Anonymous_User

Configuring SSPR, schema status says "unable to check schema: null"

I am attempting to configure SSPR 4.1 (appliance version) in my test
environment. I set it to authenticate against an eDirectory 9.03 tree.
I followed the guided configuration to completion, but when I tested the
application, I got an error 5045 -- unable to save challenge responses.
I checked the proxy user's rights as well as the user rights to [This],
and everything looked okay. I then decided to wipe the configuration
and start over. Now, when I get to the schema check/extension portion
of the guided configuration, I get "unable to check schema: null". If I
click 'Extend Schema', I get '5015 ERROR_UNKNOWN'.


What could be causing this?

Thanks

18 Replies

Knowledge Partner

Re: Configuring SSPR, schema status says "unable to check schema:null"

I'd probably check to see what you get from eDirectory, probably with the
LDAP filter in ndstrace, to see what is being attempted.

The first error sounded like maybe schema was not extended, so have you
tried looking to see if the (I think) pwmUser aux class is in your tree
with appropriate attributes as you would expect? Are you pointing to the
Master replica of the [root] partition to extend schema (not required, but
best practice for sure)?


ldapconfig set 'LDAP Screen Level=all' #soon to be a default
ndstrace
> set dstrace=nodebug
> dstrace +time +tags +ldap
> set dstrace=*m9999999
> dstrace file on
> set dstrace=*r


#perform test here

> dstrace file off
> quit



Post the ndstrace.log file by default at
/var/opt/novell/eDirectory/log/ndstrace.log for us to review.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Anonymous_User

Re: Configuring SSPR, schema status says "unable to check schema:null"

ab,

>
> Post the ndstrace.log file by default at
> /var/opt/novell/eDirectory/log/ndstrace.log for us to review.
>


NDS trace log can be found here: https://pastebin.com/q5UiqwUK


Thanks

Knowledge Partner

Re: Configuring SSPR, schema status says "unable to check schema:null"

Looks like your CA is not trusted:


3191437056 LDAP: [2017/07/24 14:54:10.955] New TLS connection 0xfa223c0 from 10.80.6.139:50800, monitor = 0xbf1a5700, index = 17
3206174464 LDAP: [2017/07/24 14:54:10.955] Monitor 0xbf1a5700 initiating TLS handshake on connection 0xfa223c0
3212490496 LDAP: [2017/07/24 14:54:10.955] (10.80.6.139:50800)(0x0000:0x00) DoTLSHandshake on connection 0xfa223c0
3212490496 LDAP: [2017/07/24 14:54:10.961] (10.80.6.139:50800)(0x0000:0x00) TLS accept failure 1 on connection 0xfa223c0, setting err = -5875. Error stack: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown - SSL alert number 46
3212490496 LDAP: [2017/07/24 14:54:10.961] (10.80.6.139:50800)(0x0000:0x00) TLS handshake failed on connection 0xfa223c0, err = -5875
3212490496 LDAP: [2017/07/24 14:54:10.961] BIO ctrl called with unknown cmd 7
3212490496 LDAP: [2017/07/24 14:54:10.961] Server closing connection 0xfa223c0, socket error = -5875
3212490496 LDAP: [2017/07/24 14:54:10.962] Connection 0xfa223c0 closed




When you configured SSPR to point to eDirectory did you have it import the
CA and trust it as well? Do you have multiple LDAP servers configured
within SSPR? Do they all have certificates used from the same CA (meaning
trusting one of them would trust all of them)?


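A small parser for ndstrace LDAP lines like the ones quoted above: it pairs each TLS connection with its handshake outcome and decodes the SSL alert number, so the failing client and the reason can be picked out of a long trace instead of read by eye. This is an added example, not code from the thread or from eDirectory/SSPR; the sample consists of the lines quoted above (re-joined onto single lines) plus two constructed lines for a connection that closes cleanly.

```python
import re

# Constructed sample: the ndstrace entries quoted in the thread, re-joined onto
# single lines, plus two made-up lines for a connection that closes cleanly.
SAMPLE_LOG = """\
3191437056 LDAP: [2017/07/24 14:54:10.955] New TLS connection 0xfa223c0 from 10.80.6.139:50800, monitor = 0xbf1a5700, index = 17
3212490496 LDAP: [2017/07/24 14:54:10.955] (10.80.6.139:50800)(0x0000:0x00) DoTLSHandshake on connection 0xfa223c0
3212490496 LDAP: [2017/07/24 14:54:10.961] (10.80.6.139:50800)(0x0000:0x00) TLS accept failure 1 on connection 0xfa223c0, setting err = -5875. Error stack: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown - SSL alert number 46
3212490496 LDAP: [2017/07/24 14:54:10.961] (10.80.6.139:50800)(0x0000:0x00) TLS handshake failed on connection 0xfa223c0, err = -5875
3212490496 LDAP: [2017/07/24 14:54:10.961] Server closing connection 0xfa223c0, socket error = -5875
3212490496 LDAP: [2017/07/24 14:54:10.962] Connection 0xfa223c0 closed
3191437056 LDAP: [2017/07/24 14:55:02.100] New TLS connection 0xfa22500 from 10.80.6.140:50801, monitor = 0xbf1a5700, index = 18
3212490496 LDAP: [2017/07/24 14:55:09.400] Connection 0xfa22500 closed
"""

NEW_CONN = re.compile(r"New TLS connection (0x[0-9a-f]+) from (\d+(?:\.\d+){3}:\d+)")
FAILURE = re.compile(r"TLS accept failure \d+ on connection (0x[0-9a-f]+), "
                     r"setting err = (-?\d+)\..*SSL alert number (\d+)")
CLOSED = re.compile(r"Connection (0x[0-9a-f]+) closed")

# TLS alert names from RFC 5246 section 7.2.2. OpenSSL reports an alert inside
# ssl3_read_bytes when it is *received* from the peer, so alert 46 here means the
# LDAP client (SSPR) rejected the certificate eDirectory presented.
ALERTS = {42: "bad_certificate", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca"}

def parse_ndstrace(text):
    """Correlate TLS events per connection, keyed on the connection handle."""
    conns = {}
    for line in text.splitlines():
        m = NEW_CONN.search(line)
        if m:
            conns[m.group(1)] = {"peer": m.group(2), "err": None, "alert": None, "closed": False}
            continue
        m = FAILURE.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)]["err"] = int(m.group(2))
            conns[m.group(1)]["alert"] = int(m.group(3))
            continue
        m = CLOSED.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)]["closed"] = True
    return conns

def failed_handshakes(text):
    """(peer, eDirectory error code, TLS alert number, alert name) per failed handshake."""
    return [(c["peer"], c["err"], c["alert"], ALERTS.get(c["alert"], "unknown"))
            for c in parse_ndstrace(text).values() if c["err"] is not None]
```

Feed it the whole ndstrace.log and only the connections that received an alert are reported, with the peer address identifying which client (here SSPR) did the rejecting.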
Anonymous_User

Re: Configuring SSPR, schema status says "unable to check schema:null"

ab,

> Looks like your CA is not trusted:
>

<snip>
>
>
> When you configured SSPR to point to eDirectory did you have it import the
> CA and trust it as well? Do you have multiple LDAP servers configured
> within SSPR? Do they all have certificates used from the same CA (meaning
> trusting one of them would trust all of them)?
>


I'm not sure how to answer question 1...

During the guided configuration process, on the 'LDAP Server
Certificates' page, I see two certificates. Certificate 0 has a subject
name that matches the DNS name of the server I've chosen as my LDAP
source. Certificate 1 is the organizational CA for that tree. There is
no option to edit these or select some other cert.

Since there appeared to be no other way to proceed with the
configuration, I checked the box that says "use application to manage
certificate(s) and import certificates into configuration file".


Knowledge Partner

Re: Configuring SSPR, schema status says "unable to check schema:null"

On 07/25/2017 06:41 AM, Black, Douglas wrote:
>>
>> When you configured SSPR to point to eDirectory did you have it import the
>> CA and trust it as well? Do you have multiple LDAP servers configured
>> within SSPR? Do they all have certificates used from the same CA (meaning
>> trusting one of them would trust all of them)?
>>

>
> Since there appeared to be no other way to proceed with the configuration,
> I checked the box that says "use application to manage certificate(s) and
> import certificates into configuration file".


That sounds about right, so at least the server you pointed to then should
be trusted, but then it is odd that your client (SSPR) is closing the
connection with that SSL alert. I suppose to be clear, it looks like the
client is closing the connection, but a LAN/wire trace would be able to
confirm that better. Assuming you are still pointing to just the one
eDirectory server there should not be any concern about different CAs
behind different LDAP interfaces, so we can rule that out until you add a
second LDAP server into the SSPR configuration (assuming you have not done
so already).

I guess I would probably start over and see if it happens to work.
Alternatively, maybe check the LDAP server configuration to see if it is
oddly requiring client certificates or mutual authentication or something,
which may then cause that interface to reject your SSPR connections
because they lack those certificates, though this is all a bit in left field.

Anonymous_User

Re: Configuring SSPR, schema status says "unable to check schema:null"

ab,
>
> That sounds about right, so at least the server you pointed to then should
> be trusted, but then it is odd that your client (SSPR) is closing the
> connection with that SSL alert. I suppose to be clear, it looks like the
> client is closing the connection, but a LAN/wire trace would be able to
> confirm that better. Assuming you are still pointing to just the one
> eDirectory server there should not be any concern about different CAs
> behind different LDAP interfaces, so we can rule that out until you add a
> second LDAP server into the SSPR configuration (assuming you have not done
> so already).
>
> I guess I would probably start over and see if it happens to work.
> Alternatively, maybe check the LDAP server configuration to see if it is
> oddly requiring client certificates or mutual authentication or something,
> which may then cause that interface to reject your SSPR connections
> because they lack those certificates, though this is all a bit in left field.
>

I went through the configuration again. This time, just to see what
would happen, I ignored the error about being unable to read the schema,
and completed the configuration. I then logged into the application as
an ordinary user and tried to save my challenge questions. I got an SSPR
5045 error and the LDAP trace says pwmResponseSet is an illegal
attribute. Looking at the properties of that attribute in iManager, I see:
Syntax: Octet String
Asn ID: 1.3.6.1.4.1.35015.1.2.2
Attribute Flags: Synchronize immediately
Class using attribute: <none>

Shouldn't there be at least one object class permitted to use this
attribute? Maybe I should try nuking all the attributes that were added
by SSPR, then run through the install again?


Thanks

Knowledge Partner

Re: Configuring SSPR, schema status says "unable to check schema:null"

On 07/25/2017 07:48 AM, Black, Douglas wrote:
>
> I went through the configuration again. This time, just to see what would
> happen, I ignored the error about being unable to read the schema, and
> completed the configuration. I then logged into the application as an
> ordinary user and tried to save my challenge questions. I got an SSPR 5045
> error and the LDAP trace says pwmResponseSet is an illegal attribute.
> Looking at the properties of that attribute in iManager, I see:
> Syntax: Octet String
> Asn ID: 1.3.6.1.4.1.35015.1.2.2
> Attribute Flags: Synchronize immediately
> Class using attribute: <none>
>
> Shouldn't there be at least one object class permitted to use this
> attribute? Maybe I should try nuking all the attributes that were added
> by SSPR, then run through the install again?


Yes, and that is probably the problem. I think the aux class is named
pwmUser and should be linked to these various pwm* things. Is an LDIF
still included with the install media which may be used manually to extend
schema? Worst case I can probably find a tree of mine with it and paste
the appropriate LDIF here.

If you can try extending schema from the application now that may be
interesting since apparently SSPR can talk to your tree just fine via
LDAP, meaning no more problems with the CA.

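A check in the spirit of ab's suggestion: given an LDAP schema dump in RFC 4512 notation, list every pwm* attribute that no object class (such as the pwmUser aux class) is permitted to carry, which is exactly the "Class using attribute: <none>" state seen in iManager. This is added example code, not part of the thread or of SSPR; the schema excerpt is constructed, with only the pwmResponseSet OID taken from the thread and the other OIDs being placeholders.

```python
import re

# Constructed schema excerpt in RFC 4512 notation. The pwmResponseSet OID is the one
# quoted in the thread; the pwmUser class OID and the other two attribute OIDs are
# illustrative placeholders, not copied from SSPR's schema file. pwmUser deliberately
# omits pwmResponseSet from its MAY list to reproduce the broken state described
# in the thread.
SCHEMA = """\
attributeTypes: ( 1.3.6.1.4.1.35015.1.2.2 NAME 'pwmResponseSet' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.35015.1.2.900 NAME 'pwmLastPwdUpdate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.35015.1.2.901 NAME 'pwmEventLog' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
objectClasses: ( 1.3.6.1.4.1.35015.1.1.900 NAME 'pwmUser' AUXILIARY MAY ( pwmLastPwdUpdate $ pwmEventLog ) )
"""

DEFINITION = re.compile(r"^(attributeTypes|objectClasses):\s*\((.*)\)\s*$", re.M)
NAME = re.compile(r"\bNAME\s+'([^']+)'")
MEMBERS = re.compile(r"\b(MUST|MAY)\s+(?:\(([^)]*)\)|(\S+))")

def parse_schema(text):
    """Return (attribute names, {class name: attributes it MUST or MAY carry})."""
    attrs, classes = set(), {}
    for kind, body in DEFINITION.findall(text):
        name = NAME.search(body)
        if not name:
            continue
        if kind == "attributeTypes":
            attrs.add(name.group(1))
            continue
        members = set()
        for _, grouped, single in MEMBERS.findall(body):
            members.update(a.strip() for a in (grouped or single).split("$") if a.strip())
        classes[name.group(1)] = members
    return attrs, classes

def classes_using(attr, classes):
    """Equivalent of iManager's 'Class using attribute' field."""
    return sorted(c for c, members in classes.items() if attr in members)

def unbound_attributes(text, prefix="pwm"):
    """Attributes with the given prefix that no object class is permitted to carry."""
    attrs, classes = parse_schema(text)
    return sorted(a for a in attrs if a.startswith(prefix) and not classes_using(a, classes))
```

An attribute that comes back from unbound_attributes is one eDirectory will refuse with an illegal-attribute error on write, which matches the 5045/-608 symptom in the thread.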
Anonymous_User

Re: Configuring SSPR, schema status says "unable to check schema:null"

ab,

I don't know for sure that this is an approved fix, but via iManager I
added all attributes beginning with 'pwm' to the pwmUser object class,
and SSPR is now able to save my challenge responses. On to more testing.



Thanks again!

Anonymous_User

Re: Configuring SSPR, schema status says "unable to check schema:null"


>
> I don't know for sure that this is an approved fix, but via iManager I
> added all attributes beginning with 'pwm' to the pwmUser object class,
> and SSPR is now able to save my challenge responses. On to more testing.
>



Not quite there yet. It lets me change the password for an account, but
eDirectory sees it as an administrative change, i.e., it expires
immediately.

Maybe a clean reinstall (after removing the pwm* attributes and object
class) is the way to go.


Knowledge Partner

Re: Configuring SSPR, schema status says "unable to check schema:null"

On 07/25/2017 08:47 AM, Black, Douglas wrote:
>
> Not quite there yet. It lets me change the password for an account, but
> eDirectory sees it as an administrative change, i.e., it expires immediately.


Well yes, if you changed another account's password then it WAS an
administrative change. If you changed it as the user itself, then you'll
probably need to specify that as I am not assuming so based on what you
wrote above.

> Maybe a clean reinstall (after removing the pwm* attributes and object
> class) is the way to go.


I doubt any of that matters, but if you have time then we will see.

Anonymous_User

Re: Configuring SSPR, schema status says "unable to check schema:null"


>>
>> Not quite there yet. It lets me change the password for an account, but
>> eDirectory sees it as an administrative change, i.e., it expires immediately.

>
> Well yes, if you changed another account's password then it WAS an
> administrative change. If you changed it as the user itself, then you'll
> probably need to specify that as I am not assuming so based on what you
> wrote above.


No, I logged into the portal and configured my challenge responses, then
changed my password. When I logged off & back on, my password had
already expired.

>
>> Maybe a clean reinstall (after removing the pwm* attributes and object
>> class) is the way to go.

>
> I doubt any of that matters, but if you have time then we will see.
>


I was able to remove the pwmUser class and all associated attributes
except for the pwmResponseSet attribute. It gave me an error -644. I
then re-ran the configuration, but when I got to "extend schema", all
attributes failed with -672 (no access). To resolve this, I backed up
to the beginning and changed the proxy user to the tree admin. I then
completed the configuration and changed the proxy user back to
'sspr-proxy'. Now I get SSPR 5045 when I try to save my challenge
questions, and error -608 (illegal attribute) in the LDAP log. Checked
the user account and it did not have the pwmUser object class applied. I
seem to be going backward.
