Security Attributes with Multiple/NULL values

I have a couple of situations where I can't seem to get the authorization component working as I need it to work for a database source.
1) In the first case, I have two attributes set for "grant security attributes" in the data source, one of which has a single attribute value, and the other which has multiple values, e.g.
I want to set "grant security attributes" to something like "client_id role_id" where for my dataset, client_id will always be a single numeric value, but I might have multiple role_ids that can view this record. How do I specify in my data source query those multiple attribute values? I tried separating them with spaces, e.g.
SELECT ...
'A B' role_id
FROM
where "A" and "B" represent unique values (looking to match A OR B). I also tried delimiting them with commas, but neither spaces nor commas seems to work consistently.
On the authorization end, using oracle.search.plugin.security.auth.db.DBAuthManager as the authorization plug-in, I have the authorization query set as
SELECT client_id, security_lvl as role_id from test_user_id where user_id = ?
Each user may have more than one role, so in the above query, security_lvl could be something like "B C"; I'm assuming from the documentation that the delimiter for attribute values in this case should be a space.
The crawler logs make it appear that everything is getting indexed, so I suspect the issue is on the authorization front.
2) In the second case, one of my security attributes for the data source may be NULL, meaning that there's no particular authorization restriction on a particular record, so to use the same example as in #1,
role_id might be NULL for some records, in which case, I want those records returned in the search if the client_id matches, but I can't get the records with the NULL role_id to be returned at all. Again, the crawler logs indicate that everything is being indexed, and I'm not sure if there's a log where I can further troubleshoot authorization issues.
Any guidance would be appreciated.
Thanks

1) The security attributes are OR'd together so if the user has any ONE of the attributes (either client ID or role ID), the document can be seen by the user. What I would try is to create a view to call rather than directly against the table. The view can then leverage a PL/SQL function and encapsulate the logic behind the security tokens to return.
So the view would look like this...
CREATE OR REPLACE VIEW USER_SECURITY_V AS
SELECT
USER_T.ID,
MY_SECURITY_FUNCTION(USER_T.ID) AS AUTH_ID
FROM
USER_T
The PL/SQL function would look something like this...
CREATE OR REPLACE FUNCTION MY_SECURITY_FUNCTION(USER_ID NUMBER) RETURN VARCHAR2 IS
BEGIN
  -- Do whatever you need to do to build a single space-delimited list of tokens
  -- for both Client and Role ID, e.g. "CLIENTID4 ROLEID5 ROLEID9", then return it.
  RETURN NULL; -- placeholder so the stub compiles; replace with the token list
END;
The data source authorization query then would look like this...
SELECT AUTH_ID FROM USER_SECURITY_V A WHERE A.ID = ?
Using a PL/SQL Function to control the tokens gives you the flexibility of modifying security without having to touch the data source directly.
2) I don't quite follow. If any ONE of the tokens match, the document is returned. If the role ID is null, you might try stamping each document with a "master" security token indicating it's open to everyone such as "ALL". Then in the PL/SQL Function, return "ALL" in front of the actual values.
The crawler logs will only tell you what is indexed at crawl time, not how searching is actually working. Try checking the server logs. These should be under something like oracle/ses/seshome/search/base_domain/servers/AdminServer/logs
Hope this helps!
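
An added example, not part of the thread and not Oracle SES code: a small Python model of the matching rule stated in the reply above (a document is visible when the user holds any one of its tokens). It goes one step beyond the reply by comparing its flat token list with composite client-plus-role tokens; the `C4_RA` / `C4_ANY` token formats, the function names and the sample rows are constructed for illustration.

```python
# Added example: models "any one shared token grants access" as described in
# the reply. It is an assumption-based model, not the SES matching code.

def can_see(doc_tokens, user_tokens):
    """OR semantics: a single token in common is enough."""
    return bool(set(doc_tokens.split()) & set(user_tokens.split()))


# --- Flat scheme, following the reply: "CLIENTID4 ROLEID5 ROLEID9" + "ALL" ---

def flat_doc(client_id, roles):
    """Tokens stamped on a record; a NULL/empty role list gets the ALL token."""
    tokens = ["CLIENTID%s" % client_id]
    tokens += (["ROLEID%s" % r for r in roles] if roles else ["ALL"])
    return " ".join(tokens)


def flat_user(client_id, roles):
    """Tokens the authorization query returns; ALL goes in front, as suggested."""
    return " ".join(["ALL", "CLIENTID%s" % client_id] +
                    ["ROLEID%s" % r for r in roles])


# --- Composite scheme (constructed): one token per (client, role) pair ------

def composite_doc(client_id, roles):
    """A NULL role list becomes C<client>_ANY: open to that client only."""
    if not roles:
        return "C%s_ANY" % client_id
    return " ".join("C%s_R%s" % (client_id, r) for r in roles)


def composite_user(client_id, roles):
    """The user always holds the per-client ANY token plus one token per role."""
    return " ".join(["C%s_ANY" % client_id] +
                    ["C%s_R%s" % (client_id, r) for r in roles])


# Constructed sample data: (client_id, role_ids); None models a NULL role_id.
DOCS = {
    "doc1": (4, ["A", "B"]),   # client 4, roles A or B
    "doc2": (4, None),         # client 4, no role restriction
    "doc3": (7, ["B"]),        # client 7, role B
}
USERS = {
    "u4_roleBC": (4, ["B", "C"]),
    "u4_roleC": (4, ["C"]),
    "u7_roleB": (7, ["B"]),
}


def visibility(doc_fn, user_fn):
    """Return {user: sorted list of documents that user can see}."""
    result = {}
    for user, (u_client, u_roles) in USERS.items():
        user_tokens = user_fn(u_client, u_roles)
        result[user] = sorted(
            doc for doc, (d_client, d_roles) in DOCS.items()
            if can_see(doc_fn(d_client, d_roles), user_tokens)
        )
    return result


if __name__ == "__main__":
    for label, doc_fn, user_fn in (("flat", flat_doc, flat_user),
                                   ("composite", composite_doc, composite_user)):
        print(label)
        for user, docs in visibility(doc_fn, user_fn).items():
            print("  %-10s -> %s" % (user, ", ".join(docs) or "(none)"))
```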

Similar Messages

  • Problem in summation on a column with possible null values

    Hi,
    I want to do summation on a column.
    If I use <?sum(amount)?>, if there is any null value, it's giving NaN as output.
    From the forum I got the below syntax
    <?sum(AMOUNT[number(.)!='NaN'])?>
    but it is also not giving me the expected result. It always displays 0.
    I want something like sum(NVL(amount,0)). Could somebody please help me out?
    Thanks in Advance,
    Thiru

    If the column has many, many null values, and you want to use the index to identify the rows with non-null values, this is a good thing, as a B*Tree index will not index the nulls at all, so, even though your table may be very large, with many millions of rows, this index will be small and efficient, cause it will only contain index entries for those rows where the column is not null.
    Hope that helps,
    -Mark

  • Object would have more then one attribute with the tag :VALUE

    I'm creating a new component in Ultiboard - a 100 pin connector.  This connector (Hirose) has 4 rows of 25 pins. Alternate rows are staggered. I'm trying to name each pin with its appropriate name: A1, A2, A3 ....A50. Then B1, B2, B3 .....B50.
    When I change the VALUE or NUMBER attribute, I get the DRC error  message:
    This action cannot be completed because the resulting Object would have more then one attribute with the tag :VALUE
    Please remove one of the attributes and try again.
    Okay, so I've tried deleting the tag and now I can't name the pin at all. 
    What am I missing?

    You should be in the footprint editor to edit the pin name.  Select tools>>Database>>Database Manager, highlight the component in your database and click on the Edit icon.  In the footprint editor, double click on the pad and a SMT or THT pin Properties dialog appears, select the Attributes tab and highlight the Number row, press the change button and you should be able to change the pin name.   
    Tien P.
    National Instruments

  • Is there a difference between primary key and unique key with not null valu

    What is the difference in having a column as primary key and having unique key with not null for the column.
    vinodh

    SBH wrote:
    For quick review, below is the link
    http://www.dba-oracle.com/data_warehouse/clustered_index.htm
    You appear to have stumbled on a site that is a mine of disinformation about Oracle.
    >
    It would be helpful, if you explain it too..thnx !!
    The site is wrong and makes up its own terminology as it goes along.
    If the value for clustering factor approaches the number of blocks in the base table, then the index is said to be clustered. http://www.oracle.com/pls/db112/search?remark=quick_search&word=clustered+index
    There is no create clustered index in Oracle.
    - Clustering factor affects the efficiency of an index.
    - There can be clustered tables that you can create indexes on.
    - An Index Organized table is a similar concept to the Microsoft SQL Server clustered index, but it isn't the same thing at all.

  • CreateInsert and LOV with multiple return values

    HI. I am on Build JDEVADF_11.1.2.3.0_GENERIC_120914.0223.6276.1
    I have a View Object which is based on Entity Object.
    View Object has customer_name and customer_id attributes.
    customer_name attribute has LOV (input field with LOV) based on some other View Object (which of course holds customer name and customer id data)
    I defined that when LOV returns the chosen values it will populate customer_name with "Customer Name" value and customer_id with "Customer Id" value
    All attributes are updatable
    I dropped my View Object on the page and also "CreateInsert" button. When I click on "CreateInsert" button, I can see new row added as expected, customer_name field has LOV. I can choose from LOV and can see customers and customer_id data. But when I click OK in the LOV pop-up only customer_name attribute is populated!
    I do see that customer_id is returned from LOV (I implemented ReturnPopupEvent listener), but still the customer id remains empty.
    I thought maybe I need to add LOV as auto submit = true and set LOV to be a partial trigger for customer_id. But still - it didn't help
    However, if I run Application Module tester, I do get what I want. I can create new row and when I change customer name , both customer name and customer id fields are populated
    Please advise

    Hi Michael,
    On Lov VO, make sure you have at least one or combination of attributes as Key attribute. and re test.
    Thanks,
    Jeet

  • Mapping problem with Multiple destination values

    Hi,
    I recently started to work on SAP MDM as a beginner. I am posting this message to get some help to solve the problems that I encountered as I run the SAP.
    For example, we can sub-categorize a 'Product' as Food>ProcessedFood>Frozen Food>Pizzas'. However, notice that there exists the same Node name under the 'Commodity' as following two categories show.
    Product>Food>Processed Food>Frozen Food>Pizzas
    Commodity>Food>Processed Food>Frozen Food>Pizzas
    The Node name, 'Pizzas', under two different categories has few attributes such as A, B, C, and D. When I tried mapping these attributes at Map Field/Values Tab under the import manager, I ended up getting warning messages due to the overlapping.
    The message says "One or more of the source values were mapped to multiplz destination values. Some of the mapped destination values may need to be unmapped before performing the import."
    Does anyone have an idea to solve this overlapping problem?
    I will really appreciate your answer.
    Edited by: coolpsy on Jun 8, 2010 4:27 AM
    Edited by: coolpsy on Jun 8, 2010 7:55 AM

    Hi,
    As per my understanding, there are two categories as shown by you
    Product>Food>Processed Food>Frozen Food>Pizzas
    Commodity>Food>Processed Food>Frozen Food>Pizzas
    and you want to link Attributes with specific correct Category say Product not with Commodity. So in order to avoid overlapping, try using option Split Hierarchy. For more details Please refer below Article: refer page 11-15/20
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/308c62a2-5faa-2a10-fda6-fa4aa7169734?quicklink=index&overridelayout=true
    Also refer, http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/6090d0bd-1da7-2a10-468f-bdd17badb396?quicklink=index&overridelayout=true
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/8090941f-a5a7-2a10-3ba6-b4af5ec6d97b?quicklink=index&overridelayout=true
    Just check and revert with Result if it helps..
    Regards,
    Mandeep Saini

  • How to replace a "notfound" output with a null value?

    hi,
    I'm just getting a output of "Rows Notfound" for a script..
    instead of this , i just need to show the output with a record as null value or some value..
    do we have any option to use this in oracle..

    Apart from capturing with an exception in PL/SQL code, if you're wanting something in a script as pure SQL, you'd have to generate an additional row and only select that where no data is found e.g...
    SQL> ed
    Wrote file afiedt.buf
      1  select ename from emp where ename = 'FRED'
      2  union all
      3* select 'No Data' from dual where not exists (select * from emp where ename = 'FRED')
    SQL> /
    ENAME
    No Data
    SQL>
    Of course this does effectively double up on the queries being executed, so if you're dealing with a heavily complex query, it may be best just to have the regular exception come out, but then this will also depend on your actual requirements and why you want to do this in the first place.

  • Grand Total with few NULL values in column.

    Hi All,
    In my requirement, I have few null values in the column and I have to show those null values as it is( can't use IfNull function).
    Am I able to do a grand total in such a scenario..?
    I am using OBIEE 11.1.1.3
    Thanks,
    Archie

    HI Archie,
    Are you using the "Grand Total" option that comes with the view?.I don't think there will be any issue , it will ignore the null values while calculating the total.
    Rgds,
    Dpka

  • How to avoid SYSTEM_NO_TASK_STORAGE  with multiple single values variable

    Hi experts,
    I am trying to do a distribution with reference data standard SAP function.
    Fields to be changed:
    ZPDHIER2 (Economic Group II)
    ZPDHIER3 (Economic Group III)
    ZPDCLIENT (Client)
    Fields for condition:
    KEY FIGURE NAME
    Fields for reference:
    KEY FIGURE NAME
    ZPDSTATUS (Status)
    FISCPER3 (Fiscal Period)
    The parameters group is like:
    Fields for condition:
    Key figure: ZM_070 (one of the key figures)
    Fields for reference:
    Key figure: ZMONT_TN
    FISCPER3: 001
    Status: DE
    - "Only distribute not assigned" is checked
    I do not want the data to be distributed by any ZPDHIER2, ZPDHIER3 and ZPDCLIENT so I have restricted these characteristics in the planning level by some variables. These variables are user exit type and return multiple single values.
    The issue regarding this message is that when I execute this function, depending on the size of the data brought by ZPDCLIENT user exit variable, this dump might or might not occur. As for the testing I've done, I realize that if the number of clients exceeds 500, dump will occur.
    This multiple single values variable (or any other solution) must be prepared for 3900 clients, and this number is expected to increase.
    Has anyone faced the same problem?
    Hope you can provide me some help regarding this issue.
    Thanks in advance,
    André Oliveira

    Hi Wadih saad,
    I think the memory is not sufficient to hold the load. Check your swap space and memory during the client export and also check whether there is sufficient space in the hard disk to hold the export files.
    You must have calculated the client size by using the test run. This size must be available as free space in hard disk to do the export.
    Make the available space and do the export it will work.
    Regards,
    Maheswaran J

  • ODI - Issue with handling null value

    Hi,
    I have a flat file as below. When I am trying to load the data file into Essbase through ODI, I am not able to load. If I give the null value as 0, I'm able to load the file into Essbase. If we pass 0 in place of null value, blocks will be created in Essbase and it might cause the performance issue.
    Account,Product,Customer,Version,Year,BU,Data
    A1,P1,C1,V1,2010,BU1,7677
    A2,P2,C2,V2,2010,BU2,0908
    A3,P3,C3,V1,2010,BU3,
    Can any one help if there is any way to handle the null values to load the data into Essbase?
    Your help is more important to us as it is one of the critical one we are facing.
    Thanks
    V D Reddy

    Hi
    I am not using any query.
    Data column is empty (no data) for few records in my flat file. After the data load is done to Hyperion Essbase, in the excel retrieve should show me as #Missing. But ODI is defaultly loading it as 0 into Essbase.
    Is there any way to load it as #Missing?
    Thanks
    V D Reddy

  • N:1 mapping problem with incoming NULL value

    Dear experts,
    i have a problem mapping an incoming Idoc to XML file. Here's the situation:
    1) Structure of inbound Idoc
        ZTST00
        ZTST01 Structure: FIELDNAME, FIELDVALUE. Values: FIELDNAME = "Z1", FIELDVALUE = "4";
        ZTST01 Structure: FIELDNAME, FIELDVALUE. Values: FIELDNAME = "Z2", FIELDVALUE = null;
        ZTST01 Structure: FIELDNAME, FIELDVALUE, Values: FIELDNAME = "ZABC", FIELDVALUE = "5";
        ZTST01 Structure: FIELDNAME, FIELDVALUE. Values: FIELDNAME = "Z4", FIELDVALUE = "6";
        ZTST02
    2) Resulting XML:
        LINEHEADER (1 line)
        LINEDETAIL (1 line, Structure: VALUE)
        LINEFOOTER (1 line)
    3) I need to map ZTST01-FIELDVALUE to LINEDETAIL-VALUE, but only if the FIELDNAME equals "ZABC".
    In my message mapping, i put an IF FIELDNAME = 'ZABC' THEN FIELDVALUE->VALUE, on context ZTST00. But because of the null value in line 2 of the Idoc, the value that is returned to the XML is "6", as the null value is disregarded and not in the queue of FIELDVALUE.
    How can I put the correct value ("5") to LINEDETAIL-VALUE?
    Regards
    William

    Hi William,
    Simply go back to the default context ZTST01 (for both: FIELDNAME and FIELDVALUE fields) and it should be fine.
    Hope this helps,
    Greg

  • Copy using Variables with multiple single values in BEX

    Hi,
    I have a requirement wherein on executing the planning function, the system should take the FROM and TO values of 0FISCPER and copy the data accordingly.
    Source variable is 'Single Value'.
    Target variable is 'Multiple Single Value'.
    I tried to give the Command Range as below:
    $A$30:$C$31.
    The button sequence is as below:
    VAR_NAME_1      0         ZFISCPER
    VAR_VALUE_1     0
    VAR_NAME_2      1         ZFISCPER_M
    VAR_VALUE_2     1
    In the Analyzer, I entered the values as
    In A30, VAR_NAME_1     0     =C20
    In A31, VAR_NAME_2     1     =C21:C24
    The values that I entered are as below:
    C20 =   2007001 - Source value
    C21 =   2007002 - Target values
    C22 =   2007003
    C23 =   2007004
    C24 =   2007005.
    The problem that I'm facing is the system is unable to identify the multiple values that I enter for Target Fiscper and it displays as :#VALUE!
    How to enter multiple single values and reference them accordingly?
    Rgds,
    Shyam

    Hi,
    I have tried to enter multiple single values as below:
    VAR_VALUE_1     0     000  - Source
    VAR_VALUE_1     1     003  -  Target
    VAR_VALUE_2     1     010
    VAR_VALUE_3     1     080
    VAR_VALUE_4     1     099
    When I tried to execute the planning function, the system copies the data from version 000 to ALL versions irrespective of values entered above.ie:
    1
    2
    3
    10
    80
    99
    100
    110
    Rgds
    Shyam

  • Createrow() with some null values for attributes errors out

    I am trying to insert rows from one table to another table.
    I get all the values from source table to be inserted into the destination table and set the row attributes as required.
    Row newrow = (Row)MAToolingVO.createRow();
    MAToolingVO.insertRow(newrow);
    newrow.setAttribute("InventoryItemId", new Number(InvItemId));
    newrow.setAttribute("OrganizationId", new Number(102));
    newrow.setAttribute("Machine", new Number(Machine));
    newrow.setAttribute("SetNumber", new Number(SetNumber));
    newrow.setAttribute("ToolSequence", tseqNum);
    newrow.setAttribute("FamilyCode", Family);
    newrow.setAttribute("ClassCode", Class1);
    newrow.setAttribute("ToolingItem", ToolingItem);
    newrow.setAttribute("ToolingItemId", ToolingItemId);
    newrow.setAttribute("Description", ToolingDesc);
    // added these rows because it was throwing NPE -- these are user inputs, they should be null at the time of row creation and user can save them null too.
    newrow.setAttribute("InsertDesc", "-");
    newrow.setAttribute("Grade", "-");
    newrow.setAttribute("ExtraLength", new Number(0));
    newrow.setAttribute("ToolLength", new Number(0));
    // after adding these rows, NPE is gone, but it still doesn't commit to the database. WHY ?
    newrow.setNewRowState(Row.STATUS_INITIALIZED);
    poRow.setAttribute("CheckBox", Boolean.TRUE);
    If user enters values in all the fields : InsertDesc, grade, ExtraLength, ToolLength , then row gets commited to db, else not.
    Also none of the fields are mandatory and can be null.
    please suggest.
    thanks

    Anyone on this, please?
    When I create a new row, columns for primary keys and other values get set correctly, but if the user doesn't input some value in text fields of the newly created row, they don't get saved to the db.
    I even tried defaulting some values to the optional attributes, but it still doesn't work.

  • Apex_item select list to be displayed with multiple default values

    I am using APEX 4.2.
    For one of our requirements , we are displaying a report which uses "apex_item.select_list_from_query" multiselect field.
    The above function accepts a parameter, 'p_value' using which we can specify the default value to be highlighted.
    Is there any way to highlight multiple values on the select list by default, when the page is loaded, based on a sql output.
    Sample Scenario:
    Say colour is a multiselect field. Full list of values available : R, B, G, Y, O
    On day1, for record1 i am choosing R and B. which I am saving in the backend when the page is submitted.
    On day2 : I login again to see the report. When the report is loaded, I should see the values 'R' and 'B' highlighted or in a different font format , differentiated from the rest.
    Thanks in advance for your replies.
    Regards,
    Raasi
    Edited by: 878815 on Mar 11, 2013 10:23 PM

    878815 wrote:
    I am using apex_item.select_list_from query. and then a piece of javascript to concatenate as a colon delimited string. This is the function I am using in the report sql,
    apex_item.hidden(20,null)||apex_item.select_list_from_query(6,null,'<sql>','multiple size = "6" onChange="Multi(this)"','NO' ) as col_1
    I think 'multiple size' is a custom attribute and APEX has no clue about it.
    javascript code:
    function Multi(p_this)
    {
      var l_selected=html_SelectValue(p_this);
      if (l_selected.constructor == Array) l_selected=l_selected.join(':');
      p_this.parentNode.firstChild.value = l_selected;
      return l_selected;
    };
    What is this apex_item.hidden used for.. placeholder?
    Maybe populate the hidden item with default value as colon delimited string and on page load use some JavaScript to read that string and set/highlight the select list.
    It would be easy if you can replicate the issue on apex.oracle.com

  • Secure LDAP with Multiple DPS's on Single Physical Server

    I am having an issue connecting to the directory server over SSL via the directory proxy server. I have enabled SSL and tested successfully in some situations, however this situation is unique.
    DPS 5.2 patch 4
    Directory Server patch 4
    I have applied the necessary hotfixes from sun to resolve the SSL issues.
    There are 3 physical servers. 2 of those servers each have 2 instances of directory proxy server running. The 3rd server has 2 separate Directory Server instances running (1 for enterprise authentication, 1 for Access Manager). Each physical proxy server has 1 instance running for each Directory server instance (1 enterprise LDAP, 1 AM LDAP). All 4 proxy instances can connect successfully to the Directory Masters over the unsecure ports (389 for enterprise LDAP, 55389 for AM LDAP). On the proxy servers, only the initial proxy instance can connect to the secure port successfully. For instance, on server 1 first the DPS for enterprise LDAP was installed then a DPS for AM LDAP was added. Only the enterprise proxy instance can connect successfully over SSL. On server 2 initially the AM LDAP instance was installed and then an enterprise LDAP instance was added. In this case only the AM LDAP instance can connect successfully.
    For both instances of the proxy the appropriate certificates have been installed and verified. I can use the dps-instance-cert8.db for the working and non working DPS instances and successfully connect to the Directory Master using ldapsearch from the directory proxy server.
    When I do ldapsearch I receive the following error on the second instances:
    ldap_simple_bind: Can't contact LDAP server
    SSL error -12271 (SSL peer cannot verify your certificate.)
    Certificates:
    bash-2.05$ /jes/ds52/shared/bin/certutil -L -d /jes/ds52/alias -P dps-instance1-
    LDAP Development Pu,u,u
    CMS SUN CERTIFICATE AUTH 2023 CT,,
    bash-2.05$ /jes/ds52/shared/bin/certutil -L -d /jes/ds52/alias -P dps-instance2-
    LDAP Development Pu,u,u
    CMS SUN CERTIFICATE AUTH 2023 CT,,
    Each use the same server cert, the host is "*.test.com", using the asterisk so the hostname shouldn't matter.
    DPS INSTANCE 1 - Success
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   385609] TCP_NODELAY was set on socket 3
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   310200] Success with enabling socket 16 for blocking
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   323705] ( xxx.xx.xxx.xx+ 636) syncConnection success.
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   385609] TCP_NODELAY was set on socket 16
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [TRACE] [   520503] Connection established to condo101.cms.hhs.gov
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   300771] Promoting socket 16 via socket 1.
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   300751] Socket 16, success with SSL_HANDSHAKE_AS_CLIENT
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   385701] Success with sessionPromote to SSL for socket 16.
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   385704] Success with setting SSL_AuthCertificateHook callback
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   385705] Success with setting SSL_BadCertHook callback
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   385706] Success with setting SSL_HandshakeCallBack
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   302019] Success with SSL_SetPKCS11PinArg (socket 16)
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   385748] SSL_SetURL skipped on socket 16 (null url)
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   385803] Success with SSL_ResetHandshake as client (socket 16)
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   385739] Certificate possesses valid times on socket 16
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   385745] For socket 16, pinArg does possess a value.
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   302024] Success with CERT_VerifyCertNow (checking signature, usage: "certUsageSSLServer").
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   385725] Certificate accepted on socket 16
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   300754] Success with handshake on socket 16
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   385746] SSL_ForceHandshake success on socket 16
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [TRACE] [   171210] [client(       xxx.xxx.xxx.xxx,   3)] [server(  xxx.xx.xxx.xx+  636,  16)] Connection via SSL session
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [STAT/CONN] [   171211] [client(       xxx.xxx.xxx.xxx,   3)] Accepting connection via network-group-1
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   310200] Success with enabling socket 3 for blocking
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   300771] Promoting socket 3 via socket 0.
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   300750] Socket 3, success with SSL_HANDSHAKE_AS_SERVER
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   385701] Success with sessionPromote to SSL for socket 3.
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   385704] Success with setting SSL_AuthCertificateHook callback
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   385705] Success with setting SSL_BadCertHook callback
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   385706] Success with setting SSL_HandshakeCallBack
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   300801] Success with setting SSL_REQUEST_CERTIFICATE (1)
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   300802] Success with setting SSL_REQUIRE_CERTIFICATE (0)
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   300405] Success with SSL configuration on socket 3
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   385803] Success with SSL_ResetHandshake as server (socket 3)
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   300406] Success with SSL promotion on socket 3
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [TRACE] [   390307] [client(       xxx.xxx.xxx.xxx,   3)] [server(  xxx.xx.xxx.xx+  636,  16)] Success with OnSSLEstablished rule... continuing
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   300754] Success with handshake on socket 3
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   385713] Read on socket 3. Received 42 byte(s)
    May 10 2007 09:44:18 server123 SunONEDPS[ 24710]: [DETAIL_TRACE] [   385716] ber_get_next (socket 3) returned complete PDU
    DPS INSTANCE 2 - FAILING
    ldapsearch -h server123 -p 55636 -P /<serverroot>/alias/dps-server123-cert8.db -D "cn=directory manager" -s base -w adminjes -b dc=cms,dc=hhs,dc=gov objectclass=*
    ldap_simple_bind: Can't contact LDAP server
    SSL error -12271 (SSL peer cannot verify your certificate.)
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [TRACE] [   300901] Successful match of xxx.xxx.xxx.xxx+36383 against ALL
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [TRACE] [   110999] In permit_connection_from_ip(), The counter for IP:xxx.xxx.xxx.xxx is now 2 and the limit is 0
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385609] TCP_NODELAY was set on socket 15
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   310200] Success with enabling socket 16 for blocking
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   323705] ( xxx.xx.xxx.xx+55636) syncConnection success.
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385609] TCP_NODELAY was set on socket 16
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [TRACE] [   520503] Connection established to condo101.cms.hhs.gov
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   300771] Promoting socket 16 via socket 1.
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   300751] Socket 16, success with SSL_HANDSHAKE_AS_CLIENT
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385701] Success with sessionPromote to SSL for socket 16.
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385704] Success with setting SSL_AuthCertificateHook callback
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385705] Success with setting SSL_BadCertHook callback
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385706] Success with setting SSL_HandshakeCallBack
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   302019] Success with SSL_SetPKCS11PinArg (socket 16)
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385748] SSL_SetURL skipped on socket 16 (null url)
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385803] Success with SSL_ResetHandshake as client (socket 16)
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385739] Certificate possesses valid times on socket 16
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385745] For socket 16, pinArg does possess a value.
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   302024] Success with CERT_VerifyCertNow (checking signature, usage: "certUsageSSLServer").
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385725] Certificate accepted on socket 16
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   300754] Success with handshake on socket 16
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385746] SSL_ForceHandshake success on socket 16
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [TRACE] [   171210] [client(       xxx.xxx.xxx.xxx,  15)] [server(  xxx.xx.xxx.xx+55636,  16)] Connection via SSL session
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   310200] Success with enabling socket 15 for blocking
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   300771] Promoting socket 15 via socket 0.
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   300750] Socket 15, success with SSL_HANDSHAKE_AS_SERVER
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385701] Success with sessionPromote to SSL for socket 15.
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385704] Success with setting SSL_AuthCertificateHook callback
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385705] Success with setting SSL_BadCertHook callback
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385706] Success with setting SSL_HandshakeCallBack
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   300801] Success with setting SSL_REQUEST_CERTIFICATE (1)
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   300802] Success with setting SSL_REQUIRE_CERTIFICATE (1)
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   300405] Success with SSL configuration on socket 15
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385803] Success with SSL_ResetHandshake as server (socket 15)
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   300406] Success with SSL promotion on socket 15
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [TRACE] [   390307] [client(       xxx.xxx.xxx.xxx,  15)] [server(  xxx.xx.xxx.xx+55636,  16)] Success with OnSSLEstablished rule... continuing
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [NOTICE] [   385721] Read on socket 15 failed.
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [NOTICE] [   385721] SSL_ERROR_BASE + 3, NSPR error: -12285 (0xffffd003). Native errno is: 11
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385714] ber_get_next (socket 15) returned LBER_DEFAULT
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385714] SSL_ERROR_BASE + 3, NSPR error: -12285 (0xffffd003). Native errno is: 11
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [EXCEPTION] [   301006] Unexpected error on socket 15. (Error: -12285).
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [TRACE] [   190401] [server(  xxx.xx.xxx.xx+55636,  16)] Input was not a BER encoding or connection closed: source( xxx.xxx.xxx.xxx, 15)
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [TRACE] [   190401] [server(  xxx.xx.xxx.xx+55636,  16)] SSL_ERROR_BASE + 3, NSPR error: -12285 (0xffffd003). Native errno is: 11
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   171505] [server(  xxx.xx.xxx.xx+55636,  16)] Entering recycle_inner_connection
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   301201] Closing connection to: xxx.xx.xxx.xx+55636 (socket 16)
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   301201] Closing connection to: xxx.xxx.xxx.xxx (socket 15)
    May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [TRACE] [   110998] In done_connection_from_ip(), The counter for IP:xxx.xxx.xxx.xxx is now 1 and the limit is 0

    In these situations it's important to separate SSL level issues from LDAP issues. I've had good results using "openssl s_client" to investigate and debug SSL/TLS level issues. I point it at the LDAP server and it sets up a connection handling the SSL layers and giving lots of diagnostics about SSL and the X.509 certificates in use.
    Try looking for things like whether the SubjectAltName and/or Issuer's CN contain the same hostname you are using to connect.
    After giving you the diagnostics it will be waiting with your stdin/stdout connected to the application via SSL (which could make you think it's hanging). Since you're probably not going to be typing the LDAP protocol by hand you want to abort s_client at this point (or type something that Directory Server will reject as an LDAP protocol error).
    You can get openssl from the usual places: blastwave.org & sunfreeware.com.
    Hopefully this will help,
    -Scott-
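
Separating the TLS layer from the LDAP layer, as the reply advises, can start from the proxy trace itself. The Python sketch below is an added example, not part of the original posts: it reads a few lines copied from the trace above, works out which leg of the proxy each socket belongs to, and classifies the error number by its NSS range. The function names are hypothetical; the error names are the NSS constants for those offsets from SSL_ERROR_BASE.

```python
import re

# Excerpt copied from the trace above.
SAMPLE = """\
May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   300751] Socket 16, success with SSL_HANDSHAKE_AS_CLIENT
May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   385725] Certificate accepted on socket 16
May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   300754] Success with handshake on socket 16
May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   300750] Socket 15, success with SSL_HANDSHAKE_AS_SERVER
May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [DETAIL_TRACE] [   300802] Success with setting SSL_REQUIRE_CERTIFICATE (1)
May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [NOTICE] [   385721] Read on socket 15 failed.
May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [NOTICE] [   385721] SSL_ERROR_BASE + 3, NSPR error: -12285 (0xffffd003). Native errno is: 11
May 10 2007 10:05:17 server123 SunONEDPS[ 26275]: [EXCEPTION] [   301006] Unexpected error on socket 15. (Error: -12285).
"""

SSL_ERROR_BASE = -0x3000  # NSS: SSL error numbers start at -12288
SSL_ERROR_NAMES = {2: "SSL_ERROR_NO_CYPHER_OVERLAP",  # offsets from the base
                   3: "SSL_ERROR_NO_CERTIFICATE",
                   4: "SSL_ERROR_BAD_CERTIFICATE"}
ROLE = re.compile(r"Socket (\d+), success with SSL_HANDSHAKE_AS_(CLIENT|SERVER)")
DONE = re.compile(r"Success with handshake on socket (\d+)")
ERROR = re.compile(r"\[EXCEPTION\].*error on socket (\d+)\. \(Error: (-?\d+)\)")

def classify(code):
    """Return (layer, name) for an NSS/NSPR error number."""
    offset = code - SSL_ERROR_BASE
    if 0 <= offset < 1000:  # NSS reserves 1000 numbers for SSL errors
        return "TLS", SSL_ERROR_NAMES.get(offset, f"SSL_ERROR_BASE + {offset}")
    return "other", str(code)

def triage(log_text):
    """Attribute each EXCEPTION line to a proxy leg and a protocol layer."""
    leg, done, findings = {}, set(), []
    for line in log_text.splitlines():
        if m := ROLE.search(line):
            # Proxy acting as TLS server means the socket faces the LDAP client.
            leg[m[1]] = "client-facing" if m[2] == "SERVER" else "backend-facing"
        elif m := DONE.search(line):
            done.add(m[1])
        elif m := ERROR.search(line):
            layer, name = classify(int(m[2]))
            findings.append({"socket": m[1], "leg": leg.get(m[1], "unknown"),
                             "layer": layer, "error": name,
                             "handshake_done": m[1] in done})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On the excerpt it reports a single TLS-layer finding, SSL_ERROR_NO_CERTIFICATE on the client-facing socket 15 before that handshake finished, which points the investigation at the TLS exchange between the LDAP client and the proxy rather than at LDAP itself.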
