Environment
Novell GroupWise 2014 R2 Support Pack 1
Novell GroupWise 2014 R2 Support Pack 1 Hot Patch 1
Novell GroupWise 2014 R2 Support Pack 1 Hot Patch 2
Novell GroupWise 2014 R2 Support Pack 2
GroupWise 18
Situation
Our online documentation states:
https://www.novell.com/documentation/groupwise2014r2/gw2014_guide_admin/data/adm_secadm_cert_trusted_root.html
"LDAP authentication relies on the presence of a trusted root certificate (often named rootcert.der) located on your LDAP server. For more information, see Section 15.3.4, Providing LDAP Authentication for GroupWise Users.
A trusted root certificate is automatically created for a server when you install an LDAP directory such as NetIQ eDirectory or Microsoft Active Directory on that server."
In this case, a different host was used for LDAP (10.2.77.42) than the one where GroupWise runs (10.2.76.231).
On the LDAP server I went to /etc/ssl/certs and took RSA_Certificate_1.pem from there (there is no DER file).
The System LDAP server was defined as 10.2.77.42.
Next I enabled SSL and uploaded "RSA_Certificate_1.pem" to my GW server.
No complaints; I can select the imported certificate and all seems to be fine.
If I now run Directory sync, the MTA lists the following error:
12:00:06 B68D Synchronizing Directory eDir-42
12:00:06 B68D Connecting to LDAP server at 10.2.77.42 for Directory eDir-42
12:00:06 B68D LDAP Error connecting to LDAP server at address 10.2.77.42, port 636: 00000051
12:00:06 B68D Synchronization complete for Directory eDir-42
This is exactly the error the customer received in their system.
What works for me:
1. Start iManager.
2. Directory Administration -> Modify Object. Select the desired LDAP server. Go to the Connections tab and check which certificate is used; in my case the SSL DNS one.
3. Directory Administration -> Modify Object. Now select the SSL DNS object.
4. Go to the Certificates tab.
5. Select the SSL DNS certificate and click Validate, then highlight it again and click Export.
6. Select the Trusted Root Certificate tab.
7. Certificates -> Organizational CA version: deselect Export private key, leave the DER file format and click Next.
8. Save the certificate file.
If I use that manually exported DER-format file in the LDAP SSL configuration, all works:
12:19:37 B695 Synchronizing Directory eDir-42
12:19:37 B695 Connecting to LDAP server at 10.2.77.42 for Directory eDir-42
12:19:37 B695 Checking Dom1.PO2.another-user
12:19:37 B695 Checking Dom1.PO2.imanager1-r2
12:19:37 B695 Checking Dom1.PO2.imanager2-r2
12:19:37 B695 Checking Dom2.PO3.user1-r2
12:19:37 B695 Checking Dom2.PO3.user2-R2
12:19:37 B695 Checking Dom2.PO3.user3-r2
12:19:37 B695 Checking group Dom2.PO3.C1
12:19:37 B695 Disconnecting from LDAP server for Directory eDir-42
12:19:37 B695 Synchronization complete for Directory eDir-42
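The difference between the two runs above is the kind of certificate that was uploaded: the file taken from /etc/ssl/certs is the LDAP server's own certificate, while GroupWise needs the self-signed Organizational CA (trusted root). The following script, added here and not part of the TID or of GroupWise, checks which of the two a PEM or DER file is and exports it to DER; it assumes the openssl command-line tool is installed, and the demo CA and "ldap.demo.example" certificate it builds are constructed, hypothetical names.

```shell
#!/bin/sh
# Added example, not part of the TID: tell a server (leaf) certificate such as
# RSA_Certificate_1.pem from /etc/ssl/certs apart from the trusted root
# (Organizational CA) certificate GroupWise needs, and export the root as DER.
# Requires the openssl command-line tool; the demo certificates are constructed.

# Print "trusted-root" if the file is a self-signed CA certificate
# (basicConstraints CA:TRUE and subject equal to issuer), else "server-cert".
# Uploading a "server-cert" here is what produced LDAP error 0x51
# (81, "Can't contact LDAP server") in the MTA log above.
cert_role() {
    # Accept PEM or DER input: retry as DER if PEM parsing fails.
    if ! text=$(openssl x509 -in "$1" -inform PEM -noout -text 2>/dev/null); then
        text=$(openssl x509 -in "$1" -inform DER -noout -text) || return 1
    fi
    subject=$(printf '%s\n' "$text" | sed -n 's/^ *Subject: //p')
    issuer=$(printf '%s\n' "$text" | sed -n 's/^ *Issuer: //p')
    if printf '%s\n' "$text" | grep -q 'CA:TRUE' && [ "$subject" = "$issuer" ]; then
        echo trusted-root
    else
        echo server-cert
    fi
}

# Convert a PEM certificate to the DER form that iManager's export produces.
to_der() {
    openssl x509 -in "$1" -inform PEM -outform DER -out "$2"
}

# Constructed demo material (hypothetical names): a self-signed CA and an
# LDAP server certificate issued by it, written into directory $1.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Org CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.demo.example" \
        -keyout "$1/ldap.key" -out "$1/ldap.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/ldap.csr" -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/ldap.pem" 2>/dev/null
}

# Usage: sh cert_role.sh <certificate file>
if [ $# -eq 1 ]; then
    cert_role "$1"
fi
```

Run it against the file you intend to upload in the GroupWise LDAP SSL configuration; only a "trusted-root" result is the certificate the documentation refers to.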
Resolution
This has been reported to engineering.
Additional Information
This occurs in GW 18.1 also. In Step 7 above, if you choose "SSL CertificateDNS" in the Certificates drop-down list, the error will occur; if you follow Step 7 as written, the error will not occur.
The certificate assigned to my LDAP server object was listed in iManager under LDAP, LDAP Options, expand the LDAP Group object, then click on LDAP Server, Connections, Server Certificate; mine was listed as "SSL Certificate DNS". I believe this is how you can tell which certificate is assigned to your eDirectory LDAP server object, as touched upon in Step 2 above.