Error: Can't contact LDAP server in User Directory LDAP SSL certutil

Article ID: 190016

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

The Policy Server cannot connect over SSL to the LDAP User Directory and reports the following error:

[79525/139743374337792][Sun Apr 19 2020 10:10:48]
[SmDsLdapConnMgr.cpp:917][ERROR][sm-Ldap-01370]
SmDsLdapConnMgr Bind. Server
myldap.mydomain.com : 636. Error
81-Can't contact LDAP server


Environment

Policy Server 12.8 SP3 on Red Hat 7


Cause

The LDAP User Store server certificate is tagged as a CA (root) certificate: its trust attributes are C, not P:

$ certutil -L -d /opt/CA/siteminder/certs

  Certificate Nickname                                         Trust Attributes
                                                               SSL,S/MIME,JAR/XPI

  myldapserver                                                 C,C,C
  RootCA                                                       P,,

The server certificate should be trusted as a peer (P), not as a CA (C), as the documentation (1) requires.


Resolution

Set the trust attributes of myldapserver to P,, instead of C,C,C. The current listing is:

  Certificate Nickname                                         Trust Attributes
                                                               SSL,S/MIME,JAR/XPI

  myldapserver                                                 C,C,C
  RootCA                                                       P,,

  # certutil -D -n myldapserver -d /opt/CA/siteminder/certs
  # certutil -A -n myldapserver -t P,, -i myldapserver.crt -d /opt/CA/siteminder/certs
  # certutil -L -d /opt/CA/siteminder/certs

The listing should then show something like:

  Certificate Nickname                                         Trust Attributes
                                                               SSL,S/MIME,JAR/XPI

  myldapserver                                                 P,,

Also set RootCA to C,, instead of P,,: the root certificate must be trusted as a CA, not as a peer.
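A verification script for the trust flags described in the Cause and Resolution sections, added here as an example (it is not part of the article or of the product): it parses the output of certutil -L and flags a server certificate whose SSL trust is not P or a root CA whose SSL trust is not C. The listings embedded in it are constructed samples; on a live system feed it the real output of certutil -L -d /opt/CA/siteminder/certs.

```shell
#!/bin/sh
# Added example, not part of the KB article: audit the trust flags in a
# `certutil -L -d <dir>` listing so the misconfiguration above is caught
# before the Policy Server fails with "Can't contact LDAP server".
# Nicknames come from the article; the listings are constructed samples.

BROKEN_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

myldapserver                                                 C,C,C
RootCA                                                       P,,
'

FIXED_LISTING='
myldapserver                                                 P,,
RootCA                                                       C,,
'

# ssl_flags LISTING NICKNAME: print the flags in the SSL position of the
# trust attributes (the first comma-separated field) for one nickname.
ssl_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        $1 == nick { split($NF, f, ","); print f[1]; exit }'
}

# check_listing LISTING SERVER_NICK CA_NICK: return 0 when the server
# certificate is a trusted peer (P) and the root is a trusted CA (C);
# otherwise report each wrong entry and return 1.
check_listing() {
    rc=0
    server_flags=$(ssl_flags "$1" "$2")
    ca_flags=$(ssl_flags "$1" "$3")
    case $server_flags in
        *P*) ;;
        *) echo "$2: SSL trust is '$server_flags', expected P (trusted peer)"; rc=1 ;;
    esac
    case $ca_flags in
        *C*) ;;
        *) echo "$3: SSL trust is '$ca_flags', expected C (trusted CA)"; rc=1 ;;
    esac
    return $rc
}

# On a live system, feed the real listing instead of the sample:
#   check_listing "$(certutil -L -d /opt/CA/siteminder/certs)" myldapserver RootCA
if check_listing "$BROKEN_LISTING" myldapserver RootCA; then
    echo "trust flags OK"
fi
```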


Additional Information


(1) Configure an SSL Connection to an LDAP Data Store

From the certutil manual page, on the -t option:

       -t trust_arguments

       Specifies the trust attributes to apply to the certificate. The
       three available trust categories are expressed in this order:
       "SSL, email, object signing". In each category position, you can
       use zero or more of the following attribute arguments.

       p

       Valid peer.

       P

       Trusted peer. This argument implies p.

       c

       Valid CA.