Referral errors in ZCC when configuring user source

  • 7001779
  • 31-Oct-2008
  • 27-Apr-2012

Environment

Novell ZENworks 10 Configuration Management with Support Pack 1 - 10.1

Situation

ERROR: "Failure to query the user source because of a failed referral. This is most often occurs when DNS is not properly configured for an Active Directory server. See the ZENworks Control Center log file (zcc.log) for the full stack trace."
 
ERROR (from zcc.log):
"28 Oct 2008 09:11:48 ============== Exception (begin) ===========================
28 Oct 2008 09:11:48 Exception occured
com.novell.zenworks.datamodel.exceptions.ReferralFailedException: javax.naming.PartialResultException [Root exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: simple bind failed: DomainDnsZones.organization.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]]"

...
 
Caused by: javax.naming.CommunicationException: simple bind failed: DomainDnsZones.organization.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
 at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:74)

Resolution

Test the user source setup using port 389. If it also fails, or fails intermittently, check that all of the referrals returned from the user source are set up properly:
 
  1. Every fully qualified name in a referral must resolve via DNS (use nslookup and ping from the ZEN server to verify).
  2. If nslookup on the fully qualified name returns more than one IP address, any of those addresses may be used to chase the referral, so each must satisfy 3 and 4 below.
  3. Every server returned in a referral must answer ping from the ZEN server (check network access from the ZEN server to the referred server).
  4. The LDAP or LDAPS port on the referred server must be open to the ZEN server.
Note: The error above is misleading and is usually not a problem with the ZEN server certificates. The User Source setup stores the AD server certificates in its Java certificate store as part of the configuration process. In this case the certificate failure is a consequence of being unable to look up the DNS name returned in the referral.

Additional Information

Additional troubleshooting:
 
Note the name of the server in the zcc.log (in this example DomainDnsZones.organization.com). This is the DNS name that fails to resolve. Additionally, a LAN trace taken with the user source set to cleartext will show the referrals returned by the Active Directory server in the search response.
 
If possible, set the user source to cleartext and capture a LAN trace. Search the trace packets for referral servers. For example:
 
 
Each of these DNS names must be resolvable by the ZENworks server, and each server must be listening on the LDAP or LDAPS port specified in ZCC.
 
Another test:
 
Set the base of the search (ZCC/Configuration/Users/Root Context) to something lower in the tree, for example cn=users,dc=domain,dc=com. If this works, it can serve as a workaround when all users are at that level or below; otherwise it helps isolate where the referrals are being generated.
 
Additionally, use ldapsearch with the -C option to list the referrals.
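As an added example (not part of this TID or of ZENworks), the following Python script automates checklist steps 1 to 4 of the Resolution and the referral listing described in this section: it pulls the referral URIs out of the ref: lines that OpenLDAP ldapsearch prints for search references, resolves each host in DNS, and attempts a TCP connection to every returned address on the referral's LDAP or LDAPS port. The sample LDIF and its hostnames are constructed; the resolver and connector parameters are an assumption of this script, present only so the checks can be exercised without a network.

```python
"""Check Active Directory referral targets the way the TID's checklist does:
resolve each referred host in DNS, then confirm that every returned address
accepts a TCP connection on the LDAP/LDAPS port.  Added example script; it is
not part of the original TID or of ZENworks."""
import re
import socket

# Matches ldap://host/... and ldaps://host:port/... as they appear in AD referrals.
REFERRAL_RE = re.compile(r"(ldaps?)://([^/:\s]+)(?::(\d+))?", re.IGNORECASE)

# Constructed sample: the 'ref:' lines ldapsearch prints when it receives search
# references instead of chasing them.  Hostnames are invented for illustration.
SAMPLE_LDIF = """\
dn: CN=Users,DC=organization,DC=com
objectClass: container

# search reference
ref: ldap://DomainDnsZones.organization.com/DC=DomainDnsZones,DC=organization,DC=com

# search reference
ref: ldaps://ForestDnsZones.organization.com:636/DC=ForestDnsZones,DC=organization,DC=com
"""


def parse_referrals(ldif_text):
    """Return unique (scheme, host, port) tuples for every referral URI in the text.
    The port defaults to 389 for ldap and 636 for ldaps, as LDAP clients do."""
    found = []
    for scheme, host, port in REFERRAL_RE.findall(ldif_text):
        scheme = scheme.lower()
        port = int(port) if port else (636 if scheme == "ldaps" else 389)
        entry = (scheme, host, port)
        if entry not in found:
            found.append(entry)
    return found


def check_referral(host, port, resolver=socket.gethostbyname_ex,
                   connector=socket.create_connection, timeout=5):
    """Steps 1 to 4 of the checklist for one referral target.
    Returns a dict with 'resolved' (list of IPs, empty if DNS lookup fails) and
    'reachable' (IP -> True/False for a TCP connect on the port).  Because a name
    may resolve to several addresses and any of them may be used to chase the
    referral (step 2), every address is tested."""
    result = {"host": host, "port": port, "resolved": [], "reachable": {}}
    try:
        _, _, addrs = resolver(host)
    except OSError:
        # Step 1 fails: this unresolved name is what surfaces as the PKIX
        # "unable to find valid certification path" error in zcc.log.
        return result
    result["resolved"] = addrs
    for ip in addrs:
        try:
            sock = connector((ip, port), timeout=timeout)
            sock.close()
            result["reachable"][ip] = True
        except OSError:
            # Step 3/4 fails: host known, but no answer on the LDAP/LDAPS port.
            result["reachable"][ip] = False
    return result


def referral_ok(result):
    """True only if the name resolved and every address accepted the connection."""
    return bool(result["resolved"]) and all(result["reachable"].values())


if __name__ == "__main__":
    import sys
    # Read ldapsearch output from stdin; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for scheme, host, port in parse_referrals(text):
        r = check_referral(host, port)
        status = "OK  " if referral_ok(r) else "FAIL"
        print(f"{status} {scheme}://{host}:{port} resolved={r['resolved']} "
              f"reachable={r['reachable']}")
```

Run it on the ZEN server as python3 check_referrals.py < referrals.ldif (script name assumed), feeding it the LDIF that ldapsearch produced against the user source; with nothing on stdin it runs against the constructed sample. A FAIL line whose resolved list is empty corresponds to the DNS failure behind the PKIX error quoted above; a FAIL line with an address marked False points at step 3 or 4 of the checklist.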