I.13 Troubleshooting NMAS

NMAS Error Codes

A complete list of NMAS error codes can be found in the NMAS NDK.

Login Method and Sequence Issues

  • For products to use NMAS login methods properly, at least one NMAS server in the eDirectory partition needs to hold a R/W replica of the User objects that will be using NMAS.

  • Not all login or post-login methods use the initial password field when they are activated. If you are prompted to enter a password, you can ignore the password field and close it.

  • Two password methods, such as Simple and NDS, cannot be used in an AND sequence if the Novell Client is set to display the password field, which is the default.

Administration Issues

  • You must give explicit rights to users with graded authentication. Inherited rights do not work. For example, an administrator’s Supervisor right is defined at the [Root] container. Rights for the administrator are not defined in the Volume object. If the administrator changes the volume’s security label from Logged In to any other security label, the administrator cannot get the appropriate rights. The administrator must assign explicit rights to the volume, directories, or files in the volume.

  • If Universal Password is enabled and you attempt to set the simple password, a -1697 error message is returned.

  • eDirectory utilities such as DSBackup (ndsbackup), DSRepair (ndsrepair), and DSMerge (ndsmerge) work with NDS passwords alone but do not work with the NMAS Simple password. eDirectory 9.0 uses Universal Password.

    For information on Universal Password, see the NetIQ Password Management 3.3.2 Administration Guide.

  • Clicking OK or switching between tabs when creating or renaming a label always creates or renames the label even if you respond No to the Save Changes made for Labels? prompt. You must click the Cancel button to cancel any changes. After a label is created, it cannot be deleted. However, you can rename it to an unused name, such as Unused_x.

  • When you use XDAS auditing for NMAS, the DN in the following events is not generated in LDAP notation.

    • 00290035 SASL Mechanism Result

    • 00290061 Set Login Configuration

    • 00290062 Get Login Configuration

    • 00290064 Set Login Secret

    NOTE: The ID (for example, 00290035 or 00290061) specifies the NMAS event ID as mentioned in the lsc file. The NMAS event ID is part of the subEvent field in the XDAS format.

Unable to Log In Using Any Method on Linux

After installing and configuring NMAS, restart the eDirectory server.

If you reinstall a method after uninstalling a previous instance of that method, restart the eDirectory server.

The User Added Using the ICE Utility Is Unable to Log In Using Simple Password on Linux

While adding users with simple passwords through the NetIQ Import Conversion Export utility, use the -l option.

SLP_NETWORK_ERROR(-23) Occurs in Windows Machines

The Service Location Protocol (SLP) query returns -23 SLP_NETWORK_ERROR on a virtual machine that has a DHCP address, or on a physical or virtual machine on which SLP is not broadcast.

You can avoid the SLP error by configuring the Directory Agent in your network in one of these ways:

  1. Copy the C:\Windows\System32\Novell\eDir\OpenSLP\slp.conf file to the c:\Windows\ directory.

  2. Open the slp.conf file by using a text editor and change the following line:

    ;net.slp.DAAddresses = myDa1,myDa2,myDa3

    to

    net.slp.DAAddresses = <Give your DA Address>

  3. Save the changes, then close the file.

OR

  1. Copy the C:\Windows\System32\Novell\eDir\OpenSLP\slp.conf file to the c:\Windows\ directory.

  2. Open the slp.conf file by using a text editor and change the following line:

    ;net.slp.isDA = true

    to

    net.slp.isDA = true

  3. Save the changes, then close the file.
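
The two alternatives above, scripted as an added PowerShell example (not part of the NetIQ documentation): it copies slp.conf, then uncomments and sets either net.slp.DAAddresses or net.slp.isDA. The function name Set-SlpDirectoryAgent, the .bak backup, the address validation and the sample address 192.0.2.10 are assumptions for illustration; run it from an elevated session, because it writes to C:\Windows.

```powershell
# Added example, not NetIQ code. Paths are the ones given in the steps above.
function Set-SlpDirectoryAgent {
    [CmdletBinding(DefaultParameterSetName = 'UseDA')]
    param(
        # Option 1: point this machine at existing Directory Agents.
        [Parameter(Mandatory, ParameterSetName = 'UseDA')]
        [ValidatePattern('^[A-Za-z0-9.\-]+$')]   # reject spaces, commas, newlines
        [string[]]$DAAddresses,

        # Option 2: make this machine a Directory Agent.
        [Parameter(Mandatory, ParameterSetName = 'BeDA')]
        [switch]$IsDA,

        [string]$Source      = 'C:\Windows\System32\Novell\eDir\OpenSLP\slp.conf',
        [string]$Destination = 'C:\Windows\slp.conf'
    )

    if ($PSCmdlet.ParameterSetName -eq 'UseDA') {
        $key = 'net.slp.DAAddresses'; $value = $DAAddresses -join ','
    } else {
        $key = 'net.slp.isDA'; $value = 'true'
    }

    # Step 1: copy the shipped file. Keep a backup of any existing copy
    # (assumption: the page does not mention a backup).
    if (Test-Path -LiteralPath $Destination) {
        Copy-Item -LiteralPath $Destination -Destination "$Destination.bak" -Force
    }
    Copy-Item -LiteralPath $Source -Destination $Destination -Force

    # Step 2: replace the commented (;) or already active line for the key.
    # Lines starting with '#' are descriptive comments and are left alone.
    $pattern = '^\s*;?\s*' + [regex]::Escape($key) + '\s*=.*$'
    $found = $false
    $lines = foreach ($line in Get-Content -LiteralPath $Destination) {
        if ($line -match $pattern) { $found = $true; "$key = $value" } else { $line }
    }
    if (-not $found) { $lines = @($lines) + "$key = $value" }

    # Step 3: save the file without a byte-order mark.
    Set-Content -LiteralPath $Destination -Value $lines -Encoding ASCII
}

# Constructed sample calls (192.0.2.10 is a documentation-range placeholder):
# Set-SlpDirectoryAgent -DAAddresses '192.0.2.10'
# Set-SlpDirectoryAgent -IsDA
```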

Incorrect Installation Path Appears in the Installation Path Field During eDirectory Installation on Windows

While installing eDirectory, if you click the Browse icon to select another location instead of accepting the default installation location, and then close the Browse dialog without selecting a folder, an incorrect installation path is displayed in the Installation Path field. This issue is found only while installing eDirectory on Windows Server 2012 Standard Edition (64-bit) and Windows Server 2012 R2 (64-bit).

To work around this issue, manually change the path to the desired location.

Adding a Server Fails if SLP is Not Configured Properly on Windows

Installing eDirectory fails while adding a server to a tree (where you have to browse your current tree), if SLPD is already installed and running. Windows displays a message, launch.exe died.

To successfully install eDirectory, perform the following steps without rebooting the system:

  1. Stop Service Location Protocol Service.

  2. Delete the C:\Windows\slp.conf file.

  3. Delete the C:\Windows\System32\Novell\eDir\OpenSLP folder.

  4. Delete the registry keys for the SLPD service under HKLM\SYSTEM\CurrentControlSet\Services\slpd.

  5. Run the setup again with the Administrator role.