Novell eDirectory Security Patch Install – LDAP/Novell Down

A major security patch must be applied to the Novell Directory Services (NDS) system. The process will require several hours of downtime. Systems affected will be the Novell file servers and all other systems that authenticate against LDAP (e.g. email, calendar, certain web services).

Plans are to begin shortly before 7am on Saturday, 2/28. If all goes well all systems should return to service by 2:00pm.

During the outage the following network services will NOT be available:

NOVELL FILE/PRINT: (P:, G:, Z: drives and network printers)
EMAIL: LDAP authentication will be down so users cannot login to email. No email will be lost because it will be held in queue.
CALENDAR: The Oracle Calendar LDAP authentication will be down. Users will not be able to log in to the calendar server.
CERTAIN WEB SERVICES: A few functions on the EMU web site require user login (e.g. access to the web directory from off-campus). These rely on LDAP, which will be unavailable.

Concurrent with this upgrade, technicians will be upgrading Linux servers. Each server will be down for a short time, and the entire upgrade process is expected to take less than two hours, between 8:00am and 10:00am.

All other network services should remain operational (e.g. Internet access for browsing and IM).

During the eDirectory upgrade, several items were noted. They are as follows:

On server FS:
Several schema changes produced an error. They were SASSecretStore:Key, SASSecretStore:Data, PKIStore:keys and NDSPKI:Keystore. On doing a check with Novell’s knowledgebase, these could be errors in the install of 8.7.1 where the attributes should be marked as hidden but are not. They state that this error can be ignored and processing can continue (TID 1008666), and that Novell can dial in to correct this problem.
There was also a problem where “PKI Install encountered an error -641” and “NMAS object could not be installed – error -641”. After the installation I checked and things seemed to be installed correctly – I’m hoping these errors were because of the “hidden field” problem stated earlier.

On server LD:
A schema error occurred with houseIdentifier. Again – according to Novell’s knowledgebase, this error is because the schema wasn’t updated correctly with the schema enhancements of DSREPAIR. We know this not to be the case, so after everything was completed on all servers I issued a command for LD to obtain a new schema from the tree. There were also errors where, during the upgrade, several files were not replaced because newer ones were already on the server. These files are as follows: JCERT.JAR, JNET.JAR, JSSE.JAR

On server FSAPPS:
“An error occurred while installing product LDAP – error -254”. This occurred during the eDirectory upgrade. The server also crashed while it was trying to reboot (during the upgrade). This required me to power-cycle the machine to continue.

On server ST:
The server hung after the reboot – it didn’t show a console screen. I was able to spawn another console process and dismount all the volumes and power it off.

After all servers were upgraded, I ran DSREPAIR to check on timesync and synchronization errors – ST wouldn’t sync – error 625. After running an unattended repair it seemed to work fine.

It was also noted that SOMETIMES, when DSREPAIR was run (unattended full), an error would occur on the console screen that stated:

NLSLSP: main was unsuccessful
SERVER-5.00-205: Module NLS FLAIM Database Engine cannot be unloaded at this time.
Module NLSLSP.NLM is being referenced
You must unload NLSFLAIM.NLM before you can unload NLSLSP.NLM
You must unload NLSTRAP.NLM before you can unload NLSLSP.NLM

2-28-2004 12:04:45 pm: SERVER-5.0-1400
Error unloading killed loadable module

This occurred on most servers and didn’t occur all the time. I couldn’t find anything regarding this from Novell and all seemed to still be fine on the server afterwards – so – time will tell if we need to deal with this.

Duration: 8 hours

Assigned Technicians: Dan Marple Jr