
Driver Ecmascript LDAP SSL Connection fail


I am trying to do an LDAP search from the driver ECMAScript. For this I was trying to connect to LDAP over an SSL connection, using the code below.

I have imported the IDV certificate into the cacerts keystore.

But with the code below I am getting the error "JavaException: com.novell.ldap.InterThreadException: Connect Error"

 

// Make the com.novell.ldap classes (LDAPConnection, LDAPJSSESecureSocketFactory, ...)
// available unqualified in this script.
importPackage(Packages.com.novell.ldap);
// Driver trace channel named "LDAPSearch"; messages are written via tracer.trace(message, level).
var tracer = new Packages.com.novell.nds.dirxml.driver.Trace("LDAPSearch");
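/**
 * Search an LDAP directory over LDAPS and return the matching entries.
 *
 * Builds a java.lang.String[] from the comma-separated attrList, opens a
 * TLS-protected LDAPConnection to host:port, binds as user/password and runs
 * the search. Every hit becomes an <instance src-dn="..."/> element in the
 * returned NodeSet.
 *
 * @param {string} host            LDAP server host name or address
 * @param {number} port            LDAP port (636 for LDAPS)
 * @param {string} user            bind DN
 * @param {string} password        bind password (sent as UTF-8 bytes)
 * @param {string} base            search base DN
 * @param {string} scope           "base", "sub"; anything else means one-level
 * @param {string} filter          LDAP search filter
 * @param {string} attrList        comma-separated attribute names; blanks are trimmed,
 *                                 empty entries dropped (an empty list requests all
 *                                 user attributes per RFC 4511)
 * @param {string} dtdversion      value of the dtdversion attribute on the <nds> element
 * @param {string} cacert_pwd      password of the trust store
 * @param {string} [trustStorePath] trust store file; defaults to the JRE cacerts path below
 * @returns {NodeSet} one <instance> element per entry found. On any failure the
 *          entries collected so far are returned and the error — with the Java
 *          stack trace when one is available — is written to the driver trace at level 5.
 */
function ldapSearch(host, port, user, password, base, scope, filter, attrList, dtdversion, cacert_pwd, trustStorePath) {
	var nodeSet = new Packages.com.novell.xml.xpath.NodeSet();
	var lc = null;
	try {
		var document = Packages.com.novell.xml.dom.DocumentFactory.newDocument();
		var ndsElement = document.createElement("nds");
		document.appendChild(ndsElement);
		ndsElement.setAttributeNS(null, "dtdversion", dtdversion);
		var outputElement = document.createElement("output");
		ndsElement.appendChild(outputElement);

		// Arguments may arrive from policy as java.lang.String objects; coerce to a
		// JS string before comparing so strict equality behaves.
		var searchScope = LDAPConnection.SCOPE_ONE;
		var scopeName = String(scope);
		if (scopeName === "base") {
			searchScope = LDAPConnection.SCOPE_BASE;
		} else if (scopeName === "sub") {
			searchScope = LDAPConnection.SCOPE_SUB;
		}

		// JLDAP wants a java.lang.String[]. Trim each entry and drop empty ones so
		// "cn, mail" and a trailing comma work.
		var attrNames = [];
		var attrSplit = String(attrList == null ? "" : attrList).split(',');
		for (var i = 0; i < attrSplit.length; i++) {
			var attrName = attrSplit[i].replace(/^\s+|\s+$/g, '');
			if (attrName.length > 0) {
				attrNames.push(attrName);
			}
		}
		var attrArray = java.lang.reflect.Array.newInstance(java.lang.String, attrNames.length);
		for (var j = 0; j < attrNames.length; j++) {
			attrArray[j] = attrNames[j];
		}

		// NOTE(review): these are JVM-wide system properties. They switch the default
		// trust store for every other TLS client in this JVM, the password becomes
		// readable by anything that can call System.getProperty(), and JSSE reads them
		// when the default SSLContext is first initialised — a later change may need a
		// restart to take effect. Building an SSLContext from the key store and passing
		// its socket factory to LDAPJSSESecureSocketFactory would avoid all three.
		var storePath = trustStorePath == null ? "/opt/netiq/common/jre/lib/security/cacerts" : String(trustStorePath);
		java.lang.System.setProperty("javax.net.ssl.trustStore", storePath);
		java.lang.System.setProperty("javax.net.ssl.trustStorePassword", cacert_pwd);
		var ssf = new LDAPJSSESecureSocketFactory();
		lc = new LDAPConnection(ssf);
		lc.connect(host, port);
		lc.bind(LDAPConnection.LDAP_V3, user, new java.lang.String(password).getBytes("UTF8"));
		var searchResults = lc.search(base, searchScope, filter, attrArray, false);

		while (searchResults.hasMore()) {
			var nextEntry = searchResults.next();
			var instanceElement = document.createElement("instance");
			instanceElement.setAttributeNS(null, "src-dn", nextEntry.getDN());
			nodeSet.add(instanceElement);
		}
	} catch (e) {
		// Best effort: trace and return whatever was collected. A Java exception is
		// either caught directly or wrapped by Rhino (e.javaException); in both cases
		// include the full stack trace, since "Connect Error" alone says nothing.
		var detail = String(e);
		var thrown = (e instanceof java.lang.Throwable) ? e : (e != null ? e.javaException : null);
		if (thrown instanceof java.lang.Throwable) {
			var sw = new Packages.java.io.StringWriter();
			var pw = new Packages.java.io.PrintWriter(sw);
			thrown.printStackTrace(pw);
			pw.flush();
			detail = sw.toString();
		}
		tracer.trace("Error In LDAP Search: " + detail, 5);
	} finally {
		// Release the socket whether the search succeeded or not; the original code
		// never disconnected, leaking one connection per call.
		if (lc !== null) {
			try {
				lc.disconnect();
			} catch (closeErr) {
				tracer.trace("Error closing LDAP connection: " + String(closeErr), 5);
			}
		}
	}
	return nodeSet;
}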

 

I am using IDM 4.7.3.


Your ECMAScript does not trust the certificate of the LDAP server (the `certificate unknown` alert, number 46, in the ndstrace output is sent by the client side when it cannot validate the server certificate). You need to import its signing CA into the truststore (and if you use the script in a driver: restart eDirectory to activate the change).

______________________________________________
https://www.is4it.de/identity-access-management


Please get the full stack trace from the exception:

/**
 * Render a Java exception's stack trace as a string.
 *
 * Anything that is not a java.lang.Exception instance yields '' — so a plain
 * JS error or a null value produces no output rather than throwing.
 * @since 1.2.4
 * @param {Exception} exception - the Java exception to format
 * @returns {string} the printed stack trace, or '' when exception is not a java.lang.Exception
 */
function getJavaStackTrace(exception) { // eslint-disable-line no-unused-vars
    if (!(exception instanceof java.lang.Exception)) {
        return '';
    }
    var buffer = new Packages.java.io.StringWriter();
    var writer = new Packages.java.io.PrintWriter(buffer);
    exception.printStackTrace(writer);
    writer.flush();
    return buffer.toString();
}

 

--
Norbert

I am getting the error below in ndstrace.log; I am trying to make an SSL connection using port 636.

[2021/03/04  1:54:33.971] New TLS connection 0x100bee00 from <eDir IP Address>:40216, monitor = 0xe1ae2700, index = 6
[2021/03/04  1:54:33.975] Monitor 0xe1ae2700 initiating TLS handshake on connection 0x100bee00
[2021/03/04  1:54:33.975] (<eDir IP Address>:40216)(0x0000:0x00) DoTLSHandshake on connection 0x100bee00
[2021/03/04  1:54:33.994] (<eDir IP Address>:40216)(0x0000:0x00) TLS accept failure 1 on connection 0x100bee00, setting err = -5875. Error stack: 
	error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown - SSL alert number 46
[2021/03/04  1:54:33.994] (<eDir IP Address>:40216)(0x0000:0x00) TLS handshake failed on connection 0x100bee00, err = -5875
[2021/03/04  1:54:33.994] BIO ctrl called with unknown cmd 7
[2021/03/04  1:54:33.994] Server closing connection 0x100bee00, socket error = -5875
[2021/03/04  1:54:33.994] Connection 0x100bee00 closed

 


Your ECMAScript does not trust the certificate of the LDAP server (the `certificate unknown` alert, number 46, in your ndstrace output is sent by the client side when it cannot validate the server certificate). You need to import its signing CA into the truststore (and if you use the script in a driver: restart eDirectory to activate the change).

______________________________________________
https://www.is4it.de/identity-access-management
