Environment
NetIQ eDirectory 8.8 SP8
Situation
When using iMonitor in direct mode (using the replica server's ip address in the URL) there is no problem viewing an object. However, if another server's replica is selected from the lower right pane, error -676 is returned.
Other errors are sometimes seen such as -625 and -626. However, as above, using iMonitor in direct mode to the other server works fine. There are also no problems if iMonitor is forced to accept unsecured connections.
Standalone: The servers in the replica ring are running different versions of eDirectory or different patch levels.
OES: This has been reported on fully patched OES as well.
Other errors are sometimes seen such as -625 and -626. However, as above, using iMonitor in direct mode to the other server works fine. There are also no problems if iMonitor is forced to accept unsecured connections.
Standalone: The servers in the replica ring are running different versions of eDirectory or different patch levels.
OES: This has been reported on fully patched OES as well.
Resolution
Standalone eDirectory
Cause: The secure NCP code in NCPengine relies on OpenSSL code supplied by eDirectory. Due to the number of vulnerabilities found and fixed in the last two years this code has changed frequently, even between patches.
Resolution: This issue is not seen if all the servers in a replica ring are updated to the latest eDirectory version and patch level.
OES
Cause: Unknown at this time though Engineering has been notified.
Workaround: The issue is not seen if iMonitor is used in direct mode to read from a particular replica's information.
Cause: The secure NCP code in NCPengine relies on OpenSSL code supplied by eDirectory. Due to the number of vulnerabilities found and fixed in the last two years this code has changed frequently, even between patches.
Resolution: This issue is not seen if all the servers in a replica ring are updated to the latest eDirectory version and patch level.
OES
Cause: Unknown at this time though Engineering has been notified.
Workaround: The issue is not seen if iMonitor is used in direct mode to read from a particular replica's information.