While using ndsbackup to back up a container that has many objects (a million, for example), it might take some time to build the list of objects in the container before their individual backups start.
Repeated eDirectory logins can use up the available memory. Disable the Login Update attribute using iMonitor to overcome this problem.
Time-related statistics are maintained for every event thrown and consumed in eDirectory. This information is useful for troubleshooting event consumer issues. These statistics are not required for normal functioning of the directory; therefore, they are disabled for performance reasons. Event statistics can be enabled at runtime by using iMonitor advanced configuration parameters.
To view the event statistics, set the ENABLE_EVENT_STATISTICS parameter and restart the server. It is a permanent configuration parameter.
On Linux platforms, eDirectory uses Google malloc (libtcmalloc) as the default memory allocator.
To track memory corruption issues, set the MALLOC_CHECK_ environment variable in the ndsd startup script. The startup script checks for this variable: if it is set, the default system malloc is used; otherwise libtcmalloc is loaded.
MALLOC_CHECK_ Settings in ndsd
When MALLOC_CHECK_ is set to 0, any detected heap corruption is silently ignored.
When MALLOC_CHECK_ is set to 2, abort is called immediately.
Aborting early helps identify the real cause of the memory corruption, which might be difficult to track down later.
Sometimes the OES Linux server fails to detect a client host that has gone down abruptly because of a workstation crash or a power outage. The connection then remains active for the default timeout (about 12 to 15 minutes) before it is cleared. If you have set the concurrent connections to 1, it is recommended that you either terminate the connection manually or wait for the estimated timeout before logging in again. This situation occurs when the watchdog process fails to close the connection cleanly: if the concurrent connections are set to 1 and the connection is not cleared by the watchdog, users cannot log in. The Linux kernel provides three parameters that change how keepalive probes work from the server side. Use these parameters to implement a workaround at the TCP level.
These parameters are available in the /proc/sys/net/ipv4/ directory.
tcp_keepalive_time: Determines how long a connection may stay idle before TCP starts sending keepalive packets to keep it alive. This value is used only when keepalive is enabled.
tcp_keepalive_time takes an integer value in seconds. The default value is 7200 seconds, or 2 hours. This works well for most hosts and consumes few network resources. Setting this value too low burdens your network with unnecessary traffic.
tcp_keepalive_probes: Determines how many TCP keepalive probes are sent before the connection is declared broken.
tcp_keepalive_probes takes an integer value; a value below 50 is recommended, depending on your tcp_keepalive_time and tcp_keepalive_intvl values. The default is 9 probes before the application is informed of the broken connection.
tcp_keepalive_intvl: Determines how long to wait for a reply to each keepalive probe before sending the next one. This value is important for calculating the time before a connection is dropped by keepalive.
tcp_keepalive_intvl takes an integer value; the default is 75 seconds. So 9 probes at 75 seconds each take approximately 11 minutes. The default values of tcp_keepalive_probes and tcp_keepalive_intvl can be used to evaluate the default time before the connection is timed out because of keepalive.
Modify these three parameters so that the change does not generate much extra network traffic and still solves the problem. A sample modification could be as follows (a 3-minute detection time):
tcp_keepalive_time - 120
tcp_keepalive_probes - 3
tcp_keepalive_intvl - 20
NOTE: Be careful with the parameter settings and avoid values that would drop connections that are still valid.
The settings take effect immediately after the files are modified; you need not restart any services. However, the settings are valid for the current session only. Once the server is rebooted, the settings revert to the defaults.
To make the setting permanent (even after a reboot), do the following:
Add the following entries to /etc/sysctl.conf.
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_keepalive_probes=3
net.ipv4.tcp_keepalive_intvl=20
We recommend these settings only if all the clients and servers are connected through LAN.
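The detection-time arithmetic above (tcp_keepalive_time plus tcp_keepalive_probes times tcp_keepalive_intvl), as an added shell example that is not part of the eDirectory documentation. It reads the live values from /proc when available, parses the same three keys from a sysctl.conf-style file, and embeds a constructed sysctl.conf fragment with the 3-minute sample settings.

```shell
# Added example (not from the eDirectory documentation): how long a dead client
# connection lingers for a given keepalive configuration.

# Detection time in seconds: the idle period before the first probe plus one
# probe interval for each of the unanswered probes.
keepalive_detection_time() {
    echo $(( $1 + $2 * $3 ))
}

# Live kernel values; falls back to the kernel defaults (7200 / 9 / 75)
# where /proc is unreadable, e.g. in a sandbox.
current_detection_time() {
    d=/proc/sys/net/ipv4
    t=$(cat "$d/tcp_keepalive_time" 2>/dev/null || echo 7200)
    p=$(cat "$d/tcp_keepalive_probes" 2>/dev/null || echo 9)
    i=$(cat "$d/tcp_keepalive_intvl" 2>/dev/null || echo 75)
    keepalive_detection_time "$t" "$p" "$i"
}

# conf_value FILE KEY DEFAULT: value of "KEY = VALUE" in a sysctl.conf-style
# file (comments ignored; the last occurrence wins, as with sysctl itself),
# or DEFAULT when the key is absent.
conf_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    v=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1)
    echo "${v:-$3}"
}

# Detection time implied by a sysctl.conf fragment; absent keys keep defaults.
sysctl_conf_detection_time() {
    t=$(conf_value "$1" net.ipv4.tcp_keepalive_time 7200)
    p=$(conf_value "$1" net.ipv4.tcp_keepalive_probes 9)
    i=$(conf_value "$1" net.ipv4.tcp_keepalive_intvl 75)
    keepalive_detection_time "$t" "$p" "$i"
}

# Constructed sample: the persistent 3-minute settings from the text.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample fragment of /etc/sysctl.conf
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_keepalive_probes=3
net.ipv4.tcp_keepalive_intvl=20
EOF
}

echo "kernel defaults: $(keepalive_detection_time 7200 9 75)s"   # 7875s, about 2h11m
echo "this host:       $(current_detection_time)s"
```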
Import the user objects with a simple password and then enable Universal Password for the container into which the user objects are imported. Stop the DS server, set the environment variable NDSD_TRY_NMASLOGIN_FIRST=true, and then start the DS server. When you run ldapsearch for the user objects that were imported with a simple password, you get the following error:
ldap_bind: Unknown error, additional info: NDS error: system failure (-632)
To resolve this issue, set the default login sequence to simple password for the container into which the user objects are imported before running ldapsearch for those user objects.
When LDAP requests NMAS to log in a user, NMAS uses the default login sequence. If you do not specify a default login sequence for these users, it uses the NDS sequence. If these users were not given an NDS password when you imported them, the NDS sequence does not work. If you enable Universal Password, the simple password is synchronized with the NDS password and the Universal Password when the user logs in with the simple password.
An eDirectory administrator can disable SecretStore on Linux using the following procedure:
Go to the nds-modules directory and rename or move the following SecretStore modules:
Restart the server.
An eDirectory administrator can disable SecretStore on Windows using the following procedure:
Go to the novell\nds directory and rename or move the following SecretStore modules:
Restart the server.
The dsbk.conf file is located in /etc instead of the location relative to the specific instance of eDirectory.
ldif2dib fails to open the default log file, ldif2dib.log, when the dib directory is relocated to a custom location.
To work around this issue, explicitly provide the log file location by using the -b switch.
In some situations, the eDirectory service (ndsd) does not start after a system crash or a power failure. To start eDirectory again, do the following:
Delete the /var/opt/novell/eDirectory/data/ndsd.pid file.
Run the /etc/init.d/ndsd start command.
With all tags enabled, ensure you do not run DSTrace on the following:
A heavily loaded system in journal mode: it causes ndsd memory to build up.
Servers in inline mode: it crashes ndsd.
If a client performs an unauthenticated search operation when anonymous binds are disabled, the LDAP server responds with the bind result inappropriateAuthentication instead of the search result operationsError.
In eDirectory 9.0, if you configure a new instance in a custom location while the default instance server is down, the new instance takes over the default instance's ports. The default instance then does not come up, because its ports have been allotted to the custom-location instance.
Follow the procedure in Troubleshooting Ports with Custom eDirectory 8.8 Instances before rebooting the host.
Only the default instance, created using the default instance binaries, is started after a reboot.
You can set the paths and use ndsmanage to start the other instances.
When you have more than one eDirectory instance, the second and subsequent instances try to listen on the default port 524 instead of their NCP port on the loopback address.
To work around this issue, set the n4u.server.tcp-port parameter of the second instance to the port that it is supposed to listen on. The n4u.server.tcp-port parameter is located in the nds.conf file.
IMPORTANT: All eDirectory instances must be up before upgrading to eDirectory 9.0.
In LDAP transaction support, the supportedGroupingTypes and transactionGroupingType OIDs are the same (2.16.840.1.113719.1.27.103.7).
The -5871 and -5875 errors in the LDAP trace are usually caused when an LDAP client closes its connection forcibly without performing an unbind. These errors are therefore not a concern and can be ignored. For more information on these errors, refer to the NetIQ Error Codes Web site.
If you rename the tree on the primary server and shut down DHost on the secondary server, the NDSCons utility reports the transport failure error (-625) on the secondary server while DHost keeps running on both the primary and secondary servers. The error occurs because NDSCons was running on the secondary server when the tree was renamed on the primary server. NDSCons works fine if you close it and then restart it.
NOTE: Tree rename is not a supported operation if you have EBA-enabled servers in the tree.
To work around this issue,
Disable, in the configuration file, the NICs that slow down ldapsearch performance.
or
Enable Advanced Referral Costing (ARC) by using the set NDSTRACE =!ARC1 command in DSTrace.
You cannot limit the number of concurrent connections on Linux platforms. To revert to the old behavior (strict port-based checking), set the following parameter in the nds.conf file.
n4u.server.mask-port-number=0
If you do not have an SLP Directory Agent (DA) configured on your network, finding services that use SLP may take longer. During eDirectory shutdown, ndsd tries to perform operations using SLP that may take longer than the init script normally allows, causing a forced shutdown.
To work around this issue:
Create an empty file named hosts.nds in the config directory. The config directory of a server can be obtained by running the ndsconfig get n4u.server.confdir command.
Set the NDS_USESLP environment variable to 0 by adding export NDS_USESLP=0 to /opt/novell/eDirectory/sbin/pre_ndsd_start.
Restart eDirectory.
After NLDAP is stopped, you need to restart the server to load NLDAP.
The NetIQ SecretStore functionality does not work over LDAP. To resolve this, you need to refresh LDAP through iManager.
SecretStore locks if you try to retrieve a forgotten password by logging in with user credentials and a wrong passphrase. You can unlock SecretStore with administrator rights, and the NetIQ SecureLogin client allows you to log in without a passphrase. If you try changing the passphrase, the login fails and returns an error.
When you try to save new credentials in SecretStore by using the iManager plug-in, a blank credential column is displayed because iManager fails to save the changes.
You can change the credentials from the SecretStore iManager plug-in only by logging in as a user instead of an administrator.
When you save an alternate credential set, SecretStore fails to retain the first set and only the latest credential set is visible.
You can change the credentials from the SecretStore iManager plug-in only by logging in as a user instead of an administrator.
If you upgrade to eDirectory 9.0 from a lower version, the HTTP server continues to use the SSL CertificateIP even after the certificate has expired. This is because eDirectory 8.8 SP8 does not maintain SSL CertificateIP and does not reissue one even if the SSL CertificateIP expires or is deleted.
Hence, if the SSL CertificateIP expires or is deleted, you must either create it manually by using the iManager plug-in or use SSL CertificateDNS instead of SSL CertificateIP.
Two sets of LDAP tools (ldapadd, ldapconfig, ldapdelete, ldapmodify, ldapmodrdn, and ldapsearch) exist on a SLES system (with the openldap2-client rpm) that has eDirectory installed: one in /usr/bin, installed by the SLES operating system, and the other in /opt/novell/eDirectory/bin, installed by eDirectory.
Though the basic functionality of both sets of LDAP tools is the same, each set adds its own features on top of it. Which set is used depends on the order of directories in the PATH environment variable, so the available features can also differ.
ldapsearch does not return any result when the bind user does not have read rights to all the attributes that are part of the search filter.
To work around this issue, ensure that the bind user has read rights to all the attributes that are part of the search filter.
Virtual List View (VLV) displays an error message with eDirectory 9.1 when not all partition replicas are present on the eDirectory server where VLV is run.
Ensure that all partition replicas are present on the eDirectory server where VLV is run.
If you move the datadir to a new location after configuring eDirectory on SLES 12 or later, perform the following steps:
Update the location of the ndsd.pid file in the service file found in /usr/lib/systemd/system/.
For example, when the nds.conf file is originally located in /etc/opt/novell/eDirectory, the service file is created with the following name:
/usr/lib/systemd/system/ndsdtmpl-etc-opt-novell-eDirectory-conf-ds.conf@.service
Reload the daemon by using the systemctl daemon-reload command.
Restart the eDirectory server.
eDirectory installation fails when the Windows execution policy for PowerShell is set to Restricted.
To work around this issue, set the Windows execution policy for PowerShell to RemoteSigned.
When an LDAP bind operation is performed for the same user on multiple servers at the same time, the operation might succeed on one server and synchronize to the next replica server immediately. However, because the time stamps of the operation differ between servers, the login might fail with error code -659.
To fix this issue, set the NDSD_CC_SKULK_DELAY environment variable to 5 or greater. For more information, see Synchronization Method. If you still get the same error, keep NDSD_CC_SKULK_DELAY at 5 or greater and also set the newly introduced NDSD_RETRY_MODIFY environment variable to true.
NOTE:
Setting the above environment variable might impact eDirectory performance, because the server retries the same operation with a delay of 100 ms up to a maximum of 2 seconds.
The eDirectory server must be stopped before setting the NDSD_RETRY_MODIFY environment variable. Restart the server once the environment variable is set.
If you set the NDSD_CC_SKULK_DELAY environment variable to a value less than 5, the NDSD_RETRY_MODIFY environment variable has no effect.
From eDirectory 9.2.5 onward, when either of the high-valued attributes DirXML-EntitlementResult and oidpInstanceData exceeds a default threshold value, eDirectory generates a DSE_HIGH_VALUED_ATTR event. This information is logged to the hvAttr-alert.log file located at:
Linux: /var/opt/novell/eDirectory/log
Windows: C:\NetIQ\eDirectory
The base threshold for the DirXML-EntitlementResult attribute is 5000, and the event is generated again for every subsequent 500th value. For the oidpInstanceData attribute, the base threshold is 16 KB. These are the default values.
To disable the alert on Linux, add the NDSD_DISABLE_HIGHVALUED_ATTRIBUTES_ALERT environment variable to the env file in the /etc/opt/novell/eDirectory/conf directory and set its value to true. On Windows, go to Control Panel > System > Advanced System Settings > Environment Variables > System Variables > New, add the new variable NDSD_DISABLE_HIGHVALUED_ATTRIBUTES_ALERT with the value true, and then restart the system.