Anonymous_User

"LDAP Server is not associated with a certificate"

Last week I installed a third-party signed cert for LDAP use. It worked
fine for a few days, then stopped. When eDirectory starts it fails on
nldap_check and says the LDAP server is not associated with a
certificate. I've tried exporting the externally-signed cert and
re-importing it to (hopefully) reassociate it with the LDAP server. I
even tried changing back to one of the default certificates. No dice.

eDirectory version 8.8.7 (20701.48)
server platform RHEL version 6.4.


Thoughts?


Anonymous_User

Re: "LDAP Server is not associated with a certificate"

Did you do anything else recently, such as patch eDirectory at all? The
reason I ask is that this error may be misleading per a bug I reported
quite a while ago which basically has the 'Version' attribute on one of
the LDAP objects (server or group... it's only one of them I think)
out of sync with the actual eDirectory version. Fixing that may help. If
so, please post back confirming as much; if not, post back and we'll work
some more.

Getting more info from eDirectory may help, for example by being sure all
Screen/Tracing options are enabled on the LDAP Server object for this eDir
box and then doing the following on the command line:

Code:
----------
ndstrace
set dstrace=nodebug
dstrace +time +tags +ldap +init
dstrace file on
set dstrace=*r
unload nldap
load nldap
dstrace file off
quit
----------

Post the contents of the ndstrace.log file which is probably somewhere
like /var/opt/novell/eDirectory/log/ndstrace.log by default.

Good luck.
Anonymous_User
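As an added illustration (not code from the thread or from the eDirectory product), a small triage script for the ndstrace.log produced by the steps above: it keeps only LDAP-tagged lines and flags the two messages this thread runs into, treating the first one in the load sequence as the probable root cause. The line layout (thread id, tag, bracketed time, message) and the sample trace are assumptions constructed for the example.

```python
import re

# Constructed sample of an ndstrace.log captured with +time +tags (line shape
# assumed: thread id, tag, bracketed timestamp, message); not a real trace.
SAMPLE_TRACE = """\
3078000000 INIT: [2013/06/03 09:14:02.101] Loading module nldap
3078000000 LDAP: [2013/06/03 09:14:02.220] Proxy identity 'CN=ldapps.O=[organization]' does not have a null password.
3078000000 LDAP: [2013/06/03 09:14:02.221] LDAP server is not associated with a certificate
3078000000 INIT: [2013/06/03 09:14:02.300] nldap initialization failed
"""

LINE_RE = re.compile(
    r"^\s*(?P<tid>\d+)\s+(?P<tag>[A-Z]+):\s*(?:\[(?P<ts>[^\]]*)\]\s*)?(?P<msg>.*)$")

# Messages quoted in this thread and the condition each points at, in the
# order nldap reports them: the proxy check fails first, and the
# "not associated with a certificate" line is the follow-on symptom.
KNOWN_FAILURES = (
    (re.compile(r"Proxy identity '(?P<dn>[^']+)' does not have a null password"),
     "proxy user lacks the required zero-length password"),
    (re.compile(r"not associated with a certificate", re.IGNORECASE),
     "LDAP Server object has no usable certificate (KMO) association"),
)

def parse_line(line):
    """Split one ndstrace line into its fields; None if the line does not match."""
    m = LINE_RE.match(line)
    return None if m is None else m.groupdict()

def diagnose(trace_text):
    """Scan LDAP-tagged lines for the known failures.

    Returns every match plus the first one as the probable root cause, since
    later LDAP init errors usually cascade from the first.
    """
    findings = []
    for raw in trace_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["tag"] != "LDAP":
            continue
        for pattern, meaning in KNOWN_FAILURES:
            m = pattern.search(rec["msg"])
            if m:
                findings.append({"time": rec["ts"], "message": rec["msg"],
                                 "meaning": meaning, "proxy_dn": m.groupdict().get("dn")})
    return {"findings": findings,
            "root_cause": findings[0]["meaning"] if findings else None,
            "proxy_dn": next((f["proxy_dn"] for f in findings if f["proxy_dn"]), None)}

if __name__ == "__main__":
    for f in diagnose(SAMPLE_TRACE)["findings"]:
        print(f["time"], "-", f["meaning"])
```

Run it against a real capture with `diagnose(open("/var/opt/novell/eDirectory/log/ndstrace.log").read())`; if the first finding is the proxy-identity message, the certificate error is the symptom, not the cause.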

Re: "LDAP Server is not associated with a certificate"

ab

> Getting more info from eDirectory may help, for example by being sure all
> Screen/Tracing options are enabled on the LDAP Server object for this eDir
> box and then doing the following on the command line:
>
> Code:
> ----------
> ndstrace
> set dstrace=nodebug
> dstrace +time +tags +ldap +init
> dstrace file on
> set dstrace=*r
> unload nldap
> load nldap
> dstrace file off
> quit
> ----------
>
> Post the contents of the ndstrace.log file which is probably somewhere
> like /var/opt/novell/eDirectory/log/ndstrace.log by default.
>


That was easy. "Proxy identity 'CN=ldapps.O=[organization]' does not
have a null password."

Now I just have to figure out how to get iManager to accept a null
password for the account. Even after I put the proxy account in a
special policy that disallows Universal Password and allows a
zero-length password, iManager complains that I have set a password
that's too short. 😕

Anonymous_User

Re: "LDAP Server is not associated with a certificate"


>
> Now I just have to figure out how to get iManager to accept a null
> password for the account. Even after I put the proxy account in a
> special policy that disallows Universal Password and allows a
> zero-length password, iManager complains that I have set a password
> that's too short. 😕
>


.... do I even need a proxy user? It loads fine without one.

Anonymous_User

Re: "LDAP Server is not associated with a certificate"

Do you need a proxy user for LDAP to work? Definitely not (default is to
not have one, in fact) for normal functionality, but if you (or somebody
else) added this at some point in order to give anonymous users better
rights or something then removing it will break those users. If all of
your clients to this service are authenticated (vs. anonymous) then the
proxy user is not used, so again it is pointless. Since this has been
broken for a while since the proxy user was added, chances are that
anything that should have shown up as broken (because LDAP was not
available at all) has long since been pointed at another service or
something. All depends on your environment.

Anyway, setting a user with a zero-length password should be possible from
the user object. Set password, leave fields blank, and when you save it
will prompt you asking if you want a zero-length password or no password
at all; choose the former, as the latter is not desired for a proxy user.

Good luck.
Anonymous_User

Re: "LDAP Server is not associated with a certificate"

ab,

>
> Anyway, setting a user with a zero-length password should be possible from
> the user object. Set password, leave fields blank, and when you save it
> will prompt you asking if you want a zero-length password or no password
> at all; choose the former, as the latter is not desired for a proxy user.
>
> Good luck.
>


When I try to set a blank password for the account, I get a popup saying
"Failure to enter a password will allow the user to login without a
password. Do you want to continue?" When I click OK, I get "The Set
Password request failed. The password does not match the admin defined
password restrictions."

If everything works without an LDAP proxy assigned, I won't worry about
that though.

Thanks

Anonymous_User

Re: "LDAP Server is not associated with a certificate"

Besides the Universal Password (UP) policy there could also be password
restrictions defined on the proxy user itself, perhaps from when the
previous policy was applied. Go to the user object, Restrictions Tab,
then 'Password' something or another section, and be sure there are not
restrictions there preventing the password-set operation.

Good luck.