Skip to main content
Woohoo! Qlik Community has won “Best in Class Community” in the 2024 Khoros Kudos awards!
Announcements
Nov. 20th, Qlik Insider - Lakehouses: Driving the Future of Data & AI - PICK A SESSION
cancel
Showing results for 
Search instead for 
Did you mean: 
Not applicable

LDAP over SSL

Ok Qlik Community, noob here and hopefully will not embarrass myself.

I am trying to get Qlikview to use an LDAP server (Oracle LDAP) for the DSP. I am using the Configurable LDAP option, and I enter the LDAP URL as:

ldaps://{ldapserver}:636/{basedn}

I have tried many iterations of this, but I am not getting anywhere other than the following in the DSC logs:

20/05/2014 13:54:42.7930216Information(GenericLDAP.GenericLDAPProvider) Setting domainname to SMIND
20/05/2014 13:54:42.8086219Warning(GenericLDAP.GenericLDAPProvider+CachedDirectoryEntryHolder) Fetching directoryentry LDAP://{server}:636/{basedn} failed: The server is not operational.

20/05/2014 13:54:42.8086219Error(DSC.DirectoryFramework) setup path not successful for user '{bind dn user}' at 'LDAPS://{server}:636/{basdn}': System.Exception: Setting up connection failed; The server is not operational.

---> System.Runtime.InteropServices.COMException: The server is not operational.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)

   at System.DirectoryServices.DirectoryEntry.Bind()

   at System.DirectoryServices.DirectoryEntry.get_NativeObject()

   at GenericLDAP.GenericLDAPProvider.CachedDirectoryEntryHolder.get_Entry()

   --- End of inner exception stack trace ---

   at GenericLDAP.GenericLDAPProvider.CachedDirectoryEntryHolder.get_Entry()

   at GenericLDAP.GenericLDAPProvider.SetupPath(String path, String username, String password)

   at DSC.DirectoryFramework.SetupResource(Guid id, String type, String path, String username, String password, IDictionary`2 newSettings)

20/05/2014 13:54:42.8086219Warning(DSC.DirectoryFramework) Setting up ldapDSP 'LDAPS://{server}:636/{basedn}' wasn't successful: Setting up connection failed; The server is not operational.

20/05/2014 13:54:42.8710231InformationInitializing done

The LDAP server is up and running, and I install an LDAP browsing tool on the same server to validate I can connect/bind/browse the LDAP server using the details I enter in the Qlik Admin console.

Does anyone have any experience of running LDAP over SSL? I have searched and found nothing relevant, so thought I would post in the hope that someone has a working configuration or can suggest what else I need to do.

Many thanks

1 Solution

Accepted Solutions
Not applicable
Author

Thanks Bill for pointing me in the right direction.

It appears that the problem was not that the certificate authority needed added (it was a standard Verisign certificate) but that the name I was using to connect was not the same as the value in the LDAP servers DN settings of the cert. Whilst it appears other applications are less fussy, you have to explicitly state the details as per the certificate.

This is actually quite common as we have a VIP behind which real IPs and LDAP hosts are load balanced. Each (VIP and RIPs) will all have their own unique names, as will the service friendly name.

Once I changed the connection string to this, everything worked.

View solution in original post

12 Replies
mls
Former Employee
Former Employee

the ldap URL looks correct and I can't see why that shouldn't work.

But one thing to try would be to take out the port. It should not be needed since port 636 is the default when using ldaps.

So worth trying:

ldaps://{ldapserver}/{basedn}


Or even just:

ldaps://{ldapserver}



Not applicable
Author

Indeed, I agree it should just work but it is not currently.

I should have added that I have tried what you suggest without success. I have also tried:

- using IP address instead of FQDN

- deleting/recreating the configuration profile

- restarting the services

I am sure it is something silly, but it is odd that I can connect/bind/browse using LDAP browser, yet DSC does not.

mls
Former Employee
Former Employee

Do you have the QlikView Services spread out over several machines? If so, did you do the test with the LDAP browser from the machine where the DSC is running? The test was also over SSL?

Do you have a recent version of QlikView - there were some improvements to the configurable LDAP connector especially around version 11.20 SR2.

You may wish to contact support for this one unless anyone else can think of something.

Not applicable
Author

No, this is a single box install (just for testing purposes) and we are running 11.20.12235.0 so I am not sure if that is the latest version, but feel it is confident that it is at least a reasonably recent version.

Thanks for responding Magnus - I will see if support services can resolve.

I am beginning to think that everything I touch Qlik is doomed - I cannot seem to get anything working the way it is supposed to 🙂

Bill_Britt
Former Employee
Former Employee

Hi,

Does it work without SSL?

Bill

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.
Not applicable
Author

We do not allow binds against LDAP, only LDAPS so I am not able to validate/test.

As an aside, even though I see the error in the log file, I am not getting any errors in the Event Viewer (all happy) and it does appear to let me authenticate although the directory searching/lookup are not working - which is kind of what I expected.

Bill_Britt
Former Employee
Former Employee

Hi,

I am not sure that the directory service supports an SSL connection. I will see what I can find out.

Bill

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.
Not applicable
Author

Bill - thanks, much obliged if you could look into this.

Bill_Britt
Former Employee
Former Employee

Hi Ricardo,

The below is what I got back.


LDAPS is supported since v11.20sr1

You probably have to import first the SSL Public Certificate into the KeyStore of the Service Account that the DSC is running as using certmgr.msc


Let me know if that works so I can write up an article for support. I have no way to test this to see if it is correct, but it does make sense.


Bill

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.