Absent Member.

Cannot get LDAP driver to connect

I am trying to get a new driver to an OpenLDAP server working. I just keep getting the following error when starting the driver:

15:30:38 F5DE1700 Drvrs: Luminis ST:Luminis: java.net.ConnectException: Connection refused (Connection refused)
15:30:38 F5DE1700 Drvrs: Luminis ST:SubscriptionShim.execute() returned:
15:30:38 F5DE1700 Drvrs: Luminis ST:
<nds dtdversion="2.0" ndsversion="8.x">
<source>
<product build="20170208_0947" instance="Luminis" version="4.0.1.0">Identity Manager Driver for LDAP</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="query-driver-ident" level="retry">SubShim.execute(): Not connected to LDAP server or couldn't read its schema.</status>
</output>
</nds>
15:30:38 F5DE1700 Drvrs: Luminis ST:Requesting 30 second retry delay.
15:30:38 F5DE1700 Drvrs: Luminis ST:
DirXML Log Event -------------------
Driver: \ISU-IDV\isu\services\ISU-VaultDriverSet\Luminis
Channel: Subscriber
Status: Retry
Message: Code(-9006) The driver returned a "retry" status indicating that the operation should be retried later. Detail from driver: SubShim.execute(): Not connected to LDAP server or couldn't read its schema.


I am following the LDAP driver guide, but I might have missed something. I imported the cert and added all the keystore info to the driver. I checked all the passwords. Not sure what I am overlooking. IDM 4.5. Any ideas?
6 Replies
Knowledge Partner

On 10/08/2018 04:24 PM, bobbintb wrote:
>
> Code:
> --------------------
> 15:30:38 F5DE1700 Drvrs: Luminis ST:Luminis: java.net.ConnectException: Connection refused (Connection refused)
This is a simple error meaning that the driver, reaching out to wherever
you configured it, is being told by the target/destination that there is
nothing listening. You can get this anytime you point to the wrong
server, or the wrong port on a server, when that target socket (IP/port
combination) is willing to send back an ICMP packet indicating nothing is
there listening.

In other words, you have your driver connection information (to the
application) entered incorrectly. Fix it.

If you want, post the driver configuration's startup trace and let us see
where you are pointing, and then we can tell you which IP (or DNS name) is
the one you need to change. It will be under the driver object's
properties in Designer (or iManager if you are only using that for some
reason).

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Knowledge Partner

Try to make "external" LDAP query with your LDAP driver parameters.
Are you able to connect to your LDAP server from LDAP browser (for example, from APACHE Directory Studio)?
Knowledge Partner

On 10/9/2018 8:54 AM, al b wrote:
>
> Try to make "external" LDAP query with your LDAP driver parameters.
> Are you able to connect to your LDAP server from LDAP browser (for
> example, from APACHE Directory Studio)?


I think even more fundamentally, from the server running the driver shim
(Engine or RL, whichever you used) try to telnet to the LDAP port. I.e.
validate there are no firewalls in the way.


Knowledge Partner

On 10/09/2018 07:37 AM, Geoffrey Carman wrote:
> On 10/9/2018 8:54 AM, al b wrote:
>>

> I think even more fundamentally, from the server running the driver shim
> (Engine or RL, whichever you used) try to telnet to the LDAP port. I.e.
> validate there are no firewalls in the way.


A refused connection usually means that firewalls are NOT in the way, but
rather the service is not running, so I think I'd agree that testing from
another tool is a good first step.

If it is preferred to test from the IDM box itself, though, do that with
netcat, not telnet:

netcat -zv ip.address.goes.here 636

# or

nc -v ip.address.goes.here 636


--
Good luck.

Absent Member.

I was able to connect but I had not yet checked from the server in question. It turns out it was a local firewall rule missing. I had previously put in a request to add a firewall rule but I did not think to check others' work. Thank you all.
Knowledge Partner

Thank you for sharing your results, as they will likely help others.

For what it is worth, because of the nature of my job (consultant) and the
ability to misconfigure firewalls I often test these independent of any
particular application using the netcat/nc commands mentioned previously.
It provides a simple way to verify up through layer four (4) connectivity
(IP and port) without involving any particular application, or in this
case setting up an entire driver object and analyzing its responses, even
if in this case the responses were pretty clear (if you have been around
this particular block once or twice).

What is even nicer is that netcat has a listener, so you can even, before
a server-side application is deployed on a box made available to you, use
netcat to be the listener so you can test the full end-to-end
connectivity, seeing data go back and forth, before the application is
even installed (in this case some LDAP service). That does not apply all
the time, but for green field situations it is very nice.

--
Good luck.

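The thread's three diagnostic ideas (telnet/netcat to the LDAP port from the box running the shim, reading "Connection refused" as "nothing accepted the connection at that IP/port", and using a netcat listener as a stand-in before the real service exists) can be wrapped in one small script. The following is an added example written for this page, not code from the thread or from NetIQ; it uses only the Python standard library, the host, port and timeout values are placeholders you would replace with your own LDAP driver parameters, and the listener is a constructed stand-in for a not-yet-deployed LDAP service. It classifies a TCP connect attempt into the outcomes a netcat -zv probe would show, so that a "refused" result (a reset or ICMP port-unreachable came straight back, from either an empty port or a host firewall REJECT rule, which matches the OP's missing local rule) is kept apart from a "timeout" (packets silently dropped, the classic DROP-rule symptom). Note that it only proves layer-four reachability; a "open" result still says nothing about the LDAP schema, TLS or credentials.

```python
import errno
import socket
import threading

# Plain-language reading of each probe outcome, in the spirit of the replies above.
DIAGNOSIS = {
    "open": "Something accepted the TCP connection; check LDAP/TLS/credentials next.",
    "refused": "The host answered immediately with 'nothing here': wrong port/IP, "
               "service not running, or a host firewall REJECT rule.",
    "timeout": "No answer at all: packets are being dropped (firewall DROP or routing).",
    "unreachable": "No route to that host or network; check addressing/routing.",
    "error": "Some other socket error; inspect the exception details.",
}


def classify_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect, as `nc -zv host port` would, and classify the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "refused"
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"
    finally:
        sock.close()


def diagnose(host, port, timeout=3.0):
    """Return (outcome, explanation) for a host/port, for use in a checklist script."""
    outcome = classify_tcp(host, port, timeout)
    return outcome, DIAGNOSIS[outcome]


def start_stand_in_listener(host="127.0.0.1", port=0):
    """Constructed stand-in for a not-yet-deployed service, like `nc -l`.

    Binds the requested port (0 = any free port), accepts one connection in a
    background thread, and returns (server_socket, bound_port) so the caller can
    probe it and then close it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)

    def serve_once():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass  # server socket closed before anyone connected

    threading.Thread(target=serve_once, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_closed_port(host="127.0.0.1"):
    """Find a port nothing listens on: bind an ephemeral port, note it, release it."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind((host, 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    # End-to-end check against a stand-in listener, then against an empty port.
    srv, port = start_stand_in_listener()
    print("stand-in listener on port", port, "->", diagnose("127.0.0.1", port))
    srv.close()
    print("empty port ->", diagnose("127.0.0.1", free_closed_port()))
    # Replace the placeholders with your real LDAP driver parameters, e.g.:
    # print(diagnose("ldap.example.invalid", 636))
```

Run it from the same server that runs the driver shim (Engine or Remote Loader), since a test from a workstation says nothing about that host's own outbound path or the target's host-based firewall.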