NetIQ Access Manager 4.1
NetIQ Access Manager Identity Server talking to LDAP user store located behind NetIQ LDAP proxy server
NetIQ LDAP proxy server 1.5
The LDAP Proxy is fronted with the same server certificate that eDirectory uses (that certificate had no issues when the Identity Server talked to eDirectory directly).
Based on the LDAP Proxy logs, the LDAP Proxy appears unable to verify a CA, which it should not need to do for a plain server-side TLS session. A LAN trace of the session to the LDAP user store shows the LDAP Proxy sending the correct CA in its certificate chain, but then asking the IDP server for its client certificate before the handshake fails. Since the LDAP Proxy server has no mutual X.509 authentication settings, this client certificate request cannot be disabled, so the proxy must be able to verify whatever certificate the IDP server presents.
To work around the issue:
- export the Admin Console root CA and import it into the LDAP Proxy's trusted certificate directory
- restart the LDAP Proxy service
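The following script is an added example, not part of the original note and not NetIQ's own tooling. It checks the symptom (whether the proxy sends a TLS CertificateRequest to its client) with openssl s_client, verifies that the exported Admin Console root CA actually chains the certificate the Identity Server presents, and then applies the workaround. Host names, the proxy's trusted-certificate directory, the exported file names and the restart command are placeholders supplied via environment variables; they are assumptions, not product defaults.

```shell
#!/bin/sh
# Added example, not from the original note or the NetIQ product.
# Assumptions (placeholders, not documented defaults): host names, the
# LDAP Proxy trusted-certificate directory, the exported certificate file
# names, and the command used to restart the proxy service.
LDAP_PROXY_HOST="${LDAP_PROXY_HOST:-ldapproxy.example.com}"
LDAP_PROXY_PORT="${LDAP_PROXY_PORT:-636}"
ROOT_CA_PEM="${ROOT_CA_PEM:-adminconsole-rootca.pem}"   # exported from the Admin Console (assumed name)
IDP_CERT_PEM="${IDP_CERT_PEM:-idp-server.pem}"           # certificate the IDP server presents (assumed name)
PROXY_TRUST_DIR="${PROXY_TRUST_DIR:-/path/to/ldapproxy/trustedcerts}"        # assumed path
PROXY_RESTART_CMD="${PROXY_RESTART_CMD:-echo 'restart the LDAP Proxy service here'}"  # assumed command

# Step 1: parse `openssl s_client -msg` output read from stdin.
# Returns 0 when the server sent a CertificateRequest handshake message
# (i.e. it asked the client for an X.509 certificate), 1 otherwise.
# Matches both "TLS 1.2 Handshake [...], CertificateRequest" (OpenSSL 1.0)
# and "TLS 1.2, Handshake [...], CertificateRequest" (OpenSSL 1.1+).
requests_client_cert() {
    grep -q 'Handshake.*CertificateRequest'
}

# Live probe of the proxy (needs network access). No client certificate is
# offered, which reproduces what the trace showed before the handshake failed.
probe_proxy() {
    openssl s_client -connect "$LDAP_PROXY_HOST:$LDAP_PROXY_PORT" -msg </dev/null 2>/dev/null \
        | requests_client_cert
}

# Step 2: confirm the exported root CA really issues the IDP certificate;
# importing a CA that does not chain the presented certificate changes nothing.
ca_signs_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 3: copy the root CA (PEM) into the proxy's trusted directory and restart.
install_root_ca() {
    [ -d "$PROXY_TRUST_DIR" ] || { echo "trust dir $PROXY_TRUST_DIR missing" >&2; return 1; }
    cp "$ROOT_CA_PEM" "$PROXY_TRUST_DIR/" || return 1
    sh -c "$PROXY_RESTART_CMD"
}

apply_workaround() {
    if probe_proxy; then
        echo "proxy requests a client certificate; installing Admin Console root CA"
    else
        echo "proxy did not send a CertificateRequest; look elsewhere" >&2
        return 1
    fi
    if ! ca_signs_cert "$ROOT_CA_PEM" "$IDP_CERT_PEM"; then
        echo "$ROOT_CA_PEM does not verify $IDP_CERT_PEM; wrong CA exported?" >&2
        return 1
    fi
    install_root_ca
}

# Only touch the network and the file system when explicitly asked.
if [ "${1:-}" = "--run" ]; then
    apply_workaround
fi
```

Run it as `sh check-ldapproxy-ca.sh --run` on a host that can reach the proxy and holds the exported PEM files. The probe alone (`probe_proxy`) is a useful first check after the restart too: the CertificateRequest will still appear, since it cannot be disabled; what should change is that a client presenting an Admin Console issued certificate now completes the handshake.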