Execution of LDAP query returns error when the LDAP server is configured to use SSL.

Product:

SourceOne Discovery Manager, SourceOne Email Management, SourceOne for Microsoft Exchange, SourceOne for Notes/Domino

Description:

EMC SourceOne Email Management can use an LDAP server to find data sources for activities such as historical archive and audited users.

The errors below are displayed in Test Results when a simple query such as (objectClass=person) is executed against an LDAP server that is configured for SSL (port 636):

Connecting...
Connected.
Running Query (objectClass=person)
LDAP Query Failed

 

The following errors are reported in the ExMMCAdmin.dll.log file:

94|PB88|T588|2013/03/22 14:09:33:995|CoExJDFAPIMgr::GetLDAPServerByID|VERBOSE|   Found <1> LDAP Servers.|CoExJDFAPIMgr.cpp(3756)|Job Id: -1; Activity Name: ES168; Activity Id: -1; Activity Type: -1; ES168
1|PB88|T588|2013/03/22 14:09:34:026|CoExLDAPClient::TestConnection|ERROR|Server Down System call failed. (0x86040100)|CoExLDAPClient.cpp(256)|Job Id: -1; Activity Name: ES168; Activity Id: -1; Activity Type: -1; ES168


After configuring Microsoft ldp.exe with the same LDAP settings as the EMC SourceOne Email Management Console, the errors below are reported on the initial connection:

Error <0x51>: Fail to connect to 192.168.2.8.

ld = ldap_sslinit("192.168.2.108", 636, 1);

Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);

Error 81 = ldap_connect(hLdap, NULL);

Server error: <empty>

Error <0x51>: Fail to connect to 192.168.2.108

 

The (0x51) error in ldp.exe basically points to a certificate issue. Either the certificate issued to the LDAP server is not trusted by the EMC SourceOne Email Management server, or the LDAP server is not configured to use the same host name as the certificate. The SSL connection is not established unless the certificate exchange is successful.

Resolution:

Engage the customer's Notes / Active Directory administrator to determine which certificate the LDAP server is using. Make sure that certificate is trusted by the EMC SourceOne Email Management server, and reconfigure the LDAP setting in the EMC SourceOne Email Management Console to use the same name that the certificate was issued with for the LDAP server host.

For a Domino environment, the Domino administrator can check the CertServ.nsf file on the Domino server being used for LDAP. The keyring file shows which certificate is being used by the LDAP server. The EMC SourceOne Email Management servers have to trust that certificate, and the LDAP configuration in the EMC SourceOne Email Management Console should use an LDAP server name that is the same as the certificate name.

For more information, refer to Primus solution "esg135218".
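
To tell the two causes named above apart (untrusted certificate versus name mismatch), the following added example, which is not EMC or Microsoft code, performs the SSL handshake on port 636 from PowerShell and reports which validation check failed. The function name Test-LdapsCertificate and the host name ldap01.example.com are assumptions; run it on the SourceOne server with the server name exactly as entered in the console.

```powershell
# Added example, not part of EMC SourceOne or ldp.exe.
# Run on the SourceOne server so that this machine's trust store is the one evaluated.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$ServerName,  # exactly as entered in the console
        [int]$Port = 636
    )
    $state = @{ Errors = $null; Cert = $null; Chain = @() }

    # Record the validation result, then accept so the certificate can be inspected.
    # Diagnostic only: nothing is sent over the stream after the handshake.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        if ($certificate) {
            $state.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
        }
        if ($chain) { $state.Chain = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) }
        return $true
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ServerName, $Port)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList @($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ServerName)   # $ServerName is compared with the certificate names
        $ssl.Dispose()
    }
    finally { $tcp.Close() }

    $flags = [System.Net.Security.SslPolicyErrors]
    # Subject Alternative Name extension (OID 2.5.29.17), if the certificate has one
    $san = $state.Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        ForEach-Object { $_.Format($false) }

    [pscustomobject]@{
        ConfiguredName = $ServerName
        Subject        = $state.Cert.Subject
        SubjectAltName = $san
        Issuer         = $state.Cert.Issuer
        NameMismatch   = $state.Errors.HasFlag($flags::RemoteCertificateNameMismatch)   # name differs from certificate
        UntrustedChain = $state.Errors.HasFlag($flags::RemoteCertificateChainErrors)    # issuer not trusted here
        ChainStatus    = $state.Chain -join ', '
    }
}

# Example call (placeholder host name):
# Test-LdapsCertificate -ServerName 'ldap01.example.com'
```

NameMismatch = True means the name in the console does not match the certificate; UntrustedChain = True means the issuing certificate is not trusted on this server.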