7023346: -603 error attempting to add server to Driver Set

This document (7023346) is provided subject to the disclaimer at the end of this document.

Environment


Identity Manager 4.7

Situation

When attempting to add a new server with IDM 4.7 installed on it to a new Driver Set, a -603 error is received.

Error message: Unable to associate the server with the Driver Set.

com.novell.admin.common.exceptions.UniqueSPIException: (Error-603) The requested attribute could not be found. In the Directory, if an attribute does not contain a value then the attribute does not exist for the specific object.

Resolution

After installing IDM 4.7 on the server, make sure you run the configure.sh script. This should extend the schema on the Identity Vault.

Alternatively, run the /opt/novell/eDirectory/bin/idm-install-schema script to extend the schema.

Then attempt to add the server to the driver set again.

Additionally, make sure the new server holds a read write replica of the partition where the driver set resides.

Cause

Missing IDM schema

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.

Related:

7002449: Troubleshooting -641 -783 -299 Errors Starting an IDM driver – eDirectory fails to load (vrdim)

Those steps will show you exactly what the engine is doing as it loads, as well as all jvmloader related messages. Somewhere in the trace you probably will see the exact problem, and after that occurs, the -783 will happen.

There are several possible causes for the error. Some are listed below, with suggestions to help fix them or track them further:

– Cause: Misconfiguration of the JVM heap sizes

Suggestions: Clear any custom settings for the Initial heap size and Max heap size on the Misc tab of the driver set properties. Then try to load the vrdim modules. ****Heap settings that are too large account for about 90% of these issues.****

Additional detail on these errors can be found using the +misc flag in ndstrace. All jvmloader messages come under the MISC flag on Linux/Unix, and under the MISC OTHER flag in dstrace.dlm (Windows). Unfortunately, there is no way of seeing them on NetWare (but the SYS:/ETC/JAVA.CFG file can always be checked there).

– Cause: LD_LIBRARY_PATH not set properly, causing “error: libjvm.so: cannot open shared object file: No such file or directory” and “JVM interface initialization failed <failed, -299 (0xfffffed5)>, unloading DIRXML” errors.

Verify that echo $LD_LIBRARY_PATH returns a valid path. Sourcing the ndspath script (. /opt/novell/eDirectory/bin/ndspath) sets the path for the current session; restarting ndsd should then load vrdim. The path can be set by exporting it after logging in as root, or by adding it to an env_idm file in the /etc/opt/novell/eDirectory/conf directory.

LD_LIBRARY_PATH=//opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/server://opt/novell/eDirectory/lib64/nds-modules/jre/lib/amd64/native_threads::$LD_LIBRARY_PATH:/opt/novell/eDirectory/lib64/apr:/opt/novell/eDirectory/lib64:/opt/novell/lib64:/opt/novell/eDirectory/lib64/nds-modules:$LD_LIBRARY_PATH
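The check described above can be scripted. The following is an added example, not part of the original TID: it walks a colon-separated library path and reports entries that are missing, group- or world-writable, or empty. The value shown above contains an empty element ("::"), which the dynamic loader treats as the current working directory. The function names audit_ld_path and locate_lib are hypothetical, and the demo path at the end is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of eDirectory or IDM.

# audit_ld_path PATHSTRING
# Prints one finding per element of a colon-separated library path:
#   EMPTY    zero-length element (ld.so resolves it to the current directory)
#   MISSING  directory does not exist
#   WRITABLE directory is group- or world-writable
#   OK       directory exists with no group/other write bit
audit_ld_path() {
    alp_rest="$1:"
    while [ -n "$alp_rest" ]; do
        alp_entry=${alp_rest%%:*}
        alp_rest=${alp_rest#*:}
        if [ -z "$alp_entry" ]; then
            echo "EMPTY (resolves to current directory)"
        elif [ ! -d "$alp_entry" ]; then
            echo "MISSING $alp_entry"
        else
            # -L follows symlinks so the target directory's mode is tested.
            alp_mode=$(ls -ldL "$alp_entry")
            case $alp_mode in
                ?????w*|????????w*) echo "WRITABLE $alp_entry" ;;
                *)                  echo "OK $alp_entry" ;;
            esac
        fi
    done
}

# locate_lib LIBNAME PATHSTRING
# Prints the first path element that contains LIBNAME; returns 1 if none does.
locate_lib() {
    ll_rest="$2:"
    while [ -n "$ll_rest" ]; do
        ll_entry=${ll_rest%%:*}
        ll_rest=${ll_rest#*:}
        if [ -n "$ll_entry" ] && [ -f "$ll_entry/$1" ]; then
            echo "$ll_entry"
            return 0
        fi
    done
    return 1
}

# Demo on a constructed path: a nonexistent directory, an empty element, and "/".
audit_ld_path "/constructed-nonexistent-dir::/"
```

On the server itself, run audit_ld_path "$LD_LIBRARY_PATH" and locate_lib libjvm.so "$LD_LIBRARY_PATH" in the environment that starts ndsd.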

– Cause: Installing Novell Identity Manager, versions 3.5.1 or 3.6 or 3.6.1, on a server that already has eDirectory 8.8.5 ftf1 will cause issues when IDM tries to load. Drivers will not start and give the errors -641 or -783. Running ndstrace with +DXML and +DVRS flags will show the message:

DirXML JVM interface initialization failed <failed, -299 (0xfffffffffffffed5)>, unloading DIRXML

Suggestions: The easy fix in this case is to install eDirectory 8.8.5 ftf4. See TID 7004299 for details on this problem.

– Cause: Corruption in the association between the driverset and the server

Suggestions: The easy fix in this case is to remove the association between the driverset and the server, cycle ndsd, and then add the association back again.

– Cause: Damage/corruption in the DirXML-ServerKeys attribute that resides in the local DIB’s Pseudo-Server object

Suggestions: DSDUMP (only done by Novell support) is needed to remove the attribute with pre-IDM 3.6. Use the new command within the dxcmd utility for IDM 3.6 and later.

– Cause: Using Dib Clone or dsbk will cause damage or corruption in the DirXML-ServerKeys attribute that resides in the local DIB’s Pseudo-Server object

Suggestions: DSDUMP (only done by Novell support) is needed to remove the attribute with pre-IDM 3.6. Use the new command within the dxcmd utility for IDM 3.6 and later.

– Cause: Too much memory allocated to eDirectory cache.

Suggestions: Check the eDirectory cache configuration from iMonitor -> Agent Configuration -> Cache Maximum Size. Try reducing this size if it seems high and reload dirxml.dlm (Windows) or restart ndsd (Linux).

– Cause: Corruption/damage/insufficient rights on the libraries IDM requires in the box (check the install log, also do an rpm -V on the IDM packages)

Suggestions: This is by far the hardest to track down properly, but here are some options:

> Use rpm -V liberally against all IDM-related libraries. The command line works well for that:

rpm -qa | grep DXML | xargs rpm -V

> Run ldd against your IDM libraries to see the dependencies they have, and check those dependencies as well. The checkbin.sh script can help greatly when checking dependencies. It is part of the ntsutils package that can be downloaded here: https://www.novell.com/communities/node/2332/supportconfig-linux

> Use strace / ltrace to track what is happening. strace works on scripts, so that will probably be the best option. ltrace can only be run against binary files. These tools provide a lot of information, and quite a bit of it requires basic C knowledge.

> For a quick solution, reinstall IDM on top of itself. That will simply overwrite the libraries/rights. If you run the IDM 3.0.1 or 3.5.1 installer with the -DCLUSTER_INSTALL="true" option, it will only lay down the rpms again without extending the schema (even though it does show the messages that it's doing that).

If the above still does not resolve the issue, ensure the jclnt symbolic link is pointed to the correct directory. View TID 7006778 for further information.
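The rpm -V output from the command above mixes expected drift (edited config files, changed timestamps) with the library damage and rights problems this cause is about. The following added example, which is not part of the original TID, filters that output down to missing files and to content, mode and ownership changes on non-config files. The function names are hypothetical and the sample lines, including the libexample-* and example.conf file names, are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# triage_rpm_verify: reads `rpm -V` output on stdin, prints "<reasons> <file>".
# rpm -V prints nine result characters (SM5DLUGTP), an optional attribute
# marker (c d g l r), then the file name; "missing" replaces the nine
# characters when the file is gone.
triage_rpm_verify() {
    while read -r flags rest; do
        case $rest in
            [cdglr]\ /*) attr=${rest%% *}; file=${rest#* } ;;
            *)           attr=-;           file=$rest ;;
        esac
        # %config files are expected to differ from the packaged copy.
        if [ "$attr" = c ]; then continue; fi
        reasons=
        if [ "$flags" = missing ]; then
            reasons=missing
        else
            case $flags in ??5*) reasons=content ;; esac
            case $flags in ?M*)  reasons="${reasons:+$reasons,}mode" ;; esac
            case $flags in ?????U*|??????G*)
                reasons="${reasons:+$reasons,}owner" ;;
            esac
        fi
        if [ -n "$reasons" ]; then echo "$reasons $file"; fi
    done
}

# Constructed sample of rpm -V output (file names are placeholders).
sample_rpm_verify_output() {
    cat <<'EOF'
.......T.    /opt/novell/eDirectory/lib64/nds-modules/libexample-a.so
S.5....T.  c /etc/opt/novell/eDirectory/conf/example.conf
.M...UG..    /opt/novell/eDirectory/lib64/nds-modules/libexample-b.so
..5......    /opt/novell/eDirectory/lib64/nds-modules/libexample-c.so
missing      /opt/novell/eDirectory/lib64/nds-modules/libexample-d.so
EOF
}

sample_rpm_verify_output | triage_rpm_verify
```

On a live system, pipe the page's command into the function: rpm -qa | grep DXML | xargs rpm -V | triage_rpm_verify.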

Related:

IDM 4.6 Engine & Remote Loader Service Pack 3 4.6.3.0

Abstract: This is an Engine and Remote Loader Service Pack for Identity Manager 4.6. It will take the IDM Engine to version 4.6.3.0 and should only be applied on top of IDM 4.6. This patch is for both the IDM 4.6 engine and the remote loader.

Document ID: 5393130
Security Alert: No
Distribution Type: Field Test File
Entitlement Required: Yes
Files:

  • IDM_engine_rl_IDM4.6.3.zip (547.57 MB)

Products:

  • Identity Manager 4.6
