Troubleshooting Common LDAP Errors

Novell Cool Solutions: Tip


Posted: 1 Dec 2004

Here are some common LDAP Errors reported by the GroupWise POA, along with recommended solutions. See also TID 10067376.

LDAP Error 4 - Size limit exceeded

Cause/Fix: The POA is pointing to an LDAP server in a different Tree or directory than the one where GroupWise is installed. In this situation, the POA must know the full distinguished name of the user in the LDAP directory it is querying. If the GroupWise user object does not have this value defined in the user properties, then the POA will do an LDAP lookup on the user's e-mail address.

This error is caused by the LDAP server returning two entries for the e-mail address searched on by the POA. For example, suppose there were two accounts in the LDAP directory that had an e-mail address of user1@domain.com. The POA would search for this address and would get two results, not knowing which account represented the user trying to log in.

To fix this problem, go to the properties of the GroupWise user and define the full LDAP distinguished name in the "LDAP Authentication" field. This field is found on the GroupWise tab when accessing the properties of the GroupWise user in ConsoleOne. The full distinguished name must be in LDAP notation, such as cn=user1,ou=users,o=company. You may also need to check for duplicate e-mail addresses in the LDAP directory that the GroupWise POA is pointing to and resolve them.

LDAP Error 12 - Critical extension is unavailable

Cause/Fix: GroupWise requires eDirectory LDAP Services version 85.12 or greater when using the LDAP Username and Password options. Don't confuse this with NDS/eDirectory version 8.77, which is older than 85.x. The version can be checked from the file server by typing "Version". If you need to use the LDAP Username, then you will need to patch to LDAP Services/NDS version 85.20 or greater. If you do not use the LDAP Username, then NDS 8 is sufficient.

LDAP Error 13 - Confidentiality required

Cause/Fix: This error will occur when SSL is not being used, and the LDAP Group Object is not configured to use Clear Text Passwords. This can be resolved by either enabling SSL or by editing the LDAP Group Object and checking the "Allow Clear Text Passwords" box.

LDAP Error 32 - No such object

Cause/Fix: This error occurs when a user cannot be found. The user's e-mail address field may not match the internet addressing domain name (e.g., the user's e-mail address field = user@host.com and the internet domain name = anythingelse.com). You can find this in the user's properties on the General Tab.

This has also been seen when the LDAP User Name refers to the wrong OU (where the user doesn't exist). Make sure the full path to the user is accurate. You can find this in the Post Office properties | GroupWise Tab | Security. In GroupWise 6.5 this can be caused by incorrectly defined GroupWise LDAP Servers found in Tools | System Operations | LDAP Servers. Edit the LDAP servers listed, looking for invalid IP addresses.

LDAP Error 34 - Invalid DN syntax

Cause/Fix: This error occurs when you use the LDAP User Name option and the User Name has been entered with invalid syntax. The correct name syntax is: "cn=userid,ou=group,ou=division,o=organization". Refer to the POA startup file for more details on this specific error.

LDAP Error 49 - Invalid credentials

Cause/Fix: The user has input the incorrect password. This will also be reported if the GroupWise object is not associated with the eDirectory object.

LDAP Error 53 - DSA is unwilling to perform

Cause/Fix: The NDS user account has expired.

LDAP Error 81 - Can't contact LDAP server

Cause/Fix: The POA can't contact the LDAP Server. Check the IP number listed in the Post Office Object for the LDAP Server. Make sure the LDAP server is running and the servers are communicating correctly, etc.

LDAP Error 65535 - Unknown error

Cause/Fix: Make sure your Post Office Properties | Security | SSL Key File is entered correctly and that the POA has access to the path. This can also be a problem with the key file - try regenerating a new one. If the above two issues have been handled, you may need to rebuild the Post Office database.

This problem can also be caused by using the utility GWCSRGEN.EXE. We require the LDAP server's SSL Key File (for example: sys:\public\rootcert.der). However, gwcsrgen does not generate this type of certificate. Putting the key file in the post office directory rather than in the sys:\public\rootcert.dir directory can resolve this error in some cases.

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© Micro Focus