CONTENTS Title Page Copyright Page Preface 1 Introduction to Problem Solving 1.1 Network Control Language 1.1.1 Remote Management Using TCP/IP 1.2 Error and Status Messages 1.3 Events 1.4 DSA Counters 1.5 OSAK Trace Utility 1.5.1 Starting a Trace 1.5.2 Stopping a Trace 1.6 DSA Worksheets and Planning Information 1.7 Network Isolation Tool 2 Problems with Installation, Configuration and Startup 2.1 Installing the Directory Service Software 2.1.1 Directory Cannot Be Found (OpenVMS) 2.1.2 The Subset Cannot Be Installed 2.1.3 The Subset Requires a Specific Operating System Version 2.1.4 The Subset Requires Another Subset to Be Installed 2.1.5 DECnet/OSI NCL Dictionary Could Not Be Updated 2.1.6 DECnet/OSI Help Could Not Be Updated 2.1.7 Failed to Rename MAILbus 400 MTA File 2.1.8 No Valid DEC X.500 Database Found or Error Occurred 2.1.9 CML Configuration File Could Not Be Updated 2.1.10 Incorrect Operating System Version 2.1.11 DECnet Not Installed or Incorrect Version 2.1.12 Incorrect OSAK Version (OpenVMS) 2.1.13 DECwindows Motif Not Installed or Incorrect Version (OpenVMS) 2.1.14 A DSA Is Already Running on This Node 2.1.15 Insufficient Disk Space 2.1.16 Insufficient Free Global Pages (OpenVMS) 2.1.17 Insufficient Free Global Sections (OpenVMS) 2.1.18 DXD$SERVER Account Not Found (OpenVMS) 2.1.19 Incorrect Ordering of Installation Subsets 2.1.20 License Not Installed 2.1.21 Incorrect Privileges 2.1.22 IVP Returns Errors or Warnings 2.2 Configuring the DSA 2.2.1 The DSA Is in the Wrong State 2.2.2 Invalid Attribute Value in AE Title 2.2.3 Invalid Attribute Value in Presentation Address 2.3 Starting the DSA or DSA Not Running 2.3.1 Director Does Not Recognize DSA Management Directives 2.3.2 Error Sending Command Request (OpenVMS) 2.3.3 DSA Information Tree Corrupt 2.3.3.1 DSA Cannot Open Schema File 2.3.3.2 DSA Cannot Load DUB Fragment 2.3.4 DSA Information Tree Incompatible 2.3.5 No Resource Available 2.3.6 AE Title Is Not Valid 2.3.7 Presentation Address Is Not Valid 2.3.8 License Check Has Failed 2.3.9 DSA Entity Already Exists 2.4 Stopping the DSA 2.5 Running the DUA Configuration Procedure 2.5.1 Configuration Procedure Not Found 2.5.2 Insufficient Privileges to Run the Utility 2.5.3 DXD$DIRECTORY Logical Name Not Defined (OpenVMS) 2.5.4 Unable to Obtain DUA Defaults from DSA 2.5.5 Cannot Write DUA Defaults File 2.5.6 Unable to Reach a BIND Server 2.5.7 Node Name is not Recognized 2.5.8 Unable to Bind to DSA Over RFC1006 2.6 Starting DXIM 2.6.1 DXIM Command Not Found or Not Recognized 2.6.2 File /usr/bin/dxd_dxim_motif Not Found (DEC OSF/1) 2.6.3 File /usr/bin/dxd_dxim_cli Not Found (DEC OSF/1) 2.6.4 Error Activating Image (OpenVMS) 2.6.5 DXIM Cannot Open the Schema File 2.6.6 DXIM Cannot Read the Schema File 2.6.7 DXIM Cannot Open the UID File 2.6.8 DXIM Cannot Open the Message Catalog File (DEC OSF/1) 2.6.9 DSA Is Unavailable (Motif Interface Only) 2.6.10 Unable to Communicate with DSA 2.7 DXIM Not Operating as Expected 2.7.1 Initial Entry Set to the Root Entry (Motif Interface Only) 2.7.2 Incorrect Browse or Search Base (Motif Interface Only) 2.7.3 DXIM Initialization File Has Not Been Run (Command Line Interface Only) 3 Problems with Communications 3.1 Applications Cannot Bind to a DSA 3.1.1 