Issue enabling LDAP + SSL

Hi!!
I tried to enable LDAPS and for that I created a standalone CA within my network. I made the certificate request as follows:
;----------------- request.inf ----------------- 
[Version] 
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=PDC.example.local"
KeySpec = 1 
KeyLength = 2048
Exportable = TRUE 
MachineKeySet = TRUE 
SMIME = False 
PrivateKeyArchive = FALSE 
UserProtected = FALSE 
UseExistingKeySet = FALSE 
ProviderName = "Microsoft RSA SChannel Cryptographic Provider" 
ProviderType = 12
RequestType = PKCS10 
KeyUsage = 0xa0 
[EnhancedKeyUsageExtension] 
OID=1.3.6.1.5.5.7.3.1 
I have created a .req file
In certmgr.msc I downloaded the certificate chain. I installed the cert from the standalone CA in Trusted Root Certificates and the cert for my Domain Controller in Personal.
I rebooted the DC, but when checking with ldp.exe it shows me the following error:
ld = ldap_sslinit ("192.168.1.8", 636, 1);
Error 0 = ldap_set_option (hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect (hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to 192.168.1.8.
I followed all the manuals and I cannot enable LDAPS, I need help!!

It seems the LDAP client cannot connect to the DC on port 636.
Make sure the port is allowed in the firewall(s). Check if it is listening on the DC using netstat -an, and check if you can connect to it using telnet <ip> <port>.
MCP/MCSA/MCTS/MCITP
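
Added example (my own, not code from the original thread or from Microsoft): the reply above stops at netstat and telnet, which only prove that a listener exists. The two PowerShell functions below go one step further. Get-LdapsCandidateCertificate is run on the DC and lists what Schannel could actually use for LDAPS from the Local Computer Personal store (Cert:\LocalMachine\My, not the Current User store that certmgr.msc shows): private key present, the Server Authentication EKU 1.3.6.1.5.5.7.3.1 from the request.inf, and the DC FQDN in the subject or SAN. Test-LdapsEndpoint is run from a client and completes a real TLS handshake on 636, reporting the certificate the DC presented and whether the local machine can build a trust chain to it. The FQDN PDC.example.local is taken from the request.inf; that the DC is reachable under that name from where the script runs, and that Windows PowerShell 5.1 or later is available, are assumptions. Connect with the FQDN rather than 192.168.1.8: the client compares the name it connected to with the names in the certificate, and the certificate above carries only CN=PDC.example.local.

```powershell
# Added example, not part of the original thread.
# Assumptions (not stated in the post): DC FQDN is PDC.example.local (from request.inf),
# it is reachable from this machine, Windows PowerShell 5.1+ on Windows.

function Get-LdapsCandidateCertificate {
    # Run ON the DC. Returns the certificates in the Local Computer Personal store that
    # Schannel could select for LDAPS: private key, Server Authentication EKU, FQDN present.
    param([string]$DcFqdn = 'PDC.example.local')

    $cnPattern = 'CN=' + [regex]::Escape($DcFqdn) + '(,|$)'   # subject CN must be exactly the FQDN
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $ekuExt = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
        $ekus = @()
        if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        $sanExt = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            HasPrivateKey = $_.HasPrivateKey
            ServerAuthEku = ($ekus -contains '1.3.6.1.5.5.7.3.1')
            NameMatches   = ($_.Subject -match $cnPattern) -or ($sanText -match [regex]::Escape($DcFqdn))
            NotAfter      = $_.NotAfter
        }
    } | Where-Object { $_.HasPrivateKey -and $_.ServerAuthEku -and $_.NameMatches }
}

function Test-LdapsEndpoint {
    # Run from a client (or on the DC itself). Opens TCP 636, completes the TLS handshake,
    # and reports the certificate the server presented plus the local trust verdict for it.
    param([string]$DcFqdn = 'PDC.example.local', [int]$Port = 636)

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($DcFqdn, $Port)
    } catch {
        # Nothing listening or filtered: the case the reply above describes.
        return [pscustomobject]@{ TcpOpen = $false; Error = $_.Exception.Message }
    }

    # Accept any certificate inside the handshake so it completes and can be inspected;
    # trust is evaluated explicitly with X509Chain below, never skipped.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($DcFqdn)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)   # uses this machine's Trusted Root / Intermediate stores
        [pscustomobject]@{
            TcpOpen      = $true
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            ChainTrusted = $trusted
            ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
    } catch {
        # Port open but no TLS handshake: the DC has not bound a certificate to the listener,
        # or something else is answering on 636.
        [pscustomobject]@{ TcpOpen = $true; Error = $_.Exception.Message }
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

# Usage: on the DC, confirm there is a usable certificate; from a client, probe the listener.
Get-LdapsCandidateCertificate -DcFqdn 'PDC.example.local' | Format-List
Test-LdapsEndpoint -DcFqdn 'PDC.example.local' | Format-List
```

If Get-LdapsCandidateCertificate returns nothing on the DC, Schannel has nothing to serve on 636 and the TCP connect will fail exactly as in the ldp.exe output above; the usual reasons are a certificate imported without its private key (certreq -accept on the issued .cer binds it to the pending request's key, a plain import does not) or one imported into the user store instead of the machine store. If the handshake completes but ChainTrusted is False, ChainStatus names the missing piece (for example UntrustedRoot when the standalone CA certificate is not in the client's Trusted Root store).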

Similar Messages

  • Rodc ldap ssl

    I am putting an RODC in the DMZ, in a separate forest from the internal network.
    In the DMZ I have a read/write 2012 DC in 2008 R2 mode. Then I added an RODC in the same DMZ forest.
    I want to open up 636 to the RODC from the public for LDAP SSL.
    Is this OK? How would I go about setting up LDAP SSL over the public internet? I guess I will need a public cert.

    Hello,
    maybe you can describe the reason that requires LDAP over SSL access?
    In the meanwhile see
    http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
    You can also work with self-signed certificates:
    http://gregtechnobabble.blogspot.de/2012/11/enabling-ldap-ssl-in-windows-2012-part-1.html
    It depends on the service/application requirement.
    We use for example an external access to our network but work with self-signed certificates for password change if accounts are required to change the password.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • What should be done in certmap.conf for 2-way SSL support from a standalone Java application to an SSL enabled LDAP Server

    To support certificate-based client authentication using 2-way SSL from a standalone Java application which uses JNDI and JSSE 1.0.2 to connect to an SSL-enabled LDAP server, how do we configure certmap.conf? Is there any additional setup required on the LDAP server side apart from enabling SSL with the "Required Client Authentication" option enabled? The 2-way SSL handshake goes through, but the access log file (after configuring certmap.conf for the issuer DN of the client certificate etc.) shows "SSL failed to LDAP DN". In spite of this access log error, the Java client does get an SSL connection object with which it is able to connect to the LDAP. Is the certmap.conf file being looked up by the LDAP server at all?

    have you out.flush() and out.close() before you call connection.getInputStream()?

  • EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility

    Hello everyone,
    Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
    Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
    I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
    Once I did this I was able to use this certificate in the web server on the same machine, and sure enough I was able to connect to it with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
    However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
    This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
    Here's what happens:
    1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
    2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
    3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
    4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
    5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
    Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
    http://discussions.apple.com/thread.jspa?messageID=5967023
    http://discussions.apple.com/message.jspa?messageID=5982070
    these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
    If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
    Thanks,
    Andrew

    Hard to tell what is happening without looking at the application
    source, knowing what OS & hardware you're using etc. You might want to
    try running with different JVM versions to see if it's actually the VM
    that is the problem. If you have a support contract with BEA you could
    ask support to help you diagnose this.
    Regards,
    /Helena
    Ayub Khan wrote:
    I have an application running on Weblogic 8.1 ( with JRockit as the JVM). This
    application in turns talks to an iPlanet Directory server via LDAP/SSL. The problem
    seems to happen on loading the machine..the performance progressively gets worse
    and after a couple of seconds, all the threads stop responding. I checked the
    heap, cpu and the idle threads in the execute queue and there is nothing there
    to trigger alarms...there are quite a few idle threads still and the heap and
    the cpu utilization seem OK. On doing a thread dump, Is see that all the other
    threads seem to be in a state where they are waiting for data from LDAP and it
    is basically read only data that they are waiting on.
    Does anyone know what it is going on and help point me in the right direction.
    -Ayub

  • Open Directory: After enabling of SSL encryption the Open Directory server is not reachable anymore! What's wrong?

    After enabling SSL encryption on LDAP I can't connect to the LDAP anymore. I think Lion Server now supports SSL encryption for Open Directory.

  • How to configure LDAP SSL using auto login wallet?

    Hello,
    I need to enable authentication over LDAP SSL.
    I've configured a wallet (auto login) containing required certificates and set accordingly WALLET_PATH and WALLET_PWD settings using apex_instance_admin.set_parameter method.
    With this, everything is working fine and LDAP over SSL is working well. It confirms that the wallet is properly configured, valid and usable.
    So, the wallet was created with auto login option and it seems to work well without specifying password when calling utl_http.
    Proof of properly configured auto login wallet (without password).
    TEST01@DB11G> exec show_html_from_url('https://www.verisign.com/'); -- test without wallet
    BEGIN show_html_from_url('https://www.verisign.com/'); END;
    ERROR at line 1:
    ORA-29273: HTTP request failed
    ORA-06512: at "SYS.UTL_HTTP", line 1527
    ORA-29261: bad argument
    ORA-06512: at "TEST01.SHOW_HTML_FROM_URL", line 25
    ORA-29273: HTTP request failed
    ORA-06512: at "SYS.UTL_HTTP", line 1130
    ORA-29024: Certificate validation failure
    ORA-06512: at line 1
    TEST01@DB11G> exec utl_http.set_wallet('file:/u01/app/oracle/product/11.2.0/dbhome_1/network/admin'); -- set wallet info for use without password (autologin)
    PL/SQL procedure successfully completed.
    TEST01@DB11G> exec show_html_from_url('https://www.verisign.com/'); -- It works!
    PL/SQL procedure successfully completed.
    So, when I configure WALLET_PATH without WALLET_PWD, it does not seem to work as it should with my auto login wallet...
    What am I missing? Is it APEX not handling auto login wallets correctly?
    Apex Version: 4.2.0.00.27
    OS: OEL 6.4
    DB: 11.2.0.3 x64
    Thanks
    Bruno Lavoie

  • Any issues with using LDAP on LINUX for GRC 5.2 UME?

    Our company is converting our LDAP servers from AIX to LINUX.  The DNS name used in our UME connection should not change.  Are there any issues with using LDAP on LINUX?  We are currently on GRC 5.2 SP9 (in the middle of upgrading to SP12).
    Also, I have been trying to connect our test UME system to a test LDAP box that has already been converted to LINUX but keep getting a 'connection failed' error when I try to test it. 
    Do you have to reboot the server to test changing the LDAP connections?  I've been trying it by going into UME, pulling up the LDAP tab, hitting the Modify button, entering the new userid and password for test LDAP, and hitting the Test Connection button.  I've verified that this userid and password is correct for test LDAP.
    Is there a way to get more information about why the connection failed?
    Thanks.

    I've been told by our LDAP Support group that none of the other configuration settings should have to be changed.  I should only have to change the id and password to connect to a test version of LDAP instead of our regular connection to the production LDAP.
    Can you test a connection for a different userid/password without having to reboot/restart the server? Do I need to change these two settings, save them, reboot/restart, and then press the Test Connection button?
    Thanks.

  • Convergence with LDAP SSL Failure

    Hello,
    I'm now having a problem securing connections between Convergence and my LDAP server.
    Once I set ugldap.enablessl to true in iwcadmin and change the port to 636, the following error occurs and Convergence just can't authenticate.
    server.log in Glassfish 2.1.1, enterprise profile using NSS keystore
    [#|2010-11-12T20:17:15.208+0000|SEVERE|sun-appserver2.1|com.sun.comms.shared.ldap|_ThreadID=19;_ThreadName=Thread-114;_RequestID=f4814afe-c0b0-4245-b21b-64be2d4a39e3;|LDAPS:Error occured during SSL handshake java.lang.RuntimeException: Could not parse key values|#]
    [#|2010-11-12T20:17:15.209+0000|SEVERE|sun-appserver2.1|com.sun.comms.shared.ldap.LDAPSingleHostPool|_ThreadID=19;_ThreadName=Thread-114;_RequestID=f4814afe-c0b0-4245-b21b-64be2d4a39e3;|buildConnection: got LDAPException while connecting to Pool number:0. Host=<ldaphost> :netscape.ldap.LDAPException: Error occured during SSL handshake java.lang.RuntimeException: Could not parse key values (91)|#]
    HTTP SSL connections to Webmail server and calendar servers are fine. I tried deploying the same configuration using developer profile with JKS keystore, the SSL authentication goes through then, but I need clustering for high availability.
    Does anyone have any ideas?
    Thanks so much in advance!
    Mathew

  • How can i enable ldap service in my system?

    How can I enable the LDAP service on my system? While running my program I am getting a "connection refused" error. Why?

    hi
    thanks for your kind attention.
    I want to execute a simple JNDI program on WinXP which uses LDAP services.
    In the JNDI Tutorial it says that you can make use of the LDAP service provided by the JDK. I am using the latest version of the JDK.
    Where are the programs for enabling the LDAP service located in the JDK? How can I enable it?
    I have also downloaded the latest release of the OpenLDAP software; if the former is not possible, can you tell me how to configure OpenLDAP?
    thanks in advance

  • OIM server - Enable LDAP sync

    Hi everyone,
    I'm currently working with OIM 11.1.1.5.0, and I have to integrate an Active Directory which is on a different machine. Problem is that I saw in the installation guide I had to enable LDAP Sync when I configured my oim server, but I didn't.
    So I would like to know if it's still possible to enable this option without deleting my current oim server and reinstall everything.
    Thanks,
    Thibault

    I found the solution ... http://docs.oracle.com/cd/E25054_01/doc.1111/e14308/ldapsync.htm
    Sorry for the post

  • Enabling LDAP Sync after OIM configuration in R2

    Friends,
    Has anyone tried enabling LDAP Sync after OIM configuration in R2?
    I am trying to do the steps given in the below url.
    http://docs.oracle.com/cd/E27559_01/integration.1112/e27123/oid_oim.htm#IDMIG4357
    But I am not finding the below.
    /db/LDAPUser
    /db/LDAPRole
    /db/LDAPRoleHierarchy
    /db/LDAPRoleMembership
    /db/RA_LDAPROLE.xml
    /db/RA_LDAPROLEHIERARCHY.xml
    /db/RA_LDAPROLEMEMBERSHIP.xml
    /db/RA_LDAPUSER.xml
    /db/RA_MLS_LDAPROLE.xml
    /db/RA_MLS_LDAPUSER.xml
    Few of them exist in /metadata/iam-features-ldap-sync but not all. I am not finding LDAPContrainerRules.xml any where at all.
    Am I doing something wrong, or is the documentation wrong?
    Please suggest.

    From another post, try following
    I have not tried it yet, but it looks OK. Post your results/experiences; I shall also try it out.
    Find detail steps at below link
    http://docs.oracle.com/cd/E27559_01/install.1112/e27301/oim.htm#CDDGJIBJ
    http://docs.oracle.com/cd/E14571_01/install.1111/e12002/oidonly014.htm

  • Issues when configure LDAP server in OBIEE

    Hi,
    I have a big issue. I configured an LDAP server for authentication of users, and everything looks fine, but my problem is that when I log in to Interactive Dashboards I enter without any problem, but some parameters, some filters and some functions are NOT working. For example:
    - In a parameter I have this condition for the default value: SELECT YEAR(Tiempo.Dia) FROM Finanzas WHERE Tiempo.dia = CURRENT_DATE, and it returns a null value, but if I change it to SELECT YEAR(Tiempo.Dia) FROM Finanzas WHERE Tiempo.dia = CURRENT_DATE-1, it returns "2010".
    I have similar behaviors in other parameters, and some filters and some functions.
    Everything happens in the Development instance. I configured the LDAP server in the Development instance.
    In the Production instance none of this happens, but I have not configured the LDAP server there yet.
    What does anyone think is happening here? Does this happen because I configured the LDAP server? What do you think causes this behavior for my parameters, filters and functions?
    Do you think it is better practice to clone the Production instance to the Development instance? If so, how can I clone an instance, only for OBIEE?
    Regards,
    Arnulfo
    Edited by: ArnulfoPA on 25-may-2010 15:35

    The date returned by CURRENT_DATE is determined by the system on which the Oracle BI Server is running. So, does CURRENT_DATE return equal values on the prod and dev instances in your case?

  • LDAP SSL requirement and setup

    Can someone point me the direction on setting up LDAP SSL in Apex 2.2?
    Is there any documentation available? Thank you.

    I have same request. Only information i could find was here: LDAP Authentication Failed

  • How to enable LDAP authentication for APEX

    How do I enable LDAP authentication for APEX 4.2? Thank for your help.
    Kevin

    You need to create a new authentication scheme based on the predefined LDAP authentication from Shared Components => Authentication
    and provide your company's LDAP authentication credentials.

  • DPS 6.3.1.1 - Issues while connecting through SSL

    Hello !!
    I have an issue where my application client reported that they are unable to connect to the LDAP using SSL, whereas everything works fine in LDAP (non-secured).
    This is how our deployment looks.
    Clients <=> Load Balancer <=> DPS (2 instance) <=> DS (2 masters)
    The DPS is configured with DSP (data source pool) (with proportional algorithm of 50:50 to backend data sources). Client Affinity ("read-write-affinity-after-any") is configured for this DSP. The DSP is attached with 2 data sources.
    So when the client connected on a secured port using LDAPS, they were unable to authenticate/search against this environment. No issues were found in the DS logs for any of the bind/search requests. But in DPS we noticed the log below, which I want to get clarification on.
    Note: I have removed the hostnames/Ip where ever applicable from the logs.
    =====================================================
    [04/May/2011:12:24:39 -0400] - PROFILE - INFO - conn=1255260 assigned to connection handler cn=default connection handler, cn=connection handlers,cn=config
    [04/May/2011:12:24:39 -0400] - CONNECT - INFO - conn=1255260 client=x.x.x.x:52461 server=x.x.x.x:636 protocol=LDAPS
    [04/May/2011:12:24:39 -0400] - OPERATION - INFO - conn=1255260 op=0 BIND dn="uid=app_id,ou=applications,dc=example,dc=com" method="SIMPLE" version=3
    [04/May/2011:12:24:39 -0400] - SERVER_OP - INFO - conn=1255260 op=0 BIND dn="uid=app_id,ou=Applications,dc=example,dc=com" method="SIMPLE" version=3 s_msgid=3 s_conn=ds_Master2:26560
    [04/May/2011:12:24:39 -0400] - SERVER_OP - INFO - conn=1255260 op=0 BIND RESPONSE err=0 msg="" s_conn=ds_Master2:26560
    [04/May/2011:12:24:39 -0400] - PROFILE - INFO - conn=1255260 assigned to connection handler cn=CH_ENV_catch-all_LDAPS,cn=connection handlers,cn=config
    [04/May/2011:12:24:39 -0400] - OPERATION - INFO - conn=1255260 op=0 BIND RESPONSE err=0 msg="" etime=0
    [04/May/2011:12:24:39 -0400] - OPERATION - INFO - conn=1255260 op=1 msgid=2 SEARCH base="ou=people,dc=example,dc=com" scope=2 filter="(uid=abcdef)" attrs="*"
    [04/May/2011:12:24:39 -0400] - SERVER_OP - INFO - conn=1255260 op=1 SEARCH base="ou=people,dc=example,dc=com" scope=2 filter="(uid=abcdef)" attrs="*" s_msgid=498 s_conn=ds_Master1:26072
    [04/May/2011:12:24:39 -0400] - SERVER_OP - INFO - conn=1255260 op=1 SEARCH RESPONSE err=0 msg="" nentries=0 s_conn=ds_Master1:26072
    [04/May/2011:12:24:39 -0400] - OPERATION - INFO - conn=1255260 op=1 SEARCH RESPONSE err=0 msg="" nentries=0 etime=0
    *[04/May/2011:12:24:39 -0400] - DISCONNECT - INFO - conn=1255260 reason="other" msg="Exception caught while polling client connection LDAPS.x.x.x.x.52461 -- javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?"*
    =======================================================
    As seen in the above logs, the initial bind request via LDAPS is routed to Master 2. But the subsequent search request (for user abcdef) is routed to Master 1.
    And finally the DISCONNECT operation came (last line) without a proper unbind.
    Is this alternate routing an expected behavior when client affinity is turned ON? Is this exception causing the application's search failures?
    Please shed some pointers on this..
    Thanks.
    Edited by: Prasee on May 6, 2011 8:07 AM

    Pls see inside:
    > Thanks for the reply. Yes the client is a load balancer in this case. So does it mean that this behavior (sending requests to 2 different DSs in the same connection) is expected? I have a few additional queries that arise from your reply :-)
    > Load balancing algorithm takes precedence "if the request that starts client affinity has not yet occurred"
    > Since it's the load balancer that connects to DPS for any/every request every time, how does the DPS know whether a request that starts client affinity has occurred or not?
    Well, client affinity starts with a certain operation (not by establishing the client<->DPS connection) as specified by your client affinity policy. In your case ("client-affinity-policy:read-write-affinity-after-any") it starts for all operations after the first read or write operation. DPS is not a (network) connection based router, so it does not route the client connection to the data source but forwards the client operations (requests) on dedicated bind, read, write, ... connections to a data source selected by your load balancing and/or client affinity policy.
    > In our case, it's the same connection (conn=1255260) that receives the bind and search requests from the client. So when a connection is established, client affinity should have been enabled and sent the bind request to Master 2 initially, so for the next search request, shouldn't it be sent to Master 2 again?
    No, see above.
    > Sorry for these questions, I am basically trying to understand more about how client affinity works when a load balancer is in between.
    > Coming to the exception,
    > [04/May/2011:12:24:39 -0400] - DISCONNECT - INFO - conn=1255260 reason="other" msg="Exception caught while polling client connection LDAPS.x.x.x.x.52461 -- javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?"
    > Does this abrupt shutdown of the connection mean the search response would have been dropped before reaching the end client (application)?
    Yes, that may be possible ...
    > Thanks for your help !!
    Anyone know why I am getting this error below? #1.5#00101810DF7F00570000057E000012A4000428586D6BCD3D#1170260164912#com.sap.portal.portal#sap.com/irj#com.sap.portal.portal#klm1#50377##lssvrep02_EP2_212781850#klm1#c18d3c00b14511dbc4e300101810df7f#SAPEn