LDAP server not accepting bind requests in eDirectory 8.7.0

  • 3250225
  • 10-Jan-2007
  • 06-Jun-2012

Environment

Novell eDirectory 8.7 for All Platforms
eDirectory 8.7 - eDir8703.exe patch
Novell NetWare 6.0 Support Pack 2
Novell NetWare 5.1 Support Pack 5
Microsoft Windows 2000
Ldap Services

Situation

Applied the eDirectory 8.7.0.3 update to the server - eDir8703.exe.
Error: "2 (00000002 protocol error attempt)" seen from LDAP client attempting to bind to the LDAP server.
Error: " 81 ( 00000051 server down)" from ICE Wizard in Console One attempting to export to an LDIF file from a LDAP server.
NLDAP appears to be loading successfully.
Error: "LDAP Server attribute "ldapBindRestrictions" not found, installing new default" seen in DSTRACE.NLM.

Resolution

CLIENT\SERVER CHECK:

First, determine whether the problem is with the client or the server. Use the ConsoleOne ICE Wizard to export a single entry from the LDAP server:

1. In ConsoleOne select the Wizard tab - NDS Import\Export menu, then select Export LDIF File and click Next.
2. Enter the server's IP address in the IP Address field, Port 389, and leave Anonymous Login selected (provided anonymous login is available; it is by default). Click Next.
3. Give the search a base of o=nameofyourorganization and select Base as the scope. Leave the Filter and Attribute tabs at their defaults. Click Next.
4. Give ICE the name of the LDIF file to create, for example c:\test.ldif. Click Next and then Finish.

If the server is working correctly you should see 1 entry processed and 0 errors. In that case the server side is fine, and an LDAP trace should be performed to identify what is going wrong with the client. If anonymous binds have been deliberately disabled on this server (ldapBindRestrictions set to 1, see the CONSOLEONE section), clear Anonymous Login and supply valid credentials for the check, otherwise it fails for that reason alone and tells you nothing about the patch.
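The same client/server check can be scripted without ConsoleOne. The following is an added example for this TID, not Novell code: it hand-encodes an LDAPv3 anonymous simple bind (RFC 4511 BER framing, standard library only), sends it to port 389 and decodes the BindResponse, so the "2 (protocol error)" result the Situation section describes is reported by name rather than as a bare number, and a refused or dropped connection is distinguished from it as the "server down" case. The host, port and result-code table are the script's own assumptions; the server side encoder exists only to build offline test vectors.

```python
"""Minimal LDAPv3 anonymous-bind probe (added example; standard library only)."""
import socket

# LDAP resultCode values a bind probe is likely to see (RFC 4511 section 4.1.9).
LDAP_RESULT_NAMES = {
    0: "success",
    2: "protocolError",            # what the client sees when NLDAP refuses all binds
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    53: "unwillingToPerform",
}


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _integer(value: int) -> bytes:
    """ASN.1 INTEGER, two's complement, minimal length (enough for IDs and versions)."""
    length = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(length, "big", signed=True))


def build_bind_request(message_id: int = 1, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] } using simple auth.
    Empty dn and password is an anonymous bind, which is what the ICE wizard
    sends when Anonymous Login is left selected."""
    bind = (_integer(3)                          # version 3
            + _tlv(0x04, dn.encode())            # name (LDAPDN)
            + _tlv(0x80, password.encode()))     # authentication: simple [0]
    return _tlv(0x30, _integer(message_id) + _tlv(0x60, bind))


def build_bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Server side of the exchange; used here to construct offline test vectors."""
    result = (_tlv(0x0A, bytes([result_code]))   # ENUMERATED resultCode
              + _tlv(0x04, b"")                  # matchedDN
              + _tlv(0x04, diagnostic.encode())) # diagnosticMessage
    return _tlv(0x30, _integer(message_id) + _tlv(0x61, result))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the BER element starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported BER length form")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def _frame_complete(data: bytes) -> bool:
    """True once data holds one whole outer SEQUENCE (header plus declared length)."""
    if len(data) < 2:
        return False
    first = data[1]
    if first < 0x80:
        return len(data) >= 2 + first
    nbytes = first & 0x7F
    if len(data) < 2 + nbytes:
        return False
    return len(data) >= 2 + nbytes + int.from_bytes(data[2:2 + nbytes], "big")


def parse_bind_response(data: bytes) -> dict:
    """Decode an LDAPMessage carrying a BindResponse into its result fields."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError("protocolOp is not BindResponse (tag 0x%02x)" % op_tag)
    _, code, pos = _read_tlv(op, 0)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": rc,
            "result_name": LDAP_RESULT_NAMES.get(rc, "other(%d)" % rc),
            "matched_dn": matched.decode(errors="replace"),
            "diagnostic": diag.decode(errors="replace")}


def probe_bind(host: str, port: int = 389, dn: str = "", password: str = "", timeout: float = 5.0) -> dict:
    """Send one bind and return the decoded response. A refused connection or a
    socket closed before any response is the 'server down' case; a decoded
    resultCode 2 is the 'protocol error' case from the Situation section."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bind_request(1, dn, password))
        data = b""
        while not _frame_complete(data):
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection without a BindResponse")
            data += chunk
        return parse_bind_response(data)


if __name__ == "__main__":
    import sys
    print(probe_bind(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))  # assumed host
```

Run it with the server's address as the first argument. A "success" result with an anonymous bind mirrors the 1 entry processed / 0 errors outcome of the ICE check; pass a DN and password instead if ldapBindRestrictions is set to 1 on the server.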
The manual schema part of the LDAP server update from eDir8703.exe was not performed.

The new build of NLDAP (shipped with the eDirectory 8.7.0.3 update) allows anonymous binds to be disabled. This is controlled by a new LDAP Server attribute, ldapBindRestrictions, which must first be added to eDirectory's schema and then associated with the LDAP Server object. If NLDAP loads and does not find this attribute, either because the new LDAP.SCH included in EDIR870FP1.EXE was not run or because the schema has not yet synchronized to this server, NLDAP fails closed and refuses all bind requests, anonymous and authenticated alike.

Make sure the EDIR8703.EXE or EDIR8703.TGZ files are installed on your platform, then use the platform-specific schema extension utility to extend the schema with the LDAP.SCH file and associate the attribute with the LDAP Server object. The NetWare, NT and UNIX procedures follow.

NETWARE:

This should first be run on a RW or Master of Root.
a. From the NetWare console type "LOAD NWCONFIG" - Select Directory Options - Extend Schema
b. Authenticate as admin or a user with admin rights to root. Change the path by pressing F3 and specify the location of the LDAP.SCH file from the 8703 patch (\NW\SYS\SYSTEM\SCHEMA).
c. Force the schema synch process by running the following commands on the console:

SET DSTRACE=ON
SET DSTRACE=+SCHEMA
SET DSTRACE=*SSD
SET DSTRACE=*SSA
Wait for an "All Processed = Yes" on the Directory Services Screen then continue to the ConsoleOne Section of this TID.

Note:

If this does not work, then on the server that is the Master of the ROOT partition load DSREPAIR -A | Advanced Options | Global Schema Operations and log in as ADMIN. Select the Post NetWare 5 Schema Update option and run it twice. Then select the Optional Schema Enhancements option and run it twice (unless it makes no updates the first time). Exit DSREPAIR, and at the server's console prompt type the following commands:

SET DSTRACE=ON
SET DSTRACE=+SCHEMA
SET DSTRACE=*SS
Wait for an "All Processed = Yes" on the Directory Services Screen then go back and follow the instructions above under the NETWARE heading.

NT:

This should first be run on a RW or Master of Root.
a. Choose Start - Control Panel - Novell eDirectory Services - Highlight the INSTALL.DLM module - Click Start
b. Choose "Install additional schema files." - Click Next - Authenticate as Admin or a user with admin rights to root
c. Browse to the LDAP.SCH file contained in EDIR8703.EXE (e.g., C:\8703\NT\NDS\LDAP.SCH) - Click Finish
d. Force a Schema Synch Process from either Novell eDirectory Services - DSTRACE or from iManager DSTRACE.
e. Wait for an "All Processed = Yes" on the Directory Services Screen then continue to the ConsoleOne Section of this TID.

UNIX:

This should first be run on a RW or Master of Root.
a. Type the following command:
ndssch /usr/lib/nds-schema/ldap.sch
b. Authenticate as admin or a user with admin rights to root, and type the admin password when prompted.
c. Force the schema synch process by running the following commands on the console:

ndstrace
set dstrace=nodebug
dstrace +scma +scmd
set dstrace=*ssd
set dstrace=*ssa
Wait for an "All Processed = Yes" on the Directory Services Screen then continue with the ConsoleOne section

CONSOLEONE:

The ldapBindRestrictions attribute has now been added to the schema and associated with the LDAP Server class. Next, add it to your LDAP Server object and give it a value.
1. Load ConsoleOne
2. Browse to your LDAP server object
3. Right click - Properties - Other Tab
4. Click on the Attribute Add button - Scroll to the ldapBindRestrictions attribute - OK
5. To disable anonymous binds enter a value of 1 in the attribute value field. To allow anonymous binds enter 0.
6. Select Apply - OK

The eDir8703.exe update did not update all files.

Please download a new copy of eDir8703.exe and re-install.
The LDAP server object and LDAP group object were not properly upgraded during the eDirectory 8.7.0 migration.

Using ConsoleOne version 1.3.4 or later, check the version attributes of the LDAP Server object and the LDAP Group object.
- Locate the LDAP server object for this server, highlight the object and right-click properties to see its details. Select the Other tab then open the Version attribute. It should say 8.7.0. Do the same for the LdapConfigVersion. It should report a version of 6.
- Locate the LDAP group object for this LDAP server. This can be found under the General Tab for the LDAP server. Highlight, right-click properties and again select the Other tab. Open the ldapConfigVersion attribute. It should report Version 6.

If this is not the case, you can use the following methods to delete and re-create these objects. This deletes the customer's configuration for them, so while you are in ConsoleOne copy down all settings on both objects first. It is also a good idea to use either DSREPAIR -RC or the eMBox utilities to make a backup of the database from a RW or Master replica holder of these objects.

ConsoleOne:
- Delete the Group Object. Delete the LDAP server object.
- Re-create the Group object by right-clicking on the Container that holds the NCP server object, select new object and select LDAP Group Object. You can ignore for now the message about obsolete syntax mappings. Accept the message about the need to have a LDAP server object in the group. Give the server group a descriptive name such as LDAP Group - Servername. Click on OK about the need to have a LDAP server in the group.
- Re-create the LDAP Server object by right-clicking on the NCP server object's container as above, selecting New Object and then LDAP Server object. Again a descriptive name is helpful, such as LDAP Server - Servername. Also select Define Additional Properties so the object does not have to be reopened after creation. On the General tab use the selector to associate the Host Server (NCP Server object) with this newly created LDAP Server object. Do the same on the next line to associate the LDAP Group object you created above with this LDAP Server object. Click Apply and OK.
- Now unload (or stop) LDAP services on the server and re-load (or start) LDAP services. Now perform the Client\Server check documented above.

iManager:
If you have installed the eDirectory 8.7.0 web applications, connect to iManager at https://<IP Address>/eMFrame/iManager.html and select the LDAP Management link. From there you can delete both the LDAP Server and LDAP Group objects. Afterward, first re-create the LDAP Server object, correctly associating it with the NCP Server object, then re-create the LDAP Group object, correctly associating it with the LDAP Server object you just created. When finished, unload and reload LDAP services on the server and perform the Client\Server check.


Additional Information

The server's schema does not contain the attribute ldapBindRestrictions and/or it was not added to the LDAP Server object.
Complete error message in DSTRACE.NLM:
LDAP Server config version 5 does not match executable config version 6
Starting dynamic upgrade
LDAP Server attribute "ldapBindRestrictions" not found, installing new default
Failed to modify entry in UpgradeLDAPServerObject, err = no such attribute (-603)
Could not complete dynamic upgrade, err = no such attribute (-603)
Could not validate Group in ReadConfigFromDS, err = no such attribute (-603)
Could not update server configuration, err = no such attribute (-603)
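The trace excerpt above has a stable shape: a config-version mismatch, a named missing attribute, then a chain of -603 (no such attribute) failures. The following is an added example for this TID, not Novell code, that pulls those facts out of a DSTRACE capture and maps them to the causes listed under Resolution. The sample lines are the ones quoted in this TID plus one unrelated line; the regular expressions and the diagnosis labels are the script's own assumptions.

```python
"""Triage NLDAP DSTRACE output for the ldapBindRestrictions failure (added example)."""
import re

# Constructed sample: the DSTRACE.NLM lines quoted in this TID plus one
# unrelated line, so the parser has something to ignore.
SAMPLE_DSTRACE = """\
LDAP Server config version 5 does not match executable config version 6
Starting dynamic upgrade
LDAP Server attribute "ldapBindRestrictions" not found, installing new default
Failed to modify entry in UpgradeLDAPServerObject, err = no such attribute (-603)
Could not complete dynamic upgrade, err = no such attribute (-603)
Could not validate Group in ReadConfigFromDS, err = no such attribute (-603)
Could not update server configuration, err = no such attribute (-603)
Unrelated trace line that mentions nothing of interest
"""

VERSION_RE = re.compile(r"config version (\d+) does not match executable config version (\d+)")
ATTR_RE = re.compile(r'attribute "([^"]+)" not found')
ERR_RE = re.compile(r"^(.*?),\s*err = (.+?) \((-?\d+)\)\s*$")

ERR_NO_SUCH_ATTRIBUTE = -603   # eDirectory error code quoted in this TID


def triage_dstrace(text: str) -> dict:
    """Extract the version mismatch, missing attributes and error chain from
    DSTRACE lines, then decide which cause in this TID they point at."""
    facts = {"object_version": None, "executable_version": None,
             "missing_attributes": [], "errors": []}
    for line in text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            facts["object_version"] = int(m.group(1))
            facts["executable_version"] = int(m.group(2))
            continue
        m = ATTR_RE.search(line)
        if m:
            facts["missing_attributes"].append(m.group(1))
            continue
        m = ERR_RE.match(line)
        if m:
            facts["errors"].append({"where": m.group(1), "text": m.group(2), "code": int(m.group(3))})

    codes = {e["code"] for e in facts["errors"]}
    mismatch = (facts["object_version"] is not None
                and facts["object_version"] != facts["executable_version"])
    if "ldapBindRestrictions" in facts["missing_attributes"] and codes == {ERR_NO_SUCH_ATTRIBUTE}:
        # Cause 1 in this TID: LDAP.SCH not applied, or not yet synchronized to this server.
        facts["diagnosis"] = "schema"
    elif mismatch and not codes:
        # Object was behind but the dynamic upgrade logged no error; verify the
        # Version / ldapConfigVersion attributes as described under cause 3.
        facts["diagnosis"] = "check-object-versions"
    else:
        facts["diagnosis"] = "unknown"
    return facts


if __name__ == "__main__":
    for key, value in triage_dstrace(SAMPLE_DSTRACE).items():
        print(key, value)
```

Feed it a saved DSTRACE capture instead of SAMPLE_DSTRACE to confirm that a bind failure on a freshly patched server is this TID's schema case before re-creating any objects.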

Formerly known as TID# 10082626
Formerly known as TID# NOVL88947