DSfW: ADC install enters wrong context for server

  • 7012509
  • 29-May-2013
  • 25-Jul-2014

Environment

Novell Open Enterprise Server 11 SP2 (OES11SP2)
Novell Open Enterprise Server 11 SP1 (OES11SP1)
Domain Services for Windows
DSfW

Situation

Non-name-mapped install
PDC is OES11SPx
2nd server in the tree, ADC install

The install attempts to put the server in the cn=users container, and the field is grayed out so it cannot be changed.
An attempt was made to change the context in the nds.conf file, re-enter the configuration information after the first failure, and see whether the configuration would pick it up.

Resolution

The root issue is with the SSL certificate that the DSfW installation receives.

The certificate is copied to /etc/opt/novell/certs/SSCert.der in the previous step.

The tool to retrieve the certificate is /opt/novell/oes-install/util/getSSCert

Example of how getSSCert tool is used:
/opt/novell/oes-install/util/getSSCert -t 'DSFW_TREE' -u 'cn=admin.dc=dsfw.dc=lan' -a 192.168.0.52

The /var/log/YaST2/y2log shows that the command completed successfully with "Step #11 SSCert extraction complete".

Testing the /etc/opt/novell/certs/SSCert.der with ldapsearch or any other tool reveals that the certificate is not valid, on both the PDC and the ADC server being installed.

To resolve this issue:

  1. Check the CA object to validate that there is a host server for the CA.  Many times the CA server will have been removed from the tree and the host server listed for the CA will be missing, making the CA invalid.
    The CA could also be expired.  Check the expiration date.
    1. Using iManager go to the Certificate Server role | Configure Certificate Authority | check the Host Server for a valid server name.  If present, click on the Certificates tab | the Organizational CA certs | validate the Expiration date.
    2. If the certificate expiration date is older than today's date, the CA is expired and needs to be recreated.
  2. Follow TID 3618399, option II, to recreate the CA if the CA needs to be recreated.  If a backup of the CA was made, follow option I to restore the previously backed up CA.
    1. Once the CA is re-created or validated, rename the /etc/opt/novell/certs/SSCert.der and /etc/opt/novell/certs/SSCert.pem files.
    2. Example: mv /etc/opt/novell/certs/SSCert.der /etc/opt/novell/certs/SSCert.der.old
  3. Restart eDirectory and check that the SSCert.der and SSCert.pem files are recreated.
    Rename the certs and restart eDirectory on both the CA server and the DSfW PDC server to ensure they both have correctly keyed certificates.
    1. Using the ndsconfig option requires the certificates to be deleted first.
    2. Using iManager go to the Certificate Server role | Repair Default Certificates | browse to the NCP Server object for the PDC server | Click Next | Select "Yes All Default Certificates will be overwritten" | be sure the IP address and DNS name are correct | Click Next | Click Finish
  4. Test secure LDAP with the eDirectory ldapsearch (/opt/novell/eDirectory/bin/ldapsearch), both anonymous and authenticated.
    Examples of using the eDirectory ldapsearch with the -e option to specify the SSCert.der: 1 is an anonymous bind, 2 is an authenticated bind.
    1. /opt/novell/eDirectory/bin/ldapsearch -x -h 127.0.0.1 -p 636 -e /etc/opt/novell/certs/SSCert.der -b "" -s base
    2. /opt/novell/eDirectory/bin/ldapsearch -x -h 127.0.0.1 -p 636 -e /etc/opt/novell/certs/SSCert.der -b "" -s base -D cn=admin,o=novell -W
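The expiration check from step 1 and the anonymous LDAPS test from step 4 can be run from one script on the ADC before the install trusts SSCert.der. The helper below is an added example, not part of this TID or of the OES tools; it assumes openssl and the eDirectory ldapsearch are installed, and the default certificate path, PDC address and exit codes are this script's own assumptions.

```shell
#!/bin/sh
# Added helper (not part of the TID or of the OES tools): vet the SSCert.der that
# getSSCert fetched before the ADC install trusts it. Assumes openssl and the
# eDirectory ldapsearch are installed; paths and defaults below are assumptions.
set -u

CERT=${1:-/etc/opt/novell/certs/SSCert.der}
PDC=${2:-127.0.0.1}
LDAPSEARCH=/opt/novell/eDirectory/bin/ldapsearch

# sscert_check DER_FILE [LOOKAHEAD_SECONDS]
#   0: a DER certificate still valid LOOKAHEAD seconds from now
#   1: expired, or expiring within LOOKAHEAD seconds (the CA must be recreated, steps 1-2)
#   2: file missing, empty or not a DER certificate (re-run getSSCert)
sscert_check() {
    der=$1; lookahead=${2:-0}
    [ -s "$der" ] || return 2
    openssl x509 -inform DER -in "$der" -noout >/dev/null 2>&1 || return 2
    # -checkend exits 1 when the certificate expires within LOOKAHEAD seconds
    openssl x509 -inform DER -in "$der" -noout -checkend "$lookahead" >/dev/null 2>&1 || return 1
}

# Print subject, issuer and validity window for comparison with the Organizational
# CA certificate shown in iManager (step 1).
sscert_info() {
    openssl x509 -inform DER -in "$1" -noout -subject -issuer -dates
}

# Anonymous LDAPS base search with SSCert.der as trusted root (step 4, example 1).
# Fails when the PDC's server certificate was not issued by the CA in SSCert.der.
ldaps_check() {
    "$LDAPSEARCH" -x -h "$1" -p 636 -e "$2" -b "" -s base >/dev/null
}

main() {
    sscert_check "$CERT"
    case $? in
        0) echo "OK: $CERT is a valid, unexpired certificate"; sscert_info "$CERT" ;;
        1) echo "FAIL: $CERT is expired, so the CA is invalid (steps 1-2)"; sscert_info "$CERT"; return 1 ;;
        2) echo "FAIL: $CERT is missing or not a DER certificate; re-run getSSCert"; return 1 ;;
    esac
    if ldaps_check "$PDC" "$CERT"; then
        echo "OK: anonymous LDAPS base search against $PDC succeeded"
    else
        echo "FAIL: LDAPS against $PDC failed using $CERT; repair default certificates (step 3)"
        return 1
    fi
}
main "$@"
```

Run it as `sh sscert_check.sh [DER_FILE] [PDC_ADDRESS]`; a non-zero exit means the certificate should not be used for the ADC install until the listed step has been completed.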

Cause

The root cause is that the CA is invalid: there is no host server listed for the CA.