7019045: LDAP SSL configuration, cannot get MTA directory sync working with LDAP server root cert

This document (7019045) is provided subject to the disclaimer at the end of this document.

Environment

Novell GroupWise 2014 R2 Support Pack 1

Novell GroupWise 2014 R2 Support Pack 1 Hot Patch 1

Novell GroupWise 2014 R2 Support Pack 1 Hot Patch 2

Novell GroupWise 2014 R2 Support Pack 2

Situation

Our online documentation states:
https://www.novell.com/documentation/groupwise2014r2/gw2014_guide_admin/data/adm_secadm_cert_trusted_root.html
“LDAP authentication relies on the presence of a trusted root certificate (often named rootcert.der) located on your LDAP server. For more information, see Section 15.3.4, Providing LDAP Authentication for GroupWise Users.
A trusted root certificate is automatically created for a server when you install an LDAP directory such as NetIQ eDirectory or Microsoft Active Directory on that server.”
In this case, a different host was used for LDAP (10.2.77.42) than the one where GroupWise runs (10.2.76.231).
On the LDAP server I went to /etc/ssl/certs and took RSA_Certificate_1.pem from there (there is no DER file).
The System LDAP server was defined as 10.2.77.42.
Next I enabled SSL and uploaded “RSA_Certificate_1.pem” to my GW server.
No complaints: I can select the imported certificate and all seems to be fine.
If I now run Directory sync, the MTA logs the following error:
12:00:06 B68D Synchronizing Directory eDir-42
12:00:06 B68D Connecting to LDAP server at 10.2.77.42 for Directory eDir-42
12:00:06 B68D LDAP Error connecting to LDAP server at address 10.2.77.42, port 636: 00000051
12:00:06 B68D Synchronization complete for Directory eDir-42
This is exactly the error the customer received in their system.
What works for me:
1. Start iManager.
2. Directory Administration -> Modify Object. Select the desired LDAP server. Go to the Connections tab and check which certificate is used; in my case the SSL DNS one.
3. Directory Administration -> Modify Object. Now select the SSL DNS object.
4. Go to the Certificates tab.
5. Select the SSL DNS certificate and click Validate, then highlight it again and click Export.
6. Select the Trusted Root Certificate tab.
7. Certificates -> organizational CA version; deselect Export private key, leave the DER file format and click Next.
8. Save the certificate file.
If I use that manually exported DER-format file in the LDAP SSL config, all works:
12:19:37 B695 Synchronizing Directory eDir-42
12:19:37 B695 Connecting to LDAP server at 10.2.77.42 for Directory eDir-42
12:19:37 B695 Checking Dom1.PO2.another-user
12:19:37 B695 Checking Dom1.PO2.imanager1-r2
12:19:37 B695 Checking Dom1.PO2.imanager2-r2
12:19:37 B695 Checking Dom2.PO3.user1-r2
12:19:37 B695 Checking Dom2.PO3.user2-R2
12:19:37 B695 Checking Dom2.PO3.user3-r2
12:19:37 B695 Checking group Dom2.PO3.C1
12:19:37 B695 Disconnecting from LDAP server for Directory eDir-42
12:19:37 B695 Synchronization complete for Directory eDir-42
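The two runs above differ only in which certificate file was uploaded: the PEM file picked up from /etc/ssl/certs on the LDAP host failed, while the organizational CA exported from iManager in DER format worked. The following shell script is an added example (not part of this TID and not GroupWise or eDirectory code) that lets an administrator check, before uploading anything, whether a candidate file is actually a trusted root that validates the LDAP server's certificate, and converts a PEM root to DER. It assumes only that the openssl command-line tool is installed; the CA name, host name and file names are constructed for the demonstration, and the throwaway PKI it builds stands in for the real eDirectory organizational CA and server certificate.

```shell
#!/bin/sh
# Added example, not from the TID. Assumes: openssl is installed.
# All certificate subjects and file names below are constructed.
set -eu

# Build a throwaway PKI that mirrors the page's situation: a self-signed
# organizational CA (the trusted root) and a server certificate issued by it
# (the counterpart of RSA_Certificate_1.pem found under /etc/ssl/certs).
make_constructed_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$dir/ca.key" -out "$dir/org-ca.pem" \
        -subj "/O=Constructed/CN=Constructed Organizational CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/O=Constructed/CN=ldap.constructed.test" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/server.csr" \
        -CA "$dir/org-ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" >/dev/null 2>&1
}

# Return 0 if CANDIDATE is a self-signed certificate that also validates
# SERVER_CERT, i.e. a usable trusted root for that LDAP server; 1 otherwise.
# A server's own certificate fails both checks, which is the mistake the
# first MTA log above results from.
cert_is_trusted_root_for() {
    candidate="$1"
    server_cert="$2"
    # A trusted root must validate itself (it is its own issuer) ...
    openssl verify -CAfile "$candidate" "$candidate" >/dev/null 2>&1 || return 1
    # ... and must validate the server certificate presented on port 636.
    openssl verify -CAfile "$candidate" "$server_cert" >/dev/null 2>&1 || return 1
    return 0
}

# Convert a PEM certificate to DER, the format the iManager export produces
# and the GroupWise LDAP SSL configuration accepted in the working run.
pem_to_der() {
    openssl x509 -in "$1" -inform PEM -outform DER -out "$2"
}

# Return 0 if FILE parses as a DER-encoded X.509 certificate.
der_is_valid_cert() {
    openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1
}

# Demonstration: try both files from the constructed PKI as the root.
demo() {
    work=$(mktemp -d)
    make_constructed_pki "$work"
    for f in org-ca.pem server.pem; do
        if cert_is_trusted_root_for "$work/$f" "$work/server.pem"; then
            echo "$f: usable as trusted root for the LDAP server"
        else
            echo "$f: NOT a trusted root (the server certificate itself)"
        fi
    done
    pem_to_der "$work/org-ca.pem" "$work/org-ca.der"
    echo "org-ca.der: $(wc -c < "$work/org-ca.der") bytes of DER"
    rm -rf "$work"
}
demo
```

On a real system, replace the constructed files with the certificate actually served on port 636 (obtainable with `openssl s_client -connect HOST:636 -showcerts`) and the candidate root file; if `cert_is_trusted_root_for` fails for the candidate, it is the wrong file, and the organizational CA should be exported from iManager as described in the steps above.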

Resolution

This has been reported to engineering.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.
