Hello,

We have some ZENworks 7 and LDAP errors on a SLES 9 server to resolve. We could use some help figuring out what to do next, and we're also wondering if our errors are separate or linked.

Background: In our environment, we have three servers configured as follows:

- Server 1 = Novell NetWare 6.5, primary eDirectory and file server (IP 10.10.10.1)
- Server 2 = Novell SLES 9, primary GroupWise and ZENworks, secondary DNS, eDirectory replica (IP 10.10.10.2)
- Server 3 = Novell SLES 9, primary DNS and DHCP, eDirectory replica (IP 10.10.10.3)

I noticed a pair of errors in Server2's /var/log/messages recently. They appear every 60 seconds:

Date Time Server2 /usr/sbin/namcd[6432]: ldap_initconn: LDAP bind failed, trying to connect to alternative LDAP server
Date Time Server2 /usr/sbin/namcd[6432]: ldap_initconn: Unable to bind to alternative LDAP servers either.

I also noticed that the ZENworks inventory service now fails to load:

server2:~ # /etc/init.d/novell-zdm-inv status
Novell ZENworks Inventory server daemon dead

server2:~ # /etc/init.d/novell-zdm-inv start
Starting Novell ZENworks Inventory server daemon failed

I checked the ZENworks Automatic Workstation Inventory log (/var/opt/novell/log/zenworks/awsi.log) and found this entry repeated:

Feb 6, 2008 2:35:46 PM OS = <linux>
Feb 6, 2008 2:35:46 PM ENTER getDirContext - localhost389
Feb 6, 2008 2:35:46 PM javax.naming.CommunicationException: anonymous bind failed: localhost:636 [Root exception is javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateExpiredException: NotAfter: Sat Oct 27 11:03:18 PDT 2007]
Feb 6, 2008 2:35:46 PM No import policy found.

I also checked the ZENworks Inventory service log (/var/opt/novell/log/zenworks/inv/novell-zdm-inv.log) and found this entry repeated:

pid: 6075
Starting Inventory services. Please wait...
Corrupted or missing exceptions properties file. Using defaults.
Inventory Service Error Code 610
610: The Database Location policy is not configured.

So I started checking the logs for the LDAP error...

- I verified that eDirectory was installed, running, and current:

server2:~ # ndsstat
Tree Name: OUR_TREE
Server Name: .CN=server2.O=OUR.T=OUR_TREE.
Binary Version: 10552.79
Root Most Entry Depth: 0
Product Version: eDirectory for Linux v8.7.3.7 [DS]

- I checked the namcd service:

server2:~ # rcnamcd status
Checking for LUM NAMCD daemon NAMCD is running

- I checked the nam.conf file configuration:

/etc/nam.conf file
==================
base-name=ou=lum,o=OUR
admin-fdn=cn=admin,o=OUR
preferred-server=10.10.10.2
num-threads=5
schema=rfc2307
enable-persistent-cache=YES
user-hash-size=211
group-hash-size=211
persistent-cache-refresh-period=28800
persistent-cache-refresh-flag=all
create-home=yes
type-of-authentication=2
certificate-file-type=der
ldap-ssl-port=636
ldap-port=389
support-alias-name=no
support-outside-base-context=yes
=====================

- I checked to see that Server2 speaks LDAP:

banks2:~ # ldapconfig get -a cn=admin.o=our -w password | grep "TCP Port"
LDAP TCP Port: 389

==========================

At this point, I'm not sure how to create a plan to find and fix these problems. Are they related?

I have a hunch that I might have a certificate and/or authentication problem outside any eDirectory errors or ZENworks problems, but I don't have a lot of practical experience with "trace" and "dstrace" to find the problems. I inherited the current setup (so I don't have first-hand experience with the existing system design and configuration, just the administration and maintenance). Any thoughts or pointers would be greatly appreciated.

Thanks,

Mike O'Reilly
mikeo@banks.k12.or.us
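
Added example (editor's illustration, not part of the original post and not Novell code): a small triage script for the awsi.log excerpt above. It joins the exception that wraps onto a second line and reports how long the certificate on the LDAPS endpoint had been expired when the entry was written. The function names, the time zone table, and the server's UTC offset (the log timestamps carry none) are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the awsi.log entries quoted in the post above.
SAMPLE_LOG = """\
Feb 6, 2008 2:35:46 PM OS = <linux>
Feb 6, 2008 2:35:46 PM ENTER getDirContext - localhost389
Feb 6, 2008 2:35:46 PM javax.naming.CommunicationException: anonymous bind failed: localhost:636 [Root exception is javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateExpiredException: NotAfter: Sat Oct 27 11:03:18 PDT 2007]
Feb 6, 2008 2:35:46 PM No import policy found.
"""

# Assumption: only these zone abbreviations are mapped; extend for other sites.
TZ_OFFSETS = {"PST": -8, "PDT": -7, "UTC": 0, "GMT": 0}
STAMP = re.compile(r"^([A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) ?(.*)$")
NOT_AFTER = re.compile(r"CertificateExpiredException: NotAfter: "
                       r"(\w{3} \w{3} +\d{1,2} [\d:]{8}) (\w+) (\d{4})")
ENDPOINT = re.compile(r"bind failed: ([\w.-]+:\d+)")

def split_entries(text):
    """Return [timestamp, message] pairs; a line with no timestamp continues the previous entry."""
    entries = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries and line.strip():
            entries[-1][1] += " " + line.strip()
    return entries

def expired_cert_findings(text, log_utc_offset_hours=-8):
    """Report expired-certificate entries; log_utc_offset_hours is an assumption (PST)."""
    log_tz = timezone(timedelta(hours=log_utc_offset_hours))
    findings = []
    for stamp, msg in split_entries(text):
        m = NOT_AFTER.search(msg)
        if not m:
            continue
        when, abbr, year = m.groups()
        if abbr not in TZ_OFFSETS:
            raise ValueError(f"unmapped time zone abbreviation: {abbr}")
        cert_tz = timezone(timedelta(hours=TZ_OFFSETS[abbr]))
        not_after = datetime.strptime(f"{when} {year}", "%a %b %d %H:%M:%S %Y").replace(tzinfo=cert_tz)
        logged = datetime.strptime(stamp, "%b %d, %Y %I:%M:%S %p").replace(tzinfo=log_tz)
        ep = ENDPOINT.search(msg)
        findings.append({"endpoint": ep.group(1) if ep else None,
                         "not_after": not_after.isoformat(),
                         "days_expired": (logged - not_after).days})
    return findings
```

Calling `expired_cert_findings(SAMPLE_LOG)` returns one finding for `localhost:636`; pointing it at the full log file shows whether every failed bind traces back to the same NotAfter date.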