jmontm42

IG 3.5 install, LDAP schema error

I've got a new 3.5 install with a local OSP, pointing at an existing IDV LDAP source. I get this in the OSP log after turning up debug. Any idea why it's having problems getting schema?

Preamble: [OIDP]
Priority Level: INFO
Java: internal.osp.oidp.service.oauth2.handler.WellKnown.addSupportedScopesAndClaims() [397] thread=http-nio-8080-exec-7
Time: 2019-01-03T08:28:36.993-0800
Log Data: Error obtaining schema for auth source 'bisadus: internal.atlaslite.jcce.ldap.jndi.JNDIExceptionLDAPServiceNotAvailable: No LDAP connection available.
internal.atlaslite.jcce.ldap.jndi.JNDIStore: JNDIStore.java: getIdentitySchema: 783
internal.osp.oidp.service.source.ldap.LDAPSource: LDAPSource.java: getNativeIdentitySchema: 970
internal.osp.oidp.service.source.DataSourceImpl: DataSourceImpl.java: getSchema: 615
internal.osp.oidp.service.source.ldap.LDAPAuthenticationSource: LDAPAuthenticationSource.java: getSchema: 455
internal.osp.oidp.service.oauth2.handler.WellKnown: WellKnown.java: addSupportedScopesAndClaims: 379
internal.osp.oidp.service.oauth2.handler.WellKnown: WellKnown.java: handle: 273
internal.osp.oidp.service.oauth2.handler.OAuth2Handler: OAuth2Handler.java: processRequest: 447
internal.osp.oidp.service.servlets.handler.AuthenticationServiceRequestHandler: AuthenticationServiceRequestHandler.java: handleRequest: 380
internal.osp.framework.handler.TenantRequestHandler: TenantRequestHandler.java: handleRequest: 155
internal.osp.framework.handler.OSPHandler: OSPHandler.java: handleRequest: 157
internal.osp.framework.servlet.OSPServlet: OSPServlet.java: process: 214
internal.osp.framework.servlet.OSPServlet: OSPServlet.java: doGet: 156
javax.servlet.http.HttpServlet: HttpServlet.java: service: 634
javax.servlet.http.HttpServlet: HttpServlet.java: service: 741
org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: internalDoFilter: 231
org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: doFilter: 166
org.apache.tomcat.websocket.server.WsFilter: WsFilter.java: doFilter: 53
org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: internalDoFilter: 193
org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: doFilter: 166
org.apache.catalina.core.StandardWrapperValve: StandardWrapperValve.java: invoke: 199
org.apache.catalina.core.StandardContextValve: StandardContextValve.java: invoke: 96
org.apache.catalina.authenticator.AuthenticatorBase: AuthenticatorBase.java: invoke: 607
org.apache.catalina.core.StandardHostValve: StandardHostValve.java: invoke: 139
org.apache.catalina.valves.ErrorReportValve: ErrorReportValve.java: invoke: 92
org.apache.catalina.valves.AbstractAccessLogValve: AbstractAccessLogValve.java: invoke: 668
org.apache.catalina.core.StandardEngineValve: StandardEngineValve.java: invoke: 74
org.apache.catalina.connector.CoyoteAdapter: CoyoteAdapter.java: service: 343
org.apache.coyote.http11.Http11Processor: Http11Processor.java: service: 408
org.apache.coyote.AbstractProcessorLight: AbstractProcessorLight.java: process: 66
org.apache.coyote.AbstractProtocol$ConnectionHandler: AbstractProtocol.java: process: 770
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor: NioEndpoint.java: doRun: 1,415
org.apache.tomcat.util.net.SocketProcessorBase: SocketProcessorBase.java: run: 49
java.util.concurrent.ThreadPoolExecutor: ThreadPoolExecutor.java: runWorker: 1,149
java.util.concurrent.ThreadPoolExecutor$Worker: ThreadPoolExecutor.java: run: 624
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable: TaskThread.java: run: 61
java.lang.Thread: Thread.java: run: 748

Re: IG 3.5 install, LDAP schema error

On 1/3/19 11:36 AM, jmontm42 wrote:
>
> I've got a new 3.5 install with a local OSP, pointing at an existing IDV
> LDAP source. I get this in the OSP log after turning up debug. Any
> idea why it's having problems getting schema?
>
>
> [OSP log excerpt as quoted in the original post above]
>
>

Greetings,

1) Are you connecting to eDirectory or Active Directory?

2) During the OSP 6.3.0 install, did the install successfully connect to
the above LDAP Source?

3) Are you connecting to the LDAP Source on a secure or non-secure port?

4) Can you telnet from the ID Gov server to the LDAP Source using the
port from #3?



--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
jmontm42

Re: IG 3.5 install, LDAP schema error

stevewdj;2493130 wrote:

1) Are you connecting to eDirectory or Active Directory?

2) During the OSP 6.3.0 install, did the install successfully connect to
the above LDAP Source?

3) Are you connecting to the LDAP Source on a secure or non-secure port?

4) Can you telnet from the ID Gov server to the LDAP Source using the
port from #3?



1) This is going against eDirectory. Note that this same eDir was used successfully by a 3.0 install.
2) OSP 6.3.0 successfully connects. Configupdate tool can query the directory as well.
3) I've tried both, this error was on 636. When I switched to 389, the error disappears and I can login successfully. I manually added the ldap cert into the jre truststore, but that didn't change anything.
4) I could telnet successfully, I could use ldapsearch against the directory.

--Jim

Re: IG 3.5 install, LDAP schema error

On 1/4/19 10:44 AM, jmontm42 wrote:
>
> stevewdj;2493130 Wrote:
>>
>> 1) Are you connecting to eDirectory or Active Directory?
>>
>> 2) During the OSP 6.3.0 install, did the install successfully connect
>> to
>> the above LDAP Source?
>>
>> 3) Are you connecting to the LDAP Source on a secure or non-secure
>> port?
>>
>> 4) Can you telnet from the ID Gov server to the LDAP Source using the
>> port from #3?

>
>
> 1) This is going against eDirectory. Note that this same eDir was used
> successfully by a 3.0 install.
> 2) OSP 6.3.0 successfully connects. Configupdate tool can query the
> directory as well.
> 3) I've tried both, this error was on 636. When I switched to 389, the
> error disappears and I can login successfully. I manually added the
> ldap cert into the jre truststore, but that didn't change anything.
> 4) I could telnet successfully, I could use ldapsearch against the
> directory.
>
> --Jim
>
>

Greetings Jim,
Since this issue is happening on Secure LDAP, I am wondering if the
Subject of the eDirectory certificate does not match the full DNS name
of the actual server.

For example if the Subject on the Certificate is:
CN=steve,O=MyTree

and the DNS Name of the server is:
steve.netiq.com

Then the two do not match and you are experiencing a side effect of Java
1.8.0.181 (or later), which now performs a more complex compare on these.

You have two (2) options:
a) update the certificate to have the Subject match the actual DNS name
(For Example: CN=steve.netiq.com, O=MyTree)

b) In the setenv(.sh/bat) in the JAVA_OPTS section add the following entry:
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true


Then restart Tomcat and try again.

Please let me know.

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
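An added check (not code from this thread, from Micro Focus, or from configupdate) that does what the reply above describes by hand: it applies the SAN-then-CN hostname rule that Java 1.8.0.181+ enforces on LDAPS to a server certificate, and can pull that certificate from port 636 before the JVM refuses it. The live fetch assumes a PEM export of the eDirectory tree CA; the embedded certificates are constructed samples that mirror the CN=steve,O=MyTree case.

```python
import socket
import ssl

# Constructed sample: what ssl.getpeercert() returns for a default eDirectory
# tree certificate like the one in the thread (CN=steve,O=MyTree, no SAN).
CERT_NO_SAN = {"subject": ((("commonName", "steve"),), (("organizationName", "MyTree"),))}
# Constructed sample: the re-issued certificate from option (a), with SAN entries.
CERT_FQDN = {
    "subject": ((("commonName", "steve.netiq.com"),), (("organizationName", "MyTree"),)),
    "subjectAltName": (("DNS", "steve.netiq.com"), ("DNS", "ldap.netiq.com")),
}

def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style compare: case-insensitive; a wildcard is accepted only as the
    whole leftmost label (*.netiq.com) and never spans more than one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]

def identity_names(cert: dict) -> list:
    """Names endpoint identification considers: SAN dNSName entries when present,
    otherwise the legacy fallback to the subject commonName."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the host entered in configupdate would pass the Java 8u181+ check."""
    return any(_name_matches(n, hostname) for n in identity_names(cert))

def fetch_ldaps_cert(host: str, ca_pem: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Pull the server certificate from the LDAPS port, validating the chain against
    the tree CA (assumed PEM export) but with hostname checking switched off, so the
    mismatch can be diagnosed before Java refuses the connection. Usage:
    hostname_matches(fetch_ldaps_cert(fqdn, "tree-ca.pem"), fqdn)"""
    ctx = ssl.create_default_context(cafile=ca_pem)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Option (b) in the reply above disables this check for every LDAPS connection the JVM makes, so it also removes the protection against a server presenting a validly chained certificate for some other name; option (a) keeps that protection.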
jmontm42

Re: IG 3.5 install, LDAP schema error

stevewdj;2493173 wrote:

You have two (2) options:
a) update the certificate to have the Subject match the actual DNS name
(For Example: CN=steve.netiq.com, O=MyTree)

b) In the setenv(.sh/bat) in the JAVA_OPTS section add the following entry:
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true


You are spot on. Default edir Tree cert subject didn't match the fully qualified host name I was using in configupdate.

Previously, I would rely on entering credentials in configupdate then browsing for a user container to help "confirm" that my LDAP settings were all working. In this case I could browse successfully with the tool, so I was assuming all was right in the world. With infinite time and resources, an enhancement to the configupdate would help detect if that hostname doesn't match an existing cert subject in the truststore. The only evidence of failure was that schema related exception in the LDAP call, so there isn't a whole lot there to lead customers to a successful outcome, given that I don't think I've ever seen anyone change out the edir certs for LDAP, and it's a good habit to use FQDNs, so I think this might come up more often than not.

Anyhow, thanks for two great options to fix it!
--Jim
<insert ASCII Thumbs Up here>

Re: IG 3.5 install, LDAP schema error

On 1/4/19 1:06 PM, jmontm42 wrote:
>
> stevewdj;2493173 Wrote:
>>
>> You have two (2) options:
>> a) update the certificate to have the Subject match the actual DNS name
>> (For Example: CN=steve.netiq.com, O=MyTree)
>>
>> b) In the setenv(.sh/bat) in the JAVA_OPTS section add the following
>> entry:
>> -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
>>

>
> You are spot on. Default edir Tree cert subject didn't match the fully
> qualified host name I was using in configupdate.
>
> Previously, I would rely on entering credentials in configupdate then
> browsing for a user container to help "confirm" that my LDAP settings
> were all working. In this case I could browse successfully with the
> tool, so I was assuming all was right in the world. With infinite time
> and resources, an enhancement to the configupdate would help detect if
> that hostname doesn't match an existing cert subject in the truststore.
> The only evidence of failure was that schema related exception in the
> LDAP call, so there isn't a whole lot there to lead customers to a
> successful outcome, given that I don't think I've ever seen anyone
> change out the edir certs for LDAP, and it's a good habit to use FQDNs,
> so I think this might come up more often than not.
>
> Anyhow, thanks for two great options to fix it!
> --Jim
> <insert ASCII Thumbs Up here>
>
Greetings Jim,

There should have been an error in the osp log similar to
"java.security.cert.CertificateException: No name matching error"

I do not know if you still have your osp logs from when the problem was
seen with OSP logging enabled.

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus