Trying to get HP Service Manager v7.01 to use secure LDAP to authenticate to eDir

Hello:
We use secure LDAP to authenticate many clients in our env so we know 
our certs work.

We are trying to get HP Service Manager v7.01 to authenticate against 
eDir, without much success.
Any ideas as to what the problem might be would help.
If secure LDAP was not working, many things in our env would have stopped 
working.


Results from DSTRACE on LDAP Server (eDir 8.8 SP2 on NW 6.5 SP7):
14:11:14 96625540 00000000 LDAP: New cleartext connection 0x9b0151c0 from 127.0.0.1:29414, monitor = 0x921, index = 46
14:11:14 9150E600 00000000 LDAP: Connection 0x9b0151c0 closed
14:12:01 96625540 00000000 LDAP: New TLS connection 0x9b0151c0 from 172.25.130.106:3880, monitor = 0x921, index = 46
14:12:01 A0705180 00000000 LDAP: Monitor 0x921 initiating TLS handshake on connection 0x9b0151c0
14:12:01 9150E600 00000000 LDAP: DoTLSHandshake on connection 0x9b0151c0
14:12:01 9150E600 00000000 LDAP: TLS accept failure 1 on connection 0x9b0151c0, setting err = -5875. Error stack:
    error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca - SSL alert number 48
14:12:01 9150E600 00000000 LDAP: TLS handshake failed on connection 0x9b0151c0, err = -5875
14:12:01 9150E600 00000000 LDAP: BIO ctrl called with unknown cmd 7
14:12:01 9150E600 00000000 LDAP: Server closing connection 0x9b0151c0, socket error = -5875
14:12:01 9150E600 00000000 LDAP: Connection 0x9b0151c0 closed
14:12:16 96625540 00000000 LDAP: New TLS connection 0x9b0151c0 from 198.89.18.141:1552, monitor = 0x921, index = 46
14:12:16 A0705180 00000000 LDAP: Monitor 0x921 initiating TLS handshake on connection 0x9b0151c0
14:12:16 9150E600 00000000 LDAP: DoTLSHandshake on connection 0x9b0151c0
14:12:16 9150E600 00000000 LDAP: BIO ctrl called with unknown cmd 7
14:12:16 9150E600 00000000 LDAP: Completed TLS handshake on connection 0x9b0151c0
14:13:03 96625540 00000000 LDAP: New TLS connection 0x9b015320 from 172.25.130.106:3917, monitor = 0x921, index = 47
14:13:03 A0705180 00000000 LDAP: Monitor 0x921 initiating TLS handshake on connection 0x9b015320
14:13:03 9150E600 00000000 LDAP: DoTLSHandshake on connection 0x9b015320
14:13:03 9150E600 00000000 LDAP: TLS accept failure 1 on connection 0x9b015320, setting err = -5875. Error stack:
    error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca - SSL alert number 48
14:13:03 9150E600 00000000 LDAP: TLS handshake failed on connection 0x9b015320, err = -5875
14:13:03 9150E600 00000000 LDAP: BIO ctrl called with unknown cmd 7
14:13:03 9150E600 00000000 LDAP: Server closing connection 0x9b015320, socket error = -5875
14:13:03 9150E600 00000000 LDAP: Connection 0x9b015320 closed
14:13:10 96625540 00000000 LDAP: New TLS connection 0x9b015320 from 172.25.130.106:3922, monitor = 0x921, index = 47
14:13:10 A0705180 00000000 LDAP: Monitor 0x921 initiating TLS handshake on connection 0x9b015320
14:13:10 9150E600 00000000 LDAP: DoTLSHandshake on connection 0x9b015320
14:13:10 9150E600 00000000 LDAP: TLS accept failure 1 on connection 0x9b015320, setting err = -5875. Error stack:
    error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca - SSL alert number 48
14:13:10 9150E600 00000000 LDAP: TLS handshake failed on connection 0x9b015320, err = -5875
14:13:10 9150E600 00000000 LDAP: BIO ctrl called with unknown cmd 7
14:13:10 9150E600 00000000 LDAP: Server closing connection 0x9b015320, socket error = -5875
14:13:10 9150E600 00000000 LDAP: Connection 0x9b015320 closed
Richard
1/29/2009 9:11:22 PM
novell.edirectory.netware
4 Replies, 983 Views
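As an added example (not part of Richard's post and not a Novell tool), here is a small POSIX shell/awk triage of DSTRACE output like the trace above. It pairs each "New TLS connection" with the handshake result for that connection id (ids such as 0x9b0151c0 are reused once a connection closes, so state is reset on every new connection), reports the TLS alert number per client, and maps the number to its RFC 5246 name. The sample input is the trace from the post with the mail-client line wrapping undone and the repeated Monitor/DoTLSHandshake/BIO lines abridged; the "BIO ctrl called with unknown cmd 7" line also appears on the connection that succeeds, so it is noise, not the error. The field positions in the awk patterns assume the line layout shown in the post. What the summary makes visible: the alert is something the server reads (SSL3_READ_BYTES), so it was sent by the client at 172.25.130.106, which is rejecting the certificate chain the server presents, while the client at 198.89.18.141 completes a handshake against the same server, so the server side of the TLS setup is working.

```sh
#!/bin/sh
# Added example: triage eDirectory DSTRACE LDAP output by TLS connection.
# Not part of the original post or of any Novell tool. Expects the raw
# "LDAP:" trace lines (unwrapped) on stdin.

# Map TLS alert numbers (RFC 5246 section 7.2) to their names.
alert_name() {
  case "$1" in
    40) echo handshake_failure ;;
    42) echo bad_certificate ;;
    43) echo unsupported_certificate ;;
    45) echo certificate_expired ;;
    46) echo certificate_unknown ;;
    48) echo unknown_ca ;;
    *)  echo "alert_$1" ;;
  esac
}

# classify_trace: one line per TLS connection, "<peer> <conn-id> OK" or
# "<peer> <conn-id> FAIL <alert-number>". Connection ids are reused after
# close, so the state for an id is reset on each "New TLS connection" line.
classify_trace() {
  awk '
    /LDAP: New TLS connection/ {           # $8 = conn id, $10 = "ip:port,"
      id = $8; peer = $10; sub(/,$/, "", peer)
      src[id] = peer; alert[id] = "none"
    }
    /LDAP: TLS accept failure/ {           # $11 = "conn-id,"; alert line follows
      cur = $11; sub(/,$/, "", cur)
    }
    /SSL alert number/ {                   # read by the server, so sent by the client
      alert[cur] = $NF
    }
    /LDAP: TLS handshake failed/ {         # $10 = "conn-id,"
      id = $10; sub(/,$/, "", id)
      print src[id], id, "FAIL", alert[id]
    }
    /LDAP: Completed TLS handshake/ {      # $NF = conn id
      print src[$NF], $NF, "OK"
    }'
}

# summarize: aggregate classify_trace output per client address (port dropped).
summarize() {
  classify_trace | awk '
    { split($1, a, ":"); h = a[1]; hosts[h] = 1
      if ($3 == "OK") ok[h]++; else { fail[h]++; alert[h] = $4 } }
    END {
      for (h in hosts)
        printf "%s fail=%d ok=%d last_alert=%s\n", h, fail[h] + 0, ok[h] + 0,
               (h in alert) ? alert[h] : "-"
    }' | sort
}

# The trace from the post, unwrapped and abridged (constructed sample input).
sample_trace() {
  cat <<'EOF'
14:11:14 96625540 00000000 LDAP: New cleartext connection 0x9b0151c0 from 127.0.0.1:29414, monitor = 0x921, index = 46
14:11:14 9150E600 00000000 LDAP: Connection 0x9b0151c0 closed
14:12:01 96625540 00000000 LDAP: New TLS connection 0x9b0151c0 from 172.25.130.106:3880, monitor = 0x921, index = 46
14:12:01 A0705180 00000000 LDAP: Monitor 0x921 initiating TLS handshake on connection 0x9b0151c0
14:12:01 9150E600 00000000 LDAP: DoTLSHandshake on connection 0x9b0151c0
14:12:01 9150E600 00000000 LDAP: TLS accept failure 1 on connection 0x9b0151c0, setting err = -5875. Error stack:
    error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca - SSL alert number 48
14:12:01 9150E600 00000000 LDAP: TLS handshake failed on connection 0x9b0151c0, err = -5875
14:12:01 9150E600 00000000 LDAP: BIO ctrl called with unknown cmd 7
14:12:01 9150E600 00000000 LDAP: Server closing connection 0x9b0151c0, socket error = -5875
14:12:01 9150E600 00000000 LDAP: Connection 0x9b0151c0 closed
14:12:16 96625540 00000000 LDAP: New TLS connection 0x9b0151c0 from 198.89.18.141:1552, monitor = 0x921, index = 46
14:12:16 9150E600 00000000 LDAP: BIO ctrl called with unknown cmd 7
14:12:16 9150E600 00000000 LDAP: Completed TLS handshake on connection 0x9b0151c0
14:13:03 96625540 00000000 LDAP: New TLS connection 0x9b015320 from 172.25.130.106:3917, monitor = 0x921, index = 47
14:13:03 9150E600 00000000 LDAP: TLS accept failure 1 on connection 0x9b015320, setting err = -5875. Error stack:
    error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca - SSL alert number 48
14:13:03 9150E600 00000000 LDAP: TLS handshake failed on connection 0x9b015320, err = -5875
14:13:03 9150E600 00000000 LDAP: Connection 0x9b015320 closed
14:13:10 96625540 00000000 LDAP: New TLS connection 0x9b015320 from 172.25.130.106:3922, monitor = 0x921, index = 47
14:13:10 9150E600 00000000 LDAP: TLS accept failure 1 on connection 0x9b015320, setting err = -5875. Error stack:
    error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca - SSL alert number 48
14:13:10 9150E600 00000000 LDAP: TLS handshake failed on connection 0x9b015320, err = -5875
14:13:10 9150E600 00000000 LDAP: Connection 0x9b015320 closed
EOF
}

# Stand-alone run against the sample; use "summarize < ndstrace.log" on a real trace.
sample_trace | classify_trace
sample_trace | summarize
echo "alert 48 = $(alert_name 48): the client rejected the server's certificate chain"
```

On a real capture, feed the DSTRACE file to `classify_trace` or `summarize` on stdin. A client that fails every handshake with alert 48 while other clients succeed points at that client's trust store, not at the server's certificate or the LDAP configuration.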

Has it ever worked? Or is this a new install? The issue is that the
application does not have the SSL cert. Do you need to import it into
the application?

rdseepaul;1725429 Wrote: 
> Hello:
> We use secure LDAP to authenticate many clients in our env so we know
> our certs work.
> 
> We are trying to get HP Service Manager v 7.01 to authenticate against
> eDir. without much success.
> Any ideas as to what the problem might be would help.
> If secure LDAP was not working many things in our env would have
> stopped
> working.
> 
> 
> [DSTRACE output snipped; see the original post above]


-- 
jeff@linux1:~> glxgears
120308 frames in 5.0 seconds = 24061.553 FPS
View this thread: http://forums.novell.com/showthread.php?t=358560

jedijeff
1/29/2009 9:46:02 PM
Richard Seepaul wrote:

> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca -
> SSL alert number 48

I think this is suggestive:  does the client app have the trusted cert for 
your CA?


-- 
Peter
eDirectory Rules!
http://www.DreamLAN.com

Peter
1/30/2009 2:59:13 AM
Peter Kuo wrote:
> Richard Seepaul wrote:
> 
>> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca -
>> SSL alert number 48
> 
> I think this is suggestive:  does the client app have the trusted cert 
> for your CA?
> 
> 
I agree that this appears to be a failure of trust,
i.e. their app does not trust a self-signed cert.

This is one of those "scheduled by mgmt" type engagements.
We have at the HP end an HP "resource" for the product Service Manager.
It is a new install.
My problem is that the HP resource does not really know how his 
application works, and neither does the guy just above him in the food chain.
e.g. they are unable to explain whether the app (it is a Java app) makes use 
of the cacerts keystore file common to JRE apps, or does not.

We have exported the public key cert that our LDAP servers expect to see 
and converted it to PEM format.
We follow their instructions and configure their app with the path to 
the cert.
The messages I have posted are the results we see after following HP 
instructions.

The question now becomes: 1) How do we get their app to trust a self-signed 
cert? OR
2) Does OpenLDAP a la HP work with a self-signed cert? OR does OpenLDAP 
work with self-signed certs at all?
i.e. are shares in Thawte or VeriSign required when you purchase an app?
We have difficulty with the concept of us not trusting our own signature, 
i.e. why should I have to get someone to certify I am me to me (identity 
crisis). I can see why, with an unknown 3rd party in the loop.

We know LDAP and SSL work in our env (eDir 8.8 SP2, NLDAP 20216.51 June 
10 2008) and have been working for quite some time.
In our env many things would not work if LDAP over SSL did not work.
Users and administrators would not be able to log in. IDM drivers would get 
unhappy too.
We already have Lexmark MFPs (multifunction scanner/fax/printers) set up 
to use LDAP with SSL to authenticate our users for controlled access to 
the MFP functions like scan to email etc.
This works with two generations of Lexmark MFP devices.
1st generation Lexmarks used a JRE-based LDAP client.
We imported our public cert into the MFP's cacerts keystore.
The second generation Lexmarks can grab the cert from the server.
We also control access to our HP Blade Center Servers' administration 
consoles with LDAP & SSL. The same applies to KVMs.

Hopefully we are not the only ones trying to do this and some fish will 
bite!

Richard
2/12/2009 2:58:26 PM
Richard Seepaul wrote:

> We have exported the public key cert that our LDAP servers expect to see 
> and converted it to PEM format.

I think what you need is to export the tree's trusted root cert instead of 
the public key cert.


-- 
Peter
eDirectory Rules!
http://www.DreamLAN.com

Peter
2/13/2009 1:58:21 AM
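Peter's advice above, as an added example that is not part of the thread and is neither HP's nor Novell's procedure: a throwaway two-tier PKI built with the openssl CLI, used to show why pointing a client at the LDAP server's own certificate fails while pointing it at the issuing CA (what Peter calls the tree's trusted root, i.e. the self-signed certificate of the CA that issued the server certificate) succeeds. A client given only the server certificate cannot walk the chain up to a self-signed anchor; that verification failure is what it reports back as alert 48 unknown_ca, and it has nothing to do with rejecting self-signed certificates as such, since a self-signed root is exactly what every trust store is built from. The names (Example Org CA, ldap.example.com) and the openssl version (1.1 or later on PATH) are assumptions; the s_client and keytool commands in the comments are the checks to run against the real directory and the JRE cacerts keystore and are not executed here.

```sh
#!/bin/sh
# Added example, not HP's or Novell's procedure: build a throwaway CA and a
# server certificate it issues with the openssl CLI, then show which of the
# two a client must trust. Assumes openssl (1.1 or later) on PATH; the
# names below are made up.
set -e

# make_pki DIR: self-signed CA (stand-in for the tree's trusted root) and a
# server certificate issued by it (stand-in for the LDAP server's own cert).
make_pki() {
  pki=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout "$pki/ca.key" \
    -out "$pki/ca.pem" -subj "/O=Example/CN=Example Org CA" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$pki/srv.key" \
    -out "$pki/srv.csr" -subj "/CN=ldap.example.com" 2>/dev/null
  openssl x509 -req -in "$pki/srv.csr" -CA "$pki/ca.pem" -CAkey "$pki/ca.key" \
    -set_serial 1 -days 1 -out "$pki/srv.pem" 2>/dev/null
}

# verify_with TRUSTFILE CERT: 0 if CERT chains to a self-signed anchor in
# TRUSTFILE. This is the check the TLS client runs on the server's chain;
# when it fails, the client answers with alert 48 (unknown_ca) and the
# server logs "tlsv1 alert unknown ca", as in the DSTRACE output.
verify_with() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_of CERT: the issuer DN, i.e. which certificate has to be exported
# and trusted. Run this on the certificate the LDAP server presents.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# is_self_signed CERT: 0 when issuer equals subject, the shape of a root.
is_self_signed() {
  [ "$(issuer_of "$1")" = "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" ]
}

# Against a live directory (not run here): see what the server presents and
# whether it verifies with the exported root, then load the root into a JRE
# trust store for a Java client that uses cacerts:
#   openssl s_client -connect ldap.example.com:636 -showcerts -CAfile root.pem </dev/null
#   keytool -importcert -trustcacerts -alias edir-root -file root.pem \
#           -keystore "$JAVA_HOME/lib/security/cacerts"

demo() {
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
  make_pki "$d"
  echo "server cert issued by: $(issuer_of "$d/srv.pem")"
  if verify_with "$d/srv.pem" "$d/srv.pem"; then
    echo "trusting the server cert itself: OK (only under a partial-chain policy)"
  else
    echo "trusting the server cert itself: FAIL -> client would send alert 48 unknown_ca"
  fi
  if verify_with "$d/ca.pem" "$d/srv.pem"; then
    echo "trusting the issuing CA (trusted root): OK"
  fi
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found" >&2; fi
```

Applied to the thread: dump the certificate the LDAP server actually presents on port 636, read its issuer, export that issuer's self-signed certificate from the tree, and give that, not the server certificate, to the HP application. If the application turns out to use the JRE cacerts keystore, the keytool line imports the root there; if it uses its own certificate path, point that path at the root instead.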