Hi all,
Trying to play with IDM 4.9 and containers and failed on my first attempt to setup the identity manager engine. I am running Docker 27.3.1 on Red Hat 9.2.
Below is the idmconfigure.log file.
tail -f /data/idm/log/idmconfigure.log
2024-11-21 10:40:01+00:00 : IDM 4.9 IDM 4.9
%%% Received command line parameters : -s -ssc -slc -f /config/silent.properties
Verifying installed components...
###############################################################
Identity Manager Configuration Thu Nov 21 10:40:01 UTC 2024
###############################################################
Refer log for more information at /var/opt/netiq/idm/log/idmconfigure.log
###############################################################
Configuring : Identity Manager Engine Thu Nov 21 10:40:03 UTC 2024
###############################################################
%%% Received command line parameters : -s -f /config/silent.properties -log /var/opt/netiq/idm/log/idmconfigure.log -wci -typical -comp ENGINE -wci
Verifying installed components...
Silent mode detected... skipping config_mode.
Configuring silent mode using silent property file: /config/silent.properties
%%% Received command line parameters : -s -f /config/silent.properties -log /var/opt/netiq/idm/log/idmconfigure.log -wci -typical -comp ENGINE -wci
Verifying installed components...
Silent mode detected... skipping config_mode.
Configuring silent mode using silent property file: /config/silent.properties
Silent mode detected... skipping config_mode.
/etc/opt/netiq/idm/conf/idmconf.properties is not available.
Configuring Identity Store
Configuring the NDAP interfaces... Done
Configuring the HTTP interfaces... Done
Configuring the LDAP interfaces... Done
Configuring NetIQ eDirectory server with the following parameters, Please wait...
Tree Name : dockertree
Server DN : idv.servers.system
Admin DN : admin.sa.system
NCP Interface(s) : 192.168.40.132@524
HTTP Interface(s) : 192.168.40.132@8028
HTTPS Interface(s) : 192.168.40.132@8030
LDAP TCP Port : 389
LDAP TLS Port : 636
LDAP TLS Required : Yes
Duplicate Tree Lookup : Yes
Configuration File : /etc/opt/novell/eDirectory/conf/nds.conf
Instance Location : /var/opt/novell/eDirectory/data
DIB Location : /var/opt/novell/eDirectory/data/dib
Starting the service 'ndsd'... Done.
Checking if server is ready to service requests... Done
Restarting the server instance as EBA was enabled.
Stopping the service 'ndsd'... Done.
Starting the service 'ndsd'... Done.
Searching for Duplicate Tree Name in the network. Please wait...
Configuring EBA... Done
Basic configuration is successful. Proceeding with additional configuration...
Extending schema... Done
For more details view schema extension logfile: /var/opt/novell/eDirectory/log/schema.log
Configuring HTTP service... Done
Configuring LDAP service... Done
Configuring SNMP service... Done
Configuring SAS service... Failed to configure SAS service: unknown error -1266 (fffffb0e hex) err=-1266
An error has occured while configuring the NetIQ eDirectory Server. Please look /var/opt/novell/eDirectory/log/ndsd.log file for more information.
The instance at /etc/opt/novell/eDirectory/conf/nds.conf is successfully configured.
ERROR: /opt/novell/eDirectory/bin/ndsconfig return value = 74. Check /var/opt/netiq/idm/log/idmconfigure.log file for more information.
Identity Vault configuration failed with the exit code 74
###############################################################
Aborted configuration of : Identity Manager Engine Thu Nov 21 10:41:15 UTC 2024
###############################################################
Exiting due to the failure in configuration of Identity Manager Engine.
How do I access these files (sorry, new to Docker)?
In /var/opt/novell/eDirectory/log/ndsd.log I see a bit more, but still no idea what the cause is:
Nov 21 10:40:32 Successfully started NetIQ PKI Services
Nov 21 10:40:32 SecurityInstall: Calling pkiInstallSetIdentity . . .
Nov 21 10:40:32 SecurityInstall: Returned from pkiInstallSetIdentity.
Nov 21 10:40:32 SecurityInstall: Calling pkiInstallSetRSAKeySize(4096) . . .
Nov 21 10:40:32 SecurityInstall: Calling pkiInstallSetECCurve(P384) . . .
Nov 21 10:40:32 SecurityInstall: Calling pkiInstallSetCertLife(10) . . .
Nov 21 10:40:32 SecurityInstall: Calling pkiInstallsetCRLfile . . .
Nov 21 10:40:32 SecurityInstall: Returned from pkiInstallsetCRLfile.
Nov 21 10:40:32 SecurityInstall: Calling pkiInstallsetCRLfile . . .
Nov 21 10:40:32 SecurityInstall: Returned from pkiInstallsetCRLfile.
Nov 21 10:40:32 SecurityInstall: Calling pkiInstallSetIPAddress . . .
Nov 21 10:40:32 SecurityInstall: Returned from pkiInstallSetIPAddress.
Nov 21 10:40:32 SecurityInstall: Calling pkiInstallSetPorts . . .
Nov 21 10:40:32 ldaptcpport [389]
Nov 21 10:40:32 ldapsslport [636]
Nov 21 10:40:32 http_port [8028]
Nov 21 10:40:32 https_port [8030]
Nov 21 10:40:32 SecurityInstall: Returned from pkiInstallSetPorts.
Nov 21 10:40:33 SecurityInstall: Error from pkiInstallCreatePKIObjects (ccode = -1266; retval = -4).
Nov 21 10:40:33 An error occurred while configuring product SAS. Error description unknown error -1266 (fffffb0e hex).-1266
Nov 21 10:40:33 NDSIInstallDSProduct: Returning -1266.
Nov 21 10:40:33 DHModuleInit_dsi: Returning -1266.
Nov 21 10:40:33 Module dsi is not loaded
Nov 21 10:40:33 About to stop NetIQ eDirectory server on host: localhost.localdomain
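An added example, not part of the original post: a small Python parser for the two log formats above that pulls out which "Configuring X..." step failed, the eDirectory error codes (checking the decimal value against its 32-bit hex form), the failing PKI call, and the ndsconfig return value. The embedded log text is a constructed sample built from the lines quoted in the post; the function names are my own.

```python
import re

# Constructed sample: lines taken from the idmconfigure.log and ndsd.log excerpts in the post.
IDMCONFIGURE_LOG = """\
Configuring SNMP service... Done
Configuring SAS service... Failed to configure SAS service: unknown error -1266 (fffffb0e hex) err=-1266
An error has occured while configuring the NetIQ eDirectory Server.
ERROR: /opt/novell/eDirectory/bin/ndsconfig return value = 74.
Identity Vault configuration failed with the exit code 74
"""

NDSD_LOG = """\
Nov 21 10:40:32 SecurityInstall: Returned from pkiInstallSetPorts.
Nov 21 10:40:33 SecurityInstall: Error from pkiInstallCreatePKIObjects (ccode = -1266; retval = -4).
Nov 21 10:40:33 An error occurred while configuring product SAS. Error description unknown error -1266 (fffffb0e hex).-1266
Nov 21 10:40:33 Module dsi is not loaded
"""

STEP_RE = re.compile(r"^Configuring (?P<step>.+?)\.\.\. (?P<result>Done|Failed.*)$")
CODE_RE = re.compile(r"error (-\d+) \(([0-9a-f]{8}) hex\)")
PKI_RE = re.compile(r"Error from (?P<func>\w+) \(ccode = (?P<ccode>-?\d+); retval = (?P<retval>-?\d+)\)")
RC_RE = re.compile(r"return value = (\d+)")


def hex_to_signed32(h):
    """eDirectory prints its negative codes as 32-bit two's-complement hex (fffffb0e -> -1266)."""
    v = int(h, 16)
    return v - (1 << 32) if v & 0x80000000 else v


def failed_steps(log):
    """Return [(step, message)] for every 'Configuring X...' line that did not end in Done."""
    out = []
    for line in log.splitlines():
        m = STEP_RE.match(line.strip())
        if m and m.group("result") != "Done":
            out.append((m.group("step"), m.group("result")))
    return out


def error_codes(log):
    """Return (decimal, hex, consistent) triples; 'consistent' is False if the two forms disagree."""
    return [(int(d), h, hex_to_signed32(h) == int(d)) for d, h in CODE_RE.findall(log)]


def pki_failures(log):
    """Return (function, ccode, retval) for each SecurityInstall error line in ndsd.log."""
    return [(m.group("func"), int(m.group("ccode")), int(m.group("retval")))
            for m in PKI_RE.finditer(log)]


def ndsconfig_rc(log):
    """Exit status reported for ndsconfig, or None if the run did not get that far."""
    m = RC_RE.search(log)
    return int(m.group(1)) if m else None
```

Run it against the real files with the container's log directory copied out, for example via docker cp engine-container:/var/opt/netiq/idm/log ./idmlog (the container name is the one used in the post's docker run line).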
The silent file looks like this:
###
# Indicates whether you want to configure the silent properties file for Docker containers.
###
DOCKER_CONTAINER="y"
###
# Azure Cloud
###
AZURE_CLOUD="n"
###
# Indicates whether the existing Identity Manager components need to be upgraded.
###
UPGRADE_IDM="n"
###
# Indicates whether we need to prompt eDir API prompts
###
EDIRAPI_PROMPT_NEEDED="n"
###
# Indicates if Advanced Edition was selected
###
IS_ADVANCED_EDITION="true"
###
# Indicates if user wants to set a common password.
###
IS_COMMON_PASSWORD="y"
###
# Common Password
###
COMMON_PASSWORD="secret"
###
# Indicates Identity Manager engine to be installed.
###
INSTALL_ENGINE="true"
###
# Indicates Identity Vault to be installed.
###
INSTALL_IDVAULT="true"
###
# NDS var folder location
###
ID_VAULT_VARDIR="/var/opt/novell/eDirectory"
###
# NDS data location
###
ID_VAULT_DIB="/var/opt/novell/eDirectory/data/dib"
###
# NDS configuration file with path
###
ID_VAULT_CONF="/etc/opt/novell/eDirectory/conf/nds.conf"
###
# Identity Vault host address
###
ID_VAULT_HOST="192.168.40.132"
###
# Indicates whether it is for a new tree or an existing tree.
###
TREE_CONFIG="newtree"
###
# Identity Vault Administrator password
###
ID_VAULT_PASSWORD="secret"
###
# Server Context
###
ID_VAULT_SERVER_CONTEXT="servers.system"
###
# ID Vault Tree name
###
ID_VAULT_TREENAME="dockertree"
###
# ID Vault Server name
###
ID_VAULT_SERVERNAME="idv"
###
# Identity Vault Administrator in cn format ex: cn=admin,ou=sa,o=system
###
ID_VAULT_ADMIN_LDAP="cn=admin,ou=sa,o=system"
###
# ID Vault Administrator ex: admin.sa.system
###
ID_VAULT_ADMIN="admin.sa.system"
###
# RSA key size
###
ID_VAULT_RSA_KEYSIZE="4096"
###
# EC curve
###
ID_VAULT_EC_CURVE="P384"
###
# Certificate lifetime
###
ID_VAULT_CA_LIFE="10"
###
# NCP port
###
ID_VAULT_NCP_PORT="524"
###
# LDAP non SSL port
###
ID_VAULT_LDAP_PORT="389"
###
# LDAP SSL port
###
ID_VAULT_LDAPS_PORT="636"
###
# Identity Vault HTTP port
###
ID_VAULT_HTTP_PORT="8028"
###
# Identity Vault HTTPS port
###
ID_VAULT_HTTPS_PORT="8030"
###
# Identity Vault driver set name. Ex: driverset1
###
ID_VAULT_DRIVER_SET="driverset1"
###
# Identity Vault driver set deploy context. Ex: o=system
###
ID_VAULT_DEPLOY_CTX="o=system"
I loaded with: docker load --input IDM_490_identityengine.tar.gz
and started with: docker run --restart unless-stopped -d --network=host --name=engine-container -v /data:/config -e SILENT_INSTALL_FILE=/config/silent.properties --stop-timeout 100 identityengine:idm-4.9.0-580
These are copy-pasted from the documentation: https://www.netiq.com/documentation/identity-manager-49/setup_linux/data/t4bk3ao21qbm.html
After punching holes in the host firewall, I can connect to eDirectory as anonymous, but no LDAPS connections work, for obvious reasons. And I cannot authenticate because it requires confidentiality, aka TLS. So things are half baked, and I like it well done.
Any ideas would be great!
Thank you!
Best regards
Marcus