IDM 4.7 uninstall deletes nici directory causing eDirectory to no longer start

  • 7023926
  • 11-Jun-2019
  • 11-Jun-2019


eDirectory 9.X
Identity Manager 4.7


IDM 4.7 was run to install the IDM engine to an existing Identity vault.  
Advanced was installed instead of standard. was run to remove the IDM engine choosing to leave the Identify vault installed and configured.

ndsmanage fails to start eDirectory instance with the following error:

Starting NetIQ eDirectory server...
Job for ndsdtmpl-etc-opt-novell-eDirectory-conf-nds.conf@-etc-opt-novell-eDirectory-conf-env.service failed because a configured resource limit was exceeded. See "systemctl status ndsdtmpl-etc-opt-novell-eDirectory-conf-nds.conf@-etc-opt-novell-eDirectory-conf-env.service" and "journalctl -xe" for details.

systemctl shows the following status:
[root@RH76srv novell]# systemctl status ndsdtmpl-etc-opt-novell-eDirectory-conf-nds.conf@-etc-opt-novell-eDirectory-conf-env.service 
��� ndsdtmpl-etc-opt-novell-eDirectory-conf-nds.conf@-etc-opt-novell-eDirectory-conf-env.service - eDirectory service for /etc/opt/novell/eDirectory/conf/env
   Loaded: loaded (/usr/lib/systemd/system/ndsdtmpl-etc-opt-novell-eDirectory-conf-nds.conf@.service; enabled; vendor preset: disabled)
   Active: failed (Result: resources) since Tue 2019-06-11 13:25:40 EDT; 4min 57s ago
  Process: 71935 ExecStopPost=//opt/novell/eDirectory/sbin/post_ndsd_stop_factory (code=exited, status=0/SUCCESS)
  Process: 71932 ExecStopPost=//opt/novell/eDirectory/sbin/post_ndsd_stop_custom (code=exited, status=0/SUCCESS)
  Process: 71587 ExecStartPost=//opt/novell/eDirectory/sbin/post_ndsd_start_factory (code=exited, status=0/SUCCESS)
  Process: 71586 ExecStartPost=//opt/novell/eDirectory/sbin/post_ndsd_start_custom (code=exited, status=0/SUCCESS)
  Process: 71582 ExecStart=/opt/novell/eDirectory/sbin/ndsdwrapper (code=exited, status=0/SUCCESS)
  Process: 71578 ExecStartPre=//opt/novell/eDirectory/sbin/pre_ndsd_start_factory (code=exited, status=0/SUCCESS)
  Process: 71576 ExecStartPre=//opt/novell/eDirectory/sbin/pre_ndsd_start_custom (code=exited, status=0/SUCCESS)

Jun 11 13:25:36 post_ndsd_start_factory[71587]: /opt/novell/eDirectory/sbin/nldap_check: line 136: 71906 Aborted                 ...l 2>&1
Jun 11 13:25:37 post_ndsd_start_factory[71587]: /opt/novell/eDirectory/sbin/nldap_check: line 136: 71911 Aborted                 ...l 2>&1
Jun 11 13:25:38 post_ndsd_start_factory[71587]: /opt/novell/eDirectory/sbin/nldap_check: line 136: 71916 Aborted                 ...l 2>&1
Jun 11 13:25:39 post_ndsd_start_factory[71587]: /opt/novell/eDirectory/sbin/nldap_check: line 136: 71921 Aborted                 ...l 2>&1
Jun 11 13:25:40 post_ndsd_start_factory[71587]: /opt/novell/eDirectory/sbin/nldap_check: line 136: 71929 Aborted                 ...l 2>&1
Jun 11 13:25:40 post_ndsd_start_factory[71587]: NetIQ eDirectory LDAP Server is not listening on the TLS port.
Jun 11 13:25:40 systemd[1]: PID file /var/opt/novell/eDirectory/data/ not readable (yet?) after start-post.
Jun 11 13:25:40 systemd[1]: Failed to start eDirectory service for /etc/opt/novell/eDirectory/conf/env.
Jun 11 13:25:40 systemd[1]: Unit ndsdtmpl-etc-opt-novell-eDirectory-conf-nds.conf@-etc-opt-novell-eDirectory-conf-env.service e...d state.
Jun 11 13:25:40 systemd[1]: ndsdtmpl-etc-opt-novell-eDirectory-conf-nds.conf@-etc-opt-novell-eDirectory-conf-env.service failed

/var/opt/novell/eDirectory/log/ndsd.log shows:
Jun 11 13:24:39  Path of NetIQ eDirectory configuration file /etc/opt/novell/eDirectory/conf/nds.conf
Jun 11 13:24:39  NICI Initialization failed: -1471, Exiting...

The nici64 package shows as installed:
[root@RH76srv log]# rpm -qa | grep nici

The /var/opt/novell/nici directory is missing


The NICI key that was used at the creation of the dib is required to unwrap the dib.
There are also several components that require the nici key that was used when the database was created in order to function.

There are 2 options:
1.  If a backup of the nici directory exists, the nici64 package can be reinstalled and the UID specific nici directory restored from the backup
     -   From the eDirectory setup directory run:  rpm -ihv --force ./nici64<version>.rpm
     -   Change to the /var/opt/novell/nici directory which will now exist and rename the UID specific directory for the eDirectory instance.  For a root owned instance, this will be 0.  
     -   Copy the UID specific directory from the nici backup to the /var/opt/novell/nici directory maintaining permissions and subdirectories.  EX:  cp -Rp /backup/nici/0 /var/opt/novell/nici
     -   Run /var/opt/novell/nici/primenici64 to make sure nici initializes correctly
     -   Start eDirectory using ndsmanage

2.   If no backup of the nici directory exists, the dib can be opened in restricted mode in order to allow the eDirectory instance to be deconfigured and readded to the tree
    -  Modify the /etc/opt/novell/eDirectory/conf/env file for systemd platforms (RH 7.X / SLES 12.X) or the /opt/novell/eDirectory/sbin/pre_ndsd_start file for initd platforms (RH 6.X / SLES 11.X) and add the following line for systemd platforms:  
or the following line for initd platforms:
    -  Start eDirectory instance using ndsmanage
    -  Use ndsmanage to deconfigure the eDirectory instance
    -  Delete any remaining server specific objects (typically certificates and SAS object) using iManager
    -  Reconfigure the eDirectory instance back into the tree


The uninstall removed all the IDM packages and also removed the /var/opt/novell/nici directory.

nici is used to wrap the eDirectory database and eDirectory can't initialize the dib if nici is missing


Reported to Engineering