Add Identity Source - openldap fails when testing connection
Identity Source Name: LDAP
Type: Open LDAP
Directory URL: ldaps://10.35.0.xxx
Directory User ID: cn=iDRAC,dc=fwldap,dc=local
Directory Password: ******
Clicked [Test Connection]. Returns "Directory test:Test failed. Unable to establish a connection to the directory"
Is there a way to get more detail on what I'm doing wrong?
I've moved your question to the RSA SecurID Access space, where it will be seen by the product's support engineers, other customers and partners. Please bookmark this page and use it when you have product-specific questions.
Alternatively, from the RSA Customer Support page, click on Ask A Question on the blue navigation bar and choose Ask A Product Related Question. From there, scroll to RSA SecurID Access and click Ask A Question. That way your question will appear in the correct space.
Regards,
Erica
/opt/rsa/am/server/logs/imsTrace.log
here I have a bad bind userid, it logged this when I hit test connection
2020-06-26 12:33:10,294, [[ACTIVE] ExecuteThread: '11' for queue: 'weblogic.kernel.Default (self-tuning)'], (LDAPConnectionTesterImpl.java:231), trace.com.rsa.ims.ldapslotmgt.impl.LDAPConnectionTesterImpl, ERROR, edavis-vm150.na.rsa.net,,,,LDAP Server connection test failed
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
You may or may not need to set imsTrace.log to verbose mode in Security Console, Setup, System, Logging to see certain system errors in the imsTrace.log. Just don't leave it in verbose forever, as it can make massive logs on busy systems.
Quick and dirty: Have you tried connecting to it with an ldap browser? If you can connect from your desktop but not from the primary, then you might have a routing or firewall issue. If you can't connect from your desktop either, maybe the credentials are bad, or the port is wrong, or something else. Ed's suggestion is the most thorough, but with an ldap browser you can do some rough tests without access to the server logs or log settings.
In the operations console, try going into the network tools page and ping that address to make sure you can connect to that server from the primary.
Oh, and have you tried different formats for the userid?
Looks like it doesn't like self-signed certs:
2020-06-26 13:24:54,816, [[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'], (LDAPConnectionTesterImpl.java:231), trace.com.rsa.ims.ldapslotmgt.impl.LDAPConnectionTesterImpl, ERROR, idrac-rsa-dev.aus.amer.dell.com,,,,LDAP Server connection test failed
javax.naming.CommunicationException: 10.35.0.185:636 [Root exception is javax.net.ssl.SSLException: Certificate not verified.]
How do I tell it to ignore the cert?
Did you add the LDAP certificate to the deployment, in the Operations Console?
Deployment Configuration > Identity Sources > Identity Source Certificates > Add New
HELP search on "ldap certificate", or check here https://community.rsa.com/docs/DOC-77356
I did miss that step. I uploaded the ssl cert. Now, I'm getting the following error:
2020-06-26 14:01:44,077, [[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'], (LDAPConnectionTesterImpl.java:231), trace.com.rsa.ims.ldapslotmgt.impl.LDAPConnectionTesterImpl, ERROR, idrac-rsa-dev.aus.amer.dell.com,,,,LDAP Server connection test failed
javax.naming.CommunicationException: 10.35.0.185:636 [Root exception is javax.net.ssl.SSLException: Error creating premaster secret. ]
Are we getting any closer?
It doesn't care about self-signed or not. Home-spun certs will work. We cannot ignore the cert and still use ldaps, but you can use ldap not ldaps and that doesn't use certs at all.
-----
If ldaps is correctly set up on openldap, this procedure can usually fetch the right server cert and you can install it:
echo -n | openssl s_client -connect 10.101.99.154:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.cer
where 10.101.99.154 is your ldap server, and ldapserver.cer can be installed in the Operations Console to allow ldaps.
[in the log there is more to the error message we cannot see which is needed]
what version and build of AM server ?
8.4 and up can only use TLS1.2
Can your openldap work with TLS1.2 ?
----------
About the error, in general
Cause: a cryptographic failure that is preventing the premaster secret from being generated.
Effect: the current cryptographic operation cannot be completed (fails)
Recovery: check for unsupported configuration settings, such as unsupported cryptographic suites, obsolete certificate standards, missing or incorrect unlimited strength JCE files, or...
I'm running RSA Authentication Manager Version 8.4
Openldap is version slapd 2.4.44. Looks like it does support TLS 1.2
I'm a bit new with openldap. So, I'll need to research on how to set it up to use it.
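An added diagnostic script, not from the thread or from RSA, that ties the three imsTrace.log exceptions quoted above (error code 49, "Certificate not verified", "Error creating premaster secret") to the causes discussed here, and that, when pointed at the LDAP host, attempts the TLS 1.2-only handshake AM 8.4 makes and returns the server certificate as PEM for upload in the Operations Console. The `classify_failure` and `probe` names and the host/port arguments are my own; it assumes Python 3.7+ and network reachability to the directory.

```python
"""Diagnose ldaps identity-source failures like the ones in this thread."""
import re
import socket
import ssl

# imsTrace.log exception fragments quoted in the thread, mapped to the fix
# each reply pointed at (constructed table, matched against the exception line).
_KNOWN_FAILURES = [
    (r"error code 49", "bind credentials rejected: check Directory User ID / password"),
    (r"Certificate not verified", "server certificate not trusted by AM: add it under "
     "Operations Console > Identity Sources > Identity Source Certificates"),
    (r"Error creating premaster secret", "TLS handshake failed: AM 8.4+ only speaks "
     "TLS 1.2, check the OpenLDAP TLS version and cipher settings"),
]


def classify_failure(log_text):
    """Return the hint for a known imsTrace.log exception, or None if unknown."""
    for pattern, hint in _KNOWN_FAILURES:
        if re.search(pattern, log_text):
            return hint
    return None


def fetch_server_cert(host, port=636, timeout=5):
    """Handshake with TLS 1.2 only (what AM 8.4 does) and return (tls_version, PEM).
    Verification is off only because we are retrieving the cert to install;
    the identity source itself still verifies it once the cert is uploaded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return tls.version(), ssl.DER_cert_to_PEM_cert(der)


def probe(host, port=636):
    """Try the handshake and translate failures into the same hints as the log."""
    try:
        version, pem = fetch_server_cert(host, port)
        return {"ok": True, "tls": version, "pem": pem}
    except ssl.SSLError as exc:         # same class of failure as "premaster secret"
        return {"ok": False, "hint": classify_failure("Error creating premaster secret"),
                "detail": str(exc)}
    except OSError as exc:              # refused / unreachable / timed out
        return {"ok": False, "hint": "no TCP connection to port %d: check routing or "
                "firewall from the primary (ping from Operations Console)" % port,
                "detail": str(exc)}
```

Run `probe("10.35.0.185")` from a host on the same network as the primary; on success write `result["pem"]` to `ldapserver.cer` and upload it under Identity Source Certificates.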
