
One PO Agent with LDAP SSL authentication to another Tree

I have a SLES10 server with 4 PO and we are interested in pointing one PO to authenticate against another eDirectory tree (our IDVault). I know it's odd but we have a few users that should have an active account in the main eDirectory tree but they have approval to keep access to GroupWise. To resolve this we thought we'd put them on their own PO and point that PO to the IDV tree such that login is still done against the directory. We'd rather not use the password in GroupWise as the IDVault is linked to an HR system so their GW account would still expire based on that HR system's account expiry.

We always authenticate using LDAP with SSL. To test this idea in the lab I've created a new GW LDAP server entry that uses the root cert for the IDVault tree and of course points to its LDAP server.
I can authenticate using an LDAP client over SSL but the GroupWise agent never succeeds.

I always get these TLS errors:
13:00:56 7AFF7BA0 00000000 FFFFFFFF LDAP: TLS accept failure 5 on connection 0x1528c000, setting err = -5875. Error stack:
13:00:56 7AFF7BA0 00000000 FFFFFFFF LDAP: TLS handshake failed on connection 0x1528c000, err = -5875

Does anyone know if it's even possible to have one PO point to a different LDAP server for authentication?

I suspect that something in GW needs to trust this new LDAP server's trusted root CA but I can't find anything that will resolve.

Any suggestions?

Thanks,
Marc

Re: One PO Agent with LDAP SSL authentication to another Tree

In article <ohico.6xgl2n@no-mx.forums.microfocus.com>, Ohico wrote:
> 13:00:56 7AFF7BA0 00000000 FFFFFFFF LDAP: TLS accept failure 5 on
> connection 0x1528c000, setting err = -5875. Error stack:
> 13:00:56 7AFF7BA0 00000000 FFFFFFFF LDAP: TLS handshake failed on
> connection 0x1528c000, err = -5875

Have you checked that the cert used by the LDAP server is current? I.e.
within its valid date range.
I have seen a number of LDAP clients connect with such certs without a
bleep, others complain when the cert has expired.

https://www.novell.com/support/kb/doc.php?id=10098063 goes over the
process including how to export/import the LDAP cert to the right
place.


Andy of
http://KonecnyConsulting.ca in Toronto
Knowledge Partner
http://forums.novell.com/member.php/75037-konecnya
If you find a post helpful and are logged in the Web interface, please
show your appreciation by clicking on the star below. Thanks!
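An added diagnostic, not from the original post and not part of GroupWise: it connects to the IDVault tree's LDAPS port the way the POA would, trusting only the exported tree root CA (DER or PEM, passed as a file path), and reports whether the handshake fails because the server cert is outside its date range or because the issuer is not trusted. Host, port and CA path are assumed command-line arguments.

```python
import socket
import ssl
import time

# Constructed sample of the date fields getpeercert() returns (OpenSSL format).
SAMPLE_CERT_DATES = {"notBefore": "Jan  1 00:00:00 2020 GMT",
                     "notAfter": "Jan  1 00:00:00 2030 GMT"}


def cert_is_current(cert, now=None):
    """cert is the dict from SSLSocket.getpeercert(); returns (ok, reason)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return False, "not yet valid (notBefore %s)" % cert["notBefore"]
    if now > not_after:
        return False, "expired (notAfter %s)" % cert["notAfter"]
    return True, "within validity period"


def trust_only_root(ca_path):
    """Context that trusts only the exported tree root CA (DER or PEM file)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    with open(ca_path, "rb") as f:
        data = f.read()
    if data.lstrip().startswith(b"-----BEGIN"):
        ctx.load_verify_locations(cadata=data.decode("ascii"))  # PEM text
    else:
        ctx.load_verify_locations(cadata=data)  # raw DER bytes
    return ctx


def diagnose_ldaps(host, port, ca_path):
    """Handshake like the POA would and say why it fails, if it does."""
    ctx = trust_only_root(ca_path)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                ok, reason = cert_is_current(tls.getpeercert())
                return ok, "handshake OK; server cert " + reason
    except ssl.SSLCertVerificationError as e:
        # OpenSSL verify codes: 10 = cert expired, 19/20 = issuer not trusted
        return False, "verify failed: %s (code %s)" % (e.verify_message, e.verify_code)
    except ssl.SSLError as e:
        return False, "TLS handshake failed: %s" % e


if __name__ == "__main__":
    import sys
    print(diagnose_ldaps(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```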
