ALERT! The community will be read-only starting on April 19, 8am Pacific as the migration begins. Read more for important details.
ALERT! The community will be read-only starting on April 19, 8am Pacific as the migration begins.Read more for important details.
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class

iManager & Role Based Entitlements

I'm re-posting this here as I didn't get any response from the original post linked below:


A while back we had to re-create our Organisational CA and server certificates. (Don't ask why...) Everything seemed to go well except for one issue I've been having since.

We have OES2 SP3 (eDir 8.8 SP6) running on SLES 10 SP3.
iManager version is 2.7.4
Identity Manager Version is 3.6.1

When I try to edit a role based entitlement I get the error:

"Unable to obtain an LDAP context. Possible causes: the LDAP server is not running, or the LDAP server is for a tree other than the one iManager was originally set up for, and SSL has not been set up between the iManager server and the LDAP server. Either start the LDAP server, or set up SSL by importing a trusted certificate. "

I have tried deleting the iMKS file and importing the certificate manually as detailed here:

There are plenty of other pages showing the same method of resolving this issue but none have worked.

Any ideas?

Labels (2)
2 Replies
Knowledge Partner Knowledge Partner
Knowledge Partner

For some reason I cannot find your old post via NNTP, though I see it on
the web interface. Perhaps the gateway had a problem, which would have
limited your responses. Either way, for future reference, you may want to
post questions on the RBE features in the iManager or IDM forums, both
located on (same looking page, same account,
just focused on the NetIQ products, including those moved over from
Novell). Also, for iManager problems, same thing: try the iManager forum
specifically on the NetIQ site. Considering you've been with Novell for a
while, it's definitely understandable that you'd look here for those
forums, though, as they used to be on this site.

The vast majority of iManager functions use NCP exclusively; adding users,
modifying them, associating with groups, setting up file services
(CIFS/SMB/AFP/NSS), managing most of IDM, configuring LDAP services
provided by eDirectory, etc.. eDirectory, after all, is NCP-based and
LDAP is an interface added to it to do things that work better via LDAP.
Thus, most things work just fine no matter what you do via LDAP.

In your case you are describing one of the few services where iManager
actually needs to work with eDirectory via LDAP. Other examples including
working with Universal Password (UP) under the Passwords role. In these
cases iManager uses eDirectory to find appropriate LDAP services and then
connects to those as well for specific operations. As a result, we look
at LDAP as it sounds like you have already done. TID# 7008836 seems to
have very similar instructions to the documentation link you posted, but
you may find it useful in some way.

You mentioned recreating your CA and server certificates (Key Material
Objects, or KMOs). Doing this SHOULD have made it so all certificates you
created (presumably after the CA change) would be minted by the new CA, so
if you browse to those certificates you should see them with a Trusted
Root of the new CA, which should have (by default) an expiration ten years
from its creation (individual KMOs expire by default two years after
creation). With this verified, your LDAP Server object (for which there
is usually one per NCP/eDirectory server) will also have a link to one
KMO. If you did not delete old certificates, it is very possible that the
LDAP Server is still pointed to an old KMO and using it happily even
though the rest of the tree is using new data, and the old KMO may be
expired causing issues with clients (like iManager). Be sure to check
that. If pointed to an old KMO, point it to a new one and then restart
eDirectory (or maybe just the LDAP module).

Other things you may try include setting up iManager Workstation 2.7 SP7;
it runs on your workstation and then otherwise acts like the server in
most areas. Getting old IDM 3.6.1 plugins on there may be the hardest
part, but really should not be that hard if you have the IDM media
somewhere. With this you can test pointing to your enviornment to see if
anything works there, ruling in/out a weird iManager problem.

Also, is it safe to assume that eDirectory 8.8 SP6 is the latest version
in your tree? If 8.8 SP8 exists there is a change in LDAP configuration
data, specifically the ldapInterfaces attribute on the LDAP Server object,
which can cause LDAP-using plugins to have a hard time finding 8.8 SP8
servers specifically.

Lastly, especially if you have iManager Workstation or if you have
iManager on a non-eDirectory box, getting a LAN trace could help us see
exactly what iManager is doing on the wire, and then isolate better why it
is failing.

Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class


Thanks very much for the information. It's given me a few things to check and try. I've managed to re-create the problem in a test environment so I can try it there first.


The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.