /etc/opt/novell/xad/msds.sch (be sure the backup exists before proceeding), add the following just after the "msDS:HomeDirectory" ATTRIBUTE section and before the "homeDrive" ATTRIBUTE section. Lines beginning with "--" are comments in this file.
-- Attribute definition for ISE integration
"mSDS-SupportedEncryptionTypes" ATTRIBUTE ::=
{
    Operation ADD,
    SyntaxID SYN_CI_STRING,
    Flags {DS_SINGLE_VALUED_ATTR, DS_SYNC_IMMEDIATE},
    ASN1ObjID {1 2 840 113556 1 4 1963}
}
- Update the schema with the following ndssch command:
/opt/novell/eDirectory/bin/ndssch -h <dsfw-server-ip> -F ./<file name> '<admin.context>'
<dsfw-server-ip> is the PDC server, which must hold a replica of the root partition. It does not have to be the master of root; a read/write replica suffices. If the PDC holds no replica of root, use the IP address of the master of root instead.
<file name> is the schema file edited above, /etc/opt/novell/xad/msds.sch (or a copy of it in the current directory).
'<admin.context>' is a tree admin user, for example admin.novell.
- Confirm the schema is updated:
ldapsearch -b cn=schema -s base -x -LLL | grep -i mSDS-SupportedEncryptionTypes
This should return:
attributeTypes: ( 1.2.840.113556.1.4.1963 NAME 'mSDS-SupportedEncryptionTypes'