

Ask the Experts
eDirectory Cool Solutions Q&A Collection
·Problems importing VeriSign certificates 12/21/2004
·Minimum rights to set user space restrictions 12/21/2004
·Problems with in-place upgrade 12/21/2004
·Adding the class to all user accounts 12/21/2004
·LDIF filtering in ConsoleOne 12/21/2004
·Need for contextless login 12/21/2004
·CheckPoint and eDirLdap 12/21/2004
·Seeing other servers in a tree 12/21/2004

 

Problems importing VeriSign certificates

Question: I am trying to import a VeriSign cert using the steps in TID 10089761. When I paste in the cert and click I get the following error:
"Failed to store the public key certificate into the object VeriSignCert - FS1.Seattle Return error code is -1,227. A link within the certificate chain in a Server Certificate Object (AKA KMO) is missing is missing or is invalid."

It seems like a battle between "Trusted root" and VeriSign's "Intermediate CA" - anybody have any thoughts?

Answer: Did you look at TID 10055757 and follow the steps there? That TID seems to describe your problem exactly, so I think it'd be worth a shot.


Minimum rights to set user space restrictions

Question: What are the minimum eDirectory rights (on Server and Volume objects) to change user space restrictions on a volume?

Answer: TFS: Supervisor to the volume; NSS: Supervisor to the server.


Problems with in-place upgrade

Question: I'm trying to do an in-place upgrade from eDirectory 8.71 to 8.73 on NW 5.1 (SP7) via NWCONFIG (install product not listed). I begin the file copy and everything is normal so far. I have 2.82 GB free on SYS, so it's not like I'm running out of disk space. The file copy stops with: "an error occurred: Select an action:" I get 4 options, which are: 1) Retry copy 2) Force reconnect and try copy again 3) Skip file and copy next file 4) Abort copying. The only option that works is to abort, and then I'm back to square one. I've remmed out everything in autoexec except bare essentials before starting the upgrade. I've run DSRepair and DS Health looks fine. I'm using JVM 1.31, which is current enough. What could be wrong? I did this same in-place upgrade on my two NW 6.5 servers, no problem.

Answer: Maybe the install files are corrupted, or the CD is scratched. If this suggestion doesn't work, download purge_nw.exe and run that against the server. Also go into Monitor - Server Parameters - NCP and set Client File Caching = Off, and set Level 2 OpLocks Enabled = Off.


Adding the class to all user accounts

Question: How do you add the class to all your existing user accounts? We are adding classes for MacOSX Home Directory attributes to all our users, and I am trying to find the best way to update all the current user accounts (about 30,000). We have an SQL Database that has all the User info in it, and we are currently using JRBUtils to create/modify user objects via scripts. However, I now need to extend all the user objects that are currently there and extend any new accounts we create and push through the new fields and values to each user. How are other people doing this?

Answer: Export all users via LDAP. You just need the DN attribute. Search and replace, or use your favorite text hacking tool(s) to add these lines after each DN in the file (the changetype line tells the importer this is a modify of an existing entry rather than a new add, and the "-" closes the modification):

changetype: modify
add: objectclass
objectclass: MyAuxClass (or whatever your name is)
-


so that you have blocks like this, separated by blank lines:

dn: cn=user1,ou=something,ou=home,o=blah
changetype: modify
add: objectclass
objectclass: MyAuxClass
-

dn: cn=user2,ou=something,ou=home,o=blah
changetype: modify
add: objectclass
objectclass: MyAuxClass
-

Then import the resulting LDIF file.
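The "text hacking" step above done as a script, added here as an example and not part of the original answer: it reads the DNs out of the LDAP export (handling folded lines and base64 "dn::" values, which a 30,000-user export will contain), skips users that already carry the class so a re-run does not error out, and writes the modify records. The export text is constructed; MyAuxClass is the answer's placeholder class name.

```python
import base64

# Constructed sample export (no real tree): a plain DN, a base64 DN ("dn::") and
# a folded DN whose entry already carries the auxiliary class.
SAMPLE_EXPORT = """dn: cn=user1,ou=something,ou=home,o=blah
objectClass: inetOrgPerson

dn:: Y249dXNlcjIsb3U9c29tZXRoaW5nLG91PWhvbWUsbz1ibGFo
objectClass: inetOrgPerson

dn: cn=user3,ou=something,ou=home,
 o=blah
objectClass: inetOrgPerson
objectClass: MyAuxClass
"""

def parse_entries(ldif_text):
    # Yield (dn, {attr_lowercase: [values]}) per record; unfolds continuation
    # lines (leading space), decodes "attr:: base64" and drops '#' comments.
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines + [""]:            # trailing "" flushes the last record
        if line.strip() == "":
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)

def make_aux_class_ldif(export_text, aux_class):
    # One modify record per user not already carrying aux_class, so a re-run of
    # the import does not stop on "attribute or value exists" errors.
    records = []
    for dn, attrs in parse_entries(export_text):
        present = {v.lower() for v in attrs.get("objectclass", [])}
        if aux_class.lower() not in present:
            records.append(f"dn: {dn}\nchangetype: modify\nadd: objectClass\n"
                           f"objectClass: {aux_class}\n-\n")
    return "\n".join(records)
```

Feed the real export in place of SAMPLE_EXPORT and write the returned string to a file for the import tool.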


LDIF filtering in ConsoleOne

Question: I need a way to export user information from a database. All I need is the first name, last name and e-mail address. I am trying to do an LDIF export through ConsoleOne but I am clueless. I can do an all-user-attributes export, but that is just a mess. I don't know how to filter it so that I just get the needed information. Can anyone help?

Answer: Go to the screen "Set Search Criteria" in ConsoleOne. On the "Filter" tab, fill in "objectclass = user". In the Attribute List, add attributes such as givenName, fullName, mail and sn.


Need for contextless login

Question: We have three divisions, connected via VPN, in the same Tree but different containers. Bill's user object is in CITY-1. When he logs in (in City 1) he logs in in the CITY-1 context and executes the system login script. But he also needs, from time to time, to connect to a Terminal Server in City 3 and log in through its Novell client and execute City 3's system login script (in the CITY-3 context for the Terminal Server session). I don't want to create duplicate user objects in both containers, because unexpected results occur when user objects are not unique. Is there a relatively simple way I can achieve this, without creating two different user objects for the same user?

Answer: Google for "contextless login" and you'll find lots of possibilities. You can also install the Novell Client 4.9 and configure LDAP-based contextless login.


CheckPoint and eDirLdap

Question: Anyone know where to find a good writeup or book on setting up CheckPoint to authenticate users with eDir/Ldap?

Answer: If you do a search in the Knowledgebase for "checkpoint ldap" you can find these TIDs ...
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080213.htm
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10085544.htm
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2956074.htm



Seeing other servers in a tree

Question: In a tree, must all servers be able to see or have full access to all other servers in that tree?

Answer: No, but all servers in the same partition must. Or even more precisely, with current eDirectory versions, at the very least the master of one partition must be able to communicate with all servers having a replica of that partition and vice versa.

CORRECTION from NTS: "All servers in the tree must be able to communicate with each other. The entire external reference/backlink process relies on it. For example, eDirectory still needs to be able to handle the situation where a file system trustee is created on a server without a replica of the trustee being assigned. In this case, an external reference is added to that server, and the backlink list for the trustee is updated on replicas of the "real" object.

Without all servers being able to communicate, you can get stuck obituaries (moves, renames, deletes), as all references to an object must be notified of this process (listed in the backlink list). If the server holding the external reference cannot contact a given server holding replicas, the obituary process will wait (forever) for this server to acknowledge and process the obituary."