Install of eDirectory fails with error 74 or error 78

  • 7014412
  • 14-Jan-2014
  • 17-Dec-2014

Environment

Novell Open Enterprise Server 11SP2
Novell Open Enterprise Server 11SP1
Novell Open Enterprise Server 11
Novell Open Enterprise Server 2SP3
eDirectory 8.8
Domain Services for Windows
DSFW

Situation

Install of eDirectory fails
ERROR: /opt/novell/eDirectory/bin/ndsconfig return value = 74
ERROR: /opt/novell/eDirectory/bin/ndsconfig return value = 78
ERROR: ndsconfig failed to install and configure eDirectory

y2log shows:
Extending schema... Done
For more details view schema extension logfile: /var/opt/novell/eDirectory/log/schema.log

Configuring HTTP service... Done
Configuring LDAP service... Done
Configuring SNMP service... Done
Configuring SAS service... Failed to configure SAS service: no such attribute err=-603

The ndsd.log shows:
SecurityInstall: Error from pkiInstallCreatePKIObjects (ccode = -603)
An error occurred while configuring product SAS. Error description no such attribute. -603
NDSIInstallDSProduct: Returning -603

Resolution

Since the error is reported while creating the SAS/Certificate objects, the issue points to the CA.

  1. Verify the CA server is up, ndsd is up, NCP (port 524) is not blocked by a firewall, and that ndsd is communicating with other servers.
  2. Check the CA object and verify a hostServer is listed for the CA. If no hostServer is listed, there is no CA for the tree and therefore certificates cannot be created. The cause of a missing hostServer is usually that the CA server was decommissioned or removed from the tree.
To resolve a missing CA or a missing hostServer on the CA, follow TID 3618399, option II to recreate the CA. If the CA object exists and a backup of the CA was made, follow option I to restore the previously backed up CA.

After resolving the CA issue, attempt the install of eDirectory again.

NOTE: After deleting the CA, delete the CRL object in the CRL Container (delete the object One and the container One - Configuration). Deleting the Organizational CA object will not invalidate any certificates that have been signed by the Organizational CA, such as the Certificates (Key Material Objects) created for each of your servers. They will continue to function until they expire. You will need to recreate/repair the certificates on the Certificate Authority server. Servers will not be able to install new servers into the tree or issue new certificates until you fix the Certificate Authority and recreate or repair the CA server's certificates.

To create/repair the certificates, log into iManager | click on the Certificate Server Role | Repair Default Certificates | select the server object | click Next | click "Yes All Default Certificates will be overwritten" | verify the SSL CertificateIP and SSL CertificateDNS are correct | click Next | click Finish.

If the install of eDirectory is on an OES server and the Abort eDirectory configuration option was selected, it is a good idea to follow TID 7002414 to verify the failed eDirectory install was cleaned up before continuing the install.
If the install of eDirectory is on an OES server with DSfW being installed and the Abort eDirectory configuration option was selected, the server will need to be rebuilt.

If the eDirectory install failure occurred on an OES/DSfW server and the install halted (did not abort), restore communications with the CA server or fix (create new or restore from backup) the CA and continue the install of eDirectory selecting option 2.  Select option 1 if the configuration information for eDirectory needs to be modified.

Cause

Either the CA is missing, the hostServer for the CA is missing, or the install server is unable to communicate with the server hosting the CA.

Additional Information

A successful install of eDirectory will look something like this in the y2log:
Extending schema... Done
For more details view schema extension logfile: /var/opt/novell/eDirectory/log/schema.log

Configuring HTTP service... Done
Configuring LDAP service... Done
Configuring SNMP service... Done
Configuring SAS service... Done
Associating certificate with the NCP server object... Done
Configuring NMAS service... Done
Configuring LDAP Server with default SSL CertificateDNS certificate... Done
Triggering the 'External Reference Check' process... Done
The instance at /etc/opt/novell/eDirectory/conf/nds.conf is successfully configured.


The ndsd.log will look something like this with a successful install of eDirectory:
Jan 14 15:10:27  LDAP Agent for Novell eDirectory 8.8 SP7 (20702.00) started
Configuring Distribution Points for Certificate Revocation List:
Jan 14 15:10:27  NMAS Server Version:3.3.4.1 Build:20120710 started
Jan 14 15:10:27  SASL Version:3.3.4.1 Build:20120710 started
Jan 14 15:10:31  SecurityInstall: Successfuly created the Security Container, CA, SAS, and KMO objects.
Jan 14 15:10:31  NDSIInstallDSProduct: Successfully Configured SAS service
Jan 14 15:10:31  CfgNCPServerCertificate: Associating certificate with the NCP server object...
Jan 14 15:10:31  CfgNCPServerCertificate: Returning 0.
Jan 14 15:10:31  NDSIInstallDSProduct: Returning 0.
Jan 14 15:10:31  NDSIInstallDSProduct: Installing product ID = 9.
Jan 14 15:10:31  NDSIInstallDSProduct: loading libnmasinst
Jan 14 15:10:31  NDSIInstallDSProduct: Configuring NMAS service ...
Jan 14 15:10:31  NDSIInstallDSProduct: Successfully Configured NMAS service
Jan 14 15:10:31  NDSIInstallDSProduct: Unloading libnmasinst
Jan 14 15:10:31  NDSIInstallDSProduct: Done
Jan 14 15:10:31  NDSIInstallDSProduct: Returning 0.
Jan 14 15:10:31  DHModuleInit_dsi: Returning 0.
Jan 14 15:10:37  SPM DClient already started (2)
Jan 14 15:10:41  DHModuleExit_dsi: libdsi module.
Jan 14 15:12:05  DHLog: Insert Setting log file path ACS
Jan 14 15:12:05  DHLog: Error in opening logFile /var/opt/novell/xad/log/ndsd.log., Err: 2.  Messages will be logged to ndsd.log
Jan 14 15:12:05  Trace Utility for Novell eDirectory 8.8 SP7 v20702.02  started
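
The failing and successful log patterns shown in this document can be told apart mechanically. The script below is an added example, not part of the original TID or of any Novell tooling; its function names and result labels are this example's own, and the sample excerpts are constructed from the log lines quoted above.

```shell
#!/bin/sh
# Added example: triage eDirectory install logs against this TID's signature.
# Function names and result labels are this example's own.

# Print "<service> <err>" for the first failed "Configuring ... service" line.
first_failed_service() {
    sed -n 's/^.*Configuring \([A-Za-z]*\) service\.\.\. Failed.*err=\(-[0-9]*\).*$/\1 \2/p' "$1" | head -n 1
}

# Print the ccode reported by pkiInstallCreatePKIObjects in ndsd.log, if any.
pki_ccode() {
    sed -n 's/^.*pkiInstallCreatePKIObjects (ccode = \(-[0-9]*\)).*$/\1/p' "$1" | head -n 1
}

# classify Y2LOG NDSDLOG -> CA_PROBLEM | OTHER_FAILURE:<svc err> | SAS_OK | INCONCLUSIVE
classify() {
    failed=$(first_failed_service "$1")
    ccode=$(pki_ccode "$2")
    if [ "$failed" = "SAS -603" ] || [ "$ccode" = "-603" ]; then
        echo "CA_PROBLEM"            # check CA reachability and hostServer
    elif [ -n "$failed" ]; then
        echo "OTHER_FAILURE:$failed" # a different service failed; not this TID
    elif grep -q 'Configuring SAS service\.\.\. Done' "$1"; then
        echo "SAS_OK"
    else
        echo "INCONCLUSIVE"          # SAS step not reached or not logged
    fi
}

# Constructed sample excerpts, built from the log lines quoted in this document.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/y2log.fail" <<'EOF'
Configuring LDAP service... Done
Configuring SNMP service... Done
Configuring SAS service... Failed to configure SAS service: no such attribute err=-603
EOF
cat > "$tmp/ndsd.fail" <<'EOF'
SecurityInstall: Error from pkiInstallCreatePKIObjects (ccode = -603)
NDSIInstallDSProduct: Returning -603
EOF
cat > "$tmp/y2log.ok" <<'EOF'
Configuring SNMP service... Done
Configuring SAS service... Done
Configuring NMAS service... Done
EOF
: > "$tmp/ndsd.ok"   # no PKI error lines in a successful install

echo "failed install:     $(classify "$tmp/y2log.fail" "$tmp/ndsd.fail")"
echo "successful install: $(classify "$tmp/y2log.ok" "$tmp/ndsd.ok")"
```

A CA_PROBLEM result corresponds to the situation this document addresses; OTHER_FAILURE means a different service failed and the CA steps here may not apply.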

A YouTube video titled "ndsconfig error 74" can be viewed for more information on this issue.