This section includes information for troubleshooting eDirectory on Linux, Solaris, AIX, and HP-UX platforms.
Repeated eDirectory logins can use up the available memory. Disable the Login Update attribute using ndsimonitor to overcome this problem.
If PKI operations in ConsoleOne or iManager are not working, it could be because Novell PKI Services are not running on the Linux, Solaris, AIX, or HP-UX host. Start the PKI Services by entering npki -l.
If you cannot create certificates, you need to ensure that the NICI module has been properly installed. See Initializing the NICI Module on the Server. To verify if NICI is initialized, see Verifying Whether NICI Is Installed and Initialized on the Server.
If you are using an export version of the Netscape browser and a KMO key size larger than 512 bits associated with the LDAP Server object, the LDAP search from the Netscape Address Book might fail.
Use a domestic version of the Netscape browser in such cases.
To complete the operation, change the Key Server DN attribute in the W0 object under Security Container > KAP to another server in the tree that has downloaded the treekey from this server.
In Novell iManager, click the Roles and Tasks button.
Click eDirectory Administration > Modify Object.
Specify the name and context of the W0 object (usually W0.KAP.Security), then click OK.
In the Valued Attributes column, select NDSPKI:SD Key Server DN, then click Edit.
Specify the name and context of a different server in the Security Domain Key Server's DN field, then click OK.
Click Apply, then click OK.
You should re-create the CA and KMOs for the tree. See Creating an Organizational Certificate Authority Object and Creating a Server Certificate Object for more information.
We recommend that you do not uninstall the eDirectory server where the CA for the tree has been created.
This section identifies some common problems you might experience with LDAP Services for eDirectory and how to solve them.
Ensure that the LDAP server is up before issuing a request from an LDAP client. To do so, look for the following message in the /var/nds/ndsd.log:
LDAP v3 for Novell eDirectory 8.7.3 started
For more information, see Configuring LDAP Services for Novell eDirectory.
If an LDAP client cannot bind to LDAP Services for eDirectory, check the following:
Processing LDAP server configuration updates can be affected by currently bound LDAP clients.
Configuration changes are updated dynamically. The LDAP server checks for configuration changes periodically (every 30 minutes). When a change is detected, new clients cannot bind to the LDAP server during the reconfiguration process.
The LDAP server stops processing new LDAP requests for any clients currently bound and waits for any active LDAP requests to complete before updating the configuration.
LDAP operations fail when a tree is renamed using the ndsmerge utility. To work properly, the LDAP server must be refreshed or restarted after a tree is renamed.
Ensure the following:
For more information, see Ensuring Secure eDirectory Operations on Linux, Solaris, AIX, and HP-UX Systems.
If an LDAP server is refreshed or unloaded while a Novell Import Conversion Export operation is running, the message "LBURP operation is timed out" is displayed on the Novell Import Conversion Export screen. The server recovers later, when the LBURP operation times out.
The PKI servers are not active after a merge operation. They must be restarted using the npki -l command.
Merge operations might not be successful on different versions of the product. If your server is running an older version of NDS or eDirectory, update to the latest version of eDirectory, then continue the merge operations.
The merging of two trees will not succeed if containers with similar names subordinate to a tree are present in both the source and target trees. Rename one of the containers, then continue with the merge operation.
During the graft operation, error message -611 Illegal Containment might appear. Modify the schema by running ndsrepair(1). Then run ndsrepair -S and select Optional Schema Enhancements.
When you turn on the ndstrace(1) screen, an error message might display indicating that a primary object is invalid for the reference link. You can ignore this message if eDirectory is functioning correctly.
While backing up eDirectory, the message "NDS Error: Connect to NDS server failed" might be displayed. This might be caused by eDirectory listening on a port other than the default port 524. At the command line, enter the port number that eDirectory was configured on. For example, if eDirectory is configured on port number 1524, enter the following:
ndsbackup sR 164.99.148.82:1524
Unable to bind to SLP Multicast Address. Multicast route not added?
This message is displayed if the Linux or Solaris machine is not configured for a multicast route address.
Add the multicast route address and restart the slpuasa daemon.
Set the n4u.base.slp.max-wait parameter to a larger value, such as 50, in the /etc/nds.conf file, then restart the installation process.
For more information, see "Installing or Upgrading Novell eDirectory on NetWare" in the Novell eDirectory 8.7.3 Installation Guide.
Delete the /var/nds/.n4s_upgrade file and try the installation again.
When you are installing eDirectory into an existing tree and the installation takes a long time to complete, look at the DSTrace screen on the server. If the -625 Transport failure message is displayed, you need to reset the address cache.
To reset the address cache, enter the following command at the system console:
set dstrace = *A
You need a NetWare 5 or later server to install eDirectory on a Linux or Solaris system over the WAN.
Enter the following command at the server console to run the Directory Agent (DA) on the NetWare server:
slpda
On the server containing the master replica, edit the DA_ADDR parameter in slpuasa.conf:
DA_ADDR = IP_address_of_the_NetWare_server_where_the_DA_is_running
Restart the slpuasa daemon.
Install eDirectory over the WAN on the Linux or Solaris system.
Run nds-install to add the product packages.
Do not configure the product. See "Linux, Solaris, and AIX Packages for Novell eDirectory" in the Novell eDirectory 8.7.3 Installation Guide for more information.
Edit the /etc/nds.conf file and add the following parameters:
n4u.uam.ncp-retries = 5
n4u.base.slp.max-wait = 20
Edit the /etc/slpuasa.conf to add the following parameter:
DA_ADDR = IP_address_of_the_NetWare_server_where_the_DA_is_running
Run ndsconfig to configure eDirectory.
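The nds.conf and slpuasa.conf edits above (and the n4u.base.slp.max-wait increase suggested earlier for a stalled installation) are easy to get wrong by hand, leaving two lines for the same key. The following is an added example, not part of the eDirectory documentation: a small POSIX sh helper that sets a "key = value" parameter idempotently (replacing an existing assignment or appending one), plus a wrapper that applies the WAN-install values from this procedure. The file paths default to the ones named on this page; the DA address is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the eDirectory docs): idempotent "key = value"
# editing for /etc/nds.conf and /etc/slpuasa.conf style files.

# set_conf_param FILE KEY VALUE
# Rewrites the first non-comment "KEY = ..." line, drops any duplicate
# assignments of KEY, and appends "KEY = VALUE" if KEY was absent.
set_conf_param() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            n = split(line, kv, "=")
            name = kv[1]
            gsub(/^[ \t]+|[ \t]+$/, "", name)      # trim whitespace
            if (n > 1 && name == k && line !~ /^[ \t]*#/) {
                if (!done) { print k " = " v; done = 1 }
                next                                # drop duplicates
            }
            print line
        }
        END { if (!done) print k " = " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_conf_param FILE KEY
# Prints the effective value of KEY (last non-comment assignment wins).
get_conf_param() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        {
            n = split($0, kv, "=")
            name = kv[1]
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (n > 1 && name == k) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                found = val
            }
        }
        END { print found }
    ' "$1"
}

# prepare_wan_install [NDS_CONF] [SLPUASA_CONF] DA_ADDRESS
# Applies the values from the WAN installation procedure on this page.
prepare_wan_install() {
    nds_conf=${1:-/etc/nds.conf} slp_conf=${2:-/etc/slpuasa.conf} da=$3
    [ -n "$da" ] || { echo "DA address required" >&2; return 1; }
    set_conf_param "$nds_conf" n4u.uam.ncp-retries 5 &&
    set_conf_param "$nds_conf" n4u.base.slp.max-wait 20 &&
    set_conf_param "$slp_conf" DA_ADDR "$da"
}
```

Run it against copies of the files first; get_conf_param lets you confirm the effective value before restarting slpuasa or running ndsconfig.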
This section consists of the following:
Use the ndsrepair utility at the server console to do the following:
To run ndsrepair, use the following syntax:
ndsrepair {-U| -P| -S| -C| -E| -N| -T| -J entry_id}
[-A yes|no] [-O yes|no] [-F filename] [-Ad]
or
ndsrepair -R [-l yes|no [-u yes|no] [-m yes|no] [-i yes|no] [-f yes|no] [-d yes|no] [-t yes|no] [-o yes|no] [-r yes|no] [-v yes|no] [-c yes|no] [-A yes|no] [-O yes|no] [-F filename]
IMPORTANT: The -Ad option should not be used without prior direction from Novell Support personnel.
Option | Description |
---|---|
-U | Unattended Full Repair option. Instructs ndsrepair to run and exit without further user intervention. This is the suggested means of repair unless you are told by Novell Support to perform certain operations manually. You can view the log file after the repair has completed to determine what changes ndsrepair has made. |
-P | Replica and Partition Operations option. Lists the partitions that have replicas stored in the current server's eDirectory database files. The Replica options menu provides options to repair replicas, cancel a partition operation, schedule synchronization, and designate the local replica as the master replica. For more information, see Replica and Partition Operations Option. |
-S | Global Schema Operations option. This option contains several schema operations that might be necessary to bring the server's schema into compliance with the master of the Tree object. However, these operations should be used only when necessary. The local and unattended repair operations already verify the schema. |
-C | Check External Reference Object option. Checks each external reference object to determine if a replica containing the object can be located. If all servers that contain a replica of the partition with the object are inaccessible, the object will not be found. If the object cannot be found, a warning is posted. |
-E | Report Replica Synchronization option. Reports replica synchronization status for every partition that has a replica on the current server. This operation reads the synchronization status attribute from the replica's Tree object on each server that holds replicas of the partitions. It displays the time of the last successful synchronization to all servers and any errors that have occurred since the last synchronization. A warning message is displayed if synchronization has not completed within 12 hours. |
-N | Servers Known to This Database option. Lists all servers known to the local eDirectory database. If your current server contains a replica of the Tree partition, this server displays a list of all servers in the eDirectory tree. Select one server to cause the server options to be executed. |
-J | Repairs a single object on the local server. You will need to provide the Entry ID (in hexadecimal format) of the object you want to repair. You can use this option instead of using the Unattended Repair (-U) option to repair one particular object that is corrupted. The Unattended Repair option can take many hours depending on the size of the database. This option will help you save time. |
-T | Time Synchronization option. Contacts every server known to the local eDirectory database and requests information about each server's time synchronization status. If this server contains a replica of the Tree partition, then every server in the eDirectory tree will be polled. The version of eDirectory that is running on each server is also reported. |
-A | Append to the existing log file. The information is added to the existing log file. By default, this option is enabled. |
-O | Logs the output in a file. By default, this option is enabled. |
-F filename | Logs the output in the specified file. |
-R | Repair the Local Database option. Repairs the local eDirectory database. Use the repair operation to resolve inconsistencies in the local database so that it can be opened and accessed by eDirectory. This option has suboptions that facilitate repair operations on the database. It has function modifiers which are explained in Function Modifiers Used with the -R Option. |
You can use the ndsrepair -S ([-Ad] advanced switch) option to display a list showing all the schema operations that you can perform. The following table shows the available options.
Enter the following command to display information about each replica stored on the server:
ndsrepair -P
Select the required replica. The following options are displayed:
Repairs all replicas displayed in the replica table.
Repairs only the selected replica listed in the replica table.
IMPORTANT: Repairing a replica consists of checking each object in the replica for consistency with the schema and data according to the syntax of the attribute. Other internal data structures associated with the replica are also checked. If you have not repaired the local eDirectory database in the last 30 minutes, you should do so before repairing any replicas.
Schedules the immediate synchronization of all the replicas. This is useful if you are viewing the ndstrace screen and want to view eDirectory information for the synchronization process without having to wait for it to run as normally scheduled.
Cancels a partition operation on the selected partition. This option might be necessary if an operation appears to be incomplete or is not completing due to problems in the eDirectory tree, such as a missing server or bad communication links. Some operations might not be cancelled if they have progressed too far.
Designates the local replica of the selected partition as the new master replica. Use this option to designate a new master replica if the original master replica is lost.
Reports replica synchronization status of all partitions on the current server. It displays the time of the last successful synchronization to all servers and any errors that have occurred since the last synchronization.
Determines the complete synchronization status on every server that has a replica of the selected partition. This helps you determine the health of a partition. If all of the servers with a replica of the partition are synchronizing properly, then the partition is considered healthy. Each server performs an immediate synchronization to every other server in the replica ring. Servers do not synchronize to themselves. Therefore, the status for the current server's own replicas is displayed as Host.
Repairs the replica ring of all the replicas displayed in the replica table.
Repairs the replica ring of selected replica listed in the replica table.
IMPORTANT: Repairing a replica ring consists of checking the replica ring information on each server that contains a replica of a given partition and validating remote ID information. If you have not repaired the local eDirectory database in the last 30 minutes, you should do so before repairing all or selected rings. You can repair the local database using the -R option. For more information, see .
Displays a list of all servers that contain a replica of the selected partition. This set of servers is called the replica ring. The replica ring list shows information about the type of replica and current status for each server in the ring. Select a server after viewing the replica ring to view server options.
Reports replica synchronization status for a selected partition that has a replica on a selected server. This operation reads the synchronization status attribute from the replica root object on each server that holds replicas of the partitions. It displays the time of the last successful synchronization to all servers and any errors that have occurred since the last synchronization. This option displays a warning message if synchronization has not completed within 12 hours.
Determines the complete synchronization status on the selected server that has a replica of the selected partition. This helps you determine the health of a partition. If the server with a replica on the partition is synchronizing properly, the partition is considered healthy. The server is immediately synchronized to every other server in the replica ring. The server does not synchronize with itself. Therefore, the status for the current server's own replica is displayed as Host.
Sends all objects from the selected server in the replica ring to all other servers that contain a replica of the partition. This operation can generate a lot of network traffic. Use this option to ensure that the selected partition's replica on the selected server in the replica ring is synchronized with all other servers in the replica ring. This operation cannot be performed on a server that contains only a subordinate reference replica of the partition.
Receives all objects from the master replica to the replica on the selected servers. This operation can generate a lot of network traffic. Use this option to ensure that the selected partition's replica on the selected server in the replica ring is synchronized with the master replica. This operation cannot be performed on a server that contains only a master replica.
Used to view the complete server name when the width of the server name is too long to view from within the server table.
(Advanced switch option.) Removes a selected server from the selected replica stored on the current server. If a server appears in the replica ring but it is no longer part of the eDirectory tree or no longer contains a replica of the partition, delete the Server object using iManager. When the Server object has been deleted, the object should eventually be excluded from the replica ring.
WARNING: Misuse of this operation can cause irrevocable damage to the eDirectory database. You should not use this option unless directed by Novell Support personnel.
Determines the complete distinguished partition name when the width of the partition is too great to view from within the replica table.
(Advanced switch option.) Provides a new point of reference to the master replica so that all updates to replicas of the selected partition are current. This operation is always performed on the master replica of a partition. The master replica does not need to be in the local replica on this server. Time stamps are placed on objects when they are created or modified and they must be unique. All time stamps in a master replica are examined. If any time stamps are post-dated to the current network time, they are replaced with a new time stamp.
(Advanced switch option.) Removes the selected replica on this server. Using this option is not recommended. Use this option only when all other utilities are unable to delete the replica.
(Advanced switch option.) Deletes all objects in the local eDirectory database that have the unknown object class and maintain no subordinate objects. This option marks Unknown objects for deletion. The deletion will later be synchronized to other replicas in the eDirectory tree.
WARNING: Use this option only when the objects cannot be modified or deleted using ConsoleOne or iManager.
The following repair options are available for servers:
Checks the network address for every server in the local eDirectory database. This option searches the SLP directory agent, depending on the transport protocol available, for each server's name. Each address is then compared to the Server object's network address property and the address record of each replica property of every partition Tree object. If the addresses are different, they are updated to be the same.
Checks the network address for a specific server in the local eDirectory database files. This option searches the SLP directory agent, depending on the transport protocols currently bound for the server's name.
Displays the complete name of the server when the width of the server name is too great to view from within the server's table. This option is the same as the -P option. For more information, see .
To perform an unattended repair and log events in the /root/ndsrepair.log file, or to append events to the log file if it already exists, enter the following command:
ndsrepair -U -A no -F /root/ndsrepair.log
To display a list of all global schema operations along with the advanced options, enter the following command:
ndsrepair -S -Ad
To repair the local database by forcing a database lock, enter the following command:
ndsrepair -R -l yes
NOTE: The input for the ndsrepair command can be redirected from an option file. The option file is a text file that can contain replica and partition operation-related options and suboptions that do not require authentication to the server. Each option or suboption is separated by a new line. Make sure that the contents of the file are in the proper sequence. If the contents are not in the proper sequence, the results will be unpredictable.
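The replica and replica-ring repair options above both carry the same precondition: the local database should have been repaired (ndsrepair -R) within the last 30 minutes. The following is an added example, not part of the eDirectory documentation, that enforces that ordering before handing off to the replica operations. It assumes the log path from the examples above (/root/ndsrepair.log), treats the log file's modification time as the record of the last local repair, and invokes the utility through $NDSREPAIR so the guard logic can be exercised without a live server.

```shell
#!/bin/sh
# Added example (not from the eDirectory docs): run the local database
# repair first, but only if the last one is older than 30 minutes, then
# proceed to the replica and partition operations (ndsrepair -P).
NDSREPAIR=${NDSREPAIR:-ndsrepair}               # override for testing
REPAIR_LOG=${REPAIR_LOG:-/root/ndsrepair.log}   # assumption: log = last repair
MAX_AGE_MIN=30                                  # limit stated in the docs

# local_repair_is_fresh FILE: succeed if FILE changed less than MAX_AGE_MIN ago
local_repair_is_fresh() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -mmin "-$MAX_AGE_MIN" 2>/dev/null)" ]
}

# ensure_local_repair: run "ndsrepair -R" only when no fresh repair exists;
# the log is overwritten (-A no) so its mtime marks this repair run.
ensure_local_repair() {
    if local_repair_is_fresh "$REPAIR_LOG"; then
        echo "local repair within last ${MAX_AGE_MIN} min, skipping -R" >&2
        return 0
    fi
    "$NDSREPAIR" -R -A no -F "$REPAIR_LOG" || return 1
    local_repair_is_fresh "$REPAIR_LOG"   # fail if no log was produced
}

# repair_replicas: the safe order, local database first, then replica menu.
repair_replicas() {
    ensure_local_repair || return 1
    "$NDSREPAIR" -P
}
```

Source this file and call repair_replicas; with -P the replica menu is still interactive, so the option-file redirection described in the note above applies unchanged.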
The ndstrace utility has three main parts:
The basic functions of ndstrace are used to
To start the ndstrace screen, enter the following command at the server prompt:
/usr/bin/ndstrace
To initiate the basic ndstrace functions, enter commands at the server prompt using the following syntax:
set ndstrace = command_option
The following table lists the command options that you can enter.
When the ndstrace screen is enabled, the information displayed is based on a default set of filters. If you want to view more or less than the default, you can manipulate the filters using the debugging message flags. The debugging messages help you determine the status of eDirectory and verify that everything is working well.
Each eDirectory process has a set of debugging messages. To view the debugging messages on a particular process, use a plus sign (+) and the process name or option. To disable the display of a process, use a minus sign (-) and the process name or option. The following are some examples:
Message | Description |
---|---|
set ndstrace = +SYNC | Enables the synchronization messages. |
set ndstrace = -SYNC | Disables the synchronization messages. |
set ndstrace = +SCHEMA | Enables the schema messages. |
You can also combine the debugging message flags by using the Boolean operators & (which means AND) and | (which means OR). The syntax for controlling the debugging messages at the server console is as follows:
set ndstrace = +trace_flag [trace_flag]
or
set ndstrace = +trace_flag [&trace_flag]
The following table describes the trace flags for the debugging messages. You can enter abbreviations for each of the trace flags.
As you use the debugging messages in ndstrace, you will find that some of the trace flags are more useful than others. One of the favorite ndstrace settings of Novell Support is actually a shortcut:
set ndstrace = A81164B91
This setting enables a group of debugging messages.
In addition to the debugging messages, which help you check the status of eDirectory, there is a set of commands that force the eDirectory background processes to run. To force the background process to run, place an asterisk (*) before the command. For example:
set ndstrace = *H
You can also change the status, timing, and control for a few of the background processes. To change these values, place an exclamation point (!) before the command and enter a new parameter or value. For example:
set ndstrace = !H 15 (parameter_value_in_minutes)
The following is the syntax for each statement controlling the background processes of eDirectory:
set ndstrace = *trace_flag [parameter]
or
set ndstrace = !trace_flag [parameter]
The following table lists the trace flags for the background processes, any required parameters, and the process the trace flags will display.