Unable to edit RBEs with iManager workstation after eDirectory upgrade

  • 7016862
  • 24-Sep-2015
  • 24-Sep-2015

Environment

NetIQ eDirectory 8.8.SP8
NetIQ Identity Manager iManager Plug-ins
NetIQ iManager 2.7.4.4

Situation

When editing an entitlement policy with iManager workstation, an error is displayed indicating that it was not possible to establish an SSL connection.
To reproduce the problem, use iManager 2.7.7.4 workstation, go through the Identity Manager Administration page (latest plugins, 4.5.1), Features | Role-Based Entitlements Category | Role-Based entitlement, select a driver set, select a Rule in the driver, and click Edit. The following error is displayed:

---
Unable to obtain an LDAP context. Possible causes: the LDAP server is not running, or the LDAP server if for a tree other than the one iManager was originally set up to, and SSL has not been setup between the iManager server and the LDAP server.  Either start the LDAP server, or set up SSL by importing a trusted certificate.
---

Resolution

This problem is only seen after an upgrade, because of a change in the way eDirectory stores information about the interfaces it is listening on. The plugin explicitly checks the content of the ldapInterfaces attribute on the LDAP Server object of the server iManager connects to. If this attribute still has the default values ldap://389 and ldaps://636 (which indicate that LDAP listens on all bound interfaces), the plugin treats the list as empty and attempts to connect to localhost. This is harmless when the plugin runs on the same eDirectory server, but it does not work with iManager workstation (or with iManager running on a different tree).

To work around the problem, the ldapInterfaces attribute can be changed to contain the actual IP address of the server. To do so, go with iManager to LDAP | Ldap Options | View LDAP Servers tab | Select the LDAP server corresponding to the server you use to connect, go to the connections tab and edit the LDAP Interfaces. For example, if the IP address of the server is 10.10.10.1, then the parameters should become ldap://10.10.10.1:389 and ldaps://10.10.10.1:636. Save the changes, and from the Information tab, click on the upper "Refresh" button to restart the LDAP server and make the change effective.

After refreshing the LDAP server, restart iManager workstation and attempt to modify the RBE configuration again; the error message should no longer be displayed.
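The following Python helper is an added example, not part of this TID and not NetIQ code. It models the behaviour the Resolution section describes: ldapInterfaces values in the default port-only form (ldap://389, ldaps://636) carry no host, so a consumer that expects an explicit host ends up at localhost, while the workaround form (ldap://10.10.10.1:389, ldaps://10.10.10.1:636) names the server. The script parses both forms, reports whether a server still carries the default form, rewrites the values with the server's IP address, and emits an LDIF modify for the LDAP Server object. The sample values, the server DN and the IP address are constructed placeholders; the LDAP Server DN in your tree will differ.

```python
"""Inspect and rewrite eDirectory ldapInterfaces values (added example, not NetIQ code)."""
from typing import List, NamedTuple, Optional, Tuple

# Default ports per URL scheme, used when a value names a host but no port.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


class LdapInterface(NamedTuple):
    scheme: str
    host: Optional[str]   # None = "all bound interfaces" (the default port-only form)
    port: int

    def to_value(self) -> str:
        """Render back into the attribute syntax eDirectory uses."""
        if self.host is None:
            return f"{self.scheme}://{self.port}"
        return f"{self.scheme}://{self.host}:{self.port}"


def parse_interface(value: str) -> LdapInterface:
    """Parse one ldapInterfaces value: 'ldap://389', 'ldaps://host:636' or 'ldap://host'."""
    scheme, sep, rest = value.strip().partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported ldapInterfaces value: {value!r}")
    if rest == "":
        return LdapInterface(scheme, None, DEFAULT_PORTS[scheme])
    if rest.isdigit():                      # port only: listen on every bound interface
        return LdapInterface(scheme, None, int(rest))
    host, colon, port = rest.rpartition(":")
    if colon and port.isdigit():            # host:port (also handles "[::1]:636")
        return LdapInterface(scheme, host, int(port))
    return LdapInterface(scheme, rest, DEFAULT_PORTS[scheme])   # host without a port


def needs_workaround(values: List[str]) -> bool:
    """True if any value is still in the host-less default form described in the TID."""
    return any(parse_interface(v).host is None for v in values)


def plugin_connection_target(values: List[str], scheme: str = "ldaps") -> Tuple[str, int]:
    """Model of the behaviour the TID describes: with no explicit host the plugin
    falls back to localhost, which only works when iManager runs on the eDirectory server."""
    for v in values:
        iface = parse_interface(v)
        if iface.scheme == scheme:
            return (iface.host if iface.host is not None else "localhost", iface.port)
    raise LookupError(f"no {scheme} interface configured")


def workaround_values(values: List[str], server_ip: str) -> List[str]:
    """Rewrite host-less entries with the server's real address, as the TID instructs."""
    out = []
    for v in values:
        iface = parse_interface(v)
        if iface.host is None:
            iface = iface._replace(host=server_ip)
        out.append(iface.to_value())
    return out


def workaround_ldif(server_dn: str, values: List[str]) -> str:
    """LDIF 'replace' for the LDAP Server object; the LDAP server still needs the
    Refresh from the Information tab (or an equivalent restart) afterwards."""
    lines = [f"dn: {server_dn}", "changetype: modify", "replace: ldapInterfaces"]
    lines += [f"ldapInterfaces: {v}" for v in values]
    return "\n".join(lines) + "\n"


# Constructed sample: the post-upgrade default form and placeholder identifiers.
CONSTRUCTED_DEFAULT = ["ldap://389", "ldaps://636"]
PLACEHOLDER_IP = "10.10.10.1"
PLACEHOLDER_DN = "cn=LDAP Server - SERVER1,o=ORG-PLACEHOLDER"

if __name__ == "__main__":
    print("default form, target:", plugin_connection_target(CONSTRUCTED_DEFAULT))
    fixed = workaround_values(CONSTRUCTED_DEFAULT, PLACEHOLDER_IP)
    print("workaround form, target:", plugin_connection_target(fixed))
    print(workaround_ldif(PLACEHOLDER_DN, fixed))
```

Run it against the real attribute by reading ldapInterfaces from each LDAP Server object (for example with an ldapsearch over LDAPS) and passing the values to needs_workaround; a server that still reports the default form is one where iManager workstation will hit the error above. Whether you apply the change through iManager as the TID describes or through the generated LDIF, the LDAP server must be refreshed before the new values take effect.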