cfrench3

SSL for a LDAP Driver


Good afternoon all,

I have a LDAP driver installed/configured and working fine, it is
currently using port 389 and I want to move to SSL.

I have the following questions:

- Is there any specific documentation on how to configure the SSL
settings on the engine?
- I can find a ton of documentation on how to configure the R/L
side but nothing on the engine side.
- Do I need to create a keystore for the engine side like I did for the
R/L?
- I tried creating a keystore for the engine but when I use it I get
the following error:

Dev ISD LDAP Driver :Remote Interface Driver: Exception in
Connection.run(): java.lang.NegativeArraySizeException
java.lang.NegativeArraySizeException
at
com.novell.nds.dirxml.remote.ReadAheadInputStream.<init>(ReceiveDocumentHandler.java:493)
at
com.novell.nds.dirxml.remote.ReadAheadInputStream.<init>(ReceiveDocumentHandler.java:477)
at
com.novell.nds.dirxml.remote.ReceiveDocumentHandler.parse(ReceiveDocumentHandler.java:225)
at
com.novell.nds.dirxml.remote.Connection.receive(Connection.java:1120)
at com.novell.nds.dirxml.remote.Connection.run(Connection.java:835)
at java.lang.Thread.run(Unknown Source)

I know nothing about Java so any translation would be greatly
appreciated.

Thanks,

Claude


--
cfrench3
------------------------------------------------------------------------
cfrench3's Profile: http://forums.novell.com/member.php?userid=39200
View this thread: http://forums.novell.com/showthread.php?t=452903

Anonymous_User

Re: SSL for a LDAP Driver

You need to put the trusted root of the LDAP servers cert into a java keystore.
That instruction can be found here:
http://www.novell.com/documentation/idm401drivers/ldap/data/aboqqp8.html#aboqslv

As long as your java is up to date any keytool from the JRE on your desktop will work. Look in
c:\prog files\java\jre\bin or something like that to find one.

I would not name it ".keystore" but something else without a leading period.
Also include the trustcacerts option in your keytool import. The doc is wrong there.

Then in your driver settings adjust as needed:
http://www.novell.com/documentation/idm401drivers/ldap/data/b94m51z.html#bs29epj

Use SSL, path on your vault server to the keystore file, don't use mutual auth.

Post back if you are still stuck.



On 3/2/2012 2:36 PM, cfrench3 wrote: [original post quoted in full; see above]


cfrench3

Re: SSL for a LDAP Driver


Will,

Thanks for the assistance on this issue.

The keystore which you refer to is that on the R/L side of the
equation or on the eDir engine side? We added the
trusted root of the eDir server to the keystore on the R/L side and
still no luck. I see the following in the trace:

14:22:56 51B3B940 Drvrs: Dev ISD LDAP Driver :Remote Interface Driver:
Exception in Connection.run(): java.lang.NegativeArraySizeException
java.lang.NegativeArraySizeException
at
com.novell.nds.dirxml.remote.ReadAheadInputStream.<init>(ReceiveDocumentHandler.java:493)
at
com.novell.nds.dirxml.remote.ReadAheadInputStream.<init>(ReceiveDocumentHandler.java:477)
at
com.novell.nds.dirxml.remote.ReceiveDocumentHandler.parse(ReceiveDocumentHandler.java:225)
at
com.novell.nds.dirxml.remote.Connection.receive(Connection.java:1120)
at com.novell.nds.dirxml.remote.Connection.run(Connection.java:835)
at java.lang.Thread.run(Unknown Source)

14:22:56 51B3B940 Drvrs: Dev ISD LDAP Driver :Remote Interface Driver:
Closing connection...
14:22:56 51B3B940 Drvrs: Dev ISD LDAP Driver :Remote Interface Driver:
Connection closed
14:22:56 421F6940 DirXML:
14:22:57 51939940 Drvrs: Dev ISD LDAP Driver
ST:SubscriptionShim.execute() returned:
14:22:57 51939940 Drvrs: Dev ISD LDAP Driver ST:
<nds dtdversion="3.5" ndsversion="8.x">
<output>
<status event-id="query-driver-ident" level="retry"
type="remoteloader">No connection to remote loader</status>
</output>
</nds>
14:22:57 51939940 Drvrs: Dev ISD LDAP Driver ST:Requesting 30 second
retry delay.

Thanks,

Claude



Anonymous_User

Re: SSL for a LDAP Driver

OK, I completely glazed over the fact you are running it in a remote loader.
Out of curiosity why not just run it in the engine?

There are two aspects to address.
1. The SSL connection between the engine and the remote loader.
2. The SSL connection between the shim and the directory.

Unless you have some unique constraints, performance concerns, etc there is little reason to run
this in a remote loader. It adds a layer of complexity. For really big installations you might do
it for performance reasons but the driver is pretty darn fast as it is.

Another reason to do it would be to run the remote loader on the LDAP server itself. Then you can
SSL the remote loader connection and just use 389 locally if your LDAP server doesn't have SSL support.

So for the engine to remote loader connection see here:
http://www.novell.com/documentation/idm401/idm_remoteloader/data/bf7vb78.html

But before going down that road, do you really have a need to run it in a remote loader? More
specifics about your installation would help tailor the answer to you.

On 3/20/2012 1:36 PM, cfrench3 wrote:
>
> <status event-id="query-driver-ident" level="retry"
> type="remoteloader">No connection to remote loader</status>
> </output>
> </nds>


cfrench3

Re: SSL for a LDAP Driver


Will Schneider;2183806 Wrote:
> OK, I completely glazed over the fact you are running it in a remote
> loader.
> Out of curiosity why not just run it in the engine?


The engine is running on our eDir authentication tree and the LDAP
server is OpenLDAP which I do not think I can run an engine on.

Will Schneider;2183806 Wrote:
>
> There are two aspect to address.
> 1. The SSL connection between the engine and the remote loader.
> 2. The SSL connection between the shim and the directory.
>
> Unless you have some unique constraints, performance concerns, etc
> there is little reason to run
> this in a remote loader. It adds a layer of complexity. For really
> big installations you might do
> it for performance reasons but the driver is pretty darn fast as it
> is.
>
> Another reason to do it would be to run the remote loader on the LDAP
> server itself. Then you can
> SSL the remote loader connection and just use 389 locally if your LDAP
> server doesn't have SSL support.


We are trying to run the R/L on the OpenLDAP server and when it is set
to use clear text everything works fine. The SSL is what is killing us.

Will Schneider;2183806 Wrote:
> So for the engine to remote loader connection see here:
> 'Novell Doc: Identity Manager 4.0.1 Remote Loader Guide - Creating a
> Secure Connection'
> (http://www.novell.com/documentation/idm401/idm_remoteloader/data/bf7vb78.html)
>
> But before going down that road, do you really have a need to run it in
> a remote loader? More
> specifics about your installation would help tailor the answer to you.


What additional information would you need?

Thanks,

Claude



Anonymous_User

Re: SSL for a LDAP Driver

Ahhaa!
You don't need to.

Get the trusted root of the cert that is used for the LDAPS connection on your openLDAP server.
Import it into a keystore using keytool and the trustcacerts option
Put that keystore somewhere on your vault server
In the driver config, change it to run local instead of remote loader.
Change the driver config to point to the IP or host of your openLDAP server
In the SSL config give it the path on the vault server to the keystore file you created.

That should do it.


Run the driver locally

On 3/21/2012 1:16 PM, cfrench3 wrote:
>
>
> The engine is running on our eDir authentication tree and the LDAP
> server is OpenLDAP which I do not think I can run an engine on.
>

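The keystore procedure from Will's first and last replies (trusted root of the LDAPS server into a Java keystore with keytool and the trustcacerts option, keystore placed on the vault server, driver SSL settings pointed at it), as an added shell example that is not from the thread or from Novell. The host, port, keystore path, alias and password are placeholders, and it assumes openssl and keytool are on the vault server's PATH.

```shell
#!/bin/sh
# Added example, not from the thread: build the trust keystore the LDAP driver
# needs for LDAPS, following the steps in the replies above. Host, paths,
# alias and password below are placeholders to replace.
LDAP_HOST="${LDAP_HOST:-openldap.example.com}"      # your OpenLDAP server (placeholder)
LDAP_PORT="${LDAP_PORT:-636}"                       # LDAPS port
STORE="${STORE:-/var/opt/novell/ldaptrust.jks}"     # on the vault (engine) server, no leading dot
STOREPASS="${STOREPASS:-changeit}"                  # placeholder; keytool needs >= 6 characters
CA_PEM="${CA_PEM:-/tmp/openldap-root.pem}"          # trusted root in PEM form
# Reject a keystore name with a leading period (the reply above advises
# against ".keystore") and a password keytool would refuse. Returns 0 if OK.
keystore_settings_ok() {
    case "$(basename "$1")" in .*) return 1 ;; esac
    [ "${#2}" -ge 6 ]
}

# From "openssl s_client -showcerts" output on stdin, keep only the last
# certificate of the chain (the root or top-most CA the server sends).
last_cert_in_chain() {
    awk '/BEGIN CERT/ {n++; c[n]=""}
         n && !seen[n] {c[n]=c[n] $0 "\n"}
         /END CERT/ {seen[n]=1}
         END {printf "%s", c[n]}'
}

# The keytool import line; -trustcacerts is the option the doc leaves out,
# -noprompt skips the interactive "Trust this certificate?" question.
keytool_import_cmd() {
    printf 'keytool -importcert -trustcacerts -noprompt -alias %s -file %s -keystore %s -storepass %s' \
        "$1" "$2" "$3" "$4"
}

main() {
    keystore_settings_ok "$STORE" "$STOREPASS" || { echo "bad keystore name or password" >&2; return 1; }
    # 1. Get the trusted root. If the server does not send its root in the
    #    chain, put the CA's own PEM at $CA_PEM before running this.
    [ -s "$CA_PEM" ] || openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -showcerts </dev/null 2>/dev/null \
        | last_cert_in_chain > "$CA_PEM"
    [ -s "$CA_PEM" ] || { echo "no certificate obtained from $LDAP_HOST" >&2; return 1; }
    # 2. Import it into the keystore the driver's SSL settings will point at.
    eval "$(keytool_import_cmd openldap-root "$CA_PEM" "$STORE" "$STOREPASS")"
    keytool -list -keystore "$STORE" -storepass "$STOREPASS"
    # 3. Check the LDAPS handshake validates against that root before changing
    #    the driver (expect "Verify return code: 0 (ok)").
    openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -CAfile "$CA_PEM" </dev/null 2>/dev/null \
        | grep 'Verify return code'
}
# Runs only when invoked as: sh build_ldap_truststore.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

After the import, set the driver to run locally with "Use SSL" on and the keystore path set to $STORE, as the last reply describes.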