Troubleshooting
Errors
If you experience any errors, verify that:
You can log into the LDAP directory server from the Bravura Security Fabric server and from any LDAP client software using the administrator ID and password you created.
You can reset user passwords with any LDAP directory management software.
Some flavors of LDAP can have difficulty creating user IDs that include special characters.
If the LDAP password agent reports one of the following error messages:
Can't connect to LDAP server: the possible reasons for this error are:
Invalid server address: check the address you defined, using the rules set out above.
Invalid server port: check the port in the address you defined, using the rules set out above.
The hostname of the LDAP server is not resolving on the Bravura Security Fabric server. This is likely a DNS problem, and you can bypass it by using an IP address for the LDAP server, rather than its name.
No such object: this means that the administrator or user ID cannot be found on the server. Make sure that the administrator login ID is a fully-qualified LDAP name and that the context in the server address is correct.
Invalid credentials: the administrator's (or user's) password is wrong.
Listing accounts
The agtldap program, which runs during auto discovery to automatically discover LDAP accounts, may be limited by the LDAP server configuration.
If your target system does not support paging and you find that agtldap does not return a complete list, increase the search size or "lookthrough" limit. Consult your LDAP administrator or documentation for more information.
Most LDAP servers, such as IBM Directory Server and OpenLDAP, use paging; however, some servers, such as Netscape and Sun One Directory Server, do not. To determine whether your LDAP server uses paging, check whether 1.2.840.113556.1.4.319 is included as a supported control in the server's rootDSE. For details, visit: http://www.ietf.org/rfc/rfc2696.txt .
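The paging check described above can be scripted against the server's rootDSE. The following is an added example (not part of the Bravura Security Fabric product or this documentation): it parses the LDIF output of a base-scope search for supportedControl and reports whether the Simple Paged Results control OID is advertised. The rootDSE samples are constructed for this example, and the hostname ldap.example.test is a placeholder.

```python
"""Check an LDAP server's rootDSE for the Simple Paged Results control.

The rootDSE LDIF can be fetched with, for example:
    ldapsearch -x -H ldap://ldap.example.test -s base -b "" supportedControl
and the output fed to parse_supported_controls(). The samples below are
constructed for this example, not captured from a real server.
"""

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"   # RFC 2696 Simple Paged Results


def unfold_ldif(text: str) -> list:
    """Return logical LDIF lines: continuation lines (leading space) are
    joined to the previous line; comments and blank lines are dropped."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.startswith("#") or not raw.strip():
            continue
        else:
            logical.append(raw)
    return logical


def parse_supported_controls(rootdse_ldif: str) -> set:
    """Return the set of control OIDs listed in the rootDSE supportedControl attribute."""
    controls = set()
    for line in unfold_ldif(rootdse_ldif):
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "supportedcontrol":
            controls.add(value.strip())
    return controls


def supports_paged_results(rootdse_ldif: str) -> bool:
    """True if the server advertises the Simple Paged Results control."""
    return PAGED_RESULTS_OID in parse_supported_controls(rootdse_ldif)


# Constructed sample: a server that advertises paging; the OID is deliberately
# folded across two LDIF lines to exercise the continuation handling.
ROOTDSE_WITH_PAGING = """\
dn:
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 1.2.840.113556.1.4.3
 19
supportedControl: 1.3.6.1.1.12
"""
# Constructed sample: a server without paging (agtldap may return a truncated list)
ROOTDSE_WITHOUT_PAGING = """\
dn:
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
"""

if __name__ == "__main__":
    for name, ldif in (("paging", ROOTDSE_WITH_PAGING), ("no paging", ROOTDSE_WITHOUT_PAGING)):
        print(name, supports_paged_results(ldif))
```

If the control is absent, raising the server's search size or lookthrough limit is the remaining option described above.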
Creating groups
Some LDAP schemas, such as OpenLDAP, require that a groupOfUniqueNames MUST have a uniqueMember (RFC2256). This means that it is mandatory for all groups to contain at least one member.
By default, when creating a group, Bravura Security Fabric does not enforce this rule. To enable group creation in LDAP schemas that require a uniqueMember, create the following registry entry:
Entry name: ldapDefaultUniqueMember
Value: name of unique member
Data type: REG_SZ
in this key:
HKLM\SOFTWARE\Bravura Security\Bravura Security Fabric\<instance>\
If this entry is present, the uniqueMember attribute is replaced with the string value when a group is created in Bravura Identity. This value does not have to be a real user.
SSL certificates
When connecting or binding over SSL, the following error in the logs may indicate an SSL certificate issue:
Failed to bind to server [Server Down]
To identify the cause of this error:
Open the Windows event viewer and navigate to Windows Logs > System.
Confirm that SCHANNEL logging has been enabled. For more information, see Windows documentation on enabling and configuring SCHANNEL logging.
Look for recent Schannel errors. For example, a common error is:
The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.
This error indicates the certificate was not loaded as a trusted root certificate.
You can also try disabling certificate validation via the address option sslNoCertValidation. If the bind succeeds once certificate validation is disabled through this option, then the certificate is not trusted.
Note
Only set sslNoCertValidation to true for troubleshooting purposes; because it disables certificate validation, it does not provide strong security.