000020947 - RSA ClearTrust fails with Sun ONE Directory Proxy Server 5.2

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017

Article Number: 000020947
Applies To:
RSA ClearTrust 5.0.1 Authorization Server (AServer)
RSA ClearTrust 5.0.1 Entitlements Server (EServer)
Sun ONE Directory Proxy Server 5.2
Issue: RSA ClearTrust fails with Sun ONE Directory Proxy Server 5.2
RSA ClearTrust Entitlements Server (EServer) does not start after applying RSA ClearTrust hot fix 5.0.1.56
RSA ClearTrust Entitlements Server (EServer) fails to start with the following debug error:

Initializing sirrus.da.ldap.admin.factory.LDAPFactory data source:
Starting connection(s) to LDAP:
 iplanet ... started.
aux-store ... 10:21:47:754 [*] [Thread-0] - Attempting to validate connection
10:21:47:774 [*] [Thread-0] - LDAPConnectionManager.isConnectionValid - false
10:21:47:774 [*] [Thread-0] - LDAPConnectionManager.isConnectionValid - Got LDAPException: netscape.ldap.LDAPException: error result (50); Search not permitted for any attribute; Insufficient access

The corresponding error from the SunONE Directory Proxy Server is as follows:

<Date/Time> <ldap-host> SunONEDPS[ 4668]: [TRACE] [330203] Attribute type name cannot be NULL or empty
<Date/Time> <ldap-host> SunONEDPS[ 4668]: [TRACE] [190101] [client(<IP>, 1164)][server( <IP-port>, 1296)]fail_request fd=1164 tag=0x63 msgid=0xc errcode=50

RSA ClearTrust Servers hot fix levels prior to 5.0.1.56 do not exhibit this problem.

The problem does not occur when Sun ONE Directory Server is used directly instead of Sun ONE Directory Proxy Server.

Cause: Sun ONE Directory Proxy Server has not been qualified against RSA ClearTrust 5.0.1.

RSA ClearTrust hot fix 5.0.1.56 introduced an LDAP read operation (LDAPConnection.read) against the ClearTrust LDAP store as the PING action used to validate a connection. This read names an empty LDAP attribute, and the iPlanet (Sun ONE) Directory Proxy Server rejects such a search with error result 50 (insufficient access) instead of answering it.
Resolution: This issue has been resolved in RSA ClearTrust hot fix 5.0.1.82. Contact RSA Customer Support and request ClearTrust hot fix 5.0.1.82, or request the latest fix level (which is cumulative and contains the fixes from previous fix levels). The following two new configurable parameters have been introduced in ldap.conf:

    cleartrust.data.ldap.directory.iplanet.connection.ping           : false
    cleartrust.data.ldap.directory.iplanet.connection.ping_attribute : cn

The first parameter, "ping", defaults to true. If it is set to false, ClearTrust does not issue the "ping" at all. The second parameter, "ping_attribute", defaults to "" (empty). If it is specified, its value is the attribute requested in the "ping" read. Together these parameters let the "ping" attribute be tuned for compatibility with the LDAP product in use.

In the specific scenario above (using Sun ONE Directory Proxy Server), either disabling the ping or specifying a ping attribute resolves the issue.
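The following Python model, added here as an illustration and not RSA's own code, ties the cause and the resolution together: it parses the two ldap.conf parameters in the "key : value" form shown above, works out which attribute the ping read would request (defaults: ping enabled, attribute empty), applies the "attribute type name cannot be NULL or empty" check that the proxy enforces, and finally scans a constructed copy of the debug output for failed connection validations. All function names, the sample configuration and the log text are this example's own assumptions.

```python
"""Model of the ClearTrust LDAP "ping" behaviour described in this article.

Added example, not RSA product code.  Function names, sample config and
log lines are constructed for illustration.
"""
import re

LDAP_INSUFFICIENT_ACCESS = 50   # result code seen in the article's debug log
PREFIX = "cleartrust.data.ldap.directory.iplanet.connection."

# Constructed ldap.conf fragment: ping enabled, ping_attribute left empty,
# i.e. the combination that fails against the Directory Proxy Server.
SAMPLE_LDAP_CONF = """
cleartrust.data.ldap.directory.iplanet.connection.ping           : true
cleartrust.data.ldap.directory.iplanet.connection.ping_attribute :
"""

# Constructed copy of the EServer debug output quoted in the article.
DEBUG_LOG = """\
10:21:47:754 [*] [Thread-0] - Attempting to validate connection
10:21:47:774 [*] [Thread-0] - LDAPConnectionManager.isConnectionValid - false
10:21:47:774 [*] [Thread-0] - LDAPConnectionManager.isConnectionValid - Got LDAPException: netscape.ldap.LDAPException: error result (50); Search not permitted for any attribute; Insufficient access
"""


def parse_ldap_conf(text):
    """Return {key: value} for 'key : value' lines; the value may be empty."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def ping_plan(conf):
    """Attribute list the ping read would request, or None if pinging is off.

    Defaults follow the article: ping=true, ping_attribute="" (empty).
    """
    if conf.get(PREFIX + "ping", "true").lower() != "true":
        return None
    return [conf.get(PREFIX + "ping_attribute", "")]


def proxy_validate(attributes):
    """Mimic the proxy's 'Attribute type name cannot be NULL or empty' check.

    Returns (result_code, message); result code 0 means the search is accepted.
    """
    for attr in attributes:
        if not attr.strip():
            return (LDAP_INSUFFICIENT_ACCESS,
                    "Search not permitted for any attribute; Insufficient access")
    return 0, "ok"


def ping_outcome(conf_text):
    """End to end: config text -> planned ping -> proxy verdict as a string."""
    attrs = ping_plan(parse_ldap_conf(conf_text))
    if attrs is None:
        return "ping disabled"
    code, msg = proxy_validate(attrs)
    return "ok" if code == 0 else f"error result ({code}); {msg}"


def failed_ping_codes(log_text):
    """LDAP result codes of failed connection validations found in debug output."""
    pattern = re.compile(r"isConnectionValid - Got LDAPException.*error result \((\d+)\)")
    return [int(m.group(1)) for line in log_text.splitlines()
            for m in [pattern.search(line)] if m]


if __name__ == "__main__":
    print("default config :", ping_outcome(SAMPLE_LDAP_CONF))
    print("ping : false   :", ping_outcome(PREFIX + "ping : false"))
    print("ping_attribute : cn ->", ping_outcome(PREFIX + "ping_attribute : cn"))
    print("failed pings in log:", failed_ping_codes(DEBUG_LOG))
```

Running the script shows the three states the article describes: the empty-attribute default is rejected with error result 50, `ping : false` suppresses the read entirely, and `ping_attribute : cn` is accepted. The last function is a simple check for the failure signature in the EServer debug log, useful when confirming whether an existing deployment is affected before applying the hot fix.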
Workaround:
Applied RSA ClearTrust Servers hot fix 5.0.1.75

Modified the RSA ClearTrust Servers ldap.conf file to point to Sun ONE Directory Proxy Server 5.2
Legacy Article ID: a19621
