IDM 4.7 uninstall deletes nici directory causing eDirectory to no longer start

  • 7023926
  • 11-Jun-2019
  • 11-Jun-2019

Environment

eDirectory 9.X
Identity Manager 4.7

Situation

IDM 4.7 install.sh was run to install the IDM engine into an existing Identity vault.
The Advanced edition was installed instead of Standard.
uninstall.sh was then run to remove the IDM engine, choosing to leave the Identity vault installed and configured.

ndsmanage fails to start the eDirectory instance with the following error:

Starting NetIQ eDirectory server...
Job for ndsdtmpl-etc-opt-novell-eDirectory-conf-nds.conf@-etc-opt-novell-eDirectory-conf-env.service failed because a configured resource limit was exceeded. See "systemctl status ndsdtmpl-etc-opt-novell-eDirectory-conf-nds.conf@-etc-opt-novell-eDirectory-conf-env.service" and "journalctl -xe" for details.

systemctl shows the following status:
[root@RH76srv novell]# systemctl status ndsdtmpl-etc-opt-novell-eDirectory-conf-nds.conf@-etc-opt-novell-eDirectory-conf-env.service 
● ndsdtmpl-etc-opt-novell-eDirectory-conf-nds.conf@-etc-opt-novell-eDirectory-conf-env.service - eDirectory service for /etc/opt/novell/eDirectory/conf/env
   Loaded: loaded (/usr/lib/systemd/system/ndsdtmpl-etc-opt-novell-eDirectory-conf-nds.conf@.service; enabled; vendor preset: disabled)
   Active: failed (Result: resources) since Tue 2019-06-11 13:25:40 EDT; 4min 57s ago
  Process: 71935 ExecStopPost=//opt/novell/eDirectory/sbin/post_ndsd_stop_factory (code=exited, status=0/SUCCESS)
  Process: 71932 ExecStopPost=//opt/novell/eDirectory/sbin/post_ndsd_stop_custom (code=exited, status=0/SUCCESS)
  Process: 71587 ExecStartPost=//opt/novell/eDirectory/sbin/post_ndsd_start_factory (code=exited, status=0/SUCCESS)
  Process: 71586 ExecStartPost=//opt/novell/eDirectory/sbin/post_ndsd_start_custom (code=exited, status=0/SUCCESS)
  Process: 71582 ExecStart=/opt/novell/eDirectory/sbin/ndsdwrapper (code=exited, status=0/SUCCESS)
  Process: 71578 ExecStartPre=//opt/novell/eDirectory/sbin/pre_ndsd_start_factory (code=exited, status=0/SUCCESS)
  Process: 71576 ExecStartPre=//opt/novell/eDirectory/sbin/pre_ndsd_start_custom (code=exited, status=0/SUCCESS)

Jun 11 13:25:36 RH76srv.lab.novell.com post_ndsd_start_factory[71587]: /opt/novell/eDirectory/sbin/nldap_check: line 136: 71906 Aborted                 ...l 2>&1
Jun 11 13:25:37 RH76srv.lab.novell.com post_ndsd_start_factory[71587]: /opt/novell/eDirectory/sbin/nldap_check: line 136: 71911 Aborted                 ...l 2>&1
Jun 11 13:25:38 RH76srv.lab.novell.com post_ndsd_start_factory[71587]: /opt/novell/eDirectory/sbin/nldap_check: line 136: 71916 Aborted                 ...l 2>&1
Jun 11 13:25:39 RH76srv.lab.novell.com post_ndsd_start_factory[71587]: /opt/novell/eDirectory/sbin/nldap_check: line 136: 71921 Aborted                 ...l 2>&1
Jun 11 13:25:40 RH76srv.lab.novell.com post_ndsd_start_factory[71587]: /opt/novell/eDirectory/sbin/nldap_check: line 136: 71929 Aborted                 ...l 2>&1
Jun 11 13:25:40 RH76srv.lab.novell.com post_ndsd_start_factory[71587]: NetIQ eDirectory LDAP Server is not listening on the TLS port.
Jun 11 13:25:40 RH76srv.lab.novell.com systemd[1]: PID file /var/opt/novell/eDirectory/data/ndsd.pid not readable (yet?) after start-post.
Jun 11 13:25:40 RH76srv.lab.novell.com systemd[1]: Failed to start eDirectory service for /etc/opt/novell/eDirectory/conf/env.
Jun 11 13:25:40 RH76srv.lab.novell.com systemd[1]: Unit ndsdtmpl-etc-opt-novell-eDirectory-conf-nds.conf@-etc-opt-novell-eDirectory-conf-env.service e...d state.
Jun 11 13:25:40 RH76srv.lab.novell.com systemd[1]: ndsdtmpl-etc-opt-novell-eDirectory-conf-nds.conf@-etc-opt-novell-eDirectory-conf-env.service failed

/var/opt/novell/eDirectory/log/ndsd.log shows:
Jun 11 13:24:39  Path of NetIQ eDirectory configuration file /etc/opt/novell/eDirectory/conf/nds.conf
Jun 11 13:24:39  NICI Initialization failed: -1471, Exiting...

The nici64 package shows as installed:
[root@RH76srv log]# rpm -qa | grep nici
nici64-3.1.0-1.x86_64

The /var/opt/novell/nici directory is missing even though the package is installed.

Resolution

The NICI key that was in use when the dib was created is required to unwrap the dib.
Several other components also require the NICI key that was in use when the database was created in order to function.

There are two options:
1.  If a backup of the nici directory exists, reinstall the nici64 package and restore the UID-specific nici directory from the backup:
     -   From the eDirectory setup directory run:  rpm -ihv --force ./nici64<version>.rpm
     -   Change to the /var/opt/novell/nici directory, which will now exist, and rename the UID-specific directory for the eDirectory instance.  For a root-owned instance, this is 0.
     -   Copy the UID-specific directory from the nici backup into /var/opt/novell/nici, preserving permissions and subdirectories.  EX:  cp -Rp /backup/nici/0 /var/opt/novell/nici
     -   Run /var/opt/novell/nici/primenici64 to make sure nici initializes correctly.
     -   Start eDirectory using ndsmanage.

2.   If no backup of the nici directory exists, the dib can be opened in restricted mode so that the eDirectory instance can be deconfigured and re-added to the tree:
    -  Modify the /etc/opt/novell/eDirectory/conf/env file on systemd platforms (RH 7.X / SLES 12.X) or the /opt/novell/eDirectory/sbin/pre_ndsd_start file on initd platforms (RH 6.X / SLES 11.X). On systemd platforms add the following line:
RESTRICTED_MODE=Y
On initd platforms add the following line instead:
export RESTRICTED_MODE=Y
    -  Start the eDirectory instance using ndsmanage.
    -  Use ndsmanage to deconfigure the eDirectory instance.
    -  Delete any remaining server-specific objects (typically certificates and the SAS object) using iManager.
    -  Reconfigure the eDirectory instance back into the tree.
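The following shell helpers are an example added to this TID; they are not part of the eDirectory or Identity Manager products. They script the file-level parts of both options above: detecting the state described in the Situation (nici64 package installed, UID-specific key directory gone), taking a backup of the /var/opt/novell/nici/<uid> directory before an install or uninstall and restoring it with cp -Rp as option 1 does, and adding the RESTRICTED_MODE line for option 2 without duplicating it. The default paths are the ones named in this TID; the nici_recovery.sh file name, the function names and the ".pre-restore.<timestamp>" suffix used when moving the freshly created directory aside are assumptions of this example. The rpm reinstall, primenici64 and ndsmanage steps are deliberately left to the operator, since they have to run on the real server.

```shell
#!/bin/sh
# Added example, not part of the TID: file-level helpers for the two recovery
# options. Default paths are the ones named in the TID; function names and the
# ".pre-restore.<timestamp>" suffix are assumptions of this example.

# Report the state of the per-UID NICI key directory. Prints one of
# "present", "missing-uid-dir" (what rpm -ihv leaves behind, or a partially
# deleted tree) or "missing-root" (the state after the IDM 4.7 uninstall in
# this TID). Always returns 0 so it is safe to call under set -e.
nici_state() {
    ns_root=${1:-/var/opt/novell/nici}
    ns_uid=${2:-0}
    if [ ! -d "$ns_root" ]; then
        echo "missing-root"
    elif [ ! -d "$ns_root/$ns_uid" ]; then
        echo "missing-uid-dir"
    else
        echo "present"
    fi
}

# Back up the UID-specific NICI directory (take this BEFORE running
# install.sh / uninstall.sh). cp -Rp keeps ownership, modes and subdirectories,
# which the key material needs. Refuses to overwrite an existing backup so a
# good copy is never clobbered by one taken after the damage.
backup_nici_dir() {
    bn_root=${1:-/var/opt/novell/nici}
    bn_uid=${2:-0}
    bn_dest=${3:?backup destination directory required}
    if [ ! -d "$bn_root/$bn_uid" ]; then
        echo "no NICI directory for uid $bn_uid under $bn_root" >&2
        return 1
    fi
    if [ -e "$bn_dest/$bn_uid" ]; then
        echo "backup $bn_dest/$bn_uid already exists, not overwriting" >&2
        return 1
    fi
    mkdir -p "$bn_dest"
    cp -Rp "$bn_root/$bn_uid" "$bn_dest/" || return 1
    echo "$bn_dest/$bn_uid"
}

# Option 1, steps 2 and 3: after "rpm -ihv --force nici64<version>.rpm" has
# recreated /var/opt/novell/nici, move the freshly created UID directory aside
# and copy the backed-up one into place, again with cp -Rp.
restore_nici_dir() {
    rn_root=${1:-/var/opt/novell/nici}
    rn_uid=${2:-0}
    rn_src=${3:?backup source directory required}
    if [ ! -d "$rn_src/$rn_uid" ]; then
        echo "no backup for uid $rn_uid under $rn_src" >&2
        return 1
    fi
    mkdir -p "$rn_root"
    if [ -d "$rn_root/$rn_uid" ]; then
        mv "$rn_root/$rn_uid" "$rn_root/$rn_uid.pre-restore.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    cp -Rp "$rn_src/$rn_uid" "$rn_root/" || return 1
    echo "$rn_root/$rn_uid"
}

# Option 2, step 1: add the RESTRICTED_MODE line to the env file (systemd
# platforms) or to pre_ndsd_start (initd platforms). grep -x matches the whole
# line, so running this twice never appends a duplicate.
enable_restricted_mode() {
    er_target=${1:?env or pre_ndsd_start file required}
    er_platform=${2:-systemd}
    case "$er_platform" in
        systemd) er_line='RESTRICTED_MODE=Y' ;;
        initd)   er_line='export RESTRICTED_MODE=Y' ;;
        *) echo "unknown platform: $er_platform (use systemd or initd)" >&2; return 1 ;;
    esac
    if grep -qx "$er_line" "$er_target" 2>/dev/null; then
        echo "already set"
    else
        printf '%s\n' "$er_line" >> "$er_target" || return 1
        echo "added"
    fi
}

# Command-line front end, e.g.
#   sh nici_recovery.sh state /var/opt/novell/nici 0
#   sh nici_recovery.sh backup /var/opt/novell/nici 0 /backup/nici
#   sh nici_recovery.sh restore /var/opt/novell/nici 0 /backup/nici
#   sh nici_recovery.sh restricted /etc/opt/novell/eDirectory/conf/env systemd
case "${1:-}" in
    state)      shift; nici_state "$@" ;;
    backup)     shift; backup_nici_dir "$@" ;;
    restore)    shift; restore_nici_dir "$@" ;;
    restricted) shift; enable_restricted_mode "$@" ;;
esac
```

Run the state check against the live /var/opt/novell/nici before touching anything: "missing-root" with nici64 still listed by rpm -qa is exactly the condition this TID describes, and it tells you whether you are in option 1 (a backup exists) or option 2 territory. The restore step keeps the directory that the rpm reinstall created rather than deleting it, so a mistaken restore can be reversed.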

Cause

The uninstall removed all the IDM packages and also removed the /var/opt/novell/nici directory.

nici is used to wrap the eDirectory database, so eDirectory cannot initialize the dib if the nici key directory is missing.



Status

Reported to Engineering