Created:
3/15/2008 11:57:51 AM

Author:
Przemek Radzikowski


Troubleshooting LDAP SSL connection issues between Microsoft ILM/MIIS & Novell eDirectory 8.7.3

Troubleshooting eDirectory LDAP connections, or the lack of them, can be particularly annoying, and it becomes almost unbearable once the data stream is encrypted, as with LDAP over SSL on port 636.

Introduction

A few months back I was doing quite a bit of work with Novell eDirectory and Microsoft's ILM (Identity Lifecycle Manager). The project required ILM to synchronize passwords and usernames between various eDirectory and other LDAP directory systems, but for some reason I was having problems making an SSL LDAP connection over port 636 between ILM and eDirectory.

Resolving eDirectory SSL LDAP Connection on Port 636

Some problems are easier to solve than others; LDAP over SSL is particularly tricky to diagnose. I've compiled a list of the more common things to try in order to establish, restore or troubleshoot connectivity between ILM/MIIS and your Novell eDirectory.

1. Use ldp.exe to Troubleshoot the Connection

Ldp.exe is a Windows 2000/2003 Support Tools utility that performs Lightweight Directory Access Protocol (LDAP) searches against Active Directory, eDirectory or any other LDAP-compliant directory, returning the entries that match the search criteria you supply.

Things to try:

  1. Use ldp.exe to confirm that you can bind to the eDirectory server at all.
  2. Ensure that you can connect to eDirectory with ldp.exe on the standard unencrypted port 389.
  3. If the connection on port 389 works, switch ldp.exe to SSL mode and connect on port 636. If ldp.exe now reports bind errors, chances are the problem lies with the SSL configuration rather than with LDAP itself, and the next section is where to look.

2. Connecting to LDAP using SSL on Port 636

The most common SSL communication problems are caused by the SSL certificates themselves. The certificates are either created by eDirectory or issued by a third party and imported into eDirectory. Unfortunately, people tend to forget about these certificates once they are deployed, which is the root of many such problems.

Things to try:

  1. If you're trying to connect using port 636 (SSL), check that the SSL certificates have not expired. Expiry often goes unnoticed when the enterprise uses port 389 for most operations, including connectivity to eDirectory.
  2. Install the SSL certificates on your local ILM server.
  3. The client machine (your ILM/MIIS server) must trust the RootCA certificate as well as any intermediate certificates. Install the RootCA certificate into the Trusted Root store on your ILM server; this is the root certificate that was used to issue the certificates on the eDirectory server.
  4. The server name used in the bind must match the fully qualified DNS A record name of the server, so that the name requested matches the name on the certificate. Ensure that the server you're connecting to corresponds to the fully qualified domain name included in the SSL certificate. If they differ, you may need to edit the ILM server's hosts file to map the IP address to the fully qualified domain name on the certificate. This is quite common in self-signed scenarios where a single certificate is used to secure a number of servers.
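Worked example (added here; this is not code from the article, from ILM or from eDirectory): the Python script below automates the sequence of sections 1 and 2 above. It checks plain TCP reachability on port 389 first, then performs a strictly verified TLS handshake on port 636, and when the handshake fails it maps OpenSSL's verification result onto the fix listed above (expired certificate, untrusted RootCA or intermediate, hostname mismatch). After a successful handshake it also flags a certificate that is about to expire, since that is the failure the article says goes unnoticed. The host names, file paths, the sample certificate and the code-to-remedy mapping are assumptions; the numeric codes are OpenSSL's X509_V_ERR values as Python exposes them in ssl.SSLCertVerificationError.verify_code.

```python
"""LDAPS connectivity diagnostics for an eDirectory server (added example).

Not code from the article or from ILM/eDirectory. It automates the manual
ldp.exe sequence (plain port 389 first, then TLS on 636) and names the
certificate problem from the article when the TLS handshake fails.
Host names, file paths and the sample certificate are constructed.
"""
import socket
import ssl
import sys
import time

# OpenSSL X509_V_ERR_* codes as surfaced in ssl.SSLCertVerificationError.verify_code,
# mapped to the remedy from the article's section 2 (assumed mapping, not eDirectory's).
VERIFY_REMEDIES = {
    10: "certificate has expired: renew the eDirectory LDAP server certificate",
    18: "self-signed server certificate: import it into the ILM server's Trusted Root store",
    19: "self-signed root in chain: import the RootCA certificate into the ILM server's Trusted Root store",
    20: "issuer not found locally: install the RootCA and any intermediate certificates on the ILM server",
    62: "hostname mismatch: bind with the FQDN on the certificate, or map that name to the IP in the hosts file",
}


def explain_verify_failure(verify_code, verify_message):
    """Translate an OpenSSL verification failure into the fix the article describes."""
    return VERIFY_REMEDIES.get(verify_code, f"verification failed ({verify_code}): {verify_message}")


def _cert_names(cert):
    """DNS names the certificate is valid for: subjectAltName entries, then the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    names += [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return names


def _name_matches(pattern, hostname):
    """Exact match, or a single leading '*.' wildcard covering exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    return pattern.startswith("*.") and "." in hostname and hostname.split(".", 1)[1] == pattern[2:]


def check_cert(cert, hostname, now=None, warn_days=30):
    """Problems with a getpeercert()-style dict: expired / expiring soon / not yet valid / name mismatch."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    problems = []
    if not_after < now:
        problems.append(f"expired: certificate valid until {cert['notAfter']}")
    elif not_after - now < warn_days * 86400:
        problems.append(f"warning: certificate expires {cert['notAfter']} (within {warn_days} days)")
    if not_before > now:
        problems.append(f"not yet valid: certificate starts {cert['notBefore']}")
    names = _cert_names(cert)
    if not any(_name_matches(name, hostname) for name in names):
        problems.append(f"hostname mismatch: {hostname!r} is not among {names}")
    return problems


def tcp_reachable(host, port, timeout=5.0):
    """Plain TCP connect, the equivalent of the ldp.exe test on port 389."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Strictly verified TLS handshake against the LDAPS port. cafile=None uses the system
    trust store (on Windows, the same Trusted Root store ILM relies on). Returns findings."""
    findings = []
    if not tcp_reachable(host, 389, timeout):
        findings.append("port 389 not reachable: fix network/firewall before looking at SSL")
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                findings += check_cert(tls.getpeercert(), host) or ["TLS handshake on %d verified OK" % port]
    except ssl.SSLCertVerificationError as exc:
        findings.append(explain_verify_failure(exc.verify_code, exc.verify_message))
    except (ssl.SSLError, OSError) as exc:
        findings.append(f"port {port} handshake failed: {exc}")
    return findings


# Constructed sample, shaped like SSLSocket.getpeercert() output, for offline use of check_cert().
SAMPLE_CERT = {
    "subject": ((("organizationName", "yourorg"),), (("commonName", "edir1.yourorg.example"),)),
    "subjectAltName": (("DNS", "edir1.yourorg.example"), ("DNS", "*.yourorg.example")),
    "notBefore": "Mar 15 11:57:51 2008 GMT",
    "notAfter": "Mar 15 11:57:51 2010 GMT",
}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "edir1.yourorg.example"  # placeholder host
    for line in probe_ldaps(target, cafile=sys.argv[2] if len(sys.argv) > 2 else None):
        print(line)
```

Run it from the ILM/MIIS server as `python ldaps_probe.py <edirectory-fqdn>` (the file name and host are placeholders). With no second argument Python loads the system trust store, which on Windows is the same Trusted Root store ILM consults, so an "issuer not found locally" result means step 3 above has not been done on that machine; pass the RootCA file as a second argument to confirm a candidate certificate fixes the chain before importing it. Supplying the FQDN from the certificate rather than the short name or IP address exercises step 4 exactly as ILM's bind will.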

3. ILM & eDirectory Peculiarities

There are a few things that you might consider quirks of either ILM or eDirectory; however, things will go more smoothly if you remember the following:

  1. Ensure that you enter the username in fully qualified DN notation, for example:

     cn=username,ou=yourunit,o=yourorg 
  2. eDirectory has a Nonstandard Client Schema Compatibility Mode switch that allows nonstandard schema output so that current ADSI and old Netscape clients can read the schema. This is implemented by setting an attribute in the LDAP Server object. The attribute name is nonStdClientSchemaCompatMode. The LDAP Server object is usually in the same container as the Server object.

     Ensure that you enable this mode by editing the nonStdClientSchemaCompatMode attribute in eDirectory; you can use iManager to change this attribute.
  3. I've been told that another attribute to try is enableoldADSIandNetscapeSchemaOutput; however, I've not been able to find any reference to it on the web.
  4. ILM/MIIS is quite particular about which versions of eDirectory it will connect to. Ensure that the eDirectory version you're trying to connect to is version 8.7.3.

Conclusion

This article outlined a number of common troubleshooting techniques for diagnosing SSL LDAP connectivity issues between ILM (Identity Lifecycle Manager) and Novell's eDirectory.

Updated: Monday, October 28, 2013
(c) Capitalhead Pty Ltd