12 Replies. Latest reply: Mar 24, 2015 1:28 AM by Mark Hoskins

    LDAP over SSL

      Ok Qlik Community, noob here and hopefully will not embarrass myself.

       

      I am trying to get QlikView to use an LDAP server (Oracle LDAP) for the DSP. I am using the Configurable LDAP option, and I enter the LDAP URL as:

       

      ldaps://{ldapserver}:636/{basedn}

       

      I have tried many iterations of this, but I am not getting anywhere other than the following in the DSC logs:

       

      20/05/2014 13:54:42.7930216 Information (GenericLDAP.GenericLDAPProvider) Setting domainname to SMIND
      20/05/2014 13:54:42.8086219 Warning (GenericLDAP.GenericLDAPProvider+CachedDirectoryEntryHolder) Fetching directoryentry LDAP://{server}:636/{basedn} failed: The server is not operational.
      20/05/2014 13:54:42.8086219 Error (DSC.DirectoryFramework) setup path not successful for user '{bind dn user}' at 'LDAPS://{server}:636/{basdn}': System.Exception: Setting up connection failed; The server is not operational.
       ---> System.Runtime.InteropServices.COMException: The server is not operational.
         at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
         at System.DirectoryServices.DirectoryEntry.Bind()
         at System.DirectoryServices.DirectoryEntry.get_NativeObject()
         at GenericLDAP.GenericLDAPProvider.CachedDirectoryEntryHolder.get_Entry()
         --- End of inner exception stack trace ---
         at GenericLDAP.GenericLDAPProvider.CachedDirectoryEntryHolder.get_Entry()
         at GenericLDAP.GenericLDAPProvider.SetupPath(String path, String username, String password)
         at DSC.DirectoryFramework.SetupResource(Guid id, String type, String path, String username, String password, IDictionary`2 newSettings)
      20/05/2014 13:54:42.8086219 Warning (DSC.DirectoryFramework) Setting up ldapDSP 'LDAPS://{server}:636/{basedn}' wasn't successful: Setting up connection failed; The server is not operational.
      20/05/2014 13:54:42.8710231 Information Initializing done

       

       

      The LDAP server is up and running, and I installed an LDAP browsing tool on the same server to validate that I can connect/bind/browse the LDAP server using the details I enter in the Qlik Admin console.

       

      Does anyone have any experience of running LDAP over SSL? I have searched and found nothing relevant, so thought I would post in the hope that someone has a working configuration or can suggest what else I need to do.

       

      Many thanks

        • Re: LDAP over SSL
          Magnus Larsson

          The LDAP URL looks correct and I can't see why that shouldn't work.

           

          But one thing to try would be to take out the port. It should not be needed since port 636 is the default when using ldaps.

           

          So worth trying:

          ldaps://{ldapserver}/{basedn}


          Or even just:

          ldaps://{ldapserver}



            • Re: LDAP over SSL

              Indeed, I agree it should just work but it is not currently.

               

              I should have added that I have tried what you suggest without success. I have also tried:

               

              - using IP address instead of FQDN

              - deleting/recreating the configuration profile

              - restarting the services

               

              I am sure it is something silly, but it is odd that I can connect/bind/browse using LDAP browser, yet DSC does not.

                • Re: LDAP over SSL
                  Magnus Larsson

                  Do you have the QlikView Services spread out over several machines? If so, did you do the test with the LDAP browser from the machine where the DSC is running? The test was also over SSL?

                   

                  Do you have a recent version of QlikView - there were some improvements to the configurable LDAP connector especially around version 11.20 SR2.

                   

                  You may wish to contact support for this one unless anyone else can think of something.

                    • Re: LDAP over SSL

                      No, this is a single box install (just for testing purposes) and we are running 11.20.12235.0, so I am not sure if that is the latest version, but feel confident that it is at least a reasonably recent version.

                       

                      Thanks for responding Magnus - I will see if support services can resolve.

                       

                      I am beginning to think that everything I touch in Qlik is doomed - I cannot seem to get anything working the way it is supposed to :-)

                • Re: LDAP over SSL
                  Bill Britt

                  Hi,

                  Does it work without SSL?

                   

                  Bill

                  • Re: LDAP over SSL

                    We do not allow binds against LDAP, only LDAPS so I am not able to validate/test.

                     

                    As an aside, even though I see the error in the log file, I am not getting any errors in the Event Viewer (all happy) and it does appear to let me authenticate although the directory searching/lookup are not working - which is kind of what I expected.

                    • Re: LDAP over SSL

                      Thanks Bill for pointing me in the right direction.

                       

                      It appears that the problem was not that the certificate authority needed to be added (it was a standard Verisign certificate) but that the name I was using to connect was not the same as the value in the LDAP server's DN settings of the cert. Whilst it appears other applications are less fussy, you have to explicitly state the details as per the certificate.

                       

                      This is actually quite common as we have a VIP behind which real IPs and LDAP hosts are load balanced. Each (VIP and RIPs) will all have their own unique names, as will the service friendly name.

                       

                      Once I changed the connection string to this, everything worked.
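
The fix described in the post above comes down to a TLS name check: the host part of the `ldaps://` URL has to be one of the names on the server certificate. The following is an added example, not code from the thread or from QlikView; it shows the kind of matching a strict TLS client performs and goes slightly beyond the post by also covering wildcard and IP entries. All host names and the sample certificate are constructed placeholders.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# All names are hypothetical; the thread does not give the real ones.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.corp.example"),),),
    "subjectAltName": (("DNS", "ldap.corp.example"),),
}

def cert_names(cert):
    """Names a client checks: SAN entries if present, otherwise subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(host, pattern):
    """Case-insensitive; '*' may only stand for the whole left-most label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    return h[1:] == p[1:] and p[0] in ("*", h[0])

def url_host_ok(host, cert):
    """True if the host part of the ldaps:// URL is a name on the certificate."""
    return any(name_matches(host, n) for n in cert_names(cert))

def fetch_cert(host, port=636, timeout=5):
    """Fetch the server certificate. Chain validation stays on; only the
    hostname check is deferred so the presented names can be reported."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    # VIP name, a real host behind it, a bare IP, and the name on the cert.
    for host in ("ldap-vip.corp.example", "ldap01.corp.example",
                 "192.0.2.10", "ldap.corp.example"):
        print(host, "->", "match" if url_host_ok(host, SAMPLE_CERT) else "MISMATCH")
```

Against a live directory, `cert_names(fetch_cert(host))` lists the names that are valid in the URL, provided the issuing CA is already trusted on the machine running the check.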

                      • Re: LDAP over SSL

                        Hi Ricardo,

                         

                        Your posts have been very helpful. I just have a few questions regarding your last post, as I am facing a similar issue.

                         

                        - When you say 'the name you are using to connect', are you referring to the QlikView path or a config value?

                        - When you refer to the connection string, are you talking about the path? If so, which aspect of the path? Are you able to provide a generic example?

                         

                        Any response is much appreciated.

                         

                        Cheers,

                         

                        Mark.