Setting Universal Password through iManager is throwing "NMAS LDAP Transport Error "

  • 7014457
  • 27-Jan-2014
  • 23-Dec-2017

Environment

iManager 2.7 SP7
eDirectory 8.8 SP8

Situation

Upgraded from 8.8.7.5 to eDirectory 8.8.8. When setting a user's Universal Password (UP) through iManager, the error "NMAS LDAP Transport Error " is returned. The issue is seen in both the Standalone and Workstation versions of iManager.
 
Running "ldapconfig get" shows there are no IP addresses for ldapInterfaces:
ldapInterfaces: ldap://:389,ldaps://:636
 
Note: this affects other operations besides setting a user's Universal Password. Other tasks affected:
- Groups plugin (865164/893994)
- Radius plugin extending schema (914006)
 

Resolution

1. Run ldapconfig get ldapInterfaces -a admin.novell (change the user and context to match your environment) to verify that no addresses are shown for ldapInterfaces.

2. Change ldapInterfaces to reflect the IP address of the server for each LDAP port.
 
For example, on an eDirectory server with the address 192.168.0.10 configured for both standard LDAP ports, the following commands can be used to correctly populate the configuration:

ldapconfig set "ldapInterfaces=ldap://192.168.0.10:389" -a admin.novell
ldapconfig set "ldapInterfaces=ldaps://192.168.0.10:636" -a admin.novell
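The check in step 1 and the rewrite in step 2 can be scripted. The following is an added example, not part of the TID: it takes the ldapInterfaces line as printed by "ldapconfig get", lists the entries that carry a port but no host, and builds the corrected value for a given server address. The sample output and the address are constructed to match the example above; the resulting value is what you would pass to ldapconfig set.

```shell
#!/bin/sh
# Constructed sample, identical to the "ldapconfig get" output shown in the TID.
SAMPLE_OUTPUT='ldapInterfaces: ldap://:389,ldaps://:636'

# Strip the "ldapInterfaces:" label and print one URI per line.
split_interfaces() {
    printf '%s\n' "$1" | sed 's/^ldapInterfaces: *//' | tr ',' '\n'
}

# Print every interface of the form scheme://:port (no host before the colon).
# Exit status is 0 when at least one such entry exists, 1 otherwise (grep's status),
# so the function doubles as the "is this server affected?" check from step 1.
missing_host_interfaces() {
    split_interfaces "$1" | grep -E '^ldaps?://:[0-9]+$'
}

# Rewrite each host-less URI to carry the given address; entries that already
# have a host are left untouched. Output is the comma-separated ldapInterfaces
# value for step 2, e.g. ldap://192.168.0.10:389,ldaps://192.168.0.10:636
fix_interfaces() {
    # $1: ldapInterfaces line, $2: IP address of this eDirectory server
    split_interfaces "$1" \
        | sed "s#^\(ldaps\{0,1\}://\):\([0-9][0-9]*\)\$#\1$2:\2#" \
        | paste -sd ',' -
}

# Demonstration on the constructed sample.
missing_host_interfaces "$SAMPLE_OUTPUT"       # prints ldap://:389 and ldaps://:636
fix_interfaces "$SAMPLE_OUTPUT" 192.168.0.10   # prints ldap://192.168.0.10:389,ldaps://192.168.0.10:636
```

On a real server, feed the output of "ldapconfig get ldapInterfaces -a admin.novell" to fix_interfaces and apply the printed value with ldapconfig set as shown above.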

Cause

eDirectory 8.8.8 adds ldapInterfaces entries of:

ldaps://:636
ldap://:389

Previously no interface was listed. The Password Plugin is unable to locate the server when an interface is specified with no IP address.

Additional Information

Note: there are three other conditions in which this error can be observed:

  1. Non-standard LDAP ports are being used on the server.
  2. The option 'Use Secure LDAP for auto-connection' under Configure iManager > Authentication has been unchecked.
     By default this is checked. The screen also warns that some plugins may not work if it is unchecked.
  3. A certificate signed by an external CA that is not trusted by iManager/Tomcat is in use.
     When iManager/Tomcat attempts to make a secure connection, it cannot. To remedy this, the CA certificate needs to be imported into cacerts with the keytool utility. For further information, look for Tomcat documentation on "keytool -import -trustcacerts ...."