Check DSA State is ON 3.1.2 Display DUA Presentation Address Used 3.1.3 Check Outbound Template 3.1.4 Check NSAP Address Used by the DUA 3.1.5 Check DUA and DSA Selector Values 3.1.6 Check Inbound Templates 3.1.7 Monitor DSA Counters 3.1.8 Investigate the Network Problem 3.1.9 Check for Protocol, Resource and Security Events 3.2 Connection Between the DUA and the DSA Is Lost 3.3 Response Cannot Be Decoded 3.4 You Receive a ROSE Error 3.5 Event Specifies a Communications Problem 3.5.1 Fatal Interface Error 3.5.2 Insufficient Resources 3.5.3 Network Unavailable 3.5.4 Address Already in Use 3.5.5 Invalid AEI 3.5.6 Transport Error 3.5.7 System Error 3.5.8 Invalid Transport Template 3.5.9 Unknown Error 3.5.10 ACSE User Reject 3.6 Testing Network Connections 3.6.1 Running the Network Isolation Tool 3.6.1.1 Running the Server 3.6.1.2 Running the Client 3.7 Checking the RFC1006 Daemon 4 Problems With Distributed Operations 4.1 Cannot Create a Naming Context 4.1.1 Cannot Create a Naming Context called "/" 4.1.2 Specified Name has Subordinates 4.1.3 Naming Context Already Exists 4.1.4 Superior Master Naming Context needs a Subordinate Reference 4.1.5 Superior Shadow Naming Context needs a Subordinate Reference 4.1.6 Specified Name is an Entry 4.1.7 Specified Name is an Alias Entry 4.1.8 Identifier is Incorrect 4.1.9 Alias Entry Prevents Creation 4.2 Cannot Create a Subordinate Reference 4.2.1 Subordinate Reference Already Exists 4.2.2 Specified Name is a Naming Context 4.2.3 Cannot Create a Subordinate Reference on a Shadow Naming Context 4.2.4 Cannot Create a Subordinate Reference Called "/" 4.2.5 Specified Name is an Entry 4.2.6 Specified Name is an Alias Entry 4.2.7 Specified Name has Subordinates 4.2.8 Existing Subordinate Reference Prevents Creation 4.2.9 Alias Entry Prevents Creation 4.2.10 Identifier is Incorrect 4.3 Cannot Delete a Naming Context 4.3.1 No Such Entity 4.3.2 Naming Context has Subordinates 4.3.3 Cannot Delete a Shadow Naming Context 4.3.4 Cannot Delete a Naming Context that Contains an Entry 4.3.5 Cannot Delete a Naming Context that Contains an Alias Entry 4.3.6 Alias Entry Prevents Deletion 4.4 Cannot Delete a Subordinate Reference 4.4.1 No Such Entity 4.4.2 Naming Context Prevents Deletion 4.4.3 Shadow Naming Context Prevents Deletion 4.4.4 Cannot Delete a Shadow Subordinate Reference 4.4.5 Specified Name has Subordinates 4.4.6 Alias Entry Prevents Deletion 4.5 Replication Fails 4.5.1 DSA in Wrong State 4.5.2 Consumer Access Point Not Present 4.5.3 Invalid AE Title of Supplier DSA 4.5.4 Cannot Read Supplier Address 4.5.5 Consumer Not Authenticated 4.5.6 Supplier DSA is Unavailable 4.5.7 Update Incompatible with the DSA 4.5.8 Insufficient Resources 4.5.9 DIT Incompatible 4.5.10 Schema Incompatible 4.5.11 Replication Between V1. * and V2.0 Fails 4.6 You Want to Replicate Between a V2.0 DSA and V1. * 4.7 Shadowing Agreement Automatic Management Fails 4.7.1 Shadowing Agreement Invalid 4.7.2 Shadowing Agreement Currently Not Decidable 5 Problems With Data Management 5.1 User Receives Information that Is Out of Date or Wrong 5.1.1 User Is Using Copy Entries 5.1.2 Frequency of Replication Too Low 5.1.3 Alias Points to Wrong Entry 5.2 User Continually Receives Referrals 5.2.1 DSA Prohibit