My Oracle Support Banner

After Removing Second LDAP Server From OVD Adapter, OVD Attempts To Connect To It Using Non-SSL Which Fails With Log Errors: [LDAP: error code 10 - Referral] / simple bind failed: [secondhost:nonsslport] / Unrecognized SSL message, plaintext connection? (Doc ID 1540700.1)

Last updated on JUNE 20, 2018

Applies to:

Oracle Virtual Directory - Version 11.1.1.2.0 and later
Information in this document applies to any platform.

Symptoms

Oracle Virtual Directory (OVD) 11g, e.g., 11.1.1.5.0 integrated with Oracle Identity Manager (OIM).

Scenario:
Originally only had Oracle Virtual Directory (OVD) configured to communicate with one LDAP server (i.e., Oracle Directory Server Enterprise Edition or ODSEE 11GR1) via SSL, which had been working fine.  Recently added a second ODSEE LDAP server, and also configured them for Master/Master replication.  Added the second ODSEE LDAP server to the OVD Adapter as a second host, and set a weight value of 50 on the 1st LDAP and a weight value of 50 on the 2nd LDAP.  The failover mode was set to distributed.


This worked fine until attempted to create user objects in OIM, which failed with OIM log error:

[2013-03-21T15:04:01.510-04:00] [oim_server1] [ERROR] [IAM-0042002] [oracle.iam.platform.entitymgr.provider.ldap] [tid: [ACTIVE].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: <ecid string>] [APP: oim#11.1.1.3.0] An error occurred while creating the entity in LDAP, and the corresponding error is - {0}[[^M
javax.naming.NameNotFoundException: [LDAP: error code 32 - LDAP Error 32 : [LDAP: error code 32 - No Such Object]]; remaining name 'uid=myusername,ou=people,ou=myou,dc=example,dc=com'^M

 

Tried to remove the second LDAP from the OVD Adapter, but when trying to bring the second LDAP server up, OVD keeps attempting to connect to it over non-SSL, which fails with the OVD diagnostic.log error below (the error is expected because the non-ssl port is not open):

[2013-03-25T11:03:23.703-04:00] [octetstring] [WARNING] [OVD-40081] [com.octetstring.vde.backend.jndi.ConnectionHandle] [tid: 17] [ecid: <ecid string>] Error from modify.[[
com.sun.jndi.ldap.LdapReferralException: [LDAP: error code 10 - Referral]; remaining name 'uid=myusername,ou=people,ou=myou,dc=example,dc=com'

Followed by:

[2013-03-25T11:03:23.706-04:00] [octetstring] [WARNING] [OVD-40082] [com.octetstring.vde.backend.jndi.ConnectionHandle] [tid: 17] [ecid: <ecid string>] Could not modify entry.[[
javax.naming.CommunicationException: simple bind failed: secondodseehost.example.com:1389 [Root exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?]

This also causes OIM to become unresponsive and the whole integration becomes unusable.

Tried:
- Restarting the OVD Server and the entire WLS stack.
- Checked that no open connections returned from issuing commands: netstat -an | grep secondodseehost, netstat -an | grep <secondodseehost's IP address>, netstat -an | grep 1389.
- Verified there was no occurrence of the second hostname, IP address or port number 1389 in any of the OVD config files.
- Also verified that no occurrence of the hostname, IP or port returned by traversing the entire FMW_Home directories, i.e., grep -R secondodseehost *, and only log entries returned.

Workaround:
Leave the second LDAP instance, however this is not acceptable as it is needed for HA/failover purposes.

Changes

 

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Symptoms
Changes
Cause
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.