After Removing Second LDAP Server From OVD Adapter, OVD Attempts To Connect To It Using Non-SSL Which Fails With Log Errors: [LDAP: error code 10 - Referral] / simple bind failed: [secondhost:nonsslport] / Unrecognized SSL message, plaintext connection? (Doc ID 1540700.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Virtual Directory - Version 11.1.1.2.0 and later
Information in this document applies to any platform.

Symptoms

Oracle Virtual Directory (OVD) 11g, e.g., 11.1.1.5.0 integrated with Oracle Identity Manager (OIM).

Scenario:
Originally OVD was configured to communicate with only one LDAP server (Oracle Directory Server Enterprise Edition, ODSEE 11GR1) via SSL, and this had been working fine. Recently a second ODSEE LDAP server was added, and the two were configured for Master/Master replication. The second ODSEE LDAP server was added to the OVD Adapter as a second host, with a weight value of 50 on the 1st LDAP and a weight value of 50 on the 2nd LDAP. The failover mode was set to distributed.


This worked fine until an attempt was made to create user objects in OIM, which failed with the following OIM log error:

[2013-03-21T15:04:01.510-04:00] [oim_server1] [ERROR] [IAM-0042002] [oracle.iam.platform.entitymgr.provider.ldap] [tid: [ACTIVE].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 0000JqELXeT7u1IMyq6iMG1HHsYX0001KF,0] [APP: oim#11.1.1.3.0] An error occurred while creating the entity in LDAP, and the corresponding error is - {0}[[
javax.naming.NameNotFoundException: [LDAP: error code 32 - LDAP Error 32 : [LDAP: error code 32 - No Such Object]]; remaining name 'uid=myusername,ou=people,ou=myou,dc=mycompany,dc=com'


Tried removing the second LDAP from the OVD Adapter, but when the second LDAP server is brought back up, OVD keeps attempting to connect to it over non-SSL, which fails with the OVD diagnostic.log error below (the error itself is expected, because the non-SSL port is not open):

[2013-03-25T11:03:23.703-04:00] [octetstring] [WARNING] [OVD-40081] [com.octetstring.vde.backend.jndi.ConnectionHandle] [tid: 17] [ecid: 0000JqY4o4pCgoc5ljP5iZ1HJ6Gk00DIqv,0] Error from modify.[[
com.sun.jndi.ldap.LdapReferralException: [LDAP: error code 10 - Referral]; remaining name 'uid=myusername,ou=people,ou=myou,dc=mycompany,dc=com'

Followed by:

[2013-03-25T11:03:23.706-04:00] [octetstring] [WARNING] [OVD-40082] [com.octetstring.vde.backend.jndi.ConnectionHandle] [tid: 17] [ecid: 0000JqY4o4pCgoc5ljP5iZ1HJ6Gk00DIqv,0] Could not modify entry.[[
javax.naming.CommunicationException: simple bind failed: secondodseehost.mycompany.com:1389 [Root exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?]

This also causes OIM to become unresponsive and the whole integration becomes unusable.
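
The two diagnostic.log records above share one ecid: an OVD-40081 warning carrying an LDAP referral (error code 10), followed three milliseconds later by an OVD-40082 bind failure to secondodseehost.mycompany.com:1389 whose root cause is "Unrecognized SSL message, plaintext connection?". The script below is an added example (not part of this note and not Oracle code) that scans ODL-formatted diagnostic.log text for bind failures with that plaintext-vs-SSL root cause, reports the host:port OVD was actually trying to reach, and flags whether a referral was logged on the same request (same ecid). The sample log is constructed from the excerpt above plus one unrelated constructed failure; the regexes assume the standard bracketed ODL header layout shown in the excerpt.

```python
"""Scan OVD diagnostic.log records for plaintext-vs-SSL bind failures and
correlate them with LDAP referrals logged on the same request (same ecid)."""
import re

# Constructed sample, modelled on the diagnostic.log excerpt in this note; not a real capture.
# The third record (ecid CONSTRUCTED-ECID-0002) is an unrelated, made-up failure.
SAMPLE_LOG = """\
[2013-03-25T11:03:23.703-04:00] [octetstring] [WARNING] [OVD-40081] [com.octetstring.vde.backend.jndi.ConnectionHandle] [tid: 17] [ecid: 0000JqY4o4pCgoc5ljP5iZ1HJ6Gk00DIqv,0] Error from modify.[[
com.sun.jndi.ldap.LdapReferralException: [LDAP: error code 10 - Referral]; remaining name 'uid=myusername,ou=people,ou=myou,dc=mycompany,dc=com'
[2013-03-25T11:03:23.706-04:00] [octetstring] [WARNING] [OVD-40082] [com.octetstring.vde.backend.jndi.ConnectionHandle] [tid: 17] [ecid: 0000JqY4o4pCgoc5ljP5iZ1HJ6Gk00DIqv,0] Could not modify entry.[[
javax.naming.CommunicationException: simple bind failed: secondodseehost.mycompany.com:1389 [Root exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?]
[2013-03-25T11:09:45.120-04:00] [octetstring] [WARNING] [OVD-40082] [com.octetstring.vde.backend.jndi.ConnectionHandle] [tid: 19] [ecid: CONSTRUCTED-ECID-0002,0] Could not modify entry.[[
javax.naming.CommunicationException: simple bind failed: firstodseehost.mycompany.com:1636 [Root exception is java.net.ConnectException: Connection refused]
"""

# Bracketed ODL header: [ts] [component] [level] [msgid] [source] [tid: ..] [ecid: ..] message
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<component>[^\]]+)\] \[(?P<level>[^\]]+)\] "
    r"\[(?P<msgid>[^\]]+)\] \[(?P<source>[^\]]+)\] \[tid: (?P<tid>[^\]]+)\] "
    r"\[ecid: (?P<ecid>[^\]]+)\] (?P<msg>.*)$"
)
BIND_FAIL_RE = re.compile(r"simple bind failed: (?P<host>[^\s:\[]+):(?P<port>\d+)")
PLAINTEXT_RE = re.compile(r"Unrecognized SSL message, plaintext connection\?")
REFERRAL_RE = re.compile(r"\[LDAP: error code 10 - Referral\]")


def parse_records(text):
    """Split ODL log text into records: one header line plus its continuation lines."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["body"] = [m.group("msg")]
            records.append(rec)
        elif records:
            # Continuation line (exception text inside the [[ ... ]] detail block).
            records[-1]["body"].append(line)
    return records


def analyze(text):
    """Return one finding per bind failure whose root cause is a plaintext/SSL mismatch.

    Each finding carries the target host:port and whether an LDAP referral
    (error code 10) was logged under the same ecid, i.e. for the same client request.
    """
    records = parse_records(text)
    referral_ecids = {
        r["ecid"] for r in records if any(REFERRAL_RE.search(line) for line in r["body"])
    }
    findings = []
    for r in records:
        body = "\n".join(r["body"])
        bind = BIND_FAIL_RE.search(body)
        if not bind or not PLAINTEXT_RE.search(body):
            continue
        findings.append({
            "timestamp": r["ts"],
            "msgid": r["msgid"],
            "ecid": r["ecid"],
            "host": bind.group("host"),
            "port": int(bind.group("port")),
            "referral_in_same_request": r["ecid"] in referral_ecids,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        via = " (after a referral on the same request)" if f["referral_in_same_request"] else ""
        print(f"{f['timestamp']} {f['msgid']} plaintext bind attempt to "
              f"{f['host']}:{f['port']}{via}")
```

Run against a real diagnostic.log (`analyze(open(path).read())`), the host:port in each finding is the endpoint OVD is actually contacting, which is the value to compare against the adapter's configured host, port and SSL setting; a finding flagged as following a referral tells the operator that the target was handed to OVD by the backend directory during that request rather than read from the adapter configuration.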

Tried:
- Restarting the OVD Server and the entire WLS stack.
- Checked that no open connections were returned by the commands: netstat -an | grep secondodseehost, netstat -an | grep <secondodseehost's IP address>, and netstat -an | grep 1389.
- Verified that there was no occurrence of the second hostname, IP address or port number 1389 in any of the OVD config files.
- Also verified that no occurrence of the hostname, IP or port was returned by traversing the entire FMW_Home directories, i.e., grep -R secondodseehost *; only log entries were returned.
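
The last two checks above boil down to: search the whole FMW home for the removed host, its IP and its port, and discount hits that come only from log files. The script below is an added example (not part of this note and not Oracle code) that does that search in one pass: it matches the literal hostname and IP, matches the port only as a standalone number so that 1389 does not hit 11389 or 13890, and skips files with log-style suffixes so stale diagnostic entries neither mask nor mimic a real configuration reference. The demo tree it builds is constructed for illustration; the file names in it (adapters.os_xml, diagnostic.log, a .bak copy) are assumed, not taken from this note.

```python
"""Search a directory tree for leftover references to a removed LDAP host,
ignoring log files so stale log entries do not mask a real configuration reference."""
import os
import re
import tempfile

# Suffixes treated as logs and skipped by default (assumption; extend for your install).
LOG_SUFFIXES = (".log", ".out", ".trc")


def _pattern(p):
    """Escape a literal pattern; an all-digit pattern (a port) must match as a whole number."""
    esc = re.escape(p)
    return rf"(?<!\d){esc}(?!\d)" if p.isdigit() else esc


def find_references(root, patterns, skip_suffixes=LOG_SUFFIXES):
    """Return [(relative_path, line_no, line)] for every line under root that matches
    any of the given literal patterns (hostname, IP, port), case-insensitively.
    Files whose name ends with one of skip_suffixes are not searched."""
    rx = re.compile("|".join(_pattern(p) for p in patterns), re.IGNORECASE)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(skip_suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for n, line in enumerate(fh, 1):
                        if rx.search(line):
                            rel = os.path.relpath(path, root).replace(os.sep, "/")
                            hits.append((rel, n, line.rstrip("\n")))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return hits


def build_demo_tree():
    """Create a constructed mini tree (not a real OVD layout) and return its path.
    The adapter config references only the first host; the log and a stale .bak copy
    still reference the removed second host."""
    root = tempfile.mkdtemp(prefix="ovd_scan_demo_")
    files = {
        "config/adapters.os_xml":
            "<host>firstodseehost.mycompany.com</host>\n<port>1636</port>\n",
        "logs/diagnostic.log":
            "[WARNING] simple bind failed: secondodseehost.mycompany.com:1389\n",
        "config/backup/adapters.os_xml.bak":
            "<host>secondodseehost.mycompany.com</host>\n<port>1389</port>\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    # Placeholder IP; substitute the removed host's real address when scanning an install.
    for rel, n, line in find_references(demo, ["secondodseehost", "192.0.2.20", "1389"]):
        print(f"{rel}:{n}: {line}")
```

On a real install call `find_references("/path/to/FMW_Home", [hostname, ip, str(port)])`; an empty result with logs skipped reproduces the "only log entries returned" outcome above, while any hit points at a file that still carries the removed host and should be examined.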

Workaround:
Leave the second LDAP instance; however, this is not acceptable, as it is needed for HA/failover purposes.

Cause
