OEL ldap client setup with SSL against OID using either ldaps or starttls

Hi, I've got OID 11.1.1.1.0 running with SSL enabled on port 3132. It's running in mode 2, SSL Server Authentication mode (orclsslauthentication is set to 32). I'd like to set up my OEL 5.3 and Solaris 10 ldap clients to connect to OID using SSL for user authentication. I have everything already working on the non-SSL port (3060), but I need to switch over to SSL. So far I can't get it to work on either OEL or Solaris. Does anyone out there know how to configure the client to use SSL?
Here's my /etc/ldap.conf file on OEL 5.3.
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
URI ldaps://FQDN:3132/
port 3132
ssl yes
host FQDN
base dc=DOMAIN,dc=com
pam_password clear
tls_cacertdir /etc/oracle-certs
tls_cacertfile /etc/oracle-certs/oid-test-ca.pem
tls_ciphers SSLv3
# filter to AND with uid=%s
pam_filter objectclass=posixaccount
#The search scope
scope sub
I have /etc/nsswitch.conf set to check for files first, then ldap
passwd: files ldap
shadow: files ldap
group: files ldap
Here's my /etc/openldap/ldap.conf file
URI ldaps://FQDN:3132/
BASE dc=DOMAIN,dc=com
TLS_CACERT /etc/openldap/cacerts/oid-test-ca.pem
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
TLS_CIPHERS SSLv3
The oid-test-ca.pem is a self-signed cert from the OID server. I also have the hash file configured.
4224de9f.0 -> oid-test-ca.pem
I can run ldapsearch using ldaps and it works fine.
ldapsearch -v -d 1 -x -H ldaps://FQDN:3132 -b "dc=DOMAIN,dc=com" -D "cn=user,cn=users,dc=DOMAIN,dc=com" -w somepass -s sub objectclass=* | more
But when I run the 'getent passwd' command, it only shows me my local user accounts and none of my ldap accounts. I also can't SSH in using a ldap account.
Solaris 10 is actually a whole other beast...I'm using the native Solaris ldap client (not PADL based) and I don't think it even works with SSL unless you're using the default ports (389/636).
Does anyone out there know how to set up the client side for ldap authentication using SSL? Any tips, howto docs, or advice are appreciated. Thanks!

Hello again...
after some research and work together with Oracle Support I found out how to get it to work:
1. You have to create your own ConfigSet in OID using SSL-Server-Authentication (OpenSSL seems not to support SSL-encryption-only). The following link shows how to do that:
http://otn.oracle.com/products/oid/oidhtml/oidqs/html_masters/a_port01.htm
2. Add the following lines to your $HOME/ldaprc
TLS_CACERT /home/frank/oid-caroot.pem
TLS_REQCERT allow
TLS_CIPHERS SSLv3
ssl on
tls_checkpeer no
oid-caroot.pem is the CA-Root Certificate you got during step 1
3. you should now be able to use ldapsearch using SSL
If you still can't connect using SSL you may have run into another issue with OpenSSL which affects systems using OpenSSL version 0.9.6d and above. The problem seems to be caused by a security fix which may not be compliant with the SSL implementation of Oracle.
I opened a bug for that problem with RedHat. This bug description also includes a proposal for a patch which solves the problem (but may introduce some security risks). See the bug at RedHat:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123849
Bye
Frank Berger
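The settings that finally made the connection work in the answer above (TLS_REQCERT allow, tls_checkpeer no, TLS_CIPHERS SSLv3) all have the same effect: the TLS handshake still happens, but the client no longer verifies who it is talking to, and SSLv3 is a protocol version with known padding-oracle attacks. The script below is an added example, not code from Frank or the OID documentation. It audits an nss_ldap/pam_ldap (lower-case keywords) or OpenLDAP ldap.conf (upper-case keywords) file for those settings, and writes the thread's configuration beside a hardened version; the FQDN, base DN and certificate paths are the placeholders used in the thread, and both files are constructed sample input written to a temporary directory.

```shell
#!/bin/sh
# Added example (not code from the original posts): flag LDAP client settings
# that keep the TLS handshake but throw away what it proves. The option names
# are the real nss_ldap/pam_ldap (lower-case) and OpenLDAP ldap.conf
# (upper-case) keywords used in the thread; both config files below are
# constructed sample input, written to a temporary directory.
set -u

# audit_ldap_conf FILE: print one finding per weak line; status 1 if any found.
audit_ldap_conf() {
  f=$1
  found=0
  while read -r key val _rest; do
    case "$key" in ''|'#'*) continue ;; esac
    k=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
    v=$(printf '%s' "$val" | tr 'A-Z' 'a-z')
    case "$k:$v" in
      tls_reqcert:allow|tls_reqcert:never|tls_reqcert:try)
        echo "$f: $key $val: server certificate is never enforced (use demand)"
        found=1 ;;
      tls_checkpeer:no)
        echo "$f: $key $val: server certificate is not checked (use yes)"
        found=1 ;;
      tls_ciphers:sslv3|tls_ciphers:sslv2)
        echo "$f: $key $val: obsolete protocol, padding-oracle attacks apply"
        found=1 ;;
    esac
  done < "$f"
  return $found
}

# write_sample_configs DIR: the thread's settings (weak.conf) beside a
# hardened version (hardened.conf). FQDN, DN and paths are placeholders.
write_sample_configs() {
  cat > "$1/weak.conf" <<'EOF'
URI ldaps://FQDN:3132/
BASE dc=DOMAIN,dc=com
TLS_CACERT /home/frank/oid-caroot.pem
TLS_REQCERT allow
TLS_CIPHERS SSLv3
ssl on
tls_checkpeer no
EOF
  cat > "$1/hardened.conf" <<'EOF'
URI ldaps://FQDN:3132/
BASE dc=DOMAIN,dc=com
TLS_CACERT /home/frank/oid-caroot.pem
TLS_REQCERT demand
# no TLS_CIPHERS line: take the library default instead of pinning SSLv3
ssl on
tls_checkpeer yes
EOF
}

# Stand-alone run: findings for the weak file, a clean bill for the hardened one.
tmp=$(mktemp -d)
write_sample_configs "$tmp"
for c in "$tmp/weak.conf" "$tmp/hardened.conf"; do
  if audit_ldap_conf "$c"; then echo "$c: no weak settings"; fi
done
```

Run the audit over whichever file the consumer actually reads: /etc/ldap.conf for nss_ldap and pam_ldap, /etc/openldap/ldap.conf or ~/.ldaprc for the OpenLDAP command-line tools. With TLS_REQCERT demand the library also requires the name in the URI to match the server certificate, so the URI must use the FQDN the OID certificate was issued for; that is the check "allow" was switching off.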

Similar Messages

  • LDAP setup with SSL - Can't use tls auth type

    I'm trying to configure Solaris 10 to use ldap against my OpenLDAP server with SSL but whenever I try to set the authentication as tls:simple, it gives me an error :
    # ldapclient mod -a authenticationMethod=tls:simple
    Cannot specify LDAP port with tls
    # ldapclient mod -a authenticationMethod=tls
    Unable to set value: invalid authenticationMethod (tls)
    Any ideas how to get this to work - I can do an ldapsearch if I supply a -H ldaps://ldapserver:636 so my certs in /var/ldap are good.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=srv_login,ou=LDAPusers,dc=unix_srv,dc=energy.ge.com
    NS_LDAP_BINDPASSWD= {NS1}c53708877bc6
    NS_LDAP_SERVERS= 10.10.1.14:636
    NS_LDAP_SEARCH_BASEDN= dc=unix_srv,dc=energy.ge.com
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SERVER_PREF= 10.10.1.14:636
    NS_LDAP_CACHETTL= 0
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=unix_srv,dc=energy.ge.com?sub
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=unix_srv,dc=energy.ge.com?sub
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=unix_srv,dc=energy.ge.com?one
    Thanks,
    Jay

    When using TLS you have to specify the FQN for the LDAP server and the port is ALWAYS 636.
    Also, you need to setup up your client to use FQN as well (/etc/hosts).

  • OSB cluster setup with SSL

    Hi,
    Could anyone help me here?
    Cluster setup for OSB with SSL enabled
    1) Admin and 2 Managed servers are running on the same host
    2) cluster domain created in development mode
    3) While starting the second managed server I get the error below..
    <Oct 4, 2010 8:04:58 AM PDT> <Error> <ClusterTimer> <BEA-000000> <Cannot contact Admin server. Therefore constructing the Cluster Authority Current time with
    the time skew 0
    java.rmi.RemoteException: ClusterTimerAuthority error; nested exception is:
    javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://hostname:SSLport: Destination unreachable; nested exception is:
            java.io.IOException: Stream closed.; No available router to destination]
    at com.bea.wli.sb.init.RemoteClusterTimerAuthority.getClusterTimerAuthorityCurrentTime(RemoteClusterTimerAuthority.java:38)
    at com.bea.wli.timer.ClusterTimerService.clusterTimeAuthorityCurrentTimeMillis(ClusterTimerService.java:177)
    at com.bea.wli.timer.ClusterTimerService.initialize(ClusterTimerService.java:88)
    at com.bea.wli.sb.init.FrameworkStarter._preStart(FrameworkStarter.java:221)
    at com.bea.wli.sb.init.FrameworkStarter.access$000(FrameworkStarter.java:79)
    Truncated. see log file for complete stacktrace
    Thanks,
    Sushma.

    I faced the same issue too, but eventually the problem got resolved with the resolution below:
    Resolution: The managed server was not able to connect to t3s://hostname:sslport. The SSL configuration on AdminServer was wrong. After correcting the SSL settings on AdminServer I was able to resolve this error.

  • Solaris 7 ldap client setup

    Hi,
    Please, can anyone help me with setting up an ldap client for Solaris 7? Guidelines, any website or docs would help.
    Thanking you,
    Naren

    hi mukherjee,
    you can configure both Solaris 8 and 9 as ldapclient to SunONE 5.2 installed on a Solaris 9 box. Make sure, though: I think you cannot configure the client on the same machine on which the directory server is installed.
    No, my question is how to set up ldapclient on Solaris 6 and Solaris 7, as both do not support LDAP (Solaris 7 has no nsswitch.ldap). Can you provide me details to configure Solaris 7 as an LDAP client?
    PATEL

  • Java Client FTP with ssl and fxp

    Hi, I'm making a Java FTP client that supports SSL and FXP. I found something for SSL but nothing for FXP. Do you have any information for me regarding Java and FXP?
    Best regards

    Is this going over the internet, a private connection, a VPN over the internet? Are there any logs that show any FTP error codes? If there is a firewall in play, does it show any logs on this connection?

  • Solaris 8 client setup with solaris 9 ldap

    I have managed to install iPlanet Directory Server 5.1 that comes with Solaris 9 using the utility idsconfig. As far as I can tell, all went well. Now I'm trying to initialize a Solaris 8 client to authenticate to the iDS 5.1 on my Solaris 9 box. What do I have to do on the Solaris 8 client to "initialize it"? I've tried using ldapclient on the Solaris 8 client as follows:
    # ldapclient -v -P default x.x.x.x
    but i keep getting the following errors:
    findDN rename(/var/ldap/ldap_client_file.orig, /var/ldap/ldap_client_file) failed!
    findDN rename(/var/ldap/ldap_client_cred.orig, /var/ldap/ldap_client_cred) failed!
    There are no files in /var/ldap. I thought that one uses ldapclient to create them. Am I wrong?
    Also, the output from idsconfig says that a 'NisDomainObject' was added to my domain but looking at the object classes in iDS 5.1, there is no nisdomainobject.
    I also noticed that when I run the command domainname on my Solaris 8 box, there's no output. Do I need to set the domain on my Solaris 8 client? I have the domain defined in /etc/resolv.conf.
    Stewart

    hi Stewart,
    You may find what you are looking for in the following technical note: http://knowledgebase.iplanet.com/ikb/kb/articles/7966.html
    It is called: "Cookbook for Solaris 8 client with Directory Server 5.1/Solaris 9" :-)
    Hope this will help you.
    Cheers / Damien.

  • Ical client setup with 10.6 server

    I have iCal server up and running on my 10.6 server and everything seems to be working right. However, I have set the server side up to use SSL and have opened those ports on my firewall, which works. My problem is that after setting up a user I send out the welcome email and that has the "configure my mac" link, which was done before I changed the iCal server settings to use SSL. And now every time I go in and manually set the server settings to use SSL on the client side and quit and reopen iCal, another account is added without the SSL settings. How do I get it to stop automatically adding an account to iCal?

    This looks like a bug in the iCal client. I, too, have had problems with delegated calendars and end users mistaking events for being missing, not updated or incorrect only because their local copy was not synced with the true copy on the server. The refresh rate on delegated calendars can be changed with the "Refresh calendars: [ Every 1 minute ]" preference. You can verify this by right-clicking or control-clicking on the delegated calendar and choosing "Show CalDAV Queue." This brings up a queue of activity with the iCal Server. You'll note at the top that it mentions "Refresh every 1 minute."
    The problem, of course, is if you quit iCal and recheck the "Show CalDAV Queue" on the delegated calendar, the refresh interval has reverted to some long interval like 300 or 900 minutes. This is a bug, for sure. For now, you can tell your clients not to quit iCal or to refresh manually or reset the refresh interval whenever they restart iCal/their computer, etc.

  • [SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient

    Hi,
    Have just started with Archlinux and trying to set up a VPN tunnel using pptp.
    I have been following the guide at:
    https://wiki.archlinux.org/index.php/Mi … pptpclient
    I want to connect to a service from www.ipredator.se
    Info from them when connection to Windows XP are:
    Enter company name "Ipredator". Click Next.
    Enter "vpn.ipredator.se" as "Host name or IP address".
    I have been given a <USERNAME> and <PASSWORD> from them.
    I got the VPN tunnel up and running in Ubuntu with the settings.
    Only enabled MSCHAPv2
    use MPPE 128 bit
    and allow data compression, BSD, Deflate and TCP header.
    My configuration files:
    options.pptp
    # $Id: options.pptp,v 1.3 2006/03/26 23:11:05 quozl Exp $
    # Sample PPTP PPP options file /etc/ppp/options.pptp
    # Options used by PPP when a connection is made by a PPTP client.
    # This file can be referred to by an /etc/ppp/peers file for the tunnel.
    # Changes are effective on the next connection. See "man pppd".
    # You are expected to change this file to suit your system. As
    # packaged, it requires PPP 2.4.2 or later from http://ppp.samba.org/
    # and the kernel MPPE module available from the CVS repository also on
    # http://ppp.samba.org/, which is packaged for DKMS as kernel_ppp_mppe.
    # Lock the port
    lock
    # Authentication
    # We don't need the tunnel server to authenticate itself
    noauth
    # We won't do PAP, EAP, CHAP, or MSCHAP, but we will accept MSCHAP-V2
    # (you may need to remove these refusals if the server is not using MPPE)
    refuse-pap
    refuse-eap
    refuse-chap
    refuse-mschap
    # Compression
    # Turn off compression protocols we know won't be used
    nobsdcomp
    nodeflate
    # Encryption
    # (There have been multiple versions of PPP with encryption support,
    # choose with of the following sections you will use. Note that MPPE
    # requires the use of MSCHAP-V2 during authentication)
    # http://ppp.samba.org/ the PPP project version of PPP by Paul Mackarras
    # ppp-2.4.2 or later with MPPE only, kernel module ppp_mppe.o
    # Require MPPE 128-bit encryption
    # require-mppe-128
    # http://polbox.com/h/hs001/ fork from PPP project by Jan Dubiec
    # ppp-2.4.2 or later with MPPE and MPPC, kernel module ppp_mppe_mppc.o
    # Require MPPE 128-bit encryption
    # mppe required,stateless
    chap-secrets
    # Secrets for authentication using CHAP
    # client server secret IP addresses
    <USERNAME> pptpd <PASSWORD> *
    I named my tunnel "ipredator"
    /etc/ppp/peers/ipredator
    pty "pptp vpn.ipredator.se --nolaunchpppd"
    name <USERNAME>
    remotename Ipredator
    require-mppe-128
    file /etc/ppp/options.pptp
    ipparam ipredator
    When I try to connect I get following:
    [root@archlinux ppp]# pon $TUNNEL ipredator dump logfd 2 nodetach
    pppd options in effect:
    nodetach # (from command line)
    logfd 2 # (from command line)
    dump # (from command line)
    noauth # (from /etc/ppp/options.pptp)
    refuse-pap # (from /etc/ppp/options.pptp)
    refuse-chap # (from /etc/ppp/options.pptp)
    refuse-mschap # (from /etc/ppp/options.pptp)
    refuse-eap # (from /etc/ppp/options.pptp)
    name <USERNAME> # (from /etc/ppp/peers/ipredator)
    remotename Ipredator # (from /etc/ppp/peers/ipredator)
    # (from /etc/ppp/options.pptp)
    pty pptp vpn.ipredator.se --nolaunchpppd # (from /etc/ppp/peers/ipredator)
    crtscts # (from /etc/ppp/options)
    # (from /etc/ppp/options)
    asyncmap 0 # (from /etc/ppp/options)
    lcp-echo-failure 4 # (from /etc/ppp/options)
    lcp-echo-interval 30 # (from /etc/ppp/options)
    hide-password # (from /etc/ppp/options)
    ipparam ipredator # (from /etc/ppp/peers/ipredator)
    proxyarp # (from /etc/ppp/options)
    nobsdcomp # (from /etc/ppp/options.pptp)
    nodeflate # (from /etc/ppp/options.pptp)
    require-mppe-128 # (from /etc/ppp/peers/ipredator)
    noipx # (from /etc/ppp/options)
    Using interface ppp0
    Connect: ppp0 <--> /dev/pts/1
    MPPE required, but MS-CHAP[v2] auth not performed.
    Connection terminated.
    [root@archlinux ppp]#
    I have not managed to understand way MS-CHAP[v2] auth is not performed.
    Any ideas on what I have missed during my configuration would be most appreciated!
    use code tags instead of quote since they provide scrollers and keep the thread from becoming a mile long -- Inxsible
    Thank you!
    Regards,
    /Christer
    Last edited by agkbill (2011-06-14 15:23:15)

    The problem was that <PASSWORD> was never found.
    What is written after "remotename" in the peers file in the guide ("PPTP") is used to find the password in chap-secrets.
    But in the guide chap-secrets looks like "<USERNAME> pptpd <PASSWORD> *".
    Consequently <PASSWORD> will never be found. It should have been "<USERNAME> PPTP <PASSWORD> *"; then it would have worked OK.
    The solution was to understand how the password was found.
    require-mppe-128 works fine as well.
    Now it looks like this.
    # Secrets for authentication using CHAP
    # client server secret IP addresses
    <USERNAME> PPTP <PASSWORD> *
    pty "pptp vpn.ipredator.se --nolaunchpppd"
    lock
    noauth
    nobsdcomp
    nodeflate
    name <USERNAME>
    remotename PPTP
    require-mppe-128
    #file /etc/ppp/options.pptp
    ipparam ipredator
    Output:
    [root@archlinux ppp]# pon ipredator debug logfd 2 nodetach
    using channel 14
    Using interface ppp0
    Connect: ppp0 <--> /dev/pts/1
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7540313b> <pcomp> <accomp>]
    rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc615076a> <pcomp> <accomp>]
    sent [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc615076a> <pcomp> <accomp>]
    rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x7540313b> <pcomp> <accomp>]
    sent [LCP EchoReq id=0x0 magic=0x7540313b]
    rcvd [LCP EchoReq id=0x0 magic=0xc615076a]
    sent [LCP EchoRep id=0x0 magic=0x7540313b]
    rcvd [CHAP Challenge id=0x46 <be769cd654150cc3dc0fd20bc73c03>, name = "pptpd"]
    sent [CHAP Response id=0x46 <6ce74a85ab09e4ae223bc85f679395f0000000000000000dbb8dc66e8950ab46831b62f5815e015b1e72de1e01a4d00>, name = "<USERNAME>"]
    rcvd [LCP EchoRep id=0x0 magic=0xc616076a]
    rcvd [CHAP Success id=0x46 "S=2694D1D727F2B8C8E402125EA401750011F24F20"]
    CHAP authentication succeeded
    sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
    rcvd [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
    sent [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
    rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
    MPPE 128-bit stateless compression enabled
    sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
    rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr x.x.x.x>]
    sent [IPCP ConfAck id=0x1 <compress VJ 0f 01> <addr x.x.x.x>]
    rcvd [IPCP ConfNak id=0x1 <addr 93.182.150.56>]
    sent [IPCP ConfReq id=0x2 <compress VJ 0f 01> <addr x.x.x.x>]
    rcvd [IPCP ConfAck id=0x2 <compress VJ 0f 01> <addr x.x.x.x>]
    Cannot determine ethernet address for proxy ARP
    local IP address
    remote IP address x.x.x.x
    Script /etc/ppp/ip-up started (pid 1778)
    Script /etc/ppp/ip-up finished (pid 1778), status = 0x0
    All the best!
    /Christer

  • New SAP R/3 Client setup with SRM

    Hi Guys,
    Can anyone guide me if I am deleting my SAP R/3 backend client and setting up a new client then do I need to delete all the current material groups and do an Initial upload by setting up the middleware settings in new R/3 client.
    Also is it necessary to delete the settings of Old middleware settings?
    Please clarify me.
    Thanks !!!!
    Regards,
    Srujank

    Hi Nagarjun,
    If you look at the exporting and importing parameters of your method EXECUTE_SYNC...
    You would find the ABAP equivalent of your Message Type. Hence you know all the fields.
    No, it depends on the business logic, or rather what the RFC is supposed to be requested for, which is filled in as an input parameter to the method.
    This can be an IDoc too; in that case your MT should be similar. Fill in the transmission IDoc values.
    OR you can actually hardcode the values, make your itab, and send it across (as this is just for test purposes).
    Hope this helps.
    Regards
    Abhishek

  • How to Create a Group in OID Using oracle.ldap.util Classes

    Hi, I've searched high and low to find out how to do this, but with no luck. Could someone share the code they would use to do this, please?
    Thank you,
    Dave

    In Active Directory
    "Memberof" and the name of the DN

  • Help with setting up LDAP Client on Oracle Linux 6.4

    Hi,
    I'm having problems getting my Oracle Linux server setup as a ldap client and hoping someone can find where I'm going wrong. We have Oracle/Sun Directory Server 7 with Solaris ldap clients already setup with ssl. We are also using crypt for storing passwords. Here are the steps I have done on the Linux server.
    yum install -y openldap openldap-clients nss-pam-ldapd pam_ldap
    Edited the line FORCELEGACY=no to yes in /etc/sysconfig/authconfig
    Copied the CA certs to /etc/openldap/cacerts
    Ran: authconfig --updateall --enableldap --enableldapauth --ldapserver=zldap1.<domain> --ldapbasedn="o=<domain>,o=isp" --enableldaptls --enableldapstarttls
    Changed pam_password md5 to crypt in /etc/pam_ldap.conf
    Restarted /etc/init.d/nslcd and also tried rebooting.
    I'm seeing the following errors in messages:
    May 21 08:50:01 ryolinux nslcd[1261]: [c79ea8] ldap_start_tls_s() failed: Connect error (uri="ldap://zldap1.<domain>/")
    May 21 08:50:01 ryolinux nslcd[1261]: [c79ea8] failed to bind to LDAP server ldap://zldap1.<domain>/: Connect error
    May 21 08:50:01 ryolinux nslcd[1261]: [c79ea8] no available LDAP server found
    Here is what my /etc/openldap/ldap.conf file looks like:
    TLS_CACERTDIR /etc/openldap/cacerts
    TLS_REQCERT allow
    URI ldap://zldap1.<domain>/
    BASE o=<domain>,o=isp
    Any help would be appreciated.
    Thanks

    Copy cacerts to /etc/openldap/cacerts
    yum install -y openldap ldap-clients nss-pam-ldapd pam_ldap authconfig sssd
    authconfig --enablesssd --enablesssdauth --enablelocauthorize --update
    authconfig --updateall --enableldap --enableldapauth --ldapserver=zldap1.<domain> --ldapbasedn="o=<domain>,o=isp" --enableldaptls --enableldapstarttls
    Add line to /etc/sssd/sssd.conf "ldap_tls_reqcert = allow"
    Change /etc/pam_ldap.conf line:
    pam_password md5 --> pam_password crypt
    service sssd restart
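    Both of the LDAP-client threads on this page point a client at a directory of CA certificates: the first poster's tls_cacertdir with its hand-made "4224de9f.0 -> oid-test-ca.pem" link, and the steps above that copy the CA certs into /etc/openldap/cacerts for TLS_CACERTDIR. OpenSSL finds a CA in such a directory only through a file named after the subject hash, so a PEM file copied in without that link is silently ignored and the handshake fails with exactly the kind of "Connect error" shown in the question. The script below is an added example, not the Oracle or Red Hat procedure: it generates a throw-away self-signed CA named like the one in the thread (constructed test data, not the real OID wallet certificate), builds the hashed links the way cacertdir_rehash/c_rehash do, and proves the directory works with "openssl verify". It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original posts): build the hashed CA directory
# that OpenLDAP's TLS_CACERTDIR / nss_ldap's tls_cacertdir expects, then prove
# the directory works with "openssl verify". The file name oid-test-ca.pem is
# taken from the thread; the CA itself is generated here as a stand-in for the
# real OID wallet CA.
set -eu

# rehash_cadir DIR: create <subjecthash>.N -> file.pem links, like c_rehash.
# Without these links OpenSSL finds no CA in the directory at all.
rehash_cadir() {
  dir=$1
  for pem in "$dir"/*.pem; do
    [ -f "$pem" ] || continue
    h=$(openssl x509 -in "$pem" -noout -hash)
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$pem")" "$dir/$h.$n"
  done
}

# verify_against_cadir DIR CERT: exit 0 only if CERT chains to a CA in DIR.
verify_against_cadir() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# make_test_ca DIR: write a throw-away self-signed CA named like the one in
# the thread (constructed test data, not the real OID certificate).
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=oid-test-ca" \
    -keyout "$1/ca.key" -out "$1/oid-test-ca.pem" >/dev/null 2>&1
}

# demo_cadir: print the path of a fresh directory holding the test CA plus
# its hash link, i.e. what /etc/openldap/cacerts should look like.
demo_cadir() {
  d=$(mktemp -d)
  make_test_ca "$d"
  rehash_cadir "$d"
  printf '%s\n' "$d"
}

# Stand-alone run: list the directory and confirm the CA is found through it.
cadir=$(demo_cadir)
ls -l "$cadir"
verify_against_cadir "$cadir" "$cadir/oid-test-ca.pem" && echo "CA directory OK"
```

    On a real client, run the rehash step against the directory named in TLS_CACERTDIR (or SSSD's ldap_tls_cacertdir) after every certificate change, and then test the link with "openssl verify -CApath DIR server-cert.pem" before touching nslcd or sssd; if that fails, no TLS_REQCERT value other than allow/never will let the bind through, which is the pressure that leads people to set ldap_tls_reqcert = allow instead of fixing the directory.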

  • Crystal Report LDAP authentication with SSL to Business Objects XI 3.1 SP3

    Hi,
    Here is the issue
    Business Objects XI 3.1 SP3
    Crystal report 2008
    LDAP is configured with SSL and working great within BO.
    In Crystal Reports 2008, enterprise authentication worked, but not LDAP with SSL; I got "Security plugin error: Failed to set parameters on plugin."
    If I try LDAP with no SSL, everything's fine. Do I have to set up something on the "workstation" side to be able to use LDAP with SSL?
    *I already tried to disable firewall
    Thanks for your help

    Hi,
    check SAP Notes 1320510 and 1272536
    Hope that helps.
    Regards
    -Seb.

  • Connecting to SSL OID using Apache Directory Studio

    I have an OID instance setup with SSL. SSL settings:
    SSL Authentication: No authentication
    Cipher Suite: All
    SSL Protocol Version: All
    I'm using a wallet which has a cert signed by a CA. When I'm trying to connect to OID using Apache Directory Studio it is failing with SSLHandshakeException and I get no errors in the em console.
    Is there a way to view in apache directory studio what is going wrong?

    Did you import a certificate into your java cacerts file that is being used by your Apache instance?
    -Kevin

  • LDAP/Kerberos issue with DEs

    I'm running arch on workstations with network accounts authenticating using Kerberos/LDAP and with home directories stored in AFS. After upgrading a workstation to systemd and ensuring the authentication works, logging into any DE is extremely slow, as is opening the logout dialog in XFCE.
    Relevant (sanitized) logs (don't mind the different timestamps, the errors are the same each trial):
    arch client:
    error.log:
    Jan 11 11:44:19 myclient polkitd[536]: nss_ldap: could not search LDAP server - Server is unavailable
    Jan 11 11:44:20 myclient polkitd[536]: nss_ldap: could not search LDAP server - Server is unavailable
    Jan 11 11:44:21 myclient polkitd[536]: nss_ldap: could not search LDAP server - Server is unavailable
    Jan 11 11:44:23 myclient dbus-daemon: nss_ldap: could not search LDAP server - Server is unavailable
    Jan 11 11:44:24 myclient dbus-daemon: nss_ldap: could not search LDAP server - Server is unavailable
    Jan 11 11:44:25 myclient dbus-daemon: nss_ldap: could not search LDAP server - Server is unavailable
    Jan 11 11:44:26 myclient dbus-daemon: nss_ldap: could not search LDAP server - Server is unavailable
    auth.log:
    Jan 11 14:26:56 myclient dbus-daemon: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)
    Jan 11 14:26:56 myclient polkitd[605]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache permissions incorrect)
    Jan 11 14:26:56 myclient polkitd[605]: nss_ldap: failed to bind to LDAP server ldap://myserver.mydomain: Local error
    Jan 11 14:26:56 polkitd polkitd[605]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache permissions incorrect)
    Jan 11 14:26:56 polkitd polkitd[605]: nss_ldap: failed to bind to LDAP server ldap://myserver.mydomain: Local error
    Jan 11 14:26:56 polkitd polkitd[605]: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
    everything.log:
    Jan 11 14:26:55 polkitd dbus-daemon: nss_ldap: failed to bind to LDAP server ldap://myserver.mydomain: Local error
    Jan 11 14:26:55 polkitd dbus-daemon: nss_ldap: failed to bind to LDAP server ldap://myserver.mydomain: Local error
    Jan 11 14:26:55 polkitd dbus-daemon: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
    Jan 11 14:26:56 polkitd dbus-daemon: nss_ldap: failed to bind to LDAP server ldap://myserver.mydomain: Local error
    Jan 11 14:26:56 polkitd dbus-daemon: nss_ldap: could not search LDAP server - Server is unavailable
    server syslog:
    Jan 11 14:26:59 myserver slapd[997]: conn=149656 fd=2710 ACCEPT from IP=A.B.C.D:57065 (IP=0.0.0.0:389)
    Jan 11 14:26:59 myserver slapd[997]: conn=149656 op=0 UNBIND
    Jan 11 14:26:59 myserver slapd[997]: conn=149656 fd=2710 closed
    Jan 11 14:26:59 myserver slapd[997]: conn=149657 fd=2710 ACCEPT from IP=A.B.C.D:57066 (IP=0.0.0.0:389)
    Jan 11 14:26:59 myserver slapd[997]: conn=149657 op=0 UNBIND
    Jan 11 14:26:59 myserver slapd[997]: conn=149657 fd=2710 closed
    Logging in via ssh or tty works fine. Window managers (xmonad, i3) work perfectly (i.e., with no delay). DEs (xfce, e17, and kde tested) work but there is a long delay while logging in (and opening the xfce logout dialog). Testing was done by starting the WM/DE with startx. Having dbus-launch lines in .xinitrc does not seem to make a difference in terms of speed for xmonad and i3, and the DEs were started without those lines. LightDM also takes a long time to display the greeter after the xserver has started and the cursor appears. The issue affects both network users and local users.
    http://mindref.blogspot.com/2011/02/dbu … -ldap.html describes this issue and placing nscd before dbus in the daemons array in rc.conf resolved it, but adding "Requires=nscd.service" and "After=nscd.service" to dbus.service does not resolve the issue. Manually (with systemctl) stopping and starting nscd and dbus in the proper order after boot also does not resolve the issue.
    Anyone have any ideas? My guess is that it has something to do with systemd/dbus/polkit because I can't think of anything else relevant that a DE environment would be doing but a WM/ssh session/tty session wouldn't be, but I haven't been able to trace the issue further.
    Thanks

    We have learned that the cause, or at least part of the cause, is due to an issue where workstations that have a special character in the machine name have trouble joining the domain and therefore trouble getting or renewing a Kerberos ticket. In our case, a hyphen in the machine name seemed to be causing the problem. We have not had a case where the issue occurred, then we renamed the machine without using special characters, and then the issue occurred again. I don't think that we have completely solved the issue, but we have made progress.

  • How to fetch data from Mysql with SSL.

    I am using jdk1.5 and mysql 5.0.
    How do I fetch data from MySQL with SSL?
    I am using url = jdbc:mysql://localhost/database?useSSL=true&requireSSL=true.
    It shows an error. How do I fetch?

    I have created certificate in mysql and checked in mysql.
    mysql>\s
    SSL: Cipher in use is DHE-RSA-AES256-SHA
    but how do I fetch data through SSL in Java?
