
How to recreate DSfW LDAP Server and LDAP Group objects

This document (7010319) is provided subject to the disclaimer at the end of this document.

Environment

Novell Open Enterprise Server 11 SP1 (OES 11 SP1)
Novell Open Enterprise Server 2 SP3 (OES 2 SP3)
Domain Services for Windows
DSfW

Situation

Kerberos fails to start on a DSfW server
LDAP Group object was deleted on a DSfW server
LDAP Server object was deleted on a DSfW server

Resolution

On the LDAP Server object add the following three ldapInterfaces values (the third line is one single space-separated value, not five separate ones):
ldapInterfaces: ldaps://:1636
ldapInterfaces: ldap://:1389
ldapInterfaces: ldap://:389 ldaps://:636 ldapi://%2fvar%2fopt%2fnovell%2fxad%2frun%2fldapi cldap:// ldap://:3268 ldaps://:3269

iManager or ldapconfig can be used to add the ldapInterfaces.
For iManager edit the DSfW LDAP Server object | Connections | LDAP Interfaces | click the + sign and add each of these three lines as one value each:
ldaps://:1636
ldap://:1389
ldap://:389 ldaps://:636 ldapi://%2fvar%2fopt%2fnovell%2fxad%2frun%2fldapi cldap:// ldap://:3268 ldaps://:3269

Click Apply
Click the Information tab
Click Refresh to refresh the LDAP server.
The changes should now be applied and the DSfW services can be restarted (xadcntrl reload).

For ldapconfig do the following. At the "User FDN:" prompt enter an admin user in X.500 dotted format, for example admin.novell, or pass it with the -a switch:
        ldapconfig -s "ldapinterfaces=ldaps://:1636" -a admin.novell
        ldapconfig -s "ldapinterfaces=ldap://:1389" -a admin.novell
        ldapconfig -s "ldapinterfaces=ldap://:389 ldaps://:636 ldapi://%2fvar%2fopt%2fnovell%2fxad%2frun%2fldapi cldap:// ldap://:3268 ldaps://:3269" -a admin.novell

Now add the extensions to the LDAP Server object and the mappings to the LDAP Group object.

For this there are two options: run the provision_config_slapi.pl task, or edit the LDAP objects manually, either with the ldif files or with iManager.

Using the /opt/novell/xad/share/dcinit/provision/provision_config_slapi.pl task
First export ADM_PASSWD and NDSEXISTINGADMINPASSWD with the domain and tree admin credentials:

export ADM_PASSWD='<password of the domain administrator, usually Administrator>'
export NDSEXISTINGADMINPASSWD='<password of the tree administrator, usually admin>'

Then run /opt/novell/xad/share/dcinit/provision/provision_config_slapi.pl

Both variables hold clear-text passwords. They are inherited by every process the shell starts and the export lines are written to the shell history, so clear both variables (unset) once the script has finished and remove the two lines from the history file.


For the ldif option, the two ldif files that will be needed are located in /var/opt/novell/xad/ds/domain/
nldap-delete-classlist.ldif
nldap.ldif

The nldap-delete-classlist.ldif removes the two default eDirectory class mappings for User and Group so that the DSfW versions can be added in their place. Below is an example of what this file should look like; other than the server name and context it should appear exactly as this (1.2.840.113556.1.4.1413 is the permissive-modify control, so the delete does not fail if a value is already absent; 1.2.840.113556.1.4.1339 is the domain-scope control):

dn: CN=LDAP Group - OES11-DSFW1,ou=OESSystemObjects,o=novell
control: 1.2.840.113556.1.4.1339
control: 1.2.840.113556.1.4.1413
changetype: modify
delete: ldapClassList
ldapClassList: NDSName=User$LDAPNames=inetOrgPerson
ldapClassList: NDSName=Group$LDAPNames=groupOfNames\24groupOfUniqueNames\24group


The nldap-delete-classlist.ldif is ready as is to modify the LDAP Group object.
From nldap.ldif only the LDAP Server and LDAP Group sections are needed; copy them into a new ldif file called ldapobjects.ldif.

Example of what should be copied to ldapobjects.ldif:

dn: CN=LDAP Group - OES11-DSFW1,ou=OESSystemObjects,o=novell
control: 1.2.840.113556.1.4.1339
control: 1.2.840.113556.1.4.1413
changetype: modify
add: ldapClassList
ldapClassList: NDSName=User$LDAPNames=user\24inetOrgPerson
ldapClassList: NDSName=Group$LDAPNames=group\24groupOfNames\24groupOfUniqueNames
ldapClassList: NDSName=Computer$LDAPNames=ndsComputer
ldapClassList: NDSName=mSDS:Computer$LDAPNames=computer
ldapClassList: NDSName=dmd$LDAPNames=ndsDmd
ldapClassList: NDSName=mSDS:DMD$LDAPNames=dMD
ldapClassList: NDSName=server$LDAPNames=ndsServer
ldapClassList: NDSName=mSDS:Server$LDAPNames=server
ldapClassList: NDSName=volume$LDAPNames=ndsVolume
ldapClassList: NDSName=mSDS:Volume$LDAPNames=volume
ldapClassList: NDSName=rRASAdministrationConnectionPoin$LDAPNames=rRASAdministrationConnectionPoint
-
add: ldapAttributeList
ldapAttributeList: NDSName=homeDirectory$LDAPNames=unixHomeDirectory
ldapAttributeList: NDSName=mSDS:HomeDirectory$LDAPNames=homeDirectory
ldapAttributeList: NDSName=homePostalAddress$LDAPNames=ndshomePostalAddress
ldapAttributeList: NDSName=msds:homePostalAddress$LDAPNames=homePostalAddress
ldapAttributeList: NDSName=mS-SQL-AllowAnonymousSubscriptio$LDAPNames=mS-SQL-AllowAnonymousSubscription
ldapAttributeList: NDSName=mS-SQL-AllowImmediateUpdatingSub$LDAPNames=mS-SQL-AllowImmediateUpdatingSubscription
ldapAttributeList: NDSName=mS-SQL-AllowKnownPullSubscriptio$LDAPNames=mS-SQL-AllowKnownPullSubscription
ldapAttributeList: NDSName=mS-SQL-AllowQueuedUpdatingSubscr$LDAPNames=mS-SQL-AllowQueuedUpdatingSubscription
ldapAttributeList: NDSName=mS-SQL-AllowSnapshotFilesFTPDown$LDAPNames=mS-SQL-AllowSnapshotFilesFTPDownloading
ldapAttributeList: NDSName=msDS-Cached-Membership-Time-Stam$LDAPNames=msDS-Cached-Membership-Time-Stamp
ldapAttributeList: NDSName=msDS-Non-Security-Group-Extra-Cl$LDAPNames=msDS-Non-Security-Group-Extra-Classes
ldapAttributeList: NDSName=msDS-Replication-Notify-First-DS$LDAPNames=msDS-Replication-Notify-First-DSA-Delay
ldapAttributeList: NDSName=msDS-Replication-Notify-Subseque$LDAPNames=msDS-Replication-Notify-Subsequent-DSA-Delay
ldapAttributeList: NDSName=msDS-Security-Group-Extra-Classe$LDAPNames=msDS-Security-Group-Extra-Classes
ldapAttributeList: NDSName=msDS-User-Account-Control-Comput$LDAPNames=msDS-User-Account-Control-Computed
ldapAttributeList: NDSName=msPKI-Certificate-Application-Po$LDAPNames=msPKI-Certificate-Application-Policy
ldapAttributeList: NDSName=ms-net-ieee-80211-GP-PolicyReser$LDAPNames=ms-net-ieee-80211-GP-PolicyReserved
ldapAttributeList: NDSName=ms-net-ieee-8023-GP-PolicyReser$LDAPNames=ms-net-ieee-8023-GP-PolicyReserved
ldapAttributeList: NDSName=dNSHostName$LDAPNames=dNSHostName
ldapAttributeList: NDSName=name$LDAPNames=name

dn: CN=LDAP Server - OES11-DSFW1,ou=OESSystemObjects,o=novell
control: 1.2.840.113556.1.4.1339
changetype: modify
add: extensionInfo
extensionInfo: 0#object#nad_object_init#nad-plugin
extensionInfo: 1#object#subschema_object_init#subschema-plugin
extensionInfo: 2#preoperation#crossref_preop_init#crossref-plugin
extensionInfo: 3#object#anr_object_init#anr-plugin
extensionInfo: 4#object#tokengroups_object_init#tokengroups-plugin
extensionInfo: 5#extendedop#netlogon_extop_init#netlogon-plugin
extensionInfo: 6#object#ntacl_object_init#ntacl-plugin
extensionInfo: 7#extendedop#whoami_extop_init#whoami-plugin
extensionInfo: 8#object#dsearch_object_init#dsearch-plugin

If needed, take the example above and change the server name and context to match your server. The parts to replace are the server name (OES11-DSFW1) and the context (ou=OESSystemObjects,o=novell) in these two dn lines:
CN=LDAP Group - OES11-DSFW1,ou=OESSystemObjects,o=novell
CN=LDAP Server - OES11-DSFW1,ou=OESSystemObjects,o=novell
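The copy-and-rename step described above, as an added example (it is not part of this TID and not a Novell tool): two POSIX shell functions that pull just the LDAP Server and LDAP Group records out of nldap.ldif and, when the server name or context differs, rewrite the two dn lines. The function names, the record-selection regex and the sample_nldap_ldif stand-in (a constructed, abbreviated nldap.ldif) are assumptions; the real file carries the full class, attribute and extension lists shown above.

```shell
# extract_ldap_object_records SRC: print only the LDIF records of SRC
# (normally /var/opt/novell/xad/ds/domain/nldap.ldif) whose dn is the
# "LDAP Server - <name>" or "LDAP Group - <name>" object. awk's paragraph mode
# (RS="") makes each blank-line-separated record one unit, so the controls,
# the changetype, the "-" separators and every value of a matching record are
# kept together and all other records are dropped.
extract_ldap_object_records() {
  awk -v RS= -v ORS='\n\n' '$0 ~ /^dn: CN=LDAP (Server|Group) - /' "$1"
}

# retarget_dsfw_ldif NEWSERVER NEWCONTEXT: filter (stdin -> stdout) that
# rewrites the dn lines so they name NEWSERVER under NEWCONTEXT, e.g.
#   retarget_dsfw_ldif DC2 'ou=OESSystemObjects,o=corp'
# turns "dn: CN=LDAP Server - OES11-DSFW1,ou=OESSystemObjects,o=novell" into
#       "dn: CN=LDAP Server - DC2,ou=OESSystemObjects,o=corp".
# Assumes the server name contains no " - " (the first " - " ends the prefix).
retarget_dsfw_ldif() {
  awk -v srv="$1" -v ctx="$2" '
    /^dn: CN=LDAP (Server|Group) - / {
      n = index($0, " - ")
      print substr($0, 1, n + 2) srv "," ctx
      next
    }
    { print }
  '
}

# count_ldif_records FILE: number of records; a correct ldapobjects.ldif has 2.
count_ldif_records() {
  grep -c '^dn: ' "$1"
}

# Constructed stand-in for nldap.ldif: one unrelated record plus abbreviated
# Group and Server records (assumed content, for demonstration only).
sample_nldap_ldif() {
  cat <<'EOF'
dn: cn=Other Object,o=novell
changetype: modify
replace: description
description: not part of the LDAP Server or LDAP Group repair

dn: CN=LDAP Group - OES11-DSFW1,ou=OESSystemObjects,o=novell
control: 1.2.840.113556.1.4.1339
control: 1.2.840.113556.1.4.1413
changetype: modify
add: ldapClassList
ldapClassList: NDSName=User$LDAPNames=user\24inetOrgPerson
-
add: ldapAttributeList
ldapAttributeList: NDSName=name$LDAPNames=name

dn: CN=LDAP Server - OES11-DSFW1,ou=OESSystemObjects,o=novell
control: 1.2.840.113556.1.4.1339
changetype: modify
add: extensionInfo
extensionInfo: 0#object#nad_object_init#nad-plugin
EOF
}

# Typical use on the DSfW server (paths from the TID; <ServerName> is the
# name of your LDAP Server object, only needed when it differs from the file):
#   extract_ldap_object_records /var/opt/novell/xad/ds/domain/nldap.ldif \
#     | retarget_dsfw_ldif <ServerName> 'ou=OESSystemObjects,o=novell' \
#     > /var/opt/novell/xad/ds/domain/ldapobjects.ldif
#   count_ldif_records /var/opt/novell/xad/ds/domain/ldapobjects.ldif   # expect 2
```

Run count_ldif_records on the result before importing it: anything other than 2 means the record selection picked up too much or too little and the file should be inspected by hand rather than fed to ldapmodify.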


Now that we have the two ldif files, use ldapmodify to import them.
Once the ldapInterfaces are set, Kerberos should start. Validate that the services are running (xadcntrl validate); if not, restart all DSfW services (xadcntrl reload) and verify that all of them are running.
Once all services are running you can use the EXTERNAL method for importing the ldifs. It binds over the ldapi socket with the identity of the local Unix user running the command (run it as root), which is why the DSfW services must be up. The alternative is a simple bind (-x) over ldaps with an admin DN; do not add -Q to that form, because -Q is a SASL-only option and ldapmodify rejects it together with -x.
  1. export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
  2. ldapmodify -Y EXTERNAL -Q -f /var/opt/novell/xad/ds/domain/nldap-delete-classlist.ldif
    or  ldapmodify -x -H ldaps:// -D cn=admin,o=context -W -f /var/opt/novell/xad/ds/domain/nldap-delete-classlist.ldif
    for the bind user (-D) enter the appropriate admin username and context
  3. ldapmodify -Y EXTERNAL -Q -f /var/opt/novell/xad/ds/domain/ldapobjects.ldif
    or  ldapmodify -x -H ldaps:// -D cn=admin,o=context -W -f /var/opt/novell/xad/ds/domain/ldapobjects.ldif
    for the bind user (-D) enter the appropriate admin username and context

Stop and restart nldap, either with the Refresh option in iManager on the LDAP Server object, by restarting all DSfW services (xadcntrl reload), or at the command line:

nldap -u
nldap -l

Both the LDAP Server and LDAP Group Object should be properly configured.
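A way to confirm that statement instead of trusting it, as an added example (not part of this TID and not a Novell tool): a POSIX shell check that reads the LDIF returned by ldapsearch for the two objects and reports every required ldapInterfaces, extensionInfo and ldapClassList value that is absent. The expected values are copied from this TID; the function names, the ldapsearch invocation in the comment (which assumes the objects live in ou=OESSystemObjects,o=novell as in the example above) and the sample_ldapsearch_output stand-in (constructed sample output) are assumptions. The one thing it handles that a plain grep does not: ldapsearch folds values longer than 76 characters onto continuation lines, and the third ldapInterfaces value is always folded, so the output is unfolded first.

```shell
# unfold_ldif: stdin -> stdout. "ldapsearch -LLL" folds long values onto
# continuation lines that start with one space; join them so that every
# attribute is a single "name: value" line again.
unfold_ldif() {
  awk '
    /^ / { buf = buf substr($0, 2); next }   # continuation: append to previous
    { if (NR > 1) print buf; buf = $0 }
    END { if (NR > 0) print buf }
  '
}

# Required values, copied from the TID. The third ldapInterfaces entry is one
# space-separated value and must therefore appear as one line after unfolding.
DSFW_IFACES='ldaps://:1636
ldap://:1389
ldap://:389 ldaps://:636 ldapi://%2fvar%2fopt%2fnovell%2fxad%2frun%2fldapi cldap:// ldap://:3268 ldaps://:3269'
DSFW_PLUGINS='0#object#nad_object_init#nad-plugin
1#object#subschema_object_init#subschema-plugin
2#preoperation#crossref_preop_init#crossref-plugin
3#object#anr_object_init#anr-plugin
4#object#tokengroups_object_init#tokengroups-plugin
5#extendedop#netlogon_extop_init#netlogon-plugin
6#object#ntacl_object_init#ntacl-plugin
7#extendedop#whoami_extop_init#whoami-plugin
8#object#dsearch_object_init#dsearch-plugin'
DSFW_CLASSMAPS='NDSName=User$LDAPNames=user\24inetOrgPerson
NDSName=Group$LDAPNames=group\24groupOfNames\24groupOfUniqueNames
NDSName=Computer$LDAPNames=ndsComputer
NDSName=mSDS:Computer$LDAPNames=computer
NDSName=dmd$LDAPNames=ndsDmd
NDSName=mSDS:DMD$LDAPNames=dMD
NDSName=server$LDAPNames=ndsServer
NDSName=mSDS:Server$LDAPNames=server
NDSName=volume$LDAPNames=ndsVolume
NDSName=mSDS:Volume$LDAPNames=volume
NDSName=rRASAdministrationConnectionPoin$LDAPNames=rRASAdministrationConnectionPoint'

# _req ATTR VALUES: print a MISSING line for each newline-separated entry of
# VALUES that does not occur as "ATTR: entry" in $ldif (set by the caller).
_req() {
  printf '%s\n' "$2" | while IFS= read -r v; do
    printf '%s\n' "$ldif" | grep -Fxq "$1: $v" || printf 'MISSING %s: %s\n' "$1" "$v"
  done
}

# check_dsfw_ldap_objects FILE: FILE holds the LDIF of both objects, e.g. from
#   ldapsearch -Y EXTERNAL -Q -LLL -b ou=OESSystemObjects,o=novell \
#       '(cn=LDAP *)' ldapInterfaces extensionInfo ldapClassList > objects.ldif
# Prints the missing values and returns 1 if any are absent, 0 if all present.
check_dsfw_ldap_objects() {
  ldif=$(unfold_ldif < "$1")
  missing=$(
    _req ldapInterfaces "$DSFW_IFACES"
    _req extensionInfo "$DSFW_PLUGINS"
    _req ldapClassList "$DSFW_CLASSMAPS"
  )
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# Constructed sample of what ldapsearch returns for a correctly repaired
# server (assumed content): note the folded third ldapInterfaces value.
sample_ldapsearch_output() {
  cat <<'EOF'
dn: CN=LDAP Server - OES11-DSFW1,ou=OESSystemObjects,o=novell
ldapInterfaces: ldaps://:1636
ldapInterfaces: ldap://:1389
ldapInterfaces: ldap://:389 ldaps://:636 ldapi://%2fvar%2fopt%2fnovell%2fxad
 %2frun%2fldapi cldap:// ldap://:3268 ldaps://:3269
EOF
  printf '%s\n' "$DSFW_PLUGINS" | sed 's/^/extensionInfo: /'
  printf '\ndn: CN=LDAP Group - OES11-DSFW1,ou=OESSystemObjects,o=novell\n'
  printf '%s\n' "$DSFW_CLASSMAPS" | sed 's/^/ldapClassList: /'
}
```

Run it right after the nldap restart: a clean exit means every interface, plugin and class mapping from this TID is present on the two objects; each MISSING line names exactly the value to add. The attribute mappings (ldapAttributeList) are not checked here, but the same _req call with that list would cover them.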

Cause

If the LDAP Server object is deleted, the ldap interfaces that DSfW needs in order to function as a Domain Controller are lost. Kerberos then fails to start, because part of its start-up does a base search on the root DSE over the ldapi socket:
"ldapsearch -Y EXTERNAL -b "" -s base"
The ldap interfaces therefore have to be specified, and in particular the ldapi one (ldapi://%2fvar%2fopt%2fnovell%2fxad%2frun%2fldapi).

The class and attribute mappings on a DSfW server are also modified to reflect the configuration in AD, along with the proper LDAP extensions on the LDAP Server object. If the LDAP Group object is deleted and recreated, the mappings are lost and must be re-applied. The same applies to the LDAP extensions on the LDAP Server object.

Additional Information

If only the LDAP Server object is deleted apply the nldap-delete-classlist.ldif and only copy the LDAP Server section to the ldapobjects.ldif

Example of the ldapobjects.ldif:
dn: CN=LDAP Server - OES11-DSFW1,ou=OESSystemObjects,o=novell
control: 1.2.840.113556.1.4.1339
changetype: modify
add: extensionInfo
extensionInfo: 0#object#nad_object_init#nad-plugin
extensionInfo: 1#object#subschema_object_init#subschema-plugin
extensionInfo: 2#preoperation#crossref_preop_init#crossref-plugin
extensionInfo: 3#object#anr_object_init#anr-plugin
extensionInfo: 4#object#tokengroups_object_init#tokengroups-plugin
extensionInfo: 5#extendedop#netlogon_extop_init#netlogon-plugin
extensionInfo: 6#object#ntacl_object_init#ntacl-plugin
extensionInfo: 7#extendedop#whoami_extop_init#whoami-plugin
extensionInfo: 8#object#dsearch_object_init#dsearch-plugin

Another option is to download and run the fix_ldap_objects script to fix this issue.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7010319
  • Creation Date: 25-JUN-12
  • Modified Date: 31-JUL-13
  • Products: Novell Open Enterprise Server; SUSE Linux Enterprise Server; NetIQ eDirectory
