
Error while provisioning to AD over SSL

Feb 08 at 06:51 AM


Hello Everyone,

I am trying to provision the user / set the password from SAP IDM 8.0 to Microsoft AD over SSL; however, I received the error below.

Steps performed -

1) Set 636 as the LDAP SSL port in the AD repository.

2) Installed the AD certificate on the IDM runtime server and verified that it exists in the certificate store.

3) Ensured that the SSL port and SSL are selected as the Security options in the To LDAP pass.

Please let me know if I missed anything. Please note that telnet to port 636 on the AD server works fine from my SAP IDM server, and user provisioning over port 389 also works fine.

Message type: Error
Message: ToDSADirect.init got exception, returning false. - URL:ldap://<AD_SERVER_IP>:636
java.lang.Throwable: <AD_SERVER_IP>:636 ErrorInit failed

Regards,

C Kumar


2 Answers

Deva Prakash B Feb 08 at 01:03 PM
1

Hi Kumar,

As per the post below, I believe you need to use LDAPS in the URL, and I hope the certificate is available in the Java keystore.

https://archive.sap.com/discussions/message/16770714#16770714

Regards,

Deva


Hello Deva,

Thanks for the comments!

Any idea how to change it to LDAPS? As far as I know, the LDAP URL gets auto-formed based on the %$rep.LDAP_HOST% and %$rep.LDAP_HOST% fields.

I have also added the certificate to the Java keystore, but I still receive the same error.

Regards,

C Kumar

0

Can you please provide a screenshot of your ToLDAP destination pass?

0

What value are you passing in the Directory LDAP Port field of the ToLDAP pass? As you mentioned above, is it %$rep.LDAP_PORT_SSL%?

What values are you passing to the LDAP attributes? Can you please provide a screenshot?

Which LDAP attribute are you using to set the password in AD, and what value are you passing to it?

For example, if you are passing the following, it should work.

Attribute     Value
dn            %dnvalue%
changetype    modify
unicodePWD    {HEX}<password in hexadecimal format>

Regards,

Deva

0
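The attribute table above is the whole recipe, but two details in it are easy to get wrong: what bytes actually have to sit behind the {HEX} prefix for unicodePwd, and whether the certificate imported into the IDM Java keystore really validates the LDAPS endpoint the pass connects to. The script below is an added example, not SAP IDM code and not from any poster in this thread. It assumes, as the table does, that {HEX} tells the connector to send the decoded bytes as-is, and it assumes (a fact of Active Directory, not of IDM) that unicodePwd must receive the new password wrapped in double quotes and encoded as UTF-16LE. The DN, password, hostname and CA-file path in it are constructed placeholders.

```python
"""Helpers for the two things discussed in this thread: building the
unicodePwd value for an AD password set, and checking that the LDAPS port
presents a certificate the imported CA actually trusts.

Added example; not SAP IDM code. The {HEX} prefix follows the attribute
table in the answer above. Host names and paths are placeholders.
"""
import socket
import ssl
from typing import Optional


def unicode_pwd_hex(password: str) -> str:
    """Return the unicodePwd value in the {HEX}... form from the answer.

    Active Directory expects the new password enclosed in double quotes
    and encoded as UTF-16LE; the {HEX} prefix lets the pass hand the raw
    bytes to the connector instead of a string.
    """
    raw = f'"{password}"'.encode("utf-16-le")
    return "{HEX}" + raw.hex()


def decode_unicode_pwd_hex(value: str) -> str:
    """Reverse of unicode_pwd_hex: shows what the pass would send to AD."""
    if not value.startswith("{HEX}"):
        raise ValueError("expected a {HEX}-prefixed value")
    text = bytes.fromhex(value[len("{HEX}"):]).decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("decoded password is not wrapped in double quotes")
    return text[1:-1]


def password_modify_entry(dn: str, password: str) -> dict:
    """Attribute/value pairs mirroring the table in the answer."""
    return {
        "dn": dn,
        "changetype": "modify",
        "unicodePwd": unicode_pwd_hex(password),
    }


def check_ldaps_handshake(host: str, port: int = 636,
                          cafile: Optional[str] = None,
                          timeout: float = 5.0) -> dict:
    """Complete a TLS handshake with the LDAPS port and return certificate
    details. Raises ssl.SSLError when the server chain does not validate
    against cafile (the same CA that has to be in the IDM Java keystore)
    or when `host` does not match the certificate's subject/SAN.

    Connecting by IP address, as in the error message above, fails this
    check whenever the DC certificate carries only a DNS name, so pass the
    domain controller's FQDN here and in the repository configuration.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            protocol = tls.version()
    return {
        "subject": cert.get("subject"),
        "subjectAltName": cert.get("subjectAltName"),
        "protocol": protocol,
    }


if __name__ == "__main__":
    import sys

    # Constructed sample values, not from any real directory.
    entry = password_modify_entry(
        "CN=Test User,OU=Users,DC=example,DC=com", "Pa$$w0rd")
    for attribute, value in entry.items():
        print(f"{attribute}: {value}")
    # Optional live check: python script.py dc01.example.com /path/to/ca.pem
    if len(sys.argv) >= 2:
        cafile = sys.argv[2] if len(sys.argv) > 2 else None
        print(check_ldaps_handshake(sys.argv[1], cafile=cafile))
```

Run it without arguments to see the three attribute/value pairs the pass should carry; with a hostname (and optionally the CA file exported for the keystore) it performs the same trust and hostname checks the Java runtime performs, so an ssl.SSLError here points at the keystore or at an IP-versus-FQDN mismatch rather than at the IDM pass configuration.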

Hello Deva,

Yes, I am passing %$rep.LDAP_PORT_SSL% in the LDAP port field.

Attached the destination screenshot for attribute details and value passed.

Regards,

C Kumar

0
Chenyang Xiong Feb 12 at 03:47 AM
0

Hi Kumar,

You may use LDAP for read access, but for the change operation you may need to change the protocol from LDAP to LDAPS manually here.

Security Option can be SSL or simple authentication.

Cheers

Chenyang


[Attachment: ad-ssl.png]

Hello Chenyang,

It seems you have provided the screenshot from SAP IDM 7.2.

In IDM 7.2 we had the option to provide the full LDAP URL, but it seems this feature has been omitted in IDM 8.0.

Please refer to the screenshot provided in the comments earlier.

Regards,

C Kumar

0