Environment
Novell iManager 2.7.5
Novell Open Enterprise Server 2 SP 3
Situation
After restarting novell-tomcat (on OES2SP3), users were unable to perform particular functions (such as changing or resetting passwords). The iManager error observed was:
Error: Simple bind failed. You may need to import the certificate from the server.
Creating LDAP context failed:
[LDAP: error code 13 - Confidentiality Required]
The /var/opt/novell/tomcat5/logs/catalina.out file contained the following error:
com.novell.emframe.dev.AuthBrokerException: Creating LDAP context failed:
[LDAP: error code 13 - Confidentiality Required]
at com.novell.emframe.fw.ldap.JndiLdapAuthenticator.authenticate(JndiLdapAuthenticator.java:186)
at com.novell.emframe.dev.AuthenticationBroker.getAPIObject(AuthenticationBroker.java:1318)
at com.novell.admin.pwdpolicy.AdvancedSetPassword.verifyUserObjectEntry(Unknown Source)
at com.novell.admin.pwdpolicy.AdvancedSetPassword.execute(Unknown Source)
at com.novell.nps.gadgetManager.BaseGadgetInstance.processRequest(BaseGadgetInstance.java:858)
at com.novell.nps.gadgetManager.BaseGadgetInstance.handleAction(BaseGadgetInstance.java:2384)
at com.novell.nps.gadgetManager.GadgetManager.processInstanceRequest(GadgetManager.java:1606)
Finally, ndstrace with +TAGS +TIME +LDAP showed the following:
1105291584 LDAP: [2012/11/13 14:00:32.77] Rejecting unencrypted bind on cleartext port in nds_back_bind, err = 13
Resolution
To resolve:
- Click on the "Configure" icon in iManager.
- iManager server.
- Configure iManager server.
- Click on the Authentication tab.
- Check the option labeled "Use Secure LDAP for auto-connection".
Note: You may need to restart novell-tomcat to activate this setting; however, logging out and back in should be sufficient.
Additional Information
Changing passwords is an NMAS function. As noted in section 6.4.6 of the iManager 2.7 documentation, NMAS-related plug-ins can be affected if "Use Secure LDAP for auto-connection" is disabled.
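To confirm from the logs that a failure is this issue, the following added example (not Novell code) scans ndstrace output for rejected cleartext binds and finds which plug-in call in catalina.out hit LDAP error 13. It assumes plug-in classes live under com.novell.admin., as in the trace above; the function and variable names are hypothetical.

```python
import re
from collections import Counter

# ndstrace (+TAGS +TIME +LDAP) line format as quoted in this article.
NDS_REJECT = re.compile(
    r"^(?P<thread>\d+) LDAP: \[(?P<ts>[\d/]+ [\d:.]+)\] Rejecting unencrypted "
    r"bind on cleartext port in (?P<func>\w+), err = (?P<err>\d+)"
)
LDAP_13 = "[LDAP: error code 13 - Confidentiality Required]"
FRAME = re.compile(r"^\s*at (?P<cls>[\w.$]+)\.(?P<method>\w+)\(")

# Sample input: log lines quoted in this article, plus one constructed
# non-matching line to show that unrelated trace output is ignored.
SAMPLE_NDSTRACE = [
    "1105291584 LDAP: [2012/11/13 14:00:32.77] Rejecting unencrypted bind on cleartext port in nds_back_bind, err = 13",
    "constructed line: unrelated trace output",
]
SAMPLE_CATALINA = [
    "com.novell.emframe.dev.AuthBrokerException: Creating LDAP context failed:",
    "[LDAP: error code 13 - Confidentiality Required]",
    "at com.novell.emframe.fw.ldap.JndiLdapAuthenticator.authenticate(JndiLdapAuthenticator.java:186)",
    "at com.novell.emframe.dev.AuthenticationBroker.getAPIObject(AuthenticationBroker.java:1318)",
    "at com.novell.admin.pwdpolicy.AdvancedSetPassword.verifyUserObjectEntry(Unknown Source)",
    "at com.novell.admin.pwdpolicy.AdvancedSetPassword.execute(Unknown Source)",
]


def rejected_binds(ndstrace_lines):
    """Return (timestamp, thread, err) for each rejected cleartext bind."""
    found = (NDS_REJECT.match(line.strip()) for line in ndstrace_lines)
    return [(m["ts"], m["thread"], int(m["err"])) for m in found if m]


def affected_callers(catalina_lines, prefix="com.novell.admin."):
    """Count the innermost plug-in frame (prefix is an assumption) per error-13 trace."""
    callers, armed = Counter(), False
    for line in catalina_lines:
        m = FRAME.match(line)
        if LDAP_13 in line:
            armed = True    # the stack frames for this failure follow
        elif armed and m and m["cls"].startswith(prefix):
            callers[f'{m["cls"].rsplit(".", 1)[-1]}.{m["method"]}'] += 1
            armed = False   # count only the first plug-in frame
        elif armed and not m:
            armed = False   # trace ended without a plug-in frame
    return callers


if __name__ == "__main__":
    print(rejected_binds(SAMPLE_NDSTRACE), dict(affected_callers(SAMPLE_CATALINA)))
```

A non-empty result from both functions around the same time points to the cleartext auto-connection described in the Resolution section rather than a certificate problem.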