ldap-rc="81"

Hi all.

Here is my environment:

Windows 2003sp1 (DC)
   MAD
   DNS
   DHCP
   Remote Loader
----------
Windows 2003sp1 (Member Server)
   ZENworks 7sp1
   eDIR 8.8.1
   iManager 2.6
   IDM 3.0.1

Goal: Synch user accounts/pwds between AD and eDIR, using the provided AD
driver.
Can ping the AD, DC by DNS name from both servers.
Using "NEGOTIATE" as the method of authentication.

The following appears on the remote loader in yellow.  No objects are
synching.


DirXML Log Event -------------------
    Driver  = \CHERRY\gstr\DirXML\Town\AD
    Thread  = Subscriber Channel
    Level   = retry
    Message = <message>unable to connect to Active Directory</message>
<ldap-err ldap-rc="81" ldap-rc-name="LDAP_SERVER_DOWN">
	<client-err ldap-rc="81" ldap-rc-name="LDAP_SERVER_DOWN">Server Down</client-err>
</ldap-err>

I have followed TID: 10098447 but the error still appears.

I cannot find any other documentation relative to this error.  Anyone????

TIA.
Jeff
10/19/2006 6:48:39 PM
novell.id-manager.drivers

Found this on the Remote Loader Trace Screen:

DirXML: [10/19/06 15:11:29.87]: ADDriver: Connect using ldap_bind:
user=Administrator, domain=, password=***, method=negotiate,
server=w2k3ad.gstr.net, sign=no, seal=no ssl=yes

The domain is = to Nothing.  First I tried just "Administrator"  then I
tried "LAB/Administrator" and finally "lab.com/Administrator".

I have verified that port 636 is open on the remote loader.  (Using SSL)

same error, and the line shown above does not change even when changing
login methods.
Jeff
10/19/2006 7:15:42 PM
Jeff,
> The domain is = to Nothing.  First I tried just "Administrator"  then I
> tried "LAB/Administrator" and finally "lab.com/Administrator".

Neither will work; try proper LDAP syntax, i.e. cn=homer,dc=springfield

- Anders Gustafsson, Engineer, CNE6, ASE
  NSC Volunteer Sysop
  Pedago, The Aaland Islands (N60 E20)

Novell does not monitor these forums officially.
Enhancement requests for all Novell products may be made at
http://support.novell.com/enhancement

Using VA 5.51 build 315 on Windows 2000 build 2195

Anders
10/19/2006 8:15:45 PM
Below is a small VBS script that will tell you your LDAP name.
Log on to the Windows box as the user you are trying to use and run this script.


-----------------------------------------------------------
Option Explicit
Dim oADsSysInfo

' ADSystemInfo exposes the distinguished name of the logged-on user
Set oADsSysInfo = CreateObject("ADSystemInfo")
' The " _" continuation keeps the wrapped statement on one logical line
WScript.Echo "Distinguished name of the current user: " & _
    oADsSysInfo.UserName
----------------------------------------------------------------

craig
10/19/2006 8:41:47 PM
Note:  This is your AD user, not the eDir ID, just to make sure all is clear.

craig
10/19/2006 8:42:54 PM
I tried:  cn=administrator,dc=lab

Same result.

The reason I did not use LDAP syntax is because the driver is set to
"Negotiate", and my understanding was that "Negotiate" didn't require LDAP
syntax. Or am I just not getting it?
Jeff
10/20/2006 2:52:44 AM
Logged in as the domain administrator.

Cut/pasted your script into Notepad and saved it to c:\ldap.vbs

Opened a command prompt, changed to the root of c:\ and typed

ldap.vbs

An error box pops up with the title "Windows Script Host"

Script:  C:\ldap.vbs
Line:    1
Char:    1
Error:   Expected statement
Code:    800A0400
Source:  Microsoft VBScript compilation error

Jeff
10/20/2006 3:03:21 AM
Ran the script on the DC and the following was returned:

Windows Script Host

Distinguished name of the current user: 
CN=Administrator,CN=Users,DC=Lab,DC=com
Jeff
10/23/2006 12:23:44 AM
I am now trying to use LDAP to authenticate to AD with the account:
cn=administrator,cn=users,dc=lab,dc=com

While the error is no longer in yellow, it still appears in the trace and
not a single object is synchronizing in either direction.

???   :/
Jeff
10/25/2006 3:54:51 PM
Jeff wrote:

> I am now trying to use LDAP to authenticate to AD with the account:
> cn=administrator,cn=users,dc=lab,dc=com


I've had this work in the past and it can't hurt to try.  Try 
"administrator@lab.com".

John
John
10/25/2006 5:00:11 PM
Thanks.  I tried the Administrator@lab.com, but it didn't work either.

I did find this line in the Remote Loader and wonder where the DOMAIN should
be coming from because it is blank...

DirXML: [10/25/06 13:54:23.14]: ADDriver: Connect using ldap_bind:
user=Administrator@gstr.net, domain=, password=***, 
Jeff
10/25/2006 5:57:35 PM
Figured this part out...

The domain is used in conjunction with the user account at login.  In this
instance:

LAB/Administrator

(This was another effort at the "Negotiate" method)

Uuugh.  I have deleted the driver and recreated the driver and I cannot get
away from the doggone ldap 81 error!
Jeff
10/25/2006 6:12:50 PM
I didn't see anything in the documentation that would suggest that I do the
following, but Googling suggests that LDAPS on Windows requires a
certificate to be issued and stored on the AD server.
http://support.microsoft.com/default.aspx?scid=kb;en-us;321051  However, I
reach a dead end where MS suggests sending the "Request" to a third party
(Novell? eDIR?)

Lost...
Jeff
10/25/2006 9:14:45 PM
The link you are looking at only applies if you are using an external 
certificate authority.

See http://www.novell.com/documentation/idmdrivers/ad/data/bp8clek.html 
for what the IDM documentation says about the subject.

--

Father Ramon


Father
10/25/2006 9:26:44 PM
Thank you.  That is the document I was following to set this up.  It really
doesn't seem to be that complicated to set up.  But something here isn't
right, and I have scoured this document for clues.  I have reviewed all of
the settings, read and re-read the field descriptions/rules and the darned
Remote Loader is still showing ldap 81 errors.  I have taken this apart and
re-installed it countless times.  Is there any chance that something is
wrong with Windows that might be causing this?


Jeff
10/26/2006 11:30:51 AM
On Wed, 25 Oct 2006 21:14:45 GMT, Jeff <jeff@work.com> wrote:

>I didn't see Anything in the documentation that would suggest that I do the
>following, but Googling suggests that LDAPS on Windows requires a
>certificate be issued and stored on the AD server. 

To do passwords, yes, Windows will require a secure connection. Usually
setting the driver to "negotiate" is sufficient for this.

>http://support.microsoft.com/default.aspx?scid=kb;en-us;321051  However, I
>reach a dead end where MS suggests sending the "Request" to a third party
>(Novell? eDIR?)

To get an MS certificate, you have to install their Certificate
Authority.


---------------------------------------------------------------------------
 David Gersic                                            dgersic_@_niu.edu

 I'm tired of receiving rubbish in my mailbox, so the E-mail address is
 munged to foil the junkmail bots. Humans will figure it out on their own.
dgersic_
10/26/2006 1:36:35 PM
I've exhausted, (really... I'm exhausted!) reviewing the fields, and have
gone back to the beginning.  In doing so, I am now wondering if I have not
correctly exported the certificate used by the remote loader.


1.  I created a new KMO using the standard option (called it dirxml) using
the wizard.
2.  I exported a public key certificate from the CA (did not include
the private key) as dirxml.b64.
            (This is where I am confused by the instructions...
Instructions shown below)
---------------------------------------
Exporting a Self-Signed Certificate


   5.  Select to export the file in Base64 format (for example, akranes-tree
CA.b64), then click Next.

       Radio buttons to specify the output format

   6.  Click the link to Save the Exported Certificate to a File, specify a
filename, specify a location, then click Save.

      Rootfile names require .pem as an extension.

      In the Save As dialog box, copy this file to a local directory.
---------------------------------------

     My question here is, should it be dirxml.b64 or dirxml.pem?  I've tried
both and the pem file seems to be more problematic.


3.   What did I create the dirxml KMO for?  What refers to that?


Many thanks for all with the patience to tolerate this post!
Jeff
10/26/2006 3:47:42 PM
The cert and KMO used by the Remote Loader connection have nothing at 
all to do with the AD driver's connection to AD. If the engine can 
connect to the Remote Loader and get the driver started (which then 
results in your "81" error when the driver tries to connect to AD), then 
you have the Remote Loader connection correctly configured.
--
Perin Blanchard, DevNet SysOp 43


Perin
10/26/2006 4:01:23 PM
Spent too much time on this.  Calling Novell.

Will report the solution when completed.
Jeff
10/26/2006 5:52:57 PM
Jeff,

had the same problem as you, found that the certificateIP and
certificateDNS were expired.  As our eDirectory runs only on Windows
2000/2003 and there's no equivalent to pkidiag for Windows (why Novell,
edirectory and certificate server are multiplatform why can't you make
a windows/linux version of such a cool tool) and the eDirectory/IDM2
server is a member of the AD domain, I have changed the driver
configuration to use Sealing instead of SSL and hey presto! it's all
working again.
Mark


-- 
ratclma
ratclma
10/27/2006 10:59:25 AM
Novell recommended reviewing TID 10098447.

While this TID was reviewed earlier in this process, reviewing and
reapplying seemed to help.  However, it should be noted that SSL was
disabled at this stage of testing.

The driver setting "Authentication Context" was set to the IP address of the
Remote Loader.  That didn't work.  So I changed the value back to what it
was in the first place.  After retyping the entry, the containers designated
for synchronization immediately synchronized.

Now to get it to work with SSL (SSL is required for Password Synchronization
on W2k3).  

The driver field "Remote Loader Connection Parameters" contained the values:
hostname=w2k3ad port=8090 and kmo=dirxml
dirxml is a certificate in .b64 format that was generated with eDir, saved
to the Remote Loader server and configured in the Remote Loader to read for
SSL.

Another field in the driver settings under Authentication Options is:
"Use SSL for encryption".  It was set to YES, but despite the description of
how this value is used in the online help, it should be set to NO.  Failing
to set this value to NO (rather counter-intuitive) will result in synch
failures.  As soon as the value was set to NO, objects were synchronized
using SSL.
Jeff
11/4/2006 4:16:19 AM
Documentation mentions that "Use SSL" does not refer to the SSL between 
the Engine and RL.  It is only for SSL between the AD shim (wherever it 
is) and a DC which is another box.  The only time you should ever use 
the Use SSL/Signing/Sealing options is if you have the engine or RL on a 
Member Server and no RL (in the engine case) on a DC.  This setup is not 
the best to start with and that is where SSL is required.  It sounds 
like you probably have the RL on a DC which is great.  In this case 
there is no call to another box so there is no need for SSL between the 
shim (on box a) and AD (also on box a).

Docs also state that if the RL is on a DC your Authentication Context 
(IP address for Simple authentication type, DNS name for Negotiate) 
should be empty.  This is, again, because the shim doesn't need to leave 
the local box in order to do stuff against AD because it is on a DC already.

Good luck.
ab
11/7/2006 7:34:15 AM
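As an added example (not code from the thread, from Novell or from the driver itself), the checker below parses the "ADDriver: Connect using ldap_bind: ..." line from the Remote Loader trace and applies the rules the replies settled on: a simple bind wants a full DN (Anders), Negotiate gets its domain= from a DOMAIN/user account (Jeff), with the Remote Loader on a DC the Use SSL/sign/seal options and the Authentication Context stay off (ab), and off the DC password sync needs SSL or sealing (David, Mark). The field names and the shim_on_dc flag are this script's own assumptions.

```python
# Added example, not code from the thread or from Novell/NetIQ: it parses the
# Remote Loader trace line "ADDriver: Connect using ldap_bind: ..." and applies
# the rules the replies settled on.  Field names and the shim_on_dc flag are
# this script's own assumptions.
import re
from typing import Dict, List

BIND_MARK = "ADDriver: Connect using ldap_bind:"
# key=value pairs are separated by ", " except the final "seal=no ssl=yes";
# a DN value contains commas with no following space, so it is kept whole.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=,\s+\w+=|\s+\w+=|\s*$)")


def parse_bind_line(line: str) -> Dict[str, str]:
    """Return the bind parameters the shim logged, empty values included."""
    pos = line.find(BIND_MARK)
    if pos < 0:
        raise ValueError("not an ADDriver ldap_bind trace line")
    rest = line[pos + len(BIND_MARK):]
    return {key.lower(): value for key, value in FIELD_RE.findall(rest)}


def credential_form(user: str) -> str:
    """Classify the Authentication ID: LDAP DN, UPN, DOMAIN-qualified or bare."""
    if re.match(r"(?i)^\s*(cn|uid)=", user):
        return "dn"
    if "@" in user:
        return "upn"
    if "\\" in user or "/" in user:
        return "domain-qualified"
    return "bare"


def check_bind(fields: Dict[str, str], shim_on_dc: bool) -> List[str]:
    """Warnings for the logged settings; shim_on_dc is True when the Remote
    Loader (and so the AD shim) runs on the domain controller itself."""
    issues: List[str] = []
    method = fields.get("method", "").lower()
    user = fields.get("user", "")
    form = credential_form(user)
    secured = {k: fields.get(k, "no").lower() == "yes" for k in ("ssl", "sign", "seal")}

    # Anders: a simple (LDAP) bind wants the full DN, not a Windows logon name.
    if method == "simple" and form != "dn":
        issues.append(f"simple bind needs a full LDAP DN as Authentication ID, not {user!r}")
    # Jeff: with Negotiate the shim fills domain= from a DOMAIN/user account.
    if method == "negotiate" and fields.get("domain", "") == "" and form in ("bare", "dn"):
        issues.append("negotiate bind with empty domain=: give the account as DOMAIN/user")
    if shim_on_dc:
        # ab: Use SSL / sign / seal only cover the shim-to-DC hop, which does not
        # exist when the shim is on the DC, and Authentication Context stays empty.
        enabled = [k for k, on in secured.items() if on]
        if enabled:
            issues.append("shim on the DC: Use SSL/sign/seal should be NO "
                          f"(enabled: {', '.join(enabled)})")
        if fields.get("server"):
            issues.append("shim on the DC: Authentication Context should be empty, "
                          f"not {fields['server']!r}")
    elif not (secured["ssl"] or secured["seal"]):
        # David and Mark: off the DC, password sync needs SSL or sealing.
        issues.append("shim off the DC: password sync needs SSL or sealing to the DC")
    return issues


# Constructed sample modelled on the thread's trace line (not a real capture).
SAMPLE = ("DirXML: [10/19/06 15:11:29.87]: ADDriver: Connect using ldap_bind: "
          "user=Administrator, domain=, password=***, method=negotiate, "
          "server=w2k3ad.gstr.net, sign=no, seal=no ssl=yes")

if __name__ == "__main__":
    for issue in check_bind(parse_bind_line(SAMPLE), shim_on_dc=True):
        print("-", issue)
```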