YAST configuration of Directory Server results in Unknown error 256

Hi,

I have been attempting to configure a Directory Server using YaST -> Create New Directory Server.

I have filled in the key fields instance name, Directory suffix, Directory Manager DN and password.
I have also created a CA and created a CA .PEM certificate and a PKCS12 certificate for the server.

The instance and service are created but fail to start. The yast2-auth-server-dir-setup.log contains the following error message.

Could not start the directory server using command '/bin/systemctl start dirsrv@MyTestDirectory.service'. The last line from the error log was '[01/Jan/2020:23:02:52.660861275 +0000] - INFO - import_main_offline - import userRoot: Import complete. Processed 9 entries in 1 seconds. (9.00 entries/sec)
'. Error: Unknown error 256

Error: Could not create directory server instance ‘MyTestDirectory’.

Exiting . . .

Log file is ‘/tmp/setup3gBZoA.log’

I'm unsure of where to look next, as the error does not give any real clues.
The certificates are valid.

Jan 02 00:12:38 susesvr systemd[1]: dirsrv@MyTestDirectory.service.service: Failed to load environment files: No such file or directory
Jan 02 00:12:38 susesvr systemd[1]: dirsrv@MyTestDirectory.service.service: Failed to run 'start-pre' task: No such file or directory
Jan 02 00:12:38 susesvr systemd[1]: Failed to start 389 Directory Server MyTestDirectory.service…
-- Subject: Unit dirsrv@MyTestDirectory.service.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit dirsrv@MyTestDirectory.service.service has failed.
--
-- The result is failed.
Jan 02 00:12:38 susesvr systemd[1]: dirsrv@MyTestDirectory.service.service: Unit entered failed state.
Jan 02 00:12:38 susesvr systemd[1]: dirsrv@MyTestDirectory.service.service: Failed with result 'resources'.
susesvr:/etc/dirsrv/slapd-MyTestDirectory #

Any pointers will be greatly appreciated

I suspect your Unit file is TestDirectory.service and not TestDirectory.service.service.
Whenever using automated tools, one should always be careful when the code may append something silently, thinking it’s helpful… Which sometimes could be true but perhaps not always.

As described, you may have to inspect the log to get more details about your error… Or is the later snippet from that log? You aren't clear… You're missing critical details in your post… Specifically, what command was run to generate the result you posted. We're left to guess where and how your snippets were generated. And you can further clarify what is a generated result from your personal text by enclosing those snippets in CODE tags, which is the hash button "#" in the web editor.

Also, if you feel you don't understand what is in the log and the log is too large to post in these Forums, you can post the log to a pastebin and then include a link to that pastebin posting in your Forum post. Common pastebins people use are
http://paste.opensuse.org/
http://pastebin.com

For example, using CODE tags...

Could not start the directory server using command '/bin/systemctl start dirsrv@MyTestDirectory.service'. The last line from the error log was '[01/Jan/2020:23:02:52.660861275 +0000] - INFO - import_main_offline - import userRoot: Import complete. Processed 9 entries in 1 seconds. (9.00 entries/sec)
'. Error: Unknown error 256

Error: Could not create directory server instance 'MyTestDirectory'.

Exiting . . .

Log file is '/tmp/setup3gBZoA.log'

TSU

Hi, tsu2

Thanks for your response. One of the reasons why I'm trying to perform this on openSUSE is because of YaST; nothing like it elsewhere.

The plan is to use YaST as the primary config tool; no CLI tools were used to configure, just YaST, an automated tool as you have stated.

I created a CA, created a server cert using that CA, and created a server PKCS12 bundle cert with the key and with no password.

Then I ran the YaST "Create New Directory Server" GUI tool (YAST -> Create New Directory Server).

I filled in the GUI YaST form, supplied the location of my CA file and server cert, filled in the rest of the form prompts and clicked OK.

It ran for about 4 mins, then stated that it could not start the instance and told me to look at the logfile yast2-auth-server-dir-setup.log.

The snippets you see were included in the last few lines of this log file. All the other entries were INFO updates of the directories it created and plugins.

The other output which I thought would be useful is the systemd-related output of journalctl -xe.

The actual reason "256" is quite literally unknown, therefore I was looking for pointers.
Messages like Malformed DN, or CA not found, or incorrect password I can deal with.

The only thing I don’t understand is how it could fail so obtusely using an automated configuration tool.

many thanks

The following is the Leap documentation for setting up your first LDAP server

https://doc.opensuse.org/documentation/leap/security/html/book.security/cha-security-auth.html

Been a while since I've set one of these up…
Firing up the YaST “Create New Directory Server” module,

You should note that the first field (top left) is where you insert your FQDN which means a name with at least 2 parts with a suffix (second part).
The field immediately below which is the Instance Name should <not> be two parts so should not include a period and anything after such period.

Additionally,
I should note some “Best Practices” in choosing names, because changing namespaces later is usually so onerous people often prefer the extreme pain of trashing the entire LDAP with all its customizations and history and starting anew from scratch…

  • Never choose a commonly used name that could be already used for some common functionality like “service.”
  • Never choose a common generic name for a location like “local”
  • Take care to choose your suffix wisely to support either routable or non-routable name resolutions… routable meaning potentially routable on the Internet and non-routable to prevent name resolution on the Internet. Non-routable doesn’t ordinarily mean completely inaccessible from or across the Internet but will mean special tools and possibly authenticated tools may be required which can be a valuable security measure. On the other hand, it can be useful to set up a namespace that is immediately resolvable by any DNS server, even on the Internet.
  • Typically a broad category name is chosen for the Forest, often based on biology or history, maybe a group of physical objects like colors and then each individual object can be given a name that in an intuitive way might describe the object as well.

Avoiding commonly used namespaces can avoid potential "collisions" when certain technologies are set up using those namespaces by default and would then either fail or result in unexpected and unwanted consequences.

Although not likely relevant to your current problem, it’s a good security measure to set up a CA that is dedicated to setting up an LDAP network and use it to generate your initial certificates… Then shut it down and literally put it in a drawer or closet somewhere, inaccessible to the world. If it were to be hacked, potentially everything it was used to set up would be compromised so powered off is best when not in use.

HTH,
TSU
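Two points from the replies, turned into checks as an added example (not code from the thread, from YaST or from 389-ds): the journal names the unit "dirsrv@MyTestDirectory.service.service", so a ".service" suffix was appended to a name that already had one, and the Instance Name field must be a single label with no period. The journal lines in the script are a constructed sample in the shape of the output posted above.

```shell
#!/bin/sh
# Added example; not from the thread, YaST or 389-ds. With a template unit the
# text after "@" is %i, so "dirsrv@MyTestDirectory.service.service" gives
# %i = "MyTestDirectory.service" and every path derived from it points at an
# instance that does not exist, hence "Failed to load environment files".

# Strip any trailing ".service" suffixes from an instance name.
dirsrv_instance_name() {
    name=$1
    while [ "${name%.service}" != "$name" ]; do
        name=${name%.service}
    done
    printf '%s' "$name"
}

# Validate an instance name: one label, no period, letters/digits/_/- only
# (the rule tsu2 gives for the Instance Name field). 0 = acceptable.
dirsrv_instance_name_ok() {
    case $1 in
        ''|*.*|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the correct systemd unit name for a 389 Directory Server instance.
dirsrv_unit_name() {
    printf 'dirsrv@%s.service' "$(dirsrv_instance_name "$1")"
}

# Read journalctl text on stdin; print each distinct unit whose name ends in
# ".service.service" (the doubled-suffix symptom) and return 1 if any is found.
find_doubled_units() {
    found=$(grep -o '[A-Za-z0-9@_.-]*\.service\.service' | sort -u)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample: two lines in the shape of the journal output in the post.
SAMPLE_JOURNAL='Jan 02 00:12:38 susesvr systemd[1]: dirsrv@MyTestDirectory.service.service: Failed to load environment files: No such file or directory
Jan 02 00:12:38 susesvr systemd[1]: dirsrv@MyTestDirectory.service.service: Failed with result '\''resources'\''.'

printf 'unit to start: %s\n' "$(dirsrv_unit_name MyTestDirectory.service)"
printf '%s\n' "$SAMPLE_JOURNAL" | find_doubled_units \
    || echo 'doubled .service suffix found in journal: fix the instance/unit name'
```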