LDAP Server on OES, Cannot connect from client

cstech_swansea (Absent Member):

Hi,

Could anyone help with the configuration of the LDAP server on a SLES/OES installation?

I have the server up and running, am able to LUM-enable users, and have Samba working as a PDC, which is all working correctly. However, I am trying to connect an LDAP client to the server but am unable to get it to connect.

From an LDAP client I am able to browse the server using non-TLS/SSL connections and fetch the base DN, but I am not able to authenticate any users to the LDAP server. I am also unable to get it to connect with TLS/SSL, which is what I wish to do.

Do I have to do something with the SSL certificates from the OES server, copy them to the client?

Any help would be most appreciated.
6 Replies
kjhurni (Knowledge Partner):

cstech_swansea;2210054 wrote:
Hi,

Could anyone help with the configuration of the LDAP server on a SLES/OES installation?

I have the server up and running, am able to LUM-enable users, and have Samba working as a PDC, which is all working correctly. However, I am trying to connect an LDAP client to the server but am unable to get it to connect.

From an LDAP client I am able to browse the server using non-TLS/SSL connections and fetch the base DN, but I am not able to authenticate any users to the LDAP server. I am also unable to get it to connect with TLS/SSL, which is what I wish to do.

Do I have to do something with the SSL certificates from the OES server, copy them to the client?

Any help would be most appreciated.


When you setup eDirectory, did you leave the default options checked? I believe one of them mentions to use TLS for binding. I normally uncheck that. But if you left it the default, then you will HAVE to use TLS/SSL to do any bind operations.

In that case, it's up to the program you are using as to how it needs to deal with the SSL certs.

Which software are you using that needs to do the binds?
Stevo (Absent Member):

cstech swansea sounds like they 'said':

>
> Hi,
>
> Could anyone help with the configuration of the LDAP server on a SLES/OES
> installation?
>
> I have the server up and running, am able to LUM-enable users, and have
> Samba working as a PDC, which is all working correctly. However, I am
> trying to connect an LDAP client to the server but am unable to get it to
> connect.
>
> From an LDAP client I am able to browse the server using non-TLS/SSL
> connections and fetch the base DN, but I am not able to authenticate
> any users to the LDAP server. I am also unable to get it to connect
> with TLS/SSL, which is what I wish to do.
>
> Do I have to do something with the SSL certificates from the OES
> server, copy them to the client?
>
> Any help would be most appreciated.


So my response to cstech's comment is...

Sounds like a DSfW server. If it is, might try changing the LDAP ports used for connecting to 1389 and 1636. I know that if I use the DNS console and point it to one of my DSfW servers, those are the ports I need to use instead of 389 & 636.

--
Stevo
cstech_swansea (Absent Member):

I have tried to connect another SLES server to the OES server, and an openSUSE client to the OES server, with no luck.

I don't mind using non-TLS/SSL connections (I would prefer to) if I can get that to work, but as I say, I can fetch the base DN but still cannot authenticate to the server for any users. I get this error from the client when trying to connect:

Jul 31 17:00:59 server nscd: nss-ldap: do_open: do_start_tls failed:stat=-1
Jul 31 17:00:59 server nscd: nss-ldap: do_open: do_start_tls failed:stat=-1
Jul 31 17:00:59 server nscd: nss_ldap: could not search LDAP server - Server is unavailable

I have the OES server set up with these options for the LDAP server in iManager:

Server Certificate: SSL CertificateDNS
Client Certificate: Not Requested
Trusted Root Containers: NONE

Require TLS for all operations : - Unchecked
Enable and require mutual authentication : - Unchecked

and these for the LDAP group in iManager:

Authentication Options
Proxy user: NONE

Require TLS for Simple Binds with Password: - Unchecked



kjhurni;2210080 wrote:
When you setup eDirectory, did you leave the default options checked? I believe one of them mentions to use TLS for binding. I normally uncheck that. But if you left it the default, then you will HAVE to use TLS/SSL to do any bind operations.

In that case, it's up to the program you are using as to how it needs to deal with the SSL certs.

Which software are you using that needs to do the binds?
cstech_swansea (Absent Member):
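Pulling together the checks raised so far (kjhurni: eDirectory may require TLS for binds, and the client must then deal with the server's certificate; Stevo: a DSfW server listens on 1389/1636 rather than 389/636; and the nss_ldap "do_start_tls failed" lines just above), here is an added shell probe that is not code from the thread. It splits "anonymous browse works but binds fail" into port, certificate-trust and bind-policy problems using OpenLDAP's ldapsearch and openssl on the client. The hostname, base DN and bind DN on the usage line are placeholders, and the exit-code table assumes ldapsearch's convention of exiting with the LDAP result code (255 when the server cannot be contacted at all).

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts).
# Probe an eDirectory/OES LDAP server the way the client in the thread does,
# so "anonymous browse works but binds fail" can be split into port,
# certificate-trust and bind-policy problems.
# Assumptions: OpenLDAP's ldapsearch and openssl are installed on the client;
# hostname, base DN and bind DN are placeholders passed on the command line.

# Standard eDirectory LDAP ports versus the alternate ports Stevo mentions for
# a DSfW (Domain Services for Windows) server.
ldap_ports() {
    case "$1" in
        dsfw) echo "1389 1636" ;;
        *)    echo "389 636" ;;
    esac
}

# Translate an ldapsearch exit status (the LDAP result code; 255 when the
# server could not be contacted at all) into the next thing to check.
explain_rc() {
    case "$1" in
        0)   echo "ok" ;;
        13)  echo "confidentialityRequired: server insists on TLS for this bind (use -ZZ or ldaps://)" ;;
        32)  echo "noSuchObject: base DN or bind DN does not exist" ;;
        49)  echo "invalidCredentials: bind DN/password rejected" ;;
        50)  echo "insufficientAccessRights: bind user lacks trustee rights on that subtree" ;;
        255) echo "server unreachable: wrong port, firewall, or TLS handshake failed (CA not trusted?)" ;;
        *)   echo "LDAP result code $1" ;;
    esac
}

# Save every certificate the server presents on its TLS port as PEM and show
# the leaf's subject, issuer and SHA-256 fingerprint for comparison with what
# iManager displays for the server's "SSL CertificateDNS" object.
fetch_server_certs() {
    host="$1"; port="$2"; out="$3"
    openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
    [ -s "$out" ] && openssl x509 -in "$out" -noout -subject -issuer -fingerprint -sha256
}

# The three probes the thread turns on: anonymous read of the base DN,
# StartTLS verified against the saved certificates, and a simple bind as a
# dedicated LDAP user over ldaps. Each prints explain_rc's verdict.
# "1.1" asks for no attributes, so only the bind and base DN are exercised.
probe() {
    host="$1"; mode="$2"; base="$3"; binddn="$4"; cacert="$5"
    set -- $(ldap_ports "$mode"); plain="$1"; tls="$2"

    printf 'anonymous base DN read on %s: ' "$plain"
    ldapsearch -x -H "ldap://$host:$plain" -b "$base" -s base 1.1 >/dev/null 2>&1
    explain_rc $?

    printf 'StartTLS (CA verified) on %s: ' "$plain"
    LDAPTLS_CACERT="$cacert" ldapsearch -x -ZZ -H "ldap://$host:$plain" \
        -b "$base" -s base 1.1 >/dev/null 2>&1
    explain_rc $?

    printf 'simple bind as %s over ldaps on %s: ' "$binddn" "$tls"
    LDAPTLS_CACERT="$cacert" ldapsearch -x -W -D "$binddn" -H "ldaps://$host:$tls" \
        -b "$base" -s base 1.1 >/dev/null 2>&1
    explain_rc $?
}

# Usage: sh ldap-probe.sh oes.example.com dsfw "o=acme" "cn=ldapproxy,o=acme"
# (placeholder names; use std instead of dsfw for a plain eDirectory server)
if [ "$#" -ge 4 ]; then
    set -- "$1" "$2" "$3" "$4" "$(ldap_ports "$2" | cut -d' ' -f2)"
    fetch_server_certs "$1" "$5" /tmp/oes-server-certs.pem
    probe "$1" "$2" "$3" "$4" /tmp/oes-server-certs.pem
fi
```

The StartTLS probe points LDAPTLS_CACERT at the certificates the server itself presented, which is what the original question about "copying certificates to the client" amounts to: the client has to trust the issuer of the eDirectory server certificate before any StartTLS or ldaps bind can succeed, and nss_ldap's "do_start_tls failed" is the same failure seen from nscd. Trusting the presented leaf this way is only a diagnostic stopgap; export the tree's Organizational CA certificate from the server and install that on the client instead. A persistent 255 on the TLS port is then a trust or port problem, not a credentials problem, while 49 or 50 on the plain port means the connection is fine and the bind user or its rights are the issue.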

update

I am getting this from an ndstrace log when trying to authenticate to the eDirectory LDAP server

(137.44.6.11:59046)(0x0002:0x63) Sending operation result 0:"":"" to connection 0xe60b340
Monitor 0xfffffffffe07b700 found connection 0xe60b340 socket closed, err = -5871, 0 of 0 bytes read
Monitor 0xfffffffffe07b700 initiating close for connection 0xe60b340
Server closing connection 0xe60b340, socket error = -5871
Connection 0xe60b340 closed

anyone know what this is?
Andrew C Taubman (Absent Member):

cstech_swansea;2210391 wrote:
update

I am getting this from an ndstrace log when trying to authenticate to the eDirectory LDAP server

(137.44.6.11:59046)(0x0002:0x63) Sending operation result 0:"":"" to connection 0xe60b340
Monitor 0xfffffffffe07b700 found connection 0xe60b340 socket closed, err = -5871, 0 of 0 bytes read
Monitor 0xfffffffffe07b700 initiating close for connection 0xe60b340
Server closing connection 0xe60b340, socket error = -5871
Connection 0xe60b340 closed

anyone know what this is?

Did you try searching the KB? I found this:
Support | Error -5871 in LDAP trace

Andrew C Taubman (Sorry, support is not provided via e-mail) Opinions expressed above are not necessarily those of Micro Focus.
cstech_swansea (Absent Member):

Thanks for the info. To get it to connect I had to create a new user in eDirectory that had trustee rights to the areas I was searching within the tree, and then bind as that user from the LDAP client.
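The fix in the last post, a dedicated eDirectory user with trustee rights that the client binds as, ends up as a binddn/bindpw pair in the nss_ldap client file (/etc/ldap.conf on SLES and openSUSE, the file nscd's nss_ldap in the earlier error lines was reading). The shell functions below are an added example, not from the thread: render_ldap_conf writes that file with the bind user and StartTLS verified against a CA file, and check_ldap_conf flags the settings behind the two symptoms seen above (anonymous lookups that could read the base DN but not the users, and do_start_tls failing). Hostname, base DN, bind DN and CA path are placeholders, and the directive names are the PADL nss_ldap/pam_ldap ones SLES ships.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts).
# Write and audit the nss_ldap client configuration (/etc/ldap.conf on
# SLES/openSUSE) so the client binds as the dedicated eDirectory user from the
# last post and verifies the server certificate before StartTLS.
# Assumptions: PADL nss_ldap/pam_ldap directive names; all names are placeholders.

# Print a hardened /etc/ldap.conf to stdout. Redirect it into place and then
# replace CHANGE-ME with the proxy user's real password.
render_ldap_conf() {
    host="$1"; port="$2"; base="$3"; binddn="$4"; cacert="$5"
    cat <<EOF
# nss_ldap client settings for eDirectory on $host (generated; placeholder values)
uri ldap://$host:$port/
base $base
ldap_version 3

# Dedicated read-only account with trustee rights on the searched subtrees,
# in place of the anonymous ([Public]) identity that could only see the base DN.
binddn $binddn
bindpw CHANGE-ME

# StartTLS on the plain port, and fail if the server certificate does not
# chain to the CA in tls_cacertfile (the eDirectory tree's Organizational CA).
ssl start_tls
tls_checkpeer yes
tls_cacertfile $cacert

# Where nss_ldap looks for users and groups.
nss_base_passwd $base?sub
nss_base_group $base?sub
EOF
}

# Audit an existing ldap.conf. Prints one finding per line and returns 1 if
# any weak setting is present; bindpw produces a reminder but not a failure.
check_ldap_conf() {
    f="$1"; bad=0
    grep -Eq '^[[:space:]]*ssl[[:space:]]+(start_tls|on)' "$f" \
        || { echo "no 'ssl start_tls' or 'ssl on': the simple-bind password crosses the network in clear"; bad=1; }
    grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+yes' "$f" \
        || { echo "tls_checkpeer is not yes: any certificate is accepted, so TLS does not authenticate the server"; bad=1; }
    grep -Eq '^[[:space:]]*tls_cacert(file|dir)[[:space:]]+' "$f" \
        || { echo "no tls_cacertfile/tls_cacertdir: with tls_checkpeer yes the peer check has nothing to chain to and StartTLS fails"; bad=1; }
    grep -Eq '^[[:space:]]*binddn[[:space:]]+' "$f" \
        || { echo "no binddn: lookups run anonymously and only the base DN is readable"; bad=1; }
    grep -Eq '^[[:space:]]*bindpw[[:space:]]+' "$f" \
        && echo "note: bindpw is readable by every local process that does NSS lookups; keep the proxy account read-only"
    return $bad
}

# Usage (placeholders):
#   render_ldap_conf oes.example.com 389 o=acme cn=ldapproxy,o=acme /etc/ssl/certs/oes-ca.pem > /etc/ldap.conf
#   check_ldap_conf /etc/ldap.conf
```

Because every process that resolves a user or group reads this file, the bind password in it is effectively local-public; that is the reason to give the proxy account only read and compare rights on the subtrees nss_ldap searches, nothing more. Where only root-run services need privileged lookups, PADL's rootbinddn directive with the password in /etc/ldap.secret (mode 600) keeps it out of the world-readable file. The "Require TLS for Simple Binds with Password" option the OP left unchecked on the server is the other half of this: with it enabled, a client that falls back to a cleartext bind is refused instead of silently leaking the proxy password.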