Troubleshooting iManager 1.2 issues on NetWare 6
(Last modified: 05Feb2003)
This document (10078877) is provided subject to the disclaimer at the end of this document.
Troubleshooting iManager 1.2 issues on NetWare 6.
Novell Apache on NetWare
Novell Tomcat on NetWare
Novell NetWare 6.0
Novell eDirectory 8.7 for All Platforms
Error: "Page not found" when attempting to load iManager URL
Can't login to iManager
After logging into iManager, no Roles or Tasks are displayed or there are Rights issues.
Not all iManager Roles are displayed when selecting configure roles.
With the release of NetWare 6, Novell included the 1.2 version of its Web based management console, iManager. This release of iManager works with eDirectory version 8.6, is only supported on the NetWare 6 OS, and has limited functionality. Through a Web browser you can manage DHCP, DNS, iPrint, Licenses, and simple objects.
With the release of eDirectory 8.7 Novell has released iManager 1.5. This version of iManager is supported to run on NetWare 6 (not supported on NW 5.1), Windows NT/2000 server, and various flavors of UNIX. In order to use all the features of iManager 1.5 you should have eDirectory 8.7 installed. This release of iManager is very full featured and allows you to do many of the administrative functions you can do in NWADMIN32, ConsoleOne, NDS Manager, and DS Repair.
The information contained in this document covers troubleshooting iManager version 1.2, although many of the same steps can be used to troubleshoot iManager 1.5.
The URL for logging into iManager on NetWare is: https://ipaddress:2200/eMframe/iManager.html This URL is case sensitive. You should also be able to access iManager by going to https://ipaddress:2200 and selecting eDirectory iManager. This URL displays the NetWare Web Manager home page with links to certain services.
You obtain iManager 1.2 by installing NetWare 6 and selecting NetWare Web Access as one of the optional items to install. There is not a separate install for iManager 1.2 that is available for download. Make sure you have done this. The files for iManager are stored on the server in the /webapps/eMFrame directory. It is a good idea to quickly verify the existence and integrity of these files. Remember that some of the directory names and files are case sensitive.
SSL is required for iManager to work.
To reach the iManager URL you must have SSL properly configured and running on the server you are connecting to. Verify the existence and configuration of the SSL and SAS NDS objects for the server you are attempting to connect to.
SAS Service Servername (verify the IP address configured on this object is correct)
SSL CertificateDNS Servername
SSL CertificateIP Servername
One way to verify if SSL is binding correctly on a server is to launch TCPCON, select Protocol Information, TCP, hit Enter, then look for ports 443 (default SSL port) and 636 (default SSL port for LDAP). If you do not see these, SSL is not working and the iManager page will not load.
Apache / Tomcat Web server information
The Web server and Web application server used by iManager is Apache / Tomcat. Port 2200 is the default port used. Port 2200 is actually the Apache web server port which is redirected to the Tomcat web apps servers. Because of the dependence on Tomcat and Apache, iManager is not currently supported on NetWare 5.1.
To access iManager directly you do not need PORTAL.NLM or HTTPSTK.NLM running on the server. However, to access iManager through the NetWare Remote Manager (NRM) page you must have PORTAL and HTTPSTK running. NRM uses HTTPSTK as its web server and does not require Apache / Tomcat to be running.
Steps to troubleshoot "Page not found" error when attempting to load iManager URL
In addition to making sure ports 443 and 636 are bound in TCPCON, you must also have port 2200 bound. If you do not see port 2200 in the list of bound TCP ports in TCPCON, the iManager page will never load. One reason port 2200 will not bind is because SSL is not configured or working properly on that server. Another reason port 2200 will not bind is because there is a problem in the Apache configuration.
Open and examine the following files and make sure the correct IP address is used and the correct port numbers are used for SSL (443) and LDAP (636). Also, if you change the servers IP address you will need to modify most of these files.
You can stop and start Apache on the server by executing NVXADMDN and NVXADMUP. When doing this look at the NW 6 logger screen for any errors.
Steps to troubleshoot iManager login problems
When you do get the iManager login screen you are asked to enter a username, password, context for the user, and tree name. If you are having problems logging in or authenticating use the IP address of the server you have iManager installed on in place of the tree name. Also make sure you have connectivity to this server from the client by pinging the IP address.
Details on why no iManager Roles or Tasks are displayed
One of the most common issues seen with iManager 1.2 is a user logs in and sees a message stating no Roles or Tasks are assigned to this user in the left most frame of the browser even though the configuration does show Roles assigned to this user. To fully understand what is occurring it is important to understand Role Based Service (RBS) objects in the directory. A discussion of RBS objects is provided at the end of this document.
When a user logs into iManager the Roles and Tasks displayed are a result of that user being configured for those Roles and Tasks. By default the Admin user should be assigned to all Roles and Tasks, however sometimes this does not occur properly. To check the Roles and Tasks assigned to Admin or to assign Roles and Tasks to another user select the Configure button at the top. This is the icon that looks like a person sitting behind a desk. Next select Role Management, then modify Role. You should see all available Roles and Tasks in the main frame. Select the Members icon and make sure Admin is a member of every Role and that a Scope is also set.
