A simple test to see if LDAPS is working on an eDirectory 9 or 8.8 SP8 server

  • 7024715
  • 07-Jul-2020
  • 08-Oct-2020

Environment

eDirectory 9
eDirectory 8.8 SP8
Open Enterprise Server 2015 SP1 (OES 2015 SP1) Linux
Open Enterprise Server 2018 (OES 2018 SP1) Linux

Situation

Many products rely on a secure LDAP connection to an eDirectory server. Problems with LDAP may need to be ruled out before further troubleshooting.

Using the OpenLDAP client that comes with eDirectory, there is one simple command that tests eDirectory, LDAP, the user's password and the certificate used by LDAP.

Resolution

If eDirectory has been installed as root and is in the default location, the following command can be run. This assumes the default eDirectory certificates, not 3rd-party certificates, are in use. If a 3rd-party certificate is being used, the commands below must be modified to point to that CA's RootCA PEM or DER file.

Standalone eDirectory 9:
LDAPTLS_CACERT=/var/opt/novell/eDirectory/data/SSCert.pem /opt/novell/eDirectory/bin/ldapsearch -H ldaps://10.1.10.101:636 -D cn=admin,o=emg -w novell -b o=emg -x cn=admin cn

Standalone eDirectory 8.8 SP8:
/opt/novell/eDirectory/bin/ldapsearch -x -h 10.1.10.102 -p 636 -D cn=admin,o=emg -w novell -e /var/opt/novell/eDirectory/data/SSCert.der "cn=admin" cn

NOTE: on OES, certificate files are kept in /etc/opt/novell/certs.
Examples:

OES 2015 SP1:
/opt/novell/eDirectory/bin/ldapsearch -x -h 10.1.10.115 -p 636 -D cn=admin,o=emg -w novell -e /etc/opt/novell/certs/SSCert.der "cn=admin" cn

OES 2018 SP1:
LDAPTLS_CACERT=/etc/opt/novell/certs/SSCert.pem /opt/novell/eDirectory/bin/ldapsearch -H ldaps://10.1.10.117:636 -D cn=admin,o=emg -w novell -b o=emg -x cn=admin cn

This command will have to be modified for your environment, specifically the IP address and the location of the admin object. The command is basic but tests many things at once: it bypasses DNS, binds via LDAPS, logs into eDirectory with the admin user's known password, checks the user's rights, then looks up the user object and returns the value of its CN attribute.

The return should look something like below:

# extended LDIF
#
# LDAPv3
# base <o=emg> with scope subtree
# filter: cn=admin
# requesting: cn
#

# admin, emg
dn: cn=admin,o=emg
cn: admin

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


This command will perform the following:
1. Bypasses DNS and tests the server's certificate against the local RootCA key file used to encrypt the connection. This rules out certificate issues.
2. Tests the LDAP service itself.
3. Enters the eDirectory tree and walks it to locate the user object.
4. Logs in using either NDS or NMAS with the user's known password. This tests that authentication (the password) is good.

Additional Information

Certificate Expiration

The default lifetime of a certificate is 2 years. The following command will extract the expiration date of the server certificate used by LDAPS:
echo | openssl s_client -servername NAME -connect <ip address>:636 2>/dev/null | openssl x509 -noout -dates
Returns:
notBefore=Apr 23 18:51:51 2020 GMT
notAfter=Apr 23 18:51:51 2022 GMT

The following can be used to check the RootCA's expiration using its public certificate on the file system:
openssl x509 -in /var/opt/novell/eDirectory/data/SSCert.pem -text -noout | grep After
Returns:
Not After : Jan 12 22:47:06 2026 GMT
This file can easily be recreated using KB 7021067.