
LDAP Server configuration problem

I've recently discovered a problem with the LDAP server on one of my
servers. It was a 5.1 server originally and I did an in-place upgrade to
6.5 a year ago. I hadn't noticed the LDAP problem until late last year when
I was trying to get Apache to do user authentication.
The problem looks to me like the LDAP schema is somehow broken. As an
example of the problems I'm having, I can't log in to the Apache
Administration tool using the username cn=admin,o=hamilton but I can log in
using commonname=admin,o=hamilton.
The first username gives NDS error: no such entry (-601) in the DSTrace,
while the second version works fine. I'm using SSL on port 636 to connect
to the server.
I tried uninstalling LDAP, Tomcat & Apache on the server & re-installing
them but that didn't fix the problem.

Below is the DSTrace of me logging onto the Apache admin tool, first with
cn=admin and then with commonname=admin. At the end, you can see that it
also tries to find the group "cn=Apache Group,o=hamilton", which exists,
but it fails because it's not using commonname=.
My other servers all work just fine with LDAP. I want to fix this because
the server holds the master replica and I'm trying to install an OES Linux
server into the tree and don't want problems with it talking to this server.

Wednesday, 24 Jan 2007
15:46:36 92B17560 LDAP: New TLS connection 0x92cc88c0 from
10.61.40.52:30448, monitor = 0x280, index = 7
15:46:36 9713D300 LDAP: Monitor 0x280 initiating TLS handshake on
connection 0x92cc88c0
15:46:36 9715F240 LDAP: (10.61.40.52:30448)(0x0000:0x00) DoTLSHandshake on
connection 0x92cc88c0
15:46:36 9715F240 LDAP: (10.61.40.52:30448)(0x0000:0x00) Completed TLS
handshake on connection 0x92cc88c0
15:46:36 9715F240 LDAP: (10.61.40.52:30448)(0x0001:0x60) DoBind on
connection 0x92cc88c0
15:46:36 9715F240 LDAP: (10.61.40.52:30448)(0x0001:0x60) Bind
name:cn=admin,o=hamilton, version:3, authentication:simple
15:46:36 9715F240 LDAP: (10.61.40.52:30448)(0x0001:0x60) Failed to resolve
full context on connection 0x92cc88c0, err = no such entry (-601)
15:46:36 9715F240 LDAP: (10.61.40.52:30448)(0x0001:0x60) Failed to
authenticate full context on connection 0x92cc88c0, err = no such entry (-601)
15:46:36 9715F240 LDAP: (10.61.40.52:30448)(0x0001:0x60) Sending operation
result 32:"":"NDS error: no such entry (-601)" to connection 0x92cc88c0
15:46:49 92B17560 LDAP: New TLS connection 0x9d107d20 from
10.61.40.52:30449, monitor = 0x280, index = 8
15:46:49 9713D300 LDAP: Monitor 0x280 found connection 0x92cc88c0 ending
TLS session
15:46:49 9715F240 LDAP: (10.61.40.52:30448)(0x0000:0x00) DoTLSShutdown on
connection 0x92cc88c0
15:46:49 9713D300 LDAP: Monitor 0x280 initiating TLS handshake on
connection 0x9d107d20
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0000:0x00) DoTLSHandshake on
connection 0x9d107d20
15:46:49 9713D300 LDAP: Monitor 0x280 found connection 0x92cc88c0 socket
closed, err = -5871, 0 of 0 bytes read
15:46:49 9713D300 LDAP: Monitor 0x280 initiating close for connection
0x92cc88c0
15:46:49 9BDDF520 LDAP: Server closing connection 0x92cc88c0, socket error
= -5871
15:46:49 9BDDF520 LDAP: Connection 0x92cc88c0 closed
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0000:0x00) Completed TLS
handshake on connection 0x9d107d20
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0001:0x60) DoBind on
connection 0x9d107d20
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0001:0x60) Bind
name:commonname=admin,o=hamilton, version:3, authentication:simple
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0001:0x60) Sending operation
result 0:"":"" to connection 0x9d107d20
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0002:0x63) DoSearch on
connection 0x9d107d20
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0002:0x63) Search request:
base: "commonname=admin,o=hamilton"
scope:0 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(objectClass=*)"
no attributes
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0002:0x63) Empty attribute
list implies all user attributes
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0002:0x63) Sending search
result entry "commonName=Admin,o=Hamilton" to connection 0x9d107d20
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0002:0x63) Sending operation
result 0:"":"" to connection 0x9d107d20
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0003:0x63) DoSearch on
connection 0x9d107d20
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0003:0x63) Search request:
base: "commonname=admin,o=hamilton"
scope:0 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(objectClass=*)"
no attributes
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0003:0x63) Empty attribute
list implies all user attributes
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0003:0x63) Sending search
result entry "commonName=Admin,o=Hamilton" to connection 0x9d107d20
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0003:0x63) Sending operation
result 0:"":"" to connection 0x9d107d20
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0004:0x63) DoSearch on
connection 0x9d107d20
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0004:0x63) Search request:
base: "o=hamilton"
scope:0 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(objectClass=*)"
no attributes
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0004:0x63) Empty attribute
list implies all user attributes
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0004:0x63) Sending search
result entry "o=Hamilton" to connection 0x9d107d20
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0004:0x63) Sending operation
result 0:"":"" to connection 0x9d107d20
15:46:50 9715F240 LDAP: (10.61.40.52:30449)(0x0005:0x63) DoSearch on
connection 0x9d107d20
15:46:50 9715F240 LDAP: (10.61.40.52:30449)(0x0005:0x63) Search request:
base: "cn=Apache Group,o=hamilton"
scope:0 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(objectClass=*)"
no attributes
15:46:50 9715F240 LDAP: (10.61.40.52:30449)(0x0005:0x63) Cannot resolve NDS
name 'Full Name=Apache Group.O=hamilton' in ResolveAndAuthNDSName, err = no
such entry (-601)
15:46:50 9715F240 LDAP: (10.61.40.52:30449)(0x0005:0x63) Base "cn=Apache
Group,o=hamilton" not found, err = no such entry (-601)
15:46:50 9715F240 LDAP: (10.61.40.52:30449)(0x0005:0x63) Sending operation
result 32:"o=hamilton":"NDS error: no such entry (-601)" to connection
0x9d107d20

13 Replies
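The trace in the post above, worked through as an added example that is not part of the original thread: a small Python parser for DSTrace LDAP lines that reconstructs each connection and operation and flags the two things the diagnosis hinges on, a bind that comes back with result 32 / NDS -601, and a search base whose leftmost cn RDN was translated to an NDS attribute other than CN (the trace's "Cannot resolve NDS name 'Full Name=Apache Group.O=hamilton'" line). The sample trace is a constructed copy of the lines posted above, with each wrapped event joined back onto one line; the expectation that a healthy mapping sends LDAP cn to NDS CN follows what the later replies state about the LDAP Group object's attribute mapping. A simple bind on a connection that was not opened as TLS is also flagged, since a simple bind carries the password in the clear.

```python
"""Parse eDirectory DSTrace LDAP lines and flag the failure patterns seen in the trace."""
import re

# Constructed sample: the DSTrace lines posted above, with each wrapped event joined
# back onto one line. The multi-line 'Search request:' / 'base:' layout is kept as posted.
SAMPLE_TRACE = """\
15:46:36 92B17560 LDAP: New TLS connection 0x92cc88c0 from 10.61.40.52:30448, monitor = 0x280, index = 7
15:46:36 9715F240 LDAP: (10.61.40.52:30448)(0x0001:0x60) Bind name:cn=admin,o=hamilton, version:3, authentication:simple
15:46:36 9715F240 LDAP: (10.61.40.52:30448)(0x0001:0x60) Failed to resolve full context on connection 0x92cc88c0, err = no such entry (-601)
15:46:36 9715F240 LDAP: (10.61.40.52:30448)(0x0001:0x60) Sending operation result 32:"":"NDS error: no such entry (-601)" to connection 0x92cc88c0
15:46:49 92B17560 LDAP: New TLS connection 0x9d107d20 from 10.61.40.52:30449, monitor = 0x280, index = 8
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0001:0x60) Bind name:commonname=admin,o=hamilton, version:3, authentication:simple
15:46:49 9715F240 LDAP: (10.61.40.52:30449)(0x0001:0x60) Sending operation result 0:"":"" to connection 0x9d107d20
15:46:50 9715F240 LDAP: (10.61.40.52:30449)(0x0005:0x63) Search request:
base: "cn=Apache Group,o=hamilton"
scope:0 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(objectClass=*)"
15:46:50 9715F240 LDAP: (10.61.40.52:30449)(0x0005:0x63) Cannot resolve NDS name 'Full Name=Apache Group.O=hamilton' in ResolveAndAuthNDSName, err = no such entry (-601)
15:46:50 9715F240 LDAP: (10.61.40.52:30449)(0x0005:0x63) Sending operation result 32:"o=hamilton":"NDS error: no such entry (-601)" to connection 0x9d107d20
"""

LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) (?P<thread>[0-9A-Fa-f]+) LDAP: (?P<msg>.*)$")
NEW_CONN_RE = re.compile(r"New (?P<tls>TLS )?connection (?P<conn>0x[0-9a-f]+) from (?P<peer>[\d.]+:\d+)")
# (peer)(message-id:protocol-op) prefix; the op byte is the LDAP BER tag: 0x60 BindRequest, 0x63 SearchRequest.
OP_RE = re.compile(r"^\((?P<peer>[\d.]+:\d+)\)\((?P<msgid>0x[0-9a-f]+):(?P<op>0x[0-9a-f]+)\) (?P<text>.*)$")
BIND_RE = re.compile(r"^Bind name:(?P<dn>.*?), version:\d+, authentication:(?P<auth>\w+)$")
RESULT_RE = re.compile(r'^Sending operation result (?P<code>\d+):"(?P<matched>[^"]*)":"(?P<diag>[^"]*)"')
BASE_RE = re.compile(r'^base: "(?P<base>[^"]*)"$')
NDS_RE = re.compile(r"^Cannot resolve NDS name '(?P<nds>[^']*)'")

BIND_REQUEST, SEARCH_REQUEST = 0x60, 0x63


def parse_trace(text):
    """Return (connections, operations).

    connections: peer 'ip:port' -> {'conn': handle, 'tls': bool}
    operations: one dict per (peer, message id), in order of first appearance.
    """
    connections, ops, order = {}, {}, []
    pending_search = None  # search op whose 'base:' continuation line has not been seen yet
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            b = BASE_RE.match(line)  # continuation line of a multi-line search request
            if b and pending_search is not None:
                pending_search["base"] = b.group("base")
            continue
        msg = m.group("msg")
        c = NEW_CONN_RE.search(msg)
        if c:
            connections[c.group("peer")] = {"conn": c.group("conn"), "tls": c.group("tls") is not None}
            continue
        o = OP_RE.match(msg)
        if not o:
            continue
        key = (o.group("peer"), o.group("msgid"))
        op = ops.get(key)
        if op is None:
            op = {"time": m.group("time"), "peer": key[0], "msgid": key[1], "tag": int(o.group("op"), 16),
                  "dn": None, "auth": None, "base": None, "nds_name": None, "result": None}
            ops[key] = op
            order.append(op)
        text_ = o.group("text")
        b, r, n = BIND_RE.match(text_), RESULT_RE.match(text_), NDS_RE.match(text_)
        if b:
            op["dn"], op["auth"] = b.group("dn"), b.group("auth")
        elif text_ == "Search request:":
            pending_search = op
        elif n:
            op["nds_name"] = n.group("nds")
        elif r:
            op["result"] = (int(r.group("code")), r.group("matched"), r.group("diag"))
    return connections, order


def leftmost_attr(name, sep):
    """Attribute type of the leftmost component: LDAP 'cn=Admin,o=x' -> 'cn'; NDS 'Full Name=X.O=y' -> 'Full Name'."""
    return name.split(sep, 1)[0].split("=", 1)[0].strip()


def analyse(text):
    """Return findings as tuples; the first element names the pattern."""
    connections, ops = parse_trace(text)
    findings = []
    for op in ops:
        code = op["result"][0] if op["result"] else None
        if op["tag"] == BIND_REQUEST:
            # A simple bind sends the password in the clear unless the connection is TLS.
            if op["auth"] == "simple" and not connections.get(op["peer"], {}).get("tls", False):
                findings.append(("cleartext_simple_bind", op["peer"], op["dn"]))
            if code not in (None, 0):
                findings.append(("bind_failed", op["dn"], code, op["result"][2]))
        elif op["tag"] == SEARCH_REQUEST and op["base"] and op["nds_name"]:
            ldap_attr = leftmost_attr(op["base"], ",").lower()
            nds_attr = leftmost_attr(op["nds_name"], ".")
            # With a healthy LDAP Group mapping the LDAP RDN type 'cn' becomes the NDS attribute 'CN';
            # anything else means the server translated the base DN through a different mapping.
            if ldap_attr == "cn" and nds_attr.lower() != "cn":
                findings.append(("rdn_mapping_mismatch", op["base"], nds_attr))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_TRACE):
        print(*finding)
```

Run against the sample it reports the failed cn=admin bind and the cn to Full Name translation of the group base; feed it a full DSTrace capture and the same two findings pick out the affected connections without reading the trace by hand.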

Re: LDAP Server configuration problem

imoore@hamcoll.sa.edu.au wrote:

> I've recently discovered a problem with the LDAP server on one of my
> servers. It was a 5.1 server originally and I did an in-place upgrade
> to 6.5 a year ago. I hadn't noticed the LDAP problem until late last
> year when I was trying to get Apache to do user authentication.
> The problem looks to me like the LDAP schema is somehow broken. As an
> example of the problems I'm having, I can't log in to the Apache
> Administration tool using the username cn=admin,o=hamilton but I can
> log in using commonname=admin,o=hamilton.
> The first username gives NDS error: no such entry (-601) in the
> DSTrace, while the second version works fine. I'm using SSL on port
> 636 to connect to the server.
> I tried uninstalling LDAP, Tomcat & Apache on the server &
> re-installing them but that didn't fix the problem.
>
> Below is the DSTrace of me logging onto the Apache admin tool, first
> with cn=admin and then with commonname=admin. At the end, you can see
> that it also tries to find the group "cn=Apache Group,o=hamilton",
> which exists, but it fails because it's not using commonname=
> My other servers all work just fine with LDAP. I want to fix this
> because the server holds the master replica and I'm trying to install
> an OES Linux server into the tree and don't want problems with it
> talking to this server.


Do you still have the attribute mappings for the CN in place in your
LDAP Group object for that server?

--
Cheers,
Edward

Re: LDAP Server configuration problem

> imoore@hamcoll.sa.edu.au wrote:
>
> > I've recently discovered a problem with the LDAP server on one of my
> > servers. It was a 5.1 server originally and I did an in-place upgrade
> > to 6.5 a year ago. I hadn't noticed the LDAP problem until late last
> > year when I was trying to get Apache to do user authentication.
> > The problem looks to me like the LDAP schema is somehow broken. As an
> > example of the problems I'm having, I can't log in to the Apache
> > Administration tool using the username cn=admin,o=hamilton but I can
> > log in using commonname=admin,o=hamilton.
> > The first username gives NDS error: no such entry (-601) in the
> > DSTrace, while the second version works fine. I'm using SSL on port
> > 636 to connect to the server.
> > I tried uninstalling LDAP, Tomcat & Apache on the server &
> > re-installing them but that didn't fix the problem.
> >
> > Below is the DSTrace of me logging onto the Apache admin tool, first
> > with cn=admin and then with commonname=admin. At the end, you can see
> > that it also tries to find the group "cn=Apache Group,o=hamilton",
> > which exists, but it fails because it's not using commonname=
> > My other servers all work just fine with LDAP. I want to fix this
> > because the server holds the master replica and I'm trying to install
> > an OES Linux server into the tree and don't want problems with it
> > talking to this server.

>
> Do you still have the attribute mappings for the CN in place in your
> LDAP Group object for that server?


Yes, CN is mapped to cn and in the Class mappings, User is mapped to
iNetOrgPerson (though the list of class mappings is much shorter than for
the other servers).

Re: LDAP Server configuration problem

imoore@hamcoll.sa.edu.au wrote:


> Yes, CN is mapped to cn and in the Class mappings, User is mapped to
> iNetOrgPerson (though the list of class mappings is much shorter than
> for the other servers).


Do you have the same issue when you use an LDAP browser?


--
Cheers,
Edward

Re: LDAP Server configuration problem

> imoore@hamcoll.sa.edu.au wrote:
>
>
> > Yes, CN is mapped to cn and in the Class mappings, User is mapped to
> > iNetOrgPerson (though the list of class mappings is much shorter than
> > for the other servers).

>
> Do you have the same issue when you use an LDAP browser?
>
>
> --
> Cheers,
> Edward


I haven't used an LDAP browser before, but I've just downloaded & installed
the Softerra browser. To connect to any of my servers, I seem to have to
use anonymous bind and the unsecure port (389).
On the faulty server, all leaf objects show as commonname=xxxx, whereas on
the other servers, they show up twice, once as commonname=xxxx and again as
cn=xxxx.
BTW, the LDAP Server objects are all using the same settings and the only
difference I can see in the LDAP group objects is in the Class Mappings.

Cheers,
Ian

Re: LDAP Server configuration problem

imoore@hamcoll.sa.edu.au wrote:


> I haven't used an LDAP browser before, but I've just downloaded &
> installed the Softerra browser. To connect to any of my servers, I
> seem to have to use anonymous bind and the unsecure port (389).
> On the faulty server, all leaf objects show as commonname=xxxx,
> whereas on the other servers, they show up twice, once as
> commonname=xxxx and again as cn=xxxx.
> BTW, the LDAP Server objects are all using the same settings and the
> only difference I can see in the LDAP group objects is in the Class
> Mappings.


Now I haven't used the Softerra LDAP browser, but what you are seeing
doesn't sound right. Can you check if you see the same with DSBROWSE?


--
Cheers,
Edward

Re: LDAP Server configuration problem

> imoore@hamcoll.sa.edu.au wrote:
>
>
> > I haven't used an LDAP browser before, but I've just downloaded &
> > installed the Softerra browser. To connect to any of my servers, I
> > seem to have to use anonymous bind and the unsecure port (389).
> > On the faulty server, all leaf objects show as commonname=xxxx,
> > whereas on the other servers, they show up twice, once as
> > commonname=xxxx and again as cn=xxxx.
> > BTW, the LDAP Server objects are all using the same settings and the
> > only difference I can see in the LDAP group objects is in the Class
> > Mappings.

>
> Now I haven't used the Softerra LDAP browser, but what you are seeing
> doesn't sound right. Can you check if you see the same with DSBROWSE?
>

DSBROWSE only shows CN= objects and the schema only lists CN; there is no
CommonName in the eDir schema, only in LDAP.

Re: LDAP Server configuration problem

imoore@hamcoll.sa.edu.au wrote:


> DSBROWSE only shows CN= objects and the schema only lists CN; there
> is no CommonName in the eDir schema, only in LDAP.


Can you check the primary LDAP attribute for the NDS attribute CN on
the LDAP Group object ?

--
Cheers,
Edward

Re: LDAP Server configuration problem

> imoore@hamcoll.sa.edu.au wrote:
>
>
> > DSBROWSE only shows CN= objects and the schema only lists CN, there
> > is no CommonName in the eDir schema, only in LDAP.

>
> Can you check the primary LDAP attribute for the NDS attribute CN on
> the LDAP Group object ?
>
> --
> Cheers,
> Edward


Sorry, you've lost me there - where do I find the primary LDAP attribute?

Cheers,
Ian

Re: LDAP Server configuration problem

imoore@hamcoll.sa.edu.au wrote:


> Sorry, You've lost me there - where do i find the primary LDAP
> attribute?


If you go to the LDAP Group object you can access the attribute mappings.
Click on the CN mapping and you'll see NDS Attributes and LDAP
Attributes. Here you'll find the primary and secondary LDAP attribute.


--
Cheers,
Edward

Re: LDAP Server configuration problem

> imoore@hamcoll.sa.edu.au wrote:
>
>
> > Sorry, You've lost me there - where do i find the primary LDAP
> > attribute?

>
> If you go to the LDAP Group object you can access the attribute mappings.
> Click on the CN mapping and you'll see NDS Attributes and LDAP
> Attributes. Here you'll find the primary and secondary LDAP attribute.


Duh, I hadn't tried clicking on the Modify button!
Well, the primary LDAP attribute is cn and the secondary is commonname.
It's the same on the other servers' LDAP Group objects too.

Cheers,
Ian
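The mapping just described (NDS attribute CN with primary LDAP name cn and secondary commonname), modelled as an added example that is not part of the thread and not eDirectory's own code: an LDAP DN is split into RDNs, each RDN type is looked up through a reverse map built from the primary and secondary names, and the result is written in the dotted NDS form the trace uses. HEALTHY_MAP is the mapping Ian reports; FAULTY_MAP is one hypothetical state that would produce the trace's "Full Name=Apache Group.O=hamilton" lookup (cn aliased to the NDS attribute Full Name instead of CN), chosen for illustration only, since the thread never establishes what the faulty server's map actually contained. DIRECTORY is a constructed stand-in for the tree's existing objects.

```python
"""Model of LDAP-DN-to-NDS-name translation through an attribute map (added example, not eDirectory code)."""

# Assumed map shaped like the LDAP Group object's attribute mappings:
# NDS attribute -> (primary LDAP attribute, secondary LDAP attribute or None).
HEALTHY_MAP = {"CN": ("cn", "commonname"), "O": ("o", None), "OU": ("ou", None)}
# Hypothetical faulty map consistent with the trace's 'Full Name=Apache Group.O=hamilton'
# lookup: cn has become an alias of the NDS attribute Full Name, and only commonname maps to CN.
FAULTY_MAP = {"CN": ("commonname", None), "Full Name": ("cn", None), "O": ("o", None), "OU": ("ou", None)}

# Constructed stand-in for the tree: NDS names that exist, compared case-insensitively.
DIRECTORY = {"O=hamilton", "CN=admin.O=hamilton", "CN=Apache Group.O=hamilton"}


def split_dn(dn):
    """Split an LDAP DN into (type, value) pairs, honouring backslash-escaped commas (RFC 4514)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, eq, value = rdn.partition("=")
        if not eq:
            raise ValueError(f"RDN without '=': {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))  # attribute types are case-insensitive
    return pairs


def reverse_map(table):
    """LDAP attribute name (lower-cased) -> NDS attribute, covering primary and secondary names."""
    rev = {}
    for nds_attr, ldap_names in table.items():
        for name in ldap_names:
            if name:
                rev[name.lower()] = nds_attr
    return rev


def ldap_to_nds(dn, table):
    """Translate 'cn=admin,o=hamilton' to the dotted NDS form 'CN=admin.O=hamilton'.

    Returns (nds_name, None), or (None, reason) if some RDN type has no mapping at all.
    """
    rev = reverse_map(table)
    parts = []
    for attr, value in split_dn(dn):
        nds_attr = rev.get(attr)
        if nds_attr is None:
            return None, f"LDAP attribute {attr!r} is not mapped to any NDS attribute"
        parts.append(f"{nds_attr}={value}")
    return ".".join(parts), None


def resolve(dn, table, directory=DIRECTORY):
    """Translate, then look the NDS name up: ('ok' | 'no such entry' | 'unmapped', detail)."""
    nds_name, err = ldap_to_nds(dn, table)
    if err:
        return "unmapped", err
    known = {name.lower() for name in directory}
    return ("ok" if nds_name.lower() in known else "no such entry"), nds_name


if __name__ == "__main__":
    for table_name, table in (("healthy", HEALTHY_MAP), ("faulty", FAULTY_MAP)):
        for dn in ("cn=admin,o=hamilton", "commonname=admin,o=hamilton", "cn=Apache Group,o=hamilton"):
            print(table_name, dn, "->", *resolve(dn, table))
```

With HEALTHY_MAP both spellings of the admin DN land on the same NDS name; with FAULTY_MAP the commonname form still works while every cn form is translated to a Full Name object that does not exist, which is the shape of the behaviour reported in the thread.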

Re: LDAP Server configuration problem

imoore@hamcoll.sa.edu.au wrote:

> > imoore@hamcoll.sa.edu.au wrote:
> >
> >
> > > Sorry, You've lost me there - where do i find the primary LDAP
> > > attribute?

> >
> > If you go to the LDAP Group object you can access the attribute
> > mappings. Click on the CN mapping and you'll see NDS Attributes
> > and LDAP Attributes. Here you'll find the primary and secondary LDAP
> > attribute.

>
> Duh, I hadn't tried clicking on the Modify button!
> Well, the primary LDAP attribute is cn and the secondary is
> commonname. It's the same on the other servers' LDAP Group objects
> too.


Hmm... I have no clue what is going on here, to be honest. Maybe delete
your LDAP Server and LDAP Group objects and recreate them?

--
Cheers,
Edward

Re: LDAP Server configuration problem

>
> Hmm... I have no clue what is going on here, to be honest. Maybe delete
> your LDAP Server and LDAP Group objects and recreate them?
>


That worked! I've uninstalled LDAP, deleted both objects, re-installed LDAP
(I received a -603 error when I did that; the error message said to create
the LDAP objects manually in ConsoleOne), then re-created both objects and it
works just fine now.
Thanks very much for helping with this.

Cheers,
Ian

Re: LDAP Server configuration problem

imoore@hamcoll.sa.edu.au wrote:

> That worked! I've uninstalled LDAP, deleted both objects,
> re-installed LDAP (I received a -603 error when I did that; the error
> message said to create the LDAP objects manually in ConsoleOne), then
> re-created both objects and it works just fine now.
> Thanks very much for helping with this.


Nice 🙂 Thanks for the feedback. Glad you got it resolved.

--
Cheers,
Edward