Cannot change the simple or UP password of a user after upgrading to OES2018SP1

  • 7023971
  • 25-Jun-2019
  • 25-Jun-2019

Environment

Open Enterprise Server 2018 SP1 (OES 2018 SP1) Linux
Open Enterprise Server 2015 SP1 (OES 2015 SP1) Linux
iManager 3.1.3
eDirectory 9.1.3

Situation

Several plugins (those that use LDAPS) fail after upgrading from OES2015SP1 to OES2018SP1:

- NMAS error -1681 when changing a user's UP

- Groups plugin reports it is unable to obtain a valid LDAP context.

- Changing the simple password results in:
Simple password could not be set. Unable to create a LDAP connection using SSL to eDirectory server.
Creating secure SSL LDAP context failed.

Resolution

1. Recreate the iMKS keystore:
systemctl stop novell-tomcat
mv /var/opt/novell/tomcat/webapps/nps/WEB-INF/iMKS /tmp
systemctl start novell-tomcat

Other causes:

2. Ensure the TreeName provided during login is:
- not 127.0.0.1 or localhost
- resolvable to the CN of the LDAP server certificate

Note: if the tree name is not resolvable via DNS or SLP, create a DNS server A record or a local /etc/hosts.nds file pointing to a copy of root.
Example:

MYTREE.            192.168.1.170

The trailing period is important so that the domain is not appended.

3. Symptoms like this can also result from the certificate not having the IP address in the Subject Alternative Name (only the DNS name in the subject).
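
The check described in items 2 and 3, as an added example that is not part of the original TID: it compares the address entered at login with the names found in a text dump of the LDAP server certificate. The host name oes1.example.com, the two certificate excerpts and the function names are constructed for illustration, and the matching is a simplification (exact match, no wildcards).

```bash
#!/bin/bash
# Added example (not from the TID). Checks the address typed at the iManager
# login against the names in the LDAP server certificate. Input is the text
# dump of that certificate, e.g.:
#   openssl s_client -connect <server>:636 </dev/null 2>/dev/null \
#     | openssl x509 -noout -text
# Assumption: exact, case-insensitive matching; wildcards are not handled.

# Constructed excerpt: DNS name only, no IP address in the SAN (item 3).
CERT_DNS_ONLY='        Subject: O=MYTREE, CN=oes1.example.com
            X509v3 Subject Alternative Name:
                DNS:oes1.example.com'

# Constructed excerpt: the same names plus the IP address in the SAN.
CERT_DNS_AND_IP='        Subject: O=MYTREE, CN=oes1.example.com
            X509v3 Subject Alternative Name:
                DNS:oes1.example.com, IP Address:192.168.1.170'

# cert_names TEXT KIND: print the certificate's names of KIND (dns or ip),
# one per line, lower-cased. "dns" includes the subject CN.
cert_names() {
    case "$2" in
        ip)  printf '%s\n' "$1" | grep -o 'IP Address:[^,]*' | sed 's/^IP Address://' ;;
        dns) printf '%s\n' "$1" | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
             printf '%s\n' "$1" | sed -n 's|^ *Subject:.*CN *= *\([^,/]*\).*|\1|p' ;;
    esac | tr -d ' \r' | tr 'A-Z' 'a-z'
}

# check_login TEXT ADDRESS: print a verdict; return 0 on match, 1 on
# mismatch, 2 for loopback addresses (item 2).
check_login() {
    addr=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$addr" in
        127.0.0.1|localhost)
            echo "REJECT: $2 is a loopback address"; return 2 ;;
        *[!0-9.]*) kind=dns ;;  # anything beyond digits and dots: host name
        *)         kind=ip  ;;  # digits and dots only: IPv4 address
    esac
    if cert_names "$1" "$kind" | grep -qxF -- "$addr"; then
        echo "OK: $2 is a $kind name in the certificate"; return 0
    fi
    echo "MISMATCH: $2 is not a $kind name in the certificate"; return 1
}

check_login "$CERT_DNS_ONLY" 192.168.1.170 || true   # MISMATCH: the item 3 symptom
check_login "$CERT_DNS_AND_IP" 192.168.1.170 || true # OK
```

A MISMATCH for an IP address while the DNS name reports OK points to item 3: log in with the DNS name or reissue the server certificate with the IP address in the Subject Alternative Name.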

Cause

This failure is caused by novell-imanager.rpm not deleting the old iMKS file, which contains the keystore type values as JKS. This was fixed in standalone iManager 3.1.3 by deleting the old JKS file. Once someone logs into iManager, it imports the certificate into the trust store automatically and validates it against the server certificate during secure LDAP connections.