Identity Server cannot communicate with LDAP User Store fronted by LDAP Proxy server

  • 7016725
  • 04-Aug-2015
  • 04-Aug-2015

Environment

NetIQ Access Manager 4.0
NetIQ Access Manager 4.1
NetIQ Access Manager Identity Server talking to LDAP user store located behind NetIQ LDAP proxy server
NetIQ LDAP proxy server 1.5

Situation

A NetIQ LDAP Proxy server is set up in front of an eDirectory server, and it works fine with an LDAP client and from the Access Manager Administration Console (the Root CA imports and validates without error). However, when a user tries to authenticate to this LDAP server from the Access Manager Identity Server (IDP), the authentication fails.

The LDAP Proxy is fronted with the same certificate that eDirectory is using (which had no issues).

Based on the LDAP Proxy logs it appears that the LDAP proxy cannot verify the CA, which it should not need to do. In a LAN trace of the session to the LDAP user store, the LDAP Proxy appears to send the correct CA in the chain, but then asks the IDP server for its client certificate before failing. Since the LDAP proxy server has no mutual X.509 authentication settings, this client certificate request cannot be disabled.

Resolution

A bug exists on the LDAP proxy server that is known to engineering and is planned to be fixed in the next release of the LDAP proxy server.

To work around the issue:

- export the Admin Console root CA and import it into the LDAP Proxy's trusted certificate directory
- restart the LDAP proxy service


Cause

The LDAP proxy server always requests the client certificate during the SSL handshake, even though client certificate authentication is not enabled. In response to this client certificate request, the Identity Server returns the Admin Console root certificate. The LDAP proxy cannot validate that certificate and the handshake fails. Adding the Admin Console root certificate to the LDAP proxy trust store allows the validation to complete.
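The behaviour described above (a TLS server sending a CertificateRequest during the handshake even though mutual authentication is not configured) can be confirmed without a LAN trace by reading an `openssl s_client` transcript. The following is an added example and not part of this TID or of the NetIQ products: it classifies a saved transcript by whether the LDAPS endpoint asked for a client certificate and lists the issuer names it advertised as acceptable. The hostname `ldapproxy.example.com` is a placeholder, and both embedded transcripts are constructed to mirror the two cases in this article (proxy that requests a client certificate, eDirectory that does not).

```shell
# Added example, not from the TID: classify a saved `openssl s_client`
# transcript by whether the LDAPS endpoint sent a TLS CertificateRequest,
# i.e. whether it asks the connecting Identity Server for a client certificate.
# Capture a transcript against a live endpoint (placeholder host) with:
#   openssl s_client -connect ldapproxy.example.com:636 </dev/null 2>/dev/null > handshake.txt
# openssl prints "Client Certificate Types:" and/or
# "Acceptable client certificate CA names" only when a CertificateRequest arrived.

classify_handshake() {
    # Reads a transcript on stdin; prints one of two labels.
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -Eq '^(Acceptable client certificate CA names|Client Certificate Types:)'; then
        echo "requests-client-cert"
    else
        echo "no-client-cert-request"
    fi
}

list_acceptable_cas() {
    # Prints the issuer DNs the server advertised as acceptable, one per line
    # (empty if no CertificateRequest was sent or its CA list was empty).
    awk '
        /^Acceptable client certificate CA names/ { grab = 1; next }
        grab && (/^---/ || /^Client Certificate Types:/) { grab = 0 }
        grab { print }
    '
}

# Constructed transcript: proxy that requests a client certificate
# (the faulty behaviour the TID describes).
SAMPLE_REQUESTING='CONNECTED(00000003)
---
Certificate chain
 0 s:/O=EXAMPLE/CN=ldapproxy.example.com
   i:/O=EXAMPLE/OU=Organizational CA
---
Acceptable client certificate CA names
/O=EXAMPLE/OU=Organizational CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 2101 bytes and written 469 bytes
---
    Protocol  : TLSv1.2'

# Constructed transcript: endpoint that never asks for a client certificate
# (eDirectory reached directly).
SAMPLE_PLAIN='CONNECTED(00000003)
---
Certificate chain
 0 s:/O=EXAMPLE/CN=edir.example.com
   i:/O=EXAMPLE/OU=Organizational CA
---
No client certificate CA names sent
---
SSL handshake has read 1834 bytes and written 443 bytes
---
    Protocol  : TLSv1.2'

# Stand-alone run: report both samples.
printf '%s\n' "$SAMPLE_REQUESTING" | classify_handshake
printf '%s\n' "$SAMPLE_REQUESTING" | list_acceptable_cas
printf '%s\n' "$SAMPLE_PLAIN" | classify_handshake
```

If the proxy reports `requests-client-cert` while no mutual authentication is configured, the connecting client will answer the request with whatever certificate it holds, and the proxy must be able to validate that certificate (here, by trusting the Admin Console root CA) or the handshake fails.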