${resource:CF_GenericContent}test

If an answer to your question is correct, click on "Verify Answer" under the "More" button.  The answer will now appear with a checkmark.  Please be sure to always mark answers that resolve your issue as verified.  Your fellow Community members will appreciate it!  Learn more.

  • State Not Answered
  • Replies replies
    18
  • Subscribers subscribers
    21
  • Views views
    1540
  • Users 0 members are here

Problem running diagpwd

Sebastijan Sef
 

Hi!

We need to troubleshoot some universal password errors but having problems running diagpwd utility.

eDirectory runs on OES 24.1 (eDirectory 9.2.8) and when running we get following error:

# diagpwd <serverIP> 636 /etc/opt/novell/certs/SSCert.pem <LDAP DN of user to check> base <LDAP DN of admin account>

ERROR -1 ldap_simple_bind_s
Segmentation fault (core dumped)

Please note that:

- LDAP authentication on that server works without any problems

- LDAP SSL certificate has not expired

- LDAP SSL certificate has both DNS and IP as SAN

- We get same error if we use serverDNS name instead of serverIP whe running diagpwd

diagpwd -v returns "diagpwd version 5"

We tested that on multiple servers in same tree with same result, so either we are using utility wrong way or there is something wrong with that version of diagpwd.

Any help appreciated Blush

Kind regards,

Sebastijan

PS: Just for info, on OES servers diagpwd is automatically installed by edirectory-oes-nmas-ldap-extensions-client-9.2.8-150400.1.46.x86_64 package

Kind regards,

Sebastijan

If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

Parents
  • 0

    Hi Seb

    I am having a similar issue today (without the core dump) not got to the bottom of it yet.

    I did however note that you are using a PEM and not a DER

    diagpwd usage: <ldap ip addr> <ssl port> <der file> <searchBase> <searchScope> <bind DN> [<bind Pwd>] [<-t>]

    HTH

    Tim

    (See you in Amberg?)

  • 0   in reply to 

    Hi Tim

    timscotland said:
    I did however note that you are using a PEM and not a DER

    Ha, interesting, completely missed that in documentation (obviously getting old - and I thought I will become wiser, not more careless... Sweat smile).

    Anyway, I need to check if that removes segmentation fault.

    Regarding universal password problem, colleague reminded me of very nice universal password features of Console2 (I can only say kudos to  , a "must" tool for any IDM developer), so I have not spent any more time on troubleshooting diagpwd.

    Kind regards

    Sebastijan

    timscotland said:
    (See you in Amberg?)

    Unfortunately not this year, Amberg this year overlaps with some of my other responsibilities that I cannot ditch (although I'd like to...). But sending two of my colleagues there.

    Kind regards,

    Sebastijan

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

  • 0   in reply to   

    Thank you for the reference for Console2, grabbing it now!

    I'm hitting this same issue, and troubleshooting so far is showing that it is NOT initiating a TLS negotiation at all, unlike JXplorer.  
    Just does the basic TCP handshake up and down (Hi, Bye) 
      So we may be hitting a bug here that is still on OES 24.3 (eDirectory 9.2.8 v40209.00)  Fun the many threads one initiating problem spawns.

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.

Reply
  • 0   in reply to   

    Thank you for the reference for Console2, grabbing it now!

    I'm hitting this same issue, and troubleshooting so far is showing that it is NOT initiating a TLS negotiation at all, unlike JXplorer.  
    Just does the basic TCP handshake up and down (Hi, Bye) 
      So we may be hitting a bug here that is still on OES 24.3 (eDirectory 9.2.8 v40209.00)  Fun the many threads one initiating problem spawns.

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.

Children
  • 0   in reply to   

    Hi Andy, off the top of my brain, can you please do a DSTRACE with +NMAS, +LDAP +TAGS. Universal Password uses LDAP NMAS extentions if I still have it in my head. If the server you are measuring is missing, this could be the problem. If this is the case, you should be able to see the extension error in the trace.

    George

    “You can't teach a person anything, you can only help them to discover it within themselves.” Galileo Galilei

Resources

Support
Documentation
Learning Services
Partner Programs
Privacy
Compliance
Help
Company
Privacy Policy
Terms of Use
Cookies Preferences
Accessibility
Anti-Slavery Statement
Support
Contact Us
Careers
Code of Business Conduct and Ethics
The opinions expressed above are the personal opinions of the authors, not of OpenText. By using this site, you accept the Terms of Use. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.), Hewlett Packard Enterprise Company, or Micro Focus. As of January 31, 2023, the Material is now offered by OpenText, a separately owned and operated company. Any reference to the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks is historical in nature and the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks are the property of their respective owners.