SSL only: could not get server configuration in ldap

Hi,

When I try to set up encrypted connections from MS to LDAP, I get the following error message in the default log:

[19/Jul/2007:10:17:00 +0200] mail msprobe[22813]: General Warning: could not get server configuration in ldap, using cached configuration information

I know that it means that MS can't get the configuration for some reason, but I don't understand why. This is what I did:

1. Added certificate to /opt/SUNWmsgsr/config/cert8.db

2. Testing the connection:

bash-3.00# ldapsearch -v -h ldapserver -p 636 -Z -P /opt/SUNWmsgsr/config/cert8.db -b "" -s base "objectclass=*" supportedSASLMechanisms
ldapsearch: started Thu Jul 19 10:49:26 2007
ldap_init( ldapserver, 636 )
filter pattern: objectclass=*
returning: supportedSASLMechanisms
filter is: (objectclass=*)
version: 1
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
1 matches

3. Changed the configuration:

bash-3.00# configutil -o local.ldapport -v 636
OK SET
bash-3.00# configutil -o local.ldapusessl -v 1
OK SET

After changing these values, a "configutil" call takes a few minutes before giving any output!? I suppose this is because it tries to connect to get the configuration from LDAP.

And of course, if I change everything back to non-SSL, it's working fine.

4. imsimta cnbuild

takes a very long time and then displays:

[19/Jul/2007:10:53:20 +0200] mail [22862]: General Warning: could not get server configuration in ldap, using cached configuration information

Since this is the production environment, I didn't try "stop-msg" and "start-msg". In the test environment it worked exactly that way. The only difference is that I have the latest version of MS (6.3) in the test environment. In production we have:

Sun Java(tm) System Messaging Server 6.2-7.05 (built Sep 5 2006)
libimta.so 6.2-7.05 (built 12:18:44, Sep 5 2006)
SunOS mail 5.10 Generic sun4u sparc SUNW,UltraAX-i2

This is the log on the LDAP side:

[19/Jul/2007:11:03:02 +0200] conn=12769 op=-1 msgId=-1 - fd=135 slot=135 LDAPS connection from 123.456.789.101 to 192.168.123.456
[19/Jul/2007:11:04:02 +0200] conn=12769 op=-1 msgId=-1 - closing - B1
[19/Jul/2007:11:04:02 +0200] conn=12769 op=-1 msgId=-1 - closed.

Any hints greatly appreciated.

David

By DavidSchulza at 2007-11-27 11:02:47
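An added example, not part of this thread and not a Messaging Server or Directory Server tool: the Directory Server access log above shows a connection that is opened on the LDAPS port and, a minute later, closed without a single BIND or SRCH ever being logged. That pattern (open, silence, close) is what a failed TLS setup between a client and the directory looks like from the server side, and it is easy to spot automatically. The POSIX shell/awk filter below reads access-log lines and prints every connection that was opened with "LDAPS connection from" and closed without any operation (op >= 0) in between. The sample log is constructed for the example: conn=12769 is modelled on the lines David quoted, and the healthy conn=12770 with its BIND/SRCH/UNBIND sequence and its close code are made up to show the contrast.

```shell
#!/bin/sh
# Constructed sample access log (Sun Directory Server format). conn=12769 is
# modelled on the thread; conn=12770 is an invented healthy connection.
SAMPLE_LOG='[19/Jul/2007:11:03:02 +0200] conn=12769 op=-1 msgId=-1 - fd=135 slot=135 LDAPS connection from 123.456.789.101 to 192.168.123.456
[19/Jul/2007:11:03:10 +0200] conn=12770 op=-1 msgId=-1 - fd=136 slot=136 LDAPS connection from 10.0.0.5 to 10.0.0.9
[19/Jul/2007:11:03:10 +0200] conn=12770 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
[19/Jul/2007:11:03:10 +0200] conn=12770 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[19/Jul/2007:11:03:10 +0200] conn=12770 op=1 msgId=2 - SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms"
[19/Jul/2007:11:03:10 +0200] conn=12770 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[19/Jul/2007:11:03:11 +0200] conn=12770 op=2 msgId=3 - UNBIND
[19/Jul/2007:11:03:11 +0200] conn=12770 op=-1 msgId=-1 - closing - U1
[19/Jul/2007:11:04:02 +0200] conn=12769 op=-1 msgId=-1 - closing - B1
[19/Jul/2007:11:04:02 +0200] conn=12769 op=-1 msgId=-1 - closed.'

# Read access-log lines on stdin; print one line per LDAPS connection that was
# closed without ever logging an operation. Output format:
#   conn=<id> <client-ip> opened=<timestamp> closed=<timestamp> reason=<close code>
silent_ldaps_conns() {
    awk '
    # Connection accepted on the LDAPS port: remember client IP and open time.
    /LDAPS connection from/ {
        match($0, /conn=[0-9]+/); id = substr($0, RSTART + 5, RLENGTH - 5)
        match($0, /from [0-9.]+/); ip = substr($0, RSTART + 5, RLENGTH - 5)
        opened[id] = substr($1, 2)        # strip the leading "["
        ips[id] = ip
        ops[id] = 0
        next
    }
    # Any real operation (op=0, op=1, ...) means the TLS session came up and
    # the client got as far as sending LDAP. op=-1 lines never match here.
    / op=[0-9]+ / {
        match($0, /conn=[0-9]+/); id = substr($0, RSTART + 5, RLENGTH - 5)
        ops[id]++
        next
    }
    # Connection closed: report it if it was LDAPS and carried no operations.
    / - closing - / {
        match($0, /conn=[0-9]+/); id = substr($0, RSTART + 5, RLENGTH - 5)
        if ((id in opened) && ops[id] == 0) {
            printf "conn=%s %s opened=%s closed=%s reason=%s\n",
                   id, ips[id], opened[id], substr($1, 2), $NF
        }
    }'
}

# Stand-alone run over the constructed sample: only conn=12769 is reported.
printf '%s\n' "$SAMPLE_LOG" | silent_ldaps_conns
```

On a real system, replace the sample with `silent_ldaps_conns < /path/to/access` (the Directory Server access log) and look at the client IP and the close code of each reported connection; a Messaging Server host that shows up repeatedly with no operations while its own log says "could not get server configuration in ldap" has not completed the TLS handshake, which is what the certificate database on the client side needs to be checked against.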
# 1

Hi David,

By the look of the directory access log, messaging server is attempting to establish an LDAPS connection but the connection is unsuccessful, most likely due to certificate trust issues or something along those lines. Debugging these can be a real pain.

>> since this is the production environment, I didn't try to "stop-msg" and "start-msg". In the
>> Testenvironment it worked exactly that way. The only difference is, that I have the latest
>> version of MS (6.3) in Testenvironment. In production we have:

Messaging Server 6.3 stores all configuration data in the msg.conf & msg.conf.defaults files (finally) and not in the directory. So in fact local.ldapport doesn't even exist on a 6.3 system, as it is no longer needed.

bash-3.00# ./configutil -H -o local.ldapport
Configuration option: local.ldapport
WARNING: Could not find a description for option; option=local.ldapport
local.ldapport is currently unset

NB: the -H option is a very useful addition to configutil with 6.3. I use it all the time now to find out what each configutil variable does, its default, its current setting and what-not.

I don't suppose you are planning on updating production to 6.3 anytime soon :)

Shane.

shane_hjortha at 2007-7-29 12:45:34
# 2

Hi Shane,

> most likely due to certificate trust issues or something along those lines.

Yes, but have you seen the ldapsearch I tried? I'm using /opt/SUNWmsgsr/config/cert8.db, the DB which MS is using, and the query works. Could it be that MS 6.2 is not storing the LDAP certificate in that database? Also, the MS 6.2 admin guide is not saying anything about where to store the certificate, just which configutil params to change.

>So in-fact local.ldapport doesn't even exist on a 6.3 system as it is no longer needed.

Yup, I noticed that, but there are still the ugldap and pab.ldap queries, which are now encrypted. And for these queries I can see that everything is sent through the SSL connection (in the test environment).

The -H option sounds good, I will keep that in mind :) but as you noticed, there's no need to update MS now. Maybe together with the introduction of Calendar Server during the next few months.

Thanks and regards

David

DavidSchulza at 2007-7-29 12:45:34