Chaining Attribute Set 5.2.2 Insufficient Authentication 5.2.3 Node Unavailable 5.2.4 Chained DSA Is Disabled 5.2.5 Connection to DSA Is Broken 5.3 Information Known to Exist Cannot Be Retrieved 5.3.1 Insufficient Access Rights 5.3.2 Missing Superior Reference 5.3.3 Missing Subordinate Reference 5.3.4 Invalid Reference 5.3.5 Incomplete Knowledge in First Level DSA 5.3.6 Wrong Setting of Local Scope Service Control 5.3.7 Chaining Prohibited 5.3.8 DSA Cannot Be Reached 5.3.9 Shadow Naming Context Out of Date 5.4 Problems Compiling the Schema 5.4.1 Missing Source Files 5.4.2 Missing Attribute Definitions 5.4.3 Missing Referenced Object Classes 5.4.4 Missing Referenced Name Forms 5.4.5 Missing Referenced Structure Rules 5.4.6 Matching Rules Not Applicable to Syntax 5.4.7 Duplicate Structure Rule Identifiers Found 5.4.8 Superclass Wrong Kind for Class 5.4.9 Too Many Structural Superclass Chains 5.4.10 Wrong Kind of Object Class for Name Form 5.4.11 Duplicate Keyword 5.4.12 Multiple Windows for Name Form 5.4.13 Cannot Open Input File 5.4.14 Cannot Write Schema Output File 5.4.15 Loop Detected While Processing 5.5 Cannot Create an Entry of a Specific Class (Motif Interface Only) 5.6 You Want to Backup the Database While the DSA is Running 6 Problems with Access Control and Security 6.1 User Cannot Access Directory Information As Expected 6.1.1 User Has Insufficient Access Rights 6.1.1.1 Finding Out What Access Controls Are Implemented 6.1.1.2 Analyzing Access Controls 6.1.2 DSAs Do Not Trust Each Other 6.2 Cannot Replicate Between DSAs 6.2.1 Supplier DSA Cannot Verify the Identity of the Consumer DSA 6.3 User Receives Information that Is Known to Be Incomplete 6.3.1 Access Controls Are Denying Access to Some Information 6.4 Authentication Is Not Successful 6.4.1 Username Missing or Incorrect 6.4.2 Password Missing or Incorrect 6.4.3 DSA Cannot Find the User's Entry 6.5 Directory Returns an Unwilling to Perform Error 6.5.1 DSA Entity Configuration Is Preventing Access 6.6 Changing Security Configuration Seems to Have No Effect 6.7 Need to Analyze Your Access Controls 6.8 Need to Bypass Access Controls 7 Problems With Resources 7.1 DSA Process Quotas (OpenVMS) 7.2 DSA Cannot Load DIB fragment 7.2.1 No Resource Available 7.3 Replication Fails with No Resources Available 7.3.1 Insufficient Disk Space 7.3.2 Insufficient Memory 7.4 Create or Enable DSA Directive Fails with No Resources Available 7.4.1 Insufficient Memory 7.4.2 OSI Transport Entity Not Available 7.4.3 Insufficient Process Quotas (OpenVMS) 7.4.4 Local Access Point Establishment Failure 7.4.5 Internal Software Error 7.5 DXIM Fails with Insufficient Memory Error 7.6 DIB Fragment Becomes Excessively Large 7.6.1 Increase Disk Space 7.6.2 Reduce Shadowing 7.6.3 Reduce the Use of Indexes in the DSA 8 The DSA Accounting Facility 8.1 Managing the Accounting Facility 8.1.1 Enabling and Disabling the Accounting Facility 8.1.2 Configuring the Accounting Facility 8.1.3 The Location and Filename of the Accounting File 8.1.4 Managing Accounting File Rollover 8.1.5 Backing Up Accounting Files 8.2 Processing the Accounting File 8.2.1 Types of Record in the Accounting File 8.2.2 The ASN.1 Definition of Elements Included in Accounting Records 8.2.3 The Information