Created: 3/15/2008 11:57:51 AM
Updated: 3/15/2008 12:10:26 PM
Author: Przemek Radzikowski
Troubleshooting LDAP SSL connection issues between Microsoft ILM/MIIS & Novell eDirectory 8.7.3
Troubleshooting LDAP connections, or the lack of them, can be particularly annoying, and the annoyance becomes almost unbearable once the data stream is encrypted, as with LDAP over SSL on port 636. This list outlines some of the more common things to try in order to restore or establish connectivity between ILM/MIIS and your Novell eDirectory.
- Use ldp.exe to ensure you can successfully bind to the eDirectory server.
- Ensure that you can connect to eDirectory using ldp.exe on the standard unencrypted port 389.
- If you were able to establish connectivity on port 389, switch ldp.exe to its secure (SSL) mode and try connecting on port 636. If ldp.exe then reports bind errors, chances are there are SSL issues you need to fix.
- If you’re trying to connect using port 636 (SSL), check that the SSL certificates have not expired. Expired certificates quite commonly go unnoticed when the enterprise uses port 389 for most operations, including connectivity to eDirectory.
- Ensure that you’re using fully qualified DN notation when entering the username, e.g. cn=username,ou=yourunit,o=yourorg.
- ILM/MIIS is quite particular about which versions of eDirectory it will connect to. Ensure that the eDirectory version you’re trying to connect to is 8.7.3.
- Install the SSL certificates on your local ILM server.
- The client (your ILM/MIIS server) must trust the Root CA certificate as well as any intermediate certificates. Install the Root CA certificate into the Trusted Root store on your ILM server – this root certificate is the one that was used to issue the certificates on the eDirectory server.
- The server name used in the bind statement must match the fully qualified DNS A record name of the server, so that the name requested matches the server name on the certificate. Ensure that the server you’re connecting to corresponds to the fully qualified domain name included in the SSL certificate. If these differ, you may need to edit the ILM server’s hosts file to map the server’s IP address to that fully qualified domain name. This is quite common in self-signed scenarios where a single certificate is used to secure a number of servers.
- eDirectory has a Nonstandard Client Schema Compatibility Mode. Ensure that this mode is enabled by editing the nonStdClientSchemaCompatMode attribute in eDirectory; you can use iManager to change it. Another attribute to try is enableoldADSIandNetscapeSchemaOutput.
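The checklist above can be run as a script before pointing ILM/MIIS at the directory. The following is an added example written for this article, not code from the original post or from Microsoft or Novell: with only Python's standard library it checks that ports 389 and 636 are reachable, performs the TLS handshake on 636 against the local machine's trust store (so an untrusted Root CA or missing intermediate shows up as a chain failure), reports the certificate's expiry, and matches the name you bind with against the certificate's CN and subjectAltName entries. The host name `edir.yourorg.example`, the sample certificate dictionary and the fixed clock are constructed for illustration; the hostname check is done by the script itself rather than by the TLS library so that a chain problem and a name mismatch are reported as two separate findings.

```python
"""Pre-flight checks for an LDAP-over-SSL (port 636) endpoint, standard library only.

Added example for the troubleshooting list above; host names, the sample
certificate and the fixed clock below are constructed, not real values.
"""
import socket
import ssl
import sys
import time

# Constructed to mirror the dictionary ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("organizationName", "yourorg"),), (("commonName", "edir.yourorg.example"),)),
    "subjectAltName": (("DNS", "edir.yourorg.example"), ("DNS", "*.yourorg.example")),
    "notBefore": "Mar 15 00:00:00 2008 GMT",
    "notAfter": "Mar 15 00:00:00 2010 GMT",
}
# Fixed "now" so the offline demonstration is reproducible (one year before SAMPLE_CERT expires).
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar 15 00:00:00 2009 GMT")


def tcp_reachable(host, port, timeout=5.0):
    """Plain TCP connect: separates DNS/firewall problems from SSL problems."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_server_cert(host, port=636, timeout=5.0):
    """TLS handshake on the LDAPS port using this machine's trust store.

    Raises ssl.SSLCertVerificationError when the chain (Root CA / intermediates)
    is not trusted. Hostname checking is disabled here on purpose: the name is
    matched separately by check_cert() so the two failure modes are distinguishable.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_names(cert):
    """DNS names the certificate is valid for: SAN dNSName entries, then the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return list(dict.fromkeys(names))  # de-duplicate, keep order


def hostname_matches(cert, hostname):
    """Case-insensitive exact match, or a single left-most wildcard label (*.example.com)."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_names(cert):
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*" and len(labels) > 2:
            if labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def days_until_expiry(cert, now=None):
    """Whole days until notAfter; negative means the certificate has already expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def check_cert(cert, hostname, now=None):
    """Expiry and name checks on an already-retrieved certificate; returns a list of findings."""
    findings = []
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append(f"certificate expired {-days} day(s) ago (notAfter {cert['notAfter']})")
    elif days < 30:
        findings.append(f"certificate expires in {days} day(s)")
    if not hostname_matches(cert, hostname):
        findings.append(
            f"host name {hostname!r} is not among the certificate names {cert_names(cert)}: "
            "bind with a name the certificate carries, or map that name to the server's IP in the hosts file"
        )
    return findings


def diagnose(host, ldap_port=389, ldaps_port=636):
    """Run the whole checklist against a live server; returns findings (empty list means all good)."""
    findings = []
    if not tcp_reachable(host, ldap_port):
        findings.append(f"port {ldap_port} unreachable: check DNS, firewall and that eDirectory LDAP is running")
    if not tcp_reachable(host, ldaps_port):
        findings.append(f"port {ldaps_port} unreachable: LDAPS may not be enabled on the eDirectory server")
        return findings
    try:
        cert = fetch_server_cert(host, ldaps_port)
    except ssl.SSLCertVerificationError as exc:
        findings.append(f"certificate chain not trusted ({exc.verify_message}): "
                        "import the eDirectory Root CA and any intermediates into the Trusted Root store")
        return findings
    except ssl.SSLError as exc:
        findings.append(f"TLS handshake failed: {exc}")
        return findings
    return findings + check_cert(cert, host)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live run: python ldaps_check.py edir.yourorg.example
        for line in diagnose(sys.argv[1]) or ["no problems found"]:
            print(line)
    else:  # offline demonstration on the constructed certificate
        print(check_cert(SAMPLE_CERT, "edir.yourorg.example", SAMPLE_NOW))  # []
        print(check_cert(SAMPLE_CERT, "10.0.0.5", SAMPLE_NOW))  # name mismatch finding
```

Run it with the same name ILM uses in its bind statement; if the only finding is the name mismatch while a bind by IP address works, that is the hosts-file case described above. A chain failure means the ILM server's trust store, not the directory, needs fixing.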