Tag Archives: LDAP

Invalid DN syntax (34)

The following error appeared while checking that the LDAP service was working:
ekanet@ESB-02:/tmp$ ldapsearch -x -LLL -b dc=esb,dc=com
Invalid DN syntax (34)
Additional information: invalid DN
Looking at the original command again, the base DN argument contained an extra space after the comma (dc=esb, dc=com).

After deleting the extra space from the command line, the query works normally:
ekanet@ESB-02:/tmp$ ldapsearch -x -LLL -b dc=esb,dc=com
dn: dc=esb,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: china
dc: esb

dn: cn=admin,dc=esb,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

dn: ou=Groups,dc=esb,dc=com
objectClass: organizationalUnit
ou: Groups
description: Container for Groups entries

dn: ou=Users,dc=esb,dc=com
objectClass: organizationalUnit
ou: Users
description: Container for Users entries

dn: uid=Michael,ou=Groups,dc=esb,dc=com
uid: Michael
objectClass: inetOrgPerson
mail: [email protected]
labeledURI: http://www.esb.com
sn: Sun
cn: Michael Sun

dn: uid=Test,ou=Users,dc=esb,dc=com
uid: Test
objectClass: inetOrgPerson
labeledURI: http://www.esb.com
sn: ESB
cn: Test ESB

LDAP: error code 32 – No Such Object

The error “ldap: error code 32 - No Such Object” was raised when calling
this.ldapTemplate.create(ldapUser);
After searching for a long time I could not find the reason. Finally I came across a blog post and realized that the base configured in the LDAP context source must not be repeated in the DN of the entry.

<ldap:context-source id="contextSource"
                  password="${ldap.password}"
                  url="${ldap.url}"
                  username="${ldap.username}"
                  base="${ldap.base}" />

@Entry(objectClasses = { "person", "inetOrgPerson", "organizationalPerson", "top" }, base = "o=sf")
public class LdapUser {
    // fields (including the @Id DN field Spring LDAP ODM requires), getters and setters omitted
}

For example, if the DN of the entry is o=sf,dc=aa,dc=com:
the base of the ldap:context-source is configured as dc=aa,dc=com;
the base of the @Entry is configured as o=sf, and must not be configured as o=sf,dc=aa,dc=com, because Spring LDAP appends the context-source base itself.
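An added example, not from the original post, that ties together the two errors above: parse_dn rejects the malformed base DN behind “Invalid DN syntax (34)” (an unquoted space makes the shell split dc=esb, dc=com, so ldapsearch receives dc=esb, as its base), and entry_dn builds the DN Spring LDAP would use from the @Entry base and the context-source base, refusing the doubled-base configuration that leads to error 32. The function names and the shell-splitting explanation are mine, not the page's.

```python
import re
import shlex

# RFC 4514 string DNs: RDNs separated by unescaped ','; each RDN is type=value
# (multi-valued RDNs joined with '+' are not handled; the entries above do not use them).
_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")

def split_rdns(dn):
    """Split a DN on commas that are not escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape pairs such as '\,' intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return parts

def parse_dn(dn):
    """Return [(type, value), ...]; raise ValueError where a server reports 'invalid DN' (34)."""
    if dn == "":
        return []                                # the empty DN (root DSE) is valid
    rdns = []
    for rdn in split_rdns(dn):
        rdn = rdn.strip()                        # spaces around ',' are tolerated
        if "=" not in rdn:                       # e.g. a trailing ',' leaves an empty RDN
            raise ValueError(f"invalid DN: RDN {rdn!r} has no '='")
        typ, val = (s.strip() for s in rdn.split("=", 1))
        if not _TYPE.match(typ):
            raise ValueError(f"invalid DN: bad attribute type {typ!r}")
        rdns.append((typ.lower(), val))
    return rdns

def search_base_from_cmdline(cmdline):
    """The '-b' value as the shell hands it over: an unquoted space in 'dc=esb, dc=com' splits it."""
    argv = shlex.split(cmdline)
    return argv[argv.index("-b") + 1]

def entry_dn(entry_base, context_base):
    """The DN Spring LDAP builds: the @Entry base is appended to the context-source base.
    Raise if the @Entry base already ends with the context base (the doubled-base mistake)."""
    rel, ctx = parse_dn(entry_base), parse_dn(context_base)
    if ctx and rel[-len(ctx):] == ctx:
        raise ValueError("@Entry base must be relative; drop the context base from it")
    return ",".join(f"{t}={v}" for t, v in rel + ctx)
```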

Certificate chaining error in WebSphere

When trying to connect to the LDAP server over SSL from WebSphere, I encountered the following error:

Caused by: com.ibm.jsse2.util: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=VeriSign class 3 xxxxxxx is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.util.h.b(h.java:86)
at com.ibm.jsse2.util.h.b(h.java:2)
at com.ibm.jsse2.util.g.a(g.java:27)

Looking into it, the cause is that the signer certificate of the LDAP server I was connecting to had not been added to the default trust store.

The fix, performed on the IBM WebSphere console, is as follows:

1. Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates > Retrieve from port

Fill in the form fields: Host / Port / Alias

Click: Retrieve signer information > Apply

2. Security > SSL certificate and key management > Manage endpoint security configurations > Inbound (CellDefaultSSLSettings) > Key stores and certificates > CellDefaultTrustStore > Signer certificates > Retrieve from port

Fill in the form fields: Host / Port / Alias

Click: Retrieve signer information > Apply

Note: this assumes the CA certificate has already been imported into the keystore; if it has not, look up how to import it first.

Reference: http://stackoverflow.com/questions/27701181/certificate-chaining-error-in-websphere
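An added example, not from the original post, of doing the “Retrieve from port” check by hand: it parses the chain section printed by openssl s_client -showcerts (a constructed sample with placeholder certificate bodies) and walks it the way the path builder does, reporting which issuer is “not trusted” and which certificate to import as the signer. The host name, function names and the sample output are assumptions of this example.

```python
import re

# Constructed sample of the chain section that
#   openssl s_client -connect ldap.example.test:636 -showcerts
# prints. The certificate bodies are placeholders, not real certificates.
SAMPLE_S_CLIENT_OUTPUT = """\
Certificate chain
 0 s:CN = ldap.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----
---
"""

CHAIN_ENTRY = re.compile(
    r"^\s*\d+ s:(?P<subject>[^\n]*)\n\s*i:(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)", re.M | re.S)

def parse_chain(output):
    """[(subject, issuer, pem), ...] in the order the server sent them (leaf first)."""
    return [(m["subject"].strip(), m["issuer"].strip(), m["pem"])
            for m in CHAIN_ENTRY.finditer(output)]

def missing_signer(chain, trusted_subjects):
    """Walk the chain the way a path builder does and stop at the first certificate whose
    subject or issuer is already a signer in the trust store. Returns None when the path can
    be built, otherwise (name of the untrusted issuer, PEM of the last certificate the
    server sent); import that PEM as a signer, e.g.
      keytool -importcert -trustcacerts -alias <alias> -file signer.pem -keystore <store>"""
    for subject, issuer, _ in chain:
        if subject in trusted_subjects or issuer in trusted_subjects:
            return None
    if not chain:
        raise ValueError("server sent no certificate")
    _, issuer, pem = chain[-1]
    return issuer, pem
```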

error code 11 – Administrative Limit Exceeded

The problem is that the LDAP server limits the number of entries a search by this user may look through.

Open your directory server (by name), then the Configuration folder, then Performance. In the right panel, check the Client Control tab. You will see:

Size limit

Look-through limit

Time limit

Idle timeout

The look-through limit specifies the maximum number of entries that will be examined for a search operation.

The size limit specifies the maximum number of entries the server returns to the client application in response to a search operation.

The time limit specifies the maximum time the server spends processing a search operation.

The idle timeout specifies the time a client connection to the server can be idle before the server drops the connection.

Changing these options to “unlimited” resolves the problem.
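An added example, not from the original post, that models the limits listed above on a constructed in-memory directory (not a real server) to show why error 11 appears: the look-through limit counts every candidate the server examines, so an unindexed search can fail with code 11 after examining enough entries even though only a few matched, while the size limit counts only the entries returned (code 4). Result codes follow RFC 4511; the mapping of the look-through limit to adminLimitExceeded is how Sun/Oracle Directory Server reports it.

```python
# Constructed model of the client-control limits listed above, not a real directory server.
# Result codes follow RFC 4511: 3 = timeLimitExceeded, 4 = sizeLimitExceeded, and
# 11 = adminLimitExceeded, which servers such as Sun/Oracle DS return when the look-through
# limit is hit. None means "unlimited". The idle timeout applies to the connection, not to a
# single search, so it is not modelled.

class LdapError(Exception):
    def __init__(self, code, name, partial):
        super().__init__(f"LDAP: error code {code} - {name}")
        self.code, self.partial = code, partial  # servers return the entries found so far

def search(candidates, matches, size_limit=None, lookthrough_limit=None,
           time_limit=None, seconds_per_entry=0.0):
    """Examine candidates in order (as an unindexed search does) and collect the matches."""
    results, examined, elapsed = [], 0, 0.0
    for entry in candidates:
        if lookthrough_limit is not None and examined >= lookthrough_limit:
            raise LdapError(11, "Administrative Limit Exceeded", results)
        if time_limit is not None and elapsed >= time_limit:
            raise LdapError(3, "Time Limit Exceeded", results)
        examined += 1                 # look-through counts every entry examined ...
        elapsed += seconds_per_entry
        if matches(entry):            # ... size counts only the entries returned
            if size_limit is not None and len(results) >= size_limit:
                raise LdapError(4, "Size Limit Exceeded", results)
            results.append(entry)
    return results

# Constructed directory of 100 entries; every other one is under ou=Users.
DIRECTORY = [{"uid": f"user{i}", "ou": "Users" if i % 2 else "Groups"} for i in range(100)]

def run(**limits):
    """Search ou=Users: ('ok', n_results) or ('error', code, n_partial_results)."""
    try:
        return ("ok", len(search(DIRECTORY, lambda e: e["ou"] == "Users", **limits)))
    except LdapError as err:
        return ("error", err.code, len(err.partial))
```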

LDAP: error code 21 – objectclass: value #0 invalid per syntax

The root cause is that the objectClass values used when adding, deleting or modifying data in LDAP must match the object classes defined in the server's existing schema.
First, why an inconsistent objectClass makes an add fail.
An entry, the object managed by the directory, is the most basic unit in LDAP; add, delete, modify and search all operate on entries. Each entry can have many attributes, and an objectClass is a named collection of attributes.
Object classes make it easy to define entry types. An entry can derive from several object classes and so inherit their attributes; if two object classes define the same attribute, the entry keeps it only once. The object class also specifies which attributes are essential (MUST, or required) and which are extensions (MAY, or optional).
Every entry in the LDAP directory tree must belong to at least one objectClass, which in turn defines the attributes the entry may carry and their values; an objectClass corresponds roughly to a class in Java. In Java, classes are roughly divided into abstract and concrete, and only a concrete class can be instantiated. In LDAP, object classes are divided into three kinds: abstract, structural and auxiliary, defined as follows:
Abstract: abstract object classes are only intended to be extended by other object classes. An entry must not contain an abstract class unless it also contains a structural or auxiliary class that derives from it (that is, a non-abstract object class whose inheritance chain includes the abstract class). All entries must contain at least the “top” abstract object class and the structural classes in their inheritance chain; they may or may not contain other abstract classes found in the inheritance chain of the structural class or of any of their auxiliary classes.
Structural: structural object classes are intended to define what kind of thing an entry represents. Each entry must contain one chain of structural object classes, and the root of that chain must ultimately be the “top” abstract object class. Changing an entry's structural object class is not allowed.
Auxiliary: auxiliary object classes are intended to define additional characteristics of an entry. An entry may contain zero or more auxiliary classes, and the set of auxiliary classes associated with an entry may change over time.
Object classes can inherit from each other, with the “top” abstract object class at the root. Taking access-control devices as an example, their inheritance relationship is shown in the figure below:

Whether an attribute can be added to an LDAP entry depends on whether one of the objectClasses the entry inherits from defines that attribute. Because objectClasses inherit from one another, the attributes an entry may carry are ultimately determined by the union of all the objectClasses it inherits.
The objectClasses and attributes are defined by schema files, stored in the /etc/openldap/schema directory. A schema file specifies the composition of each objectClass and the relationships between attributes and values in the directory tree; you can define your own schema file to create an objectClass with the attributes you need. The relationships between ObjectClass, AttributeType and Syntax are shown in the figure below:

So if an attribute being added is not within the scope of the entry's objectClasses, the directory server refuses to add it. To allow it, you must add a schema file that defines the attribute for the corresponding objectClass.
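An added example, not from the original post, that applies the rules above to an entry before it is sent to the server: a constructed mini-schema (trimmed from the standard core and inetOrgPerson definitions) plus a checker that reports an objectClass the schema does not define (the “value #0 invalid per syntax” case), structural classes that are not on one inheritance chain, missing MUST attributes and attributes outside the inherited MAY/MUST sets. The schema contents and function names are assumptions of this example.

```python
# Constructed mini-schema keyed by objectClass name: (kind, superior, MUST, MAY).
# Shapes follow the standard core/inetorgperson definitions, trimmed to what is needed here.
SCHEMA = {
    "top": ("ABSTRACT", None, {"objectClass"}, set()),
    "person": ("STRUCTURAL", "top", {"sn", "cn"}, {"userPassword", "description"}),
    "organizationalPerson": ("STRUCTURAL", "person", set(), {"title", "ou"}),
    "inetOrgPerson": ("STRUCTURAL", "organizationalPerson", set(), {"uid", "mail", "labeledURI"}),
    "organizationalUnit": ("STRUCTURAL", "top", {"ou"}, {"description"}),
    "dcObject": ("AUXILIARY", "top", {"dc"}, set()),
}

def chain(oc):
    """The class and all its superiors, leaf first, ending at 'top'."""
    out = []
    while oc is not None:
        out.append(oc)
        oc = SCHEMA[oc][1]
    return out

def check_entry(entry):
    """Schema-check an entry ({attribute: [values]}); return the problems, [] if valid."""
    problems = []
    ocs = entry.get("objectClass", [])
    for i, oc in enumerate(ocs):
        if oc not in SCHEMA:  # an objectClass the server's schema does not define
            problems.append(f"objectclass: value #{i} invalid per syntax ({oc})")
    known = [oc for oc in ocs if oc in SCHEMA]
    if not known:
        return problems
    structural = [oc for oc in known if SCHEMA[oc][0] == "STRUCTURAL"]
    if not structural:
        problems.append("no structural objectClass")
    else:  # every structural class must lie on one inheritance chain
        leaf = max(structural, key=lambda oc: len(chain(oc)))
        extra = [oc for oc in structural if oc not in chain(leaf)]
        if extra:
            problems.append(f"structural objectClasses not on one chain: {leaf} vs {extra}")
    must, may = set(), set()  # effective attributes: union over every inherited class
    for oc in known:
        for c in chain(oc):
            must |= SCHEMA[c][2]
            may |= SCHEMA[c][3]
    for a in sorted(must - set(entry)):
        problems.append(f"missing required attribute: {a}")
    for a in sorted(set(entry) - must - may):
        problems.append(f"attribute not allowed by objectClasses: {a}")
    return problems
```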

To the brothers who encountered “simple bind failed 192.168.1.×××:636”

Last time I wrote an article about changing passwords for LDAP users (mostly drawing on two other articles), and I noticed a strange phenomenon. The AD server I used for development is a three-in-one box with my own web server and certificate server, and the password could be changed successfully as described there. The program was packaged into a WAR and tested on the servers on the 6th, 15th and 16th floors, each of which also combined AD, web server and certificate server on one machine. The 6th and 15th floors could change the password of a user on the connected AD normally, but the 16th floor could not: the error “simple bind failed AD-IP:636” was reported all the time, which depressed me a great deal. I had to search the net; because of other tasks this went on intermittently for several weeks. Some said SSL was not enabled, some said “SSL is not supported”, some said it was a simple-bind error (which is nonsense), but there was no definite answer. I joined several LDAP chat groups and asked around for a long time, with no solution. In the meantime the AD used by the web application on the 15th floor was replaced by another one, and the same error occurred. I set up another machine and configured it again, and the same error occurred. Xj installed a Win2003 machine and let me test on it: the same error. The web application could originally change passwords normally on my own machine, then sometimes it could and sometimes it couldn't, and the 15th-floor machine that originally could not change the password suddenly could again yesterday afternoon. I asked around and made sure nobody had changed the AD or web settings: the same application, the same configuration, performing the same function, yet it would work and then not. That was my most depressing day. This morning, on a sudden impulse, I imported the certificate again, and the password change succeeded.
Steps (omitting the installation of the certificate service; see the previous section):
1. Select Start -> Run, enter mmc to open the console, and add the Certificates snap-in as before. Under Personal -> Certificates, select the certificate you created earlier in the Certificate Services section, then All Tasks -> Export, and export it again to a new .cer file.
2. Select Start -> Run, enter cmd to open a command prompt, use cd to switch to the bin directory of the JDK used by the web application, and run: keytool -import -keystore <keystore file> -file <cer file path> to import the new certificate. Afterwards you will see the new keystore file, with the name and extension you chose, in the JDK bin directory.
3. Change the certificate path in the password-change settings to the path of the newly generated keystore file. Restart the server and test the password change function again, and you're done.
Then I did the same on machine 14, and machine 14 was able to change passwords successfully too. Great. I don't know whether this is the exact solution to simple bind failed (or whether it just happened to change some setting on my system), but if any of you brothers have the same problem, try re-importing the certificate and you may be able to fix it.