AD Password Filter Setup - ldapbindssl.exe Fails yet Oracle SSL ldapbind works - SSL Hand Shake failed (NZerr 28862) (Doc ID 430907.1)

Last updated on JULY 01, 2016

Applies to:

Oracle Internet Directory - Version 10.1.4 to 10.1.4 [Release 10gR3]
Information in this document applies to any platform.

Symptoms

Reference:  Oracle Identity Management Integration Guide 10g (10.1.4.0.1)
Part Number B15995-01 

Chapter 20 Deploying the Oracle Password Filter for Microsoft Active Directory
Configuring and Testing Oracle Internet Directory with SSL Server-Side Authentication

In preparation for the AD Password Filter setup, the ldapbindssl.exe tool (run on the Active Directory host) fails, even though an Oracle ldapbind with -U 2 (SSL with server-side authentication) against the same OID SSL port succeeds.

The following may or may not appear in oidldapd01sXXXX.log (the OID server process log):

ERROR * gslsflnNegotiateSSL * SSL Hand Shake failed Source address: <IP address>(myclienthostname.mycompany.com) * (NZerr 29048)

Changes

When ldapbindssl.exe is run on the AD host, an SSL handshake takes place during which the OID host presents its server certificate. The AD host then reads the ISSUER of that certificate and checks whether that issuer is present in the Windows certificate store under TRUSTED ROOT CERTIFICATION AUTHORITIES. If it is not, the AD side rejects the handshake. This is why the Oracle ldapbind -U 2 test can still succeed: it validates the server certificate against the trusted certificates in the Oracle wallet given with -W, not against the Windows certificate store.

Therefore, you should have loaded your OID trusted root certificate (the certificate of the CA that issued the OID server certificate) into the AD host certificate store using the Certificates snap-in in mmc (Computer account, Trusted Root Certification Authorities).

You should have used Oracle Wallet Manager to export the trusted certificate (Export Trusted Certificate), then followed the documentation at the link below when loading it into the Active Directory host:

http://download.oracle.com/docs/cd/B28196_01/idmanage.1014/b15995/odip_adpasswordsync.htm#CHDHABAE
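The following PowerShell script is an added example for this note; it is not Oracle's code and not part of the password filter kit. It performs the two steps described above on the AD host: it imports the trusted certificate exported from Oracle Wallet Manager into the machine-wide Trusted Root Certification Authorities store (the same store the mmc Certificates snap-in writes to for the Computer account), then opens an SSL connection to the OID SSL port, captures the server certificate, and checks with X509Chain whether it now chains to a trusted root. The file path C:\temp\oid_trusted_root.cer, the host name oidhost.mycompany.com and the port 636 are assumptions; replace them with your own values. Run it in an elevated Windows PowerShell session.

```powershell
<#
  Added example, not from the Oracle note or the password filter kit.
  Assumptions (adjust for your environment):
    - the trusted certificate exported from Oracle Wallet Manager is saved
      as C:\temp\oid_trusted_root.cer (DER or Base64 encoded)
    - the OID host is oidhost.mycompany.com and its SSL port is 636
  Must run elevated: the LocalMachine\Root store is written in step 1.
#>
param(
    [string]$RootCertPath = 'C:\temp\oid_trusted_root.cer',
    [string]$OidHost      = 'oidhost.mycompany.com',
    [int]   $OidSslPort   = 636
)

# --- Step 1: import the OID trusted root into LocalMachine\Root -------------
# LocalMachine\Root is what the mmc Certificates snap-in shows as
# "Trusted Root Certification Authorities" under the Computer account.
$root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCertPath)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$store.Open("ReadWrite")
try {
    $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    if ($present) {
        Write-Host "Trusted root already present: $($root.Subject)"
    } else {
        $store.Add($root)
        Write-Host "Imported trusted root: $($root.Subject) (thumbprint $($root.Thumbprint))"
    }
} finally {
    $store.Close()
}

# --- Step 2: handshake against the OID SSL port and validate the chain ------
# The callback accepts any certificate so the handshake completes and the
# server certificate can be inspected; the real trust decision is made
# explicitly below with X509Chain against the store updated in step 1.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $sslPolicyErrors) $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($OidHost, $OidSslPort)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    # OID 10.1.4 predates TLS 1.2, so offer the older protocol versions too.
    $protocols = [System.Security.Authentication.SslProtocols]'Tls, Tls11, Tls12'
    $ssl.AuthenticateAsClient($OidHost, $null, $protocols, $false)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

# Build the chain the way Windows (and therefore ldapbindssl.exe) does:
# the issuer must be found in Trusted Root Certification Authorities.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"   # isolate the trust question from CRL reachability
$chainOk = $chain.Build($serverCert)

Write-Host "Server certificate    : $($serverCert.Subject)"
Write-Host "Issuer                : $($serverCert.Issuer)"
Write-Host "Chains to trusted root: $chainOk"
if ($chainOk) {
    $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "Trust anchor          : $($anchor.Subject) (thumbprint $($anchor.Thumbprint))"
} else {
    # UntrustedRoot here means the issuer is still not in LocalMachine\Root;
    # PartialChain means an intermediate CA certificate is also missing.
    foreach ($s in $chain.ChainStatus) {
        Write-Host ("  " + $s.Status + ": " + $s.StatusInformation.Trim())
    }
    exit 1
}
```

Two points worth keeping in mind when reading the output. First, the script writes to the LocalMachine store on purpose: Windows loads password filter DLLs into the LSA process, so a certificate imported only into the logged-on user's store would satisfy neither ldapbindssl.exe run under another account nor the filter itself. Second, if the handshake fails inside AuthenticateAsClient before any certificate is received, the cause is a protocol or cipher mismatch (for example an OID server that only offers SSL 3.0 to a client that no longer allows it), not the missing trusted root this note is about.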

Cause