|Applies To||RSA ClearTrust 5.0.1 Authorization Server (AServer)|
RSA ClearTrust 5.0.1 Entitlements Server (EServer)
Sun ONE Directory Proxy Server 5.2
|Issue||RSA ClearTrust fails with Sun ONE Directory Proxy Server 5.2|
RSA ClearTrust Entitlements Server (EServer) does not start after applying RSA ClearTrust hot fix 18.104.22.168
RSA ClearTrust Entitlements Server (EServer) fails to start with the following debug error:
Initializing sirrus.da.ldap.admin.factory.LDAPFactory data source:
Starting connection(s) to LDAP:
iplanet ... started.
aux-store ... 10:21:47:754 [*] [Thread-0] - Attempting to validate connection
10:21:47:774 [*] [Thread-0] - LDAPConnectionManager.isConnectionValid - false
10:21:47:774 [*] [Thread-0] - LDAPConnectionManager.isConnectionValid - Got LDAPException: netscape.ldap.LDAPException: error result (50); Search not permitted for any attribute; Insufficient access
The corresponding error from the SunONE Directory Proxy Server is as follows:
Using an RSA ClearTrust Servers hot fix prior to version 22.214.171.124 does not exhibit this problem
Using Sun ONE Directory Server instead of Sun ONE Directory Proxy Server does not exhibit this problem
Sun ONE Directory Proxy Server has not been qualified against RSA ClearTrust 5.0.1
RSA ClearTrust hot fix 126.96.36.199 introduced an LDAP read operation (LDAPConnection.read) against the ClearTrust LDAP store as the PING action. This read specifies an empty LDAP attribute list, and the iPlanet (Sun ONE) Directory Proxy Server rejects such a search with an error.
|Resolution||This issue has been resolved in RSA ClearTrust hot fix 188.8.131.52. Contact RSA Customer Support and request the ClearTrust hot fix 184.108.40.206 or request the latest fix level (which is cumulative, and contains fixes from previous fix levels). The following two new configurable parameters have been introduced in ldap.conf:|
cleartrust.data.ldap.directory.iplanet.connection.ping : false
cleartrust.data.ldap.directory.iplanet.connection.ping_attribute : cn
The first parameter, "ping", defaults to true. If it is set to false, ClearTrust does not issue the "ping" at all. The second parameter, "ping_attribute", defaults to "" (empty). If it is specified, the given attribute is used in the "ping" operation. Together these parameters allow the "ping" attribute to be tuned for compatibility with the LDAP product in use.
In the specific scenario above (using the Sun ONE Directory Proxy Server), either disabling the ping or specifying a ping attribute resolves the issue.
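As an added example (not RSA's code), the following Python models the ping behaviour described above: it parses ldap.conf-style "key : value" lines, works out whether the ping read would carry an empty attribute list (the case the proxy rejects), and picks out the LDAP result code from EServer debug lines like those quoted in the Issue section. The ldap.conf and log excerpts are constructed samples; the two key names are the parameters introduced by the hot fix.

```python
import re

PING_KEY = "cleartrust.data.ldap.directory.iplanet.connection.ping"
ATTR_KEY = "cleartrust.data.ldap.directory.iplanet.connection.ping_attribute"

# Constructed ldap.conf excerpt in the "key : value" form quoted above:
# ping left at its default (true) with an empty ping_attribute.
SAMPLE_CONF = """
# LDAP store settings (constructed sample)
cleartrust.data.ldap.directory.iplanet.connection.ping : true
cleartrust.data.ldap.directory.iplanet.connection.ping_attribute :
"""

# Constructed EServer debug lines in the format quoted in the Issue section.
SAMPLE_LOG = [
    "10:21:47:754 [*] [Thread-0] - Attempting to validate connection",
    "10:21:47:774 [*] [Thread-0] - LDAPConnectionManager.isConnectionValid - false",
    "10:21:47:774 [*] [Thread-0] - LDAPConnectionManager.isConnectionValid - "
    "Got LDAPException: netscape.ldap.LDAPException: error result (50); "
    "Search not permitted for any attribute; Insufficient access",
]

def parse_conf(text):
    """Parse 'key : value' lines; a key with nothing after ':' keeps an empty value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf

def ping_attributes(conf):
    """Attribute list the ping read would request, or None if ping is disabled.
    Defaults follow the article: ping=true, ping_attribute="" (empty)."""
    if conf.get(PING_KEY, "true").strip().lower() == "false":
        return None
    attr = conf.get(ATTR_KEY, "").strip()
    return [attr] if attr else []

def ping_is_proxy_safe(conf):
    """A ping read with an empty attribute list is what the proxy rejects."""
    attrs = ping_attributes(conf)
    return attrs is None or len(attrs) > 0

LDAP_ERR = re.compile(r"LDAPException: error result \((\d+)\)")

def failed_ping_codes(lines):
    """LDAP result codes reported on failed isConnectionValid checks (50 here)."""
    return [int(m.group(1)) for line in lines if "isConnectionValid" in line
            for m in [LDAP_ERR.search(line)] if m]
```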
Applied RSA ClearTrust Servers hot fix 220.127.116.11
Modified RSA ClearTrust Servers ldap.conf file to point to Sun ONE Directory Proxy Server 5.2
|Legacy Article ID||a19621|