Secure ldap problem: error 81 / d06b

Hi everyone,

I'm having a problem configuring secure LDAP on GroupWise 2014 SP1. When I configure plain LDAP, everything goes fine.

When I configure secure LDAP I get a D06B error in the WebAccess interface and an "error 81" in the POA log.

I am 99.999% sure that the root CA I entered is correct (obligatory proof):
command: openssl s_client -connect <ldaps hostname>:636 -CAfile cert.b64
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 32516CCF8C1DC15A50630366AB2213FA1333ED31F816FDD130AE8153BFE61833
Master-Key: 55B09601C74F8C9FDA43BBE58285D4511F8C4B0C5289ACC398649DB7016BF841DE6B39080218FCBFB1A0FCA32135BC9D
Key-Arg : None
Start Time: 1419348927
Timeout : 300 (sec)
Verify return code: 0 (ok)

And I've entered this same file here:

Am I missing something here?

Kind Regards,
Justin Zandbergen
  • Hi Justin,

    Just a few things to check.... As far as I am aware the certificate file needs to be in .der format, but I stand to be corrected on this. Also, just for reference, the certificate file name should adhere to the 8.3 naming convention. You also need to enter the path to the certificate, and I'm unable to see correctly from your graphic whether you are doing so.

    Let us know how it goes.

  • Hi Laura,

    Thanks for the reply!

    I have uploaded the .der; the path was c:\cert.der (I used the .b64 for the openssl command).

    I need to go now, so I will have to slay this beast tomorrow :)

  • Hi Justin,

    If you are setting up an SSL connection to eDirectory you will need to export the root certificate stored in eDirectory.

    Try that and let us know how it goes.

  • Hi Laura,
    I know, that is what I am doing. And as I showed with the openssl command, I have entered the appropriate root cert.

    (Also, I have repeated the same procedure in my personal test environment, and there everything works perfectly on secure LDAP, so I do not suspect a "user problem".... "said the user" ;)
  • Hi,

    I'm not too sure what to suggest next as I'm unable to duplicate the error in my environment. Let me think about it for a while.... I'll get back to you if I get a good idea :)

  • Hi Laura,

    Don't think too much about it :) I have opened an SR at Novell and it seems I have some DB errors. We can see, for example, LDAP configurations in the POA startup log that we cannot find anywhere in our web interface. So we tried the usual top-down rebuild and some other fancy hoodoo-voodoo, but that did not fix the problem. So the primary domain DB lies at Novell for further investigation. To be continued.... :)

    I'll let you know when I have some news.

    Thanks for your help and a merry X-mas!

    Kind Regards,
    Justin Zandbergen
  • Hi Justin,

    Ah, DB problems can cause all nasty things to crawl out of the woodwork ;)

    Please keep us updated with what happens so that we can all learn from this experience.

    Thank you for your wishes and hope that you have a very good Christmas too.

  • OK, the stuck LDAP server is removed by the following:
    [ngw] GW2014 LDAP Server can't be removed

    Morris Blackham mblackham at
    Tue Jul 29 15:30:57 UTC 2014
    Dang, bug... Developer is fixing as we speak. But here's a way to allow you to delete the directory.

    1. In the Admin Console, select the MTAs to list all the MTAs.

    2. In the filter field (right-hand side above the MTA list) enter a filter of "syncLdapServerName != null". This will give you a list of MTAs that have the sync flag set.

    3. Now the fun part... From a Linux terminal window enter this command for any MTAs you found with the filter above.

    curl -k --user gwadmin:password -H "Content-type:application/json" --data "{\"syncLdapServerName\":\"\"}" -X PUT youradminserverip:9710/.../mta

    Make sure you get all the escaped quotes correct inside the { } for the data portion, and the syncLdapServerName tag is case sensitive.

    And if you want to use the CA certificate it must be the "Selfsigned certificate", not the CA issued by NICI.... (I feel so stupid, I actually have it like this in my test setup. Anywho, fixed!)

    edit, picture for clarity:
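The two things this thread turned on were whether the file handed to the POA is really the CA that signed the LDAPS server certificate (the self-signed root rather than the NICI-issued one), and getting that file into DER form under an 8.3 name. The shell functions below check both; they are an added example, not part of this thread or of GroupWise, and they assume only that the OpenSSL command-line tool is installed. The host name, port and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): confirm which CA signed an LDAPS server
# certificate and produce the DER-encoded CA file the POA expects.
# Assumes the OpenSSL CLI is on PATH; host and file names are placeholders.

# Fetch the server's full certificate chain from an LDAPS endpoint into a PEM
# file (needs network access). Usage: fetch_chain ldap.example.com 636 chain.pem
fetch_chain() {
    host="$1"; port="$2"; out="$3"
    openssl s_client -connect "${host}:${port}" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
}

# Print the issuer DN of the first (leaf) certificate in a PEM file.
leaf_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# Print the subject DN of the first certificate in a PEM file. For the right
# root CA this must equal the leaf's issuer (or the issuer of the last
# intermediate in the chain).
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# Return 0 if the candidate CA file verifies the leaf certificate, 1 otherwise.
# This is the same trust decision the POA makes with the configured root CA;
# a wrong CA (e.g. the NICI-issued one instead of the self-signed root) fails here.
ca_verifies_leaf() {
    leaf="$1"; ca="$2"
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1
}

# Convert a base64 (PEM) certificate to DER. Give the output an 8.3 name
# such as cert.der, as the thread recommends for the POA setting.
pem_to_der() {
    openssl x509 -in "$1" -outform DER -out "$2"
}

# SHA-256 fingerprint of a certificate in PEM or DER form. Comparing the
# fingerprint of cert.der with that of the PEM that verified the chain proves
# the uploaded file is the same certificate.
fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Whole procedure for a live endpoint (placeholders; not run by the test):
#   fetch_chain ldap.example.com 636 chain.pem
#   ca_verifies_leaf chain.pem rootca.pem && pem_to_der rootca.pem cert.der
#   fingerprint rootca.pem PEM; fingerprint cert.der DER
```

If ca_verifies_leaf fails for the file you uploaded, the POA will fail for the same reason, regardless of what the filename or the format looks like; compare leaf_issuer against cert_subject to see which certificate you should have exported instead.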
  • Hi,

    So glad that you got this fixed. Thank you very much for the feedback; that way we all learn :)