After Removing Second LDAP Server From OVD Adapter, OVD Attempts To Connect To It Using Non-SSL Which Fails With Log Errors: [LDAP: error code 10 - Referral] / simple bind failed: [secondhost:nonsslport] / Unrecognized SSL message, plaintext connection?
Last updated on MARCH 08, 2017
Applies to:Oracle Virtual Directory - Version 18.104.22.168.0 and later
Information in this document applies to any platform.
Oracle Virtual Directory (OVD) 11g, e.g., 22.214.171.124.0 integrated with Oracle Identity Manager (OIM).
Originally only had Oracle Virtual Directory (OVD) configured to communicate with one LDAP server (i.e., Oracle Directory Server Enterprise Edition or ODSEE 11GR1) via SSL, which had been working fine. Recently added a second ODSEE LDAP server, and also configured them for Master/Master replication. Added the second ODSEE LDAP server to the OVD Adapter as a second host, and set a weight value of 50 on the 1st LDAP and a weight value of 50 on the 2nd LDAP. The failover mode was set to distributed.
This worked fine until attempted to create user objects in OIM, which failed with OIM log error:
javax.naming.NameNotFoundException: [LDAP: error code 32 - LDAP Error 32 : [LDAP: error code 32 - No Such Object]]; remaining name 'uid=myusername,ou=people,ou=myou,dc=mycompany,dc=com'^M
Tried to remove the second LDAP from the OVD Adapter, but when trying to bring the second LDAP server up, OVD keeps attempting to connect to it over non-SSL, which fails with the OVD diagnostic.log error below (the error is expected because the non-ssl port is not open):
com.sun.jndi.ldap.LdapReferralException: [LDAP: error code 10 - Referral]; remaining name 'uid=myusername,ou=people,ou=myou,dc=mycompany,dc=com'
javax.naming.CommunicationException: simple bind failed: secondodseehost.mycompany.com:1389 [Root exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?]
This also causes OIM to become unresponsive and the whole integration becomes unusable.
- Restarting the OVD Server and the entire WLS stack.
- Checked that no open connections returned from issuing commands: netstat -an | grep secondodseehost, netstat -an | grep <secondodseehost's IP address>, netstat -an | grep 1389.
- Verified there was no occurrence of the second hostname, IP address or port number 1389 in any of the OVD config files.
- Also verified that no occurrence of the hostname, IP or port returned by traversing the entire FMW_Home directories, i.e., grep -R secondodseehost *, and only log entries returned.
Leave the second LDAP instance, however this is not acceptable as it is needed for HA/failover purposes.
Sign In with your My Oracle Support account
Don't have a My Oracle Support account? Click to get started
Million Knowledge Articles and hundreds of Community platforms