Verifying That the LDAP Server Is Running

After the LDAP server is loaded, verify that it is running. Then verify that a device is listening.


Scenarios

Typically, the LDAP server runs as soon as it is loaded. However, either of two scenarios can prevent the server from running properly.

Scenario: The Server Is in a Zombie State. The LDAP server loads as long as the NetWare or DHost Loaders can resolve external dependencies. However, the LDAP server doesn't run properly until it can get a valid configuration from the two configuration objects (the LDAP Server and LDAP Group objects).

While the LDAP server is in a loaded-but-not-running (zombie) state, it periodically tries to find and read the configuration objects. If the objects are misconfigured or corrupted, the LDAP server stays in the zombie state until the server (nldap.nlm, nldap.dlm, libnldap.so, or libnldap.sl) is unloaded or taken down.

The Loaders show that the LDAP server is loaded, but no LDAP ports (389, 636) are opened by nldap.nlm (or nldap.dlm, libnldap.so, or libnldap.sl). Also, no LDAP client requests are serviced.

DSTrace messages will show the periodic attempts and the reason why the server cannot come up to the running state.

Scenario: Denial of Service. At Digital Airlines, the server is processing a very long (20 minutes or more) search operation. The search is, in effect, looking for a needle in a haystack.

During this search, Henri does one of the following:

The LDAP server waits until all current operations complete before applying any new update. The server also postpones new operations from running until the update is complete. This delay can cause the server to appear to stop responding to new requests until the search is done and the server can refresh itself, or to appear to hang during the unload.

If the search request is long but has many hits, and Henri unloads the LDAP server, the server aborts the search and quickly unloads when the next hit is returned to the client. However, if the search request has only one or no hits in 20 minutes, the LDAP server isn't able to abandon the NDS® or eDirectory request in progress.

For a refresh or update, the search will not be aborted even if it has many hits to return to the client.


Verifying That The LDAP Server Is Running

To verify that the LDAP service is running, use the Novell Import Conversion Export Utility (ICE). At a workstation, run ice.exe from the command line or use Novell iManager or ConsoleOne®.


At the Command Line

  1. Go to the directory that contains ice.exe (for example, c:\novell\consoleone\1.2\bin).

  2. Run ice.exe.

    Search the rootDSE. Include parameters that identify the source handler and the export handler. For example, enter:

    ice -S LDAP -s 10.128.45.0 -p 389 -c base -a vendorname -D LDIF -f testoutput

    Parameter and Value    Description
    -S LDAP                Specifies LDAP as the source handler.
    -s 10.128.45.0         Specifies the server's DNS name or IP address.
    -p 389                 Specifies the port number of the LDAP server that the LDAP source handler parameter identified. The default port is 389. If 389 is not the installed port, specify the clear-text port number.
    -c base                Specifies that the scope of the search request is only the base object entry itself.
    -a vendorname          Specifies that the search is to retrieve the vendorname attribute.
    -D LDIF                Specifies LDIF as the destination handler.
    -f testoutput          Specifies the filename where LDIF records can be written.

    This example sends output to a testoutput file.

    For more information on using ICE, see Novell Import Conversion Export Utility. For information specific to LDAP source handlers, see LDAP Source Handler Options. For information specific to LDIF destination handlers, see LDIF Destination Handler Options.

  3. View results of the ICE command.


    Figure: Viewing output from the ICE command

    The example (Steps 2 and 3) limits the output from the rootDSE entry to the Vendor Name attribute. Because the example reads information from a Novell eDirectory server, the vendor information displays as Novell, Inc.


Using Novell iManager

To verify that the LDAP server is functional by using Novell iManager, follow the steps in Exporting Data to a File.

If you enter an IP address and a port number and then get a connection, the server is functional. Otherwise, you receive an error message. Download (view) either the log file or the export file.


Using ConsoleOne

To verify that the LDAP server is functional by using ConsoleOne, see Performing an LDIF Export.

Specify a path and filename for the Select Destination LDIF File field (for example, c:\ldap\textoutput.txt). If you enter only a filename, the LDAP snap-in for ConsoleOne writes the file to the default directory (typically, c:\novell\consoleone\1.2\bin).


Verifying That A Device Is Listening

Verify that a device is listening on port 389.


For NetWare:

  1. At the server console, enter

    tcpcon

  2. Select Protocol Information > TCP > TCP Connections.

  3. Select 389 in the Port column.

    If the State column displays Listen, a device is listening on that port.

    If a device is not listening, the port will be missing altogether.


For Windows 2000/NT and UNIX:

  1. At the command line, enter

    netstat -a

  2. Find a line where the local address is servername:389 and the state is LISTENING.
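
The two checks on this page, the rootDSE search for vendorname and the listener on port 389, can be combined in one probe. The following Python is an added example, not Novell code: it sends the same base-scope rootDSE search as the ice command over a raw socket and classifies the result. The function names and the SAMPLE reply are constructed for illustration, and it assumes the server answers an anonymous LDAPv3 search without a prior bind.

```python
import contextlib
import socket

def tlv(tag, body=b""):  # BER TLV, short-form length (bodies under 128 bytes)
    return bytes([tag, len(body)]) + body

def rootdse_request(attr="vendorName", msg_id=1):  # same query as the ice example
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63,  # messageID, SearchRequest
        tlv(0x04)                                   # baseObject "" is the rootDSE
        + tlv(0x0A, b"\x00") + tlv(0x0A, b"\x00")   # scope base, never deref aliases
        + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")   # no size or time limit
        + tlv(0x01, b"\x00") + tlv(0x87, b"objectClass")  # typesOnly FALSE, (objectClass=*)
        + tlv(0x30, tlv(0x04, attr.encode()))))     # attribute to return

def read_tlvs(data):  # yield (tag, value) for each complete TLV in data
    i = 0
    while i + 2 <= len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                                # long-form length
            n, i = int.from_bytes(data[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        if i + n <= len(data):                      # drop a truncated tail
            yield tag, data[i:i + n]
        i += n

def first_value(reply):
    """First attribute value of the first SearchResultEntry (0x64), else None."""
    with contextlib.suppress(ValueError, StopIteration, UnicodeDecodeError):
        for _, msg in read_tlvs(reply):
            (_, _), (op, body) = list(read_tlvs(msg))[:2]
            if op == 0x64:
                (_, _), (_, attrs) = list(read_tlvs(body))[:2]
                (_, _), (_, vals) = list(read_tlvs(next(read_tlvs(attrs))[1]))[:2]
                return next(read_tlvs(vals))[1].decode()
    return None

def check_ldap(host, port=389, timeout=5.0):
    """Assumes anonymous search without bind; returns a status or the vendor string."""
    try:
        sock = socket.create_connection((host, port), timeout)
    except OSError:
        return "not listening"
    reply = b""
    with sock, contextlib.suppress(OSError):        # timeout or reset ends the read
        sock.sendall(rootdse_request())
        while first_value(reply) is None and (chunk := sock.recv(4096)):
            reply += chunk
    return first_value(reply) or "listening, no rootDSE entry"

SAMPLE = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x64, tlv(0x04) + tlv(0x30, tlv(0x30,
    tlv(0x04, b"vendorName") + tlv(0x31, tlv(0x04, b"Novell, Inc."))))))  # constructed
```

Calling check_ldap("10.128.45.0") returns the vendor string when the server is servicing requests; "not listening" corresponds to the missing port 389 described for the loaded-but-not-running state, and "listening, no rootDSE entry" means the port is open but no entry came back within the timeout.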

If one of the following situations occurs, run Novell iMonitor:

For information on Novell iMonitor, see Configuration Files and Configuring Trace Settings.

For information on LDAP requests, see "Communicating with eDirectory through LDAP" in the Novell eDirectory 8.7.3 Installation Guide.