LDAP Error 34: Invalid dn syntax.

  • 10067272
  • NOVL67878
  • 04-Jan-2002
  • 27-Feb-2006

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.

Fact

GroupWise Support Pack 2

Novell GroupWise 6

GroupWise LDAP Authentication

Authenticating to a different NDS tree for LDAP

Symptom

LDAP Error 34: Invalid dn syntax.

Cause

GroupWise was building an invalid distinguished name to be passed to LDAP for the other tree

Fix

The dn is reported as invalid because of the way the GroupWise Post Office Agent builds the distinguished name that is passed to the LDAP server. GroupWise takes the typeful distinguished NDS name of the user and converts it to an LDAP typeful distinguished name. Thus, cn=user.ou=org.o=novell.t=novell_tree becomes cn=user, ou=org, o=novell.tree=novell_tree. Since the authentication is being done to an external tree, the tree name will obviously not match and the authentication will fail.

There are two possible solutions to this problem. The first is to populate the LDAP Authentication field on the GroupWise Account tab of the user's properties. This should be populated with the LDAP distinguished name without the tree name:
cn=user, ou=org, o=novell
This will have to be done for each user.
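
Because the field has to be filled in per user, the value can be derived from each user's typeful NDS name. The following is an added example, not Novell code: nds_to_ldap_dn and its helpers are hypothetical names, the list of accepted attribute types is an assumption, and the handling of backslash-escaped dots in NDS names is an assumption about the input. It drops the tree component and escapes values per RFC 4514; pass sep=", " to get the spacing used in this article.

```python
import re

# Attribute types accepted in the output DN (assumed list). "t" (tree) is an
# NDS-only component with no counterpart on the external LDAP server.
LDAP_TYPES = {"cn", "ou", "o", "l", "c", "dc"}
TREE_TYPES = {"t"}

def split_nds(name):
    """Split a dotted NDS name on dots that are not backslash-escaped."""
    return [p for p in re.split(r"(?<!\\)\.", name.strip().lstrip(".")) if p]

def escape_rfc4514(value):
    """Escape an attribute value for use inside an LDAP DN string."""
    out = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    return "\\" + out if out.startswith("#") else out

def nds_to_ldap_dn(name, sep=","):
    """Convert a typeful NDS name to an LDAP DN without the tree name."""
    rdns = []
    for part in split_nds(name):
        attr, eq, value = part.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        if not eq or not value:
            raise ValueError(f"typeless or empty component: {part!r}")
        if attr in TREE_TYPES:
            continue  # the tree name must not reach the LDAP server
        if attr not in LDAP_TYPES:
            raise ValueError(f"unexpected attribute type: {attr!r}")
        value = value.replace("\\.", ".")  # undo NDS dot escaping
        rdns.append(f"{attr}={escape_rfc4514(value)}")
    if not rdns:
        raise ValueError("nothing left after removing the tree component")
    return sep.join(rdns)

if __name__ == "__main__":
    # First name is the article's example; the second is constructed.
    for nds in ("cn=user.ou=org.o=novell.t=novell_tree",
                "cn=Smith, J\\.R.ou=org.o=novell.t=novell_tree"):
        print(nds, "->", nds_to_ldap_dn(nds, sep=", "))
```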

The other solution requires GroupWise 6 Support Pack 2 or later. If the LDAPX.DLL for Windows or the LDAPX.NLM for NetWare is renamed in the directory where the POA executables are found, then the POA will use the NDS Email Address Attribute to authenticate. This attribute is populated automatically by GroupWise if Internet Addressing is enabled. The POA then passes the mail attribute as well as the password supplied by the user logging in to authenticate against LDAP. The other tree must have an exact match in the email address attribute for the authentication to be successful.

There are three GroupWise LDAP modules:

ldapx.nlm
ldapssl.nlm
ldapsdk.nlm

The modify date on the LDAP modules shipped with GroupWise 6.5 Support Pack 2 is 1/13/2003.

The modify date on the LDAP modules shipped with NetWare 6.5 Support Pack 2 is 11/14/2003.

One customer reported that the problem with LDAP Error 34 was resolved by backrevving the LDAP modules to the Nov 14 version. They also had to rename the LDAPX.nlm to LDAPX.old.

NOTE: This method is not supported for authentication via LDAP to Active Directory.
If AD authentication is desired and this does not work for the administrator, then the only other recourse is to input the LDAP authentication credentials into each user's properties.
GWPORT32.exe does not work. LDIFF does not work to do this either. DirXML does, but as of 2.27.06 no free version is supported for this.
