16.3 Verifying That the LDAP Server Is Running

After the LDAP server is loaded, verify that it is running. Then verify that a device is listening.

16.3.1 Scenarios

Typically, the LDAP server runs as soon as it is loaded. However, either of two scenarios can prevent the server from running properly.

Scenario: The Server Is in a Zombie State. The LDAP server loads as long as the DHost Loaders can resolve external dependencies. However, the LDAP server doesn’t run properly until it can get a valid configuration from the two configuration objects (the LDAP Server and LDAP Group objects).

While the LDAP server is in a loaded-but-not-running (zombie) state, it periodically tries to find and read the configuration objects. If the objects are misconfigured or corrupted, the LDAP server stays in the zombie state until the server (nldap.nlm, nldap.dlm, libnldap.so, or libnldap.sl) is unloaded or taken down.

The Loaders show that the LDAP server is loaded, but no LDAP ports (389, 636) are opened by nldap.nlm (or nldap.dlm, libnldap.so, or libnldap.sl). Also, no LDAP client requests are serviced.

DSTrace messages will show the periodic attempts and the reason why the server cannot come up to the running state.

Scenario: Denial of Service . At Digital Airlines, the server is processing a very long (20 minutes or more) search operation. The search is, in effect, looking for a needle in a haystack.

During this search, Henri does one of the following:

  • Changes a configuration parameter and updates a configuration object.

  • Clicks Refresh Server Now.

  • Unloads the LDAP server (nldap.nlm, nldap.dlm, libnldap.so, or libnldap.sl).

  • Tries to take the entire server down.

The LDAP server waits until all current operations complete before applying any new update. The server also postpones new operations from running until the update is complete. This delay can cause the server to appear to stop responding to new requests until the search is done and the server can refresh itself. Or the server appears to hang during the unload.

If the search request is long but has many hits, and Henri unloads the LDAP server, it aborts the search and quickly unloads when the next hit is returned to the client. However, if the search request has only one or no hits in 20 minutes, the LDAP server isn't able to abandon the NDS® or eDirectory request in progress.

For a refresh or update, the search will not be aborted even if it has many hits to return to the client.

16.3.2 Verifying That The LDAP Server Is Running

To verify that the LDAP service is running, use the NetIQ Import Conversion Export Utility (ICE). At a workstation, run ice.exe or use NetIQ iManager.

Using NetIQ iManager

To verify that the LDAP server is functional by using NetIQ iManager, follow steps in Exporting Data to a File.

If you enter an IP address and a port number and then get a connection, the server is functional. Otherwise, you receive an error message. Download (view) either the log file or the export file.

16.3.3 Verifying That A Device Is Listening

Verify that a device is listening on port 389.

  1. At the command line, enter

    netstat -a

  2. Find a line where the local address is servername:389 and the state is LISTENING.

If one of the following situations occurs, run NetIQ iMonitor:

  • You are unable to get information from the ICE utility

  • You are uncertain that the LDAP server is handling LDAP requests

For information on NetIQ iMonitor, see Configuration Files and Configuring Trace Settings.

For information on LDAP requests, see Communicating with eDirectory through LDAP in the NetIQ eDirectory 8.8 SP8 Installation Guide.