jrmhscht

LDAPS error editing dynamic groups

Hello,

I'm running iManager 3.1.3 and cannot edit dynamic groups. The error I get is

Unable to obtain a valid LDAP context.

Creating secure SSL LDAP context failed:
simple bind failed: x.x.x.x:636


I have tried importing the CA cert into the java cacerts file, deleting /var/opt/novell/tomcat8/webapps/nps/WEB-INF/iMKS, and the IP addresses are already in the ldap server ldapInterfaces attribute.

Anyone have other options to try to get this working? It works fine with my old iManager server running 3.0.3.2.

Thanks,
Jeremiah
Re: LDAPS error editing dynamic groups



On 04/05/2019 03:14 PM, jrmhscht wrote:
>
> I'm running iManager 3.1.3 and cannot edit dynamic groups. The error I
> get is
>
>> Unable to obtain a valid LDAP context.
>>
>> Creating secure SSL LDAP context failed:
>> simple bind failed: x.x.x.x:636


Are you able to bind with your user to that socket using something like
Apache Directory Studio?

> I have tried importing the CA cert into the java cacerts file, deleting
> /var/opt/novell/tomcat8/webapps/nps/WEB-INF/iMKS, and the IP addresses
> are already in the ldap server ldapInterfaces attribute.


Is there a reason you think this is a CA issue? That error doesn't
indicate that is the case, but it's pretty vague so maybe it could be related.

> Anyone have other options to try get this working? It works fine with
> my old iManager server running 3.0.3.2.


Have you tried, when logging into iManager, specifying a particular IP
address for a different eDirectory server to see if that one works?
iManager may still move around, but if you tell it which server to use it
will usually at least try that first.

Do you have another iManager 3.1 instance you can test? What about
iManager Workstation on your Linux or Windows workstation to do a quick test?

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
jrmhscht

Re: LDAPS error editing dynamic groups

> Are you able to bind with your user to that socket using something like
> Apache Directory Studio?

Apache Directory Studio works fine. I am connecting to the DNS name and not the IP though, so certs are happier.

> Is there a reason you think this is a CA issue? That error doesn't
> indicate that is the case, but it's pretty vague so maybe it could be related.


I was reading a bunch of old threads and TIDs trying to find a solution, and certificate issues were referenced a few times, so I thought I would try it. This was before I realized that it imports the cert to iMKS automatically. I also replaced the LDAP certificates so there are SANs in place. I didn't add the IP addresses to the SANs. Is that possibly required now?

> Have you tried, when logging into iManager, specifying a particular IP
> address for a different eDirectory server to see if that one works?

I just tried connecting to a different edir server and it has the same issue.

> Do you have another iManager 3.1 instance you can test?

I have this issue in my dev, QA, and prod environments with iManager 3.1 (three trees and three iManager servers). 3.0 works in all three.

Thanks,
Jeremiah
Re: LDAPS error editing dynamic groups

On 04/05/2019 04:04 PM, jrmhscht wrote:
>
>> Are you able to bind with your user to that socket using something like
>> Apache Directory Studio?

> Apache directory studio works fine. I am connecting to the dns name and
> not the IP though so certs are happier.


Ah, so perhaps the certificates lack something for the IPs. Considering
that the ldapInterfaces value often has IPs, or else has nothing and
clients then default to IPs, you may want to verify that.


> automatically. I also replaced the LDAP certificates so there are SAN's
> in place. I didn't add the IP addresses to the SANs. Is that possibly
> required now?


You probably should add any possible way to connect, including via
non-127.x.x.x IPs, to the SAN list. I believe there is an open bug
against iManager where it fails to add IPs to SANs when generating
certificates (not necessarily related to your issue), but it is not
commonly known that when a SAN is present the cert's Subject is ignored,
so even if you have an IP in the Subject, and DNS entries in the SAN, the
IP is ignored because the Subject is not valid.

In any case, adding IPs to the SAN list is probably an easy test. A doc
improvement in a Note or troubleshooting guide, or at least a TID, could
come from this if that helps.

Re: LDAPS error editing dynamic groups

ab wrote:

> > automatically. I also replaced the LDAP certificates so there are SAN's
> > in place. I didn't add the IP addresses to the SANs. Is that possibly
> > required now?

>
> You probably should add any possible way to connect, including via
> non-127.x.x.x IPs, to the SAN list. I believe there is an open bug
> against iManager where it fails to add IPs to SANs when generating
> certificates (not necessarily related to your issue), but it is not
> commonly known that when a SAN is present the cert's Subject is ignored,
> so even if you have an IP in the Subject, and DNS entries in the SAN, the
> IP is ignored because the Subject is not valid.


Pretty sure that during login to iManager, you need to specify tree name as DNS
name of local server you are connecting to.
Plus have the OrgCA cert (or whatever the issuer of the cert attached to LDAP
in edirectory) imported into cacerts used by iManager/Tomcat.

That fixed most of my issues from what I recall.

Alex McHugh - Knowledge Partner - Stavanger, Norway

jrmhscht
Re: LDAPS error editing dynamic groups

I usually import the CA into the java cacerts and use the server DNS name to connect. It always worked with 3.x, but didn't work with 3.1.3.

I regenerated the LDAP certificates to include the IP addresses in the Subject Alternate Names and it looks like it is working now.

Thanks.
Re: LDAPS error editing dynamic groups

On 4/8/2019 9:56 AM, jrmhscht wrote:
>
> I usually import the CA into the java cacerts and use the server DNS
> name to connect. It always worked with 3.x, but didn't work with
> 3.1.3.
>
> I regenerated the LDAP certificates to include the IP addresses in the
> Subject Alternate Names and it looks like it is working now.


The 1.8 JVM latest update now requires that the SAN or Subject name
match the URL it is used against, so heads up on that one. Possibly the
issue here.


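The matching rule the two replies above describe (ab's note that the Subject is ignored once the SAN is present, and the heads-up that the Java 8 JVM now requires the SAN or Subject to match the address dialled) is the RFC 6125 / RFC 2818 check Java's hostname verifier applies: an IP literal is compared only against SAN iPAddress entries, and a host name is compared against SAN dNSName entries, with the CN consulted only when the SAN carries no DNS names. The script below is an added example written for this thread, not code from iManager or from any poster; the certificates ldap01.example.com / 10.0.0.5 are constructed, and the dict shape is the one Python's `ssl.SSLSocket.getpeercert()` returns.

```python
# Java-style (RFC 6125 / RFC 2818) server-name check on a parsed certificate,
# in the dict shape ssl.SSLSocket.getpeercert() returns for a live LDAPS leaf.
import ipaddress

def _san(cert, kind):
    return [v for t, v in cert.get("subjectAltName", ()) if t == kind]

def _cn(cert):
    return next((v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"), None)

def _dns_match(pattern, host):
    # Case-insensitive; '*' is allowed only as the whole left-most label.
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    return len(p) == len(h) >= 3 and p[0] == "*" and p[1:] == h[1:]

def explain_match(cert, target):
    """Return (ok, reason) for dialling `target` (host name or IP literal)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is checked only against SAN iPAddress; CN is never used.
        if any(ipaddress.ip_address(v) == ip for v in _san(cert, "IP Address")):
            return True, f"{ip} listed in SAN iPAddress"
        return False, f"{ip} not in SAN iPAddress; CN is not consulted for IPs"
    dns = _san(cert, "DNS")
    if dns:
        # Once any dNSName entry exists, the subject CN is ignored entirely.
        if any(_dns_match(p, target) for p in dns):
            return True, f"{target} matched a SAN dNSName"
        return False, f"{target} not in SAN dNSName; CN ignored because SAN has DNS names"
    cn = _cn(cert)
    if cn and _dns_match(cn, target):
        return True, f"{target} matched subject CN (no dNSName in SAN)"
    return False, f"{target} matches neither SAN nor CN={cn!r}"

def mkcert(cn, *san):
    # getpeercert()-shaped dict; san items are ("DNS", x) or ("IP Address", x).
    return {"subject": ((("commonName", cn),),), "subjectAltName": tuple(san)}

# Constructed samples (not from the thread): the poster's original DNS-only
# cert, the regenerated one with the IP in the SAN, and an IP-in-CN cert.
CERT_DNS_ONLY = mkcert("ldap01.example.com", ("DNS", "ldap01.example.com"))
CERT_WITH_IP = mkcert("ldap01.example.com", ("DNS", "ldap01.example.com"),
                      ("IP Address", "10.0.0.5"))
CERT_IP_IN_CN = mkcert("10.0.0.5", ("DNS", "ldap01.example.com"))
```

Against a live server, pass the dict from `ssl.SSLSocket.getpeercert()` on a verified connection to port 636 and the IP address that appears in the error message; a False result with "CN is not consulted for IPs" is the situation this thread ended in until the IP was added to the SAN.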