ramesh9 Acclaimed Contributor.

OMI Integration with LDAP in secure mode

Hello All

OMI 10.60 on Linux.

We are planning to integrate OMI with LDAP and integration is successful for non-secure integration.

However, when we try to integrate over TLS (secure connection) and enter the following URL,

ldaps://etisalat.corp.ae:636/DC=test,DC=example,DC=com

it throws the error below:

LDAP Server URL not valid.

Please note we had imported LDAP root certificates into OMI as discussed in OMI admin guide.

Please clarify if we need to configure anything other than above.

5 Replies
LuiR Super Contributor.

Re: OMI Integration with LDAP in secure mode

Hi

I've got the exact same problem. I am trying to set up our OMi to use LDAPS instead of LDAP login. I started out using ldap and default port 389. This works, but it took forever to log in. I was unable to use ldaps on port 636. LDAP Configuration in OMi keeps saying "LDAP server url not valid".

I was advised by support to use the AD Global Catalog ports instead to overcome the login delay issue.

I first tried using ldap and port 3268; this works and all login delays are gone. But my AD admin wants me to use ldaps, and I am just not allowed to enter an ldaps URL and use port 3269 (secure), just like I could not use ldaps and 636.

In the LDAP server url I've tried:

normal ldap on port 389:
ldap://servername:389/DC=,DC=,DC=??sub        (this works)

secure ldaps on port 636:
ldaps://servername:636/DC=,DC=,DC=??sub        (LDAP server url not valid error)

global catalog ldap on 3268:
ldap://servername:3268/DC=,DC=,DC=??sub        (this works)

secure global catalog ldaps on 3269:
ldaps://servername:3269/DC=,DC=,DC=??sub    (LDAP server url not valid error)

What do I need to do to be able to enter an ldaps URL?

I have also imported the certificate from my AD guys. My OMi 10.60 is running on Windows 2012 (separate DPS and GW servers).

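The URLs tried above follow the RFC 4516 form `ldap[s]://host[:port]/dn?attributes?scope?filter`, and every one of them (placeholder `DC=` values included) is syntactically well formed, which is why the thread moves on to certificates. The checker below is an added illustration, not OMi code: it applies only the RFC grammar (OMi's own "URL check" is not documented in this thread, so that is an assumption), and lets you separate a genuinely malformed URL from a trust-store problem.

```python
"""Syntax checker for LDAP/LDAPS server URLs in the RFC 4516 form used in this thread:
ldap[s]://host[:port][/dn[?attributes[?scope[?filter]]]]

Added example, not OMi's code. Assumption: only the RFC grammar is applied; the host
is required here (RFC 4516 allows it to be empty, OMi's form does not)."""
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
SCOPES = {"", "base", "one", "sub"}

# ldap(s)://host[:port][/rest]; a host name may not contain '/', '?' or ':'
_URL_RE = re.compile(r"^(ldaps?)://([^/?:]*)(?::(\d+))?(?:/(.*))?$", re.IGNORECASE)
# host name labels per RFC 1123 (IPv6 literals deliberately not handled)
_HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")
# RFC 4514 RDN: type=value, value may be empty (as in the thread's "DC=" placeholders);
# '\,' escapes a comma inside a value, '+' joins multi-valued RDNs
_RDN_RE = re.compile(
    r"^[A-Za-z][A-Za-z0-9-]*=(?:[^,+\\]|\\.)*"
    r"(?:\+[A-Za-z][A-Za-z0-9-]*=(?:[^,+\\]|\\.)*)*$")


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str = ""
    attributes: List[str] = field(default_factory=list)
    scope: str = "base"
    filter: str = "(objectClass=*)"


def parse_ldap_url(url: str) -> LdapUrl:
    """Parse and validate; raises ValueError naming the offending component."""
    m = _URL_RE.match(url.strip())
    if not m:
        raise ValueError("scheme must be ldap:// or ldaps:// followed by a host")
    scheme = m.group(1).lower()
    host = m.group(2)
    if not _HOST_RE.match(host):
        raise ValueError(f"invalid host {host!r}")
    port = int(m.group(3)) if m.group(3) else DEFAULT_PORTS[scheme]
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    # the path is dn ? attributes ? scope ? filter, each part optional
    parts = (m.group(4) or "").split("?", 3)
    parts += [""] * (4 - len(parts))
    dn_raw, attrs_raw, scope_raw, filter_raw = parts
    base_dn = unquote(dn_raw)
    if base_dn:
        # split on commas that are not escaped with a backslash
        for rdn in re.split(r"(?<!\\),", base_dn):
            if not _RDN_RE.match(rdn):
                raise ValueError(f"invalid RDN {rdn!r} in base DN")
    attributes = [a for a in attrs_raw.split(",") if a]
    scope = scope_raw.lower()
    if scope not in SCOPES:
        raise ValueError(f"invalid scope {scope_raw!r} (expected base, one or sub)")
    ldap_filter = unquote(filter_raw) or "(objectClass=*)"
    if not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
        raise ValueError(f"invalid filter {ldap_filter!r}")
    return LdapUrl(scheme, host, port, base_dn, attributes, scope or "base", ldap_filter)


def is_valid_ldap_url(url: str) -> bool:
    """True when the URL passes the RFC 4516 checks above."""
    try:
        parse_ldap_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # the URLs posted in this thread (placeholder DNs included) are all well formed
    for u in ("ldap://servername:389/DC=,DC=,DC=??sub",
              "ldaps://servername:636/DC=,DC=,DC=??sub",
              "ldaps://servername:3269/DC=,DC=,DC=??sub",
              "ldaps://etisalat.corp.ae:636/DC=test,DC=example,DC=com"):
        print(u, "->", "valid" if is_valid_ldap_url(u) else "INVALID")
```

Run it against the URL you intend to paste into OMi; if the parser accepts it and OMi still rejects it, the problem is not the URL text, which matches the direction the thread ends up taking.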
philwhite Valued Contributor.

Re: OMI Integration with LDAP in secure mode

I have not done this on OMi yet however we have done this with Proactivenet.  Both are similar in how they implement LDAPS.  They both use keytool/keystore.  We were able to get it to work in one environment but on another we ran into the issue of a cipher mismatch.  My guess is if there is anything custom in regards to security then you may have issues.  BTW Splunk just works out of the box for LDAPS.  I know completely unhelpful.  I'll be in the same boat soon.

LuiR Super Contributor.

Re: OMI Integration with LDAP in secure mode

Hi ramesh9. I would very much like to know if you solved this?

I have a support case about this going. But it's kind of stalled; what I did get out from support is that the "URL check" does check if there is a certificate loaded. I suspect that the loaded certificate needs to include the AD url in either the subject or issuer field. I can't seem to figure out how this is read. I have tried doing several certificates that include the url in different ways in the subject field like:

Subject: CN=domain.domain.com

and

Subject: CN=Certificate-name, domain, domain, com

DC= domain

DC= domain

DC= com

But I still cannot get OMi to accept the ldaps URL in the LDAP configuration. I have tested with AD DS (ldp.exe) with the above mentioned certificate, SSL enabled and port 3269/636, and this works.

ramesh9 Acclaimed Contributor.

Re: OMI Integration with LDAP in secure mode

Hi

We have not solved it, even though a support case is ongoing with the product team.

In short, LDAPS is not working, even though the product team claims it is working in their environment with the same OMI version.

LuiR Super Contributor.

Re: OMI Integration with LDAP in secure mode

Hi Ramesh9

I did get it to work, in my case it was a faulty certificate provided by my AD guys. Have you tried testing the connection with another tool?

My OMi is on a Windows 2012R2 server, so I installed "Active Directory Lightweight Directory Services", which included "ldp.exe"; afterwards I loaded the certificate in Local Computer / Trusted Root Certification Authorities. I could then verify the SSL connection to the LDAPS server. If you get an error 81, it's the certificate that's the problem.

I did still have a problem with group mapping when using OMi 10.12, but I've since updated to 10.62 and this problem is resolved there.

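The resolution above came from testing the LDAPS endpoint with a tool outside OMi: ldp.exe on Windows, where error 81 points at the certificate. The following is an added example (not OMi's or Micro Focus's code) that performs the same check with Python's standard `ssl` module, so it can be run on a Linux OMi host like the one in the original question. It verifies that the server certificate chains to the CA file you pass in and that the certificate names the host you connect to, and classifies the failure so that a certificate problem is distinguished from a plain connection failure. The host name and CA file path in the `__main__` block are placeholders, not values from this thread.

```python
"""Check that an LDAPS endpoint presents a certificate that chains to a trusted CA and
matches the host name, the verification done with ldp.exe above, here done with Python's
ssl module. Added example; the CA file path and host name are illustrative assumptions."""
import socket
import ssl
from typing import Optional


def check_ldaps_certificate(host: str, port: int = 636,
                            cafile: Optional[str] = None,
                            timeout: float = 5.0) -> dict:
    """Return a dict describing the outcome instead of raising.

    'kind' is:
      'cafile'      the CA file could not be loaded
      'connection'  no TCP connection (refused, timed out, unresolved name)
      'tls'         handshake failed for a reason other than verification
      'certificate' handshake reached the certificate but chain or host name
                    validation failed (the counterpart of ldp.exe error 81)
    """
    try:
        # cafile=None falls back to the OS trust store; pass the AD root CA PEM
        # to mirror what was imported into OMi's keystore
        ctx = ssl.create_default_context(cafile=cafile)
    except OSError as exc:
        return {"ok": False, "kind": "cafile", "error": f"cannot load CA file: {exc}"}
    ctx.check_hostname = True            # certificate must name the host we connect to
    ctx.verify_mode = ssl.CERT_REQUIRED  # an untrusted chain is a hard failure
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "kind": None,
                    "tls_version": tls.version(),
                    "subject": cert.get("subject"),
                    "subject_alt_name": cert.get("subjectAltName"),
                    "not_after": cert.get("notAfter"),
                    "error": None,
                }
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "kind": "certificate", "error": exc.verify_message or str(exc)}
    except ssl.SSLError as exc:          # before OSError: SSLError is a subclass of it
        return {"ok": False, "kind": "tls", "error": str(exc)}
    except OSError as exc:
        return {"ok": False, "kind": "connection", "error": str(exc)}


def summarize(result: dict) -> str:
    """One-line verdict suitable for a checklist or log entry."""
    if result["ok"]:
        return f"OK: {result['tls_version']}, SAN={result['subject_alt_name']}"
    return f"FAILED ({result['kind']}): {result['error']}"


if __name__ == "__main__":
    # placeholder host name and CA path; substitute your domain controller and the
    # root CA PEM you imported into OMi
    print(summarize(check_ldaps_certificate("dc01.example.com", 636,
                                            cafile="/path/to/ad-root-ca.pem")))
```

A `certificate` result with a message about the host name means the certificate's subject or subjectAltName does not cover the name in your ldaps URL; a message about the issuer or self-signed chain means the CA file you passed is not the one that issued the domain controller's certificate. Either way the fix is on the certificate side, not in OMi's URL field, which is the conclusion the thread reaches.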