Included in Accounting Records 8.2.3.1 Session Start Record 8.2.3.2 Session End Record 8.2.3.3 Operation Record 8.2.3.4 File Start Record 8.2.3.5 File End Record 8.2.3.6 Discard Record 8.2.4 Notes About Accounting Files 9 Error Messages 9.1 NCL Messages 9.2 DXIM Error Messages 10 Events and Counters 10.1 Events 10.1.1 Accounting Disabled 10.1.2 Accounting Enabled 10.1.3 Accounting File Rollover 10.1.4 Accounting File Access Failure 10.1.5 Accounting Records Discarded 10.1.6 Authentication Failure 10.1.7 Changes of State 10.1.8 Create Failure 10.1.9 Distributed Operation Failure 10.1.10 Failure To Start Accounting Facility 10.1.11 Internal Error 10.1.12 Listen Failure 10.1.13 Resource Exhausted 10.1.14 Shadow Agreement Update Completed 10.1.15 Shadow Agreement Update Failure 10.1.16 Shadow Update Complete 10.1.17 Shadow Update Failure 10.2 Counters A Reporting Problems A.1 Information Required A.2 Contacting Digital B Directory Service Files B.1 Files on a DEC OSF/1 System B.2 Files on an OpenVMS System C Summary of Directory Service NCL Directives C.1 NCL Directives for the DSA Entity C.2 NCL Directives for the Superior Reference Subentity C.3 NCL Directives for the Subordinate Reference Subentity C.4 NCL Directives for the Naming Context Subentity C.5 NCL Directives for the Accessor Subentity FIGURES 3-1 Steps to Solve Bind Problems 3-2 Steps to Solve Bind Problems (contd) TABLES 2-1 Problems with Installation 2-2 Problems Configuring the DSA 2-3 Problems Starting the DSA 2-4 Problems with DUA Configuration Procedure 2-5 Problems Starting DXIM 2-6 Problems Running DXIM 3-1 Connection Problems 3-2 Problems Binding 3-3 Communications Problems 4-1 Problems with Distributed Operations 4-2 Problems Creating a Naming Context 4-3 Problems Creating a Subordinate Reference 4-4 Problems Deleting a Naming Context 4-5 Problems Deleting a Subordinate Reference 4-6 Problems with Replication 4-7 Problems with Shadow Agreement Management 5-1 Problems Manipulating Directory Information 5-2 Problems with Accuracy of Information 5-3 Problems Reaching a DSA 5-4 Problems Retrieving Information 5-5 Problems Compiling the Schema 6-1 Problems with Security and Access Control 6-2 Problems Accessing Information 6-3 Problems with Replication 6-4 Incomplete Information 6-5 Problems with Authentication 6-6 Directory Unwilling to Perform 7-1 Problems with System Resources 7-2 DSA Process Quotas 7-3 Problems Loading the DIB Fragment 7-4 Problems with Replication 7-5 Problems Creating or Enabling a DSA 7-6 Problems with the Size of a DIB Fragment 10-1 Directory Service Events 10-2 Directory Service Counters B-1 File Locations on a DEC OSF/1 System B-2 Files Installed from Each Subset on a DEC OSF/1 System B-3 File Permissions on a DEC OSF/1 System B-4 File Locations on an OpenVMS System B-5 Files Installed from Each Saveset on an OpenVMS System B-6 File Protections on an OpenVMS System C-1 NCL Directives for the DSA Entity C-2 DSA Entity Attributes C-3 NCL Directives for Superior Reference C-4 NCL Directives for Subordinate Reference Entity C-5 Subordinate Reference Entity Characteristic Attributes C-6 NCL Directives Naming Context Entity C-7 Naming Context Entity Characteristic Attributes C-8 NCL Directives for Accessor Entity