A note about scopes: A scope is simply a realm of administration you set for a particular user. This defines where in the tree a user can perform this management function. In iManager 1.2 the default scope for Admin is the tree root. It is suggested that you change this to be the top Organization in the tree. If you have multiple Os at the top of your tree, configure multiple scopes.
Another reason no Roles or Tasks are displayed is that a failure has occurred in resolving one or more of the RBS configuration settings for that user. When a user is configured for a particular Role, attributes are added to the user object which give that user rights to perform that administrative function. Two important attributes that are added to the user object are Group Membership and Security Equals. When this user logs into iManager, iManager performs a name resolution for the value of these attributes. If any of this name resolution fails, no Roles or Tasks will be displayed after logging in.
For example: The Admin user is configured for the Role DHCP Management with a scope of O=Novell. The following attributes are added to the Admin user object.
rbsAssignedRoles Value of CN=DHCP Management
Group Membership Value of CN=Novell
Security Equals Value of CN=Novell
Reference Values of "DHCP Management and CN=Novel"l
Upon login iManager does an NDS name resolution for CN=Novell. If this fails, or if the Admin user object is missing the Group Membership or Security Equals attribute CN=Novell, then no Roles or Tasks will be displayed for user Admin.
A current known issue is when you have a tree with servers in it that where upgraded from NetWare 4.x to NetWare 6. NetWare 4 used UNICON and placed certain UNICON Group Membership attributes onto the Admin user. One of these is membership in the group Unicon User/Group Manager. When iManager logs in and authenticates, it does a name resolution for every Group Membership attribute on that particular user, even those attributes that may have nothing to do with RBS and iManager. There is an issue with iManager and its attempt to resolve the Unicon User/Group Manager Group Membership. It fails to do this because of the / in the group name. The work around to this issue is to rename this group so it does not have a / or remove the user from the group. This issue is resolved and no longer a problem in iManager 1.5.
Steps to Troubleshooting no Roles or Tasks displayed
-Make sure the user, such as Admin, is configured for all roles and tasks desired and that a scope is defined on each role.
-Enable DSTRACE on the server to view NDS name resolution. This will help in determining if there is an issue with the users attributes. You can use NDS iMonitor to configure and view DSTRACE activity. Select to trace Name Resolution, start the trace, login to iManager, then view the log. To view DSTRACE activity at the server console perform the following.
Login to iManager so that the error occurs.
Now view the file sys:\system\dstrace.dbg and search for any errors.
-Use DSBROWSE or NDS iMonitor and make sure the proper attributes exist on the user you are authenticating into iManager with. If they do not, then remove that user from all Roles and then reassign that user to all roles desired. This should recreate the proper RBS attributes for that user.
Details on Role Based Services and NDS rights.
To grant rights to perform NDS management functions, RBS or iManager does not rely upon the ACLs assigned to a user. Instead the scope setting and values of the Security Equals and Group Membership attributes determine the rights a user has in RBS.
A Scope in iManager defines the context in the tree where a particular role / task can be executed. For example a tree has an OU=West and OU=East under the top O of the tree. A user is configured as a member of the DNS Management role with a scope of OU=East. This user will only be able to administer DNS in the context OU=East. Rights granted a user in iManager do carry over to the rights a user would have using ConsoleOne.
Steps to troubleshoot not all roles are displayed when selecting configure roles
If you do not see all the roles you think you should under Role Management / Modify Role, select Role Based Services Setup and then Install plug-in. All available iManager plug-ins that reside on that server will be displayed. Select those plug-ins that are missing from the Modify Role list and install them.
Role Based Services eDirectory objects
The NDS schema must be extended to support iManager. Role Based Services defines certain schema class and attribute definitions which all start with rbs. When role based services are configured the following objects and attributes can be found in NDS. You can view these using DSBROWSE or NDS iMonitor.
Object class rbsCollection: Has a default of value of cn=Role Based Service and contains normal NDS attributes for an object. Parent container for rbsRole and rbsModule objects.
Object class rbsModule: Child object of rbsCollection. Parent container for specific tasks in an area of administration such as cn=dnsdhcp or cn=iPrint.
Object class rbsTask: Child object of rbsModule. Defines specific tasks for a module. For example the rbsModule dnsdhcp will contain rbsTask objects such as Address Range Management, DHCP Server Management, and DNS Server Management.
Object class rbsRole: Child object of rbsCollection. Defines roles available and that can be assigned to specific users. The cn= of these objects are what is displayed on the left side panel when logging into iManager. Parent container for rbsScope objects.
Object class rbsScope: Child object of rbsRole objects. Each time a different scope is defined for use with a rbsRole, a rbsScope object is created. The scope simply defines an area of administration in the tree where a Role can be used by a particular user.
When a user is assigned to specific roles, that user object will have the following rbs related attributes
-rbsOwnedCollections (Only present of user is made a collection owner)
-rbsAssignedRoles (Multivalued attribute)
-Group Membership (multivalued attribute with names of scopes assigned)
-Security Equals (holds the name of scopes)
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.