I've been beating my head against this one for long enough. I'm sure I'm
missing something, probably something obvious, but I cannot get Lothar's
driver to connect over ldaps://.

Engine trace doesn't show much, just the return (fail) from the
ECMAScript:


[03/20/12 14:27:22.129]:Notify PT:Policy returned:
[03/20/12 14:27:22.130]:Notify PT:
<nds dtdversion="3.5">
<source>
<product instance="Notify" version="3.6.10.4747">DirXML Loopback
Driver</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<status level="success" type="notification">Password Expiration
Notification<br/>
<LastRunTime>2010-04-02 00:00:37</LastRunTime>
<ThisRunTime>2012-03-20 14:27:21</ThisRunTime>
<AccountExpires>
<From>2012-03-20 14:27:21</From>
<To..>2012-04-10 14:27:21</To..>
<status level="error">JavaException:
com.novell.ldap.LDAPException: Connect Error</status>
</AccountExpires>
<AccountIdle>
<From>2009-12-30 00:00:37</From>
<To..>2011-12-18 14:27:21</To..>
<status level="error">JavaException:
com.novell.ldap.LDAPException: Connect Error</status>
</AccountIdle>
<Notification1>
<From>2012-03-27 14:27:21</From>
<To..>2012-04-10 14:27:21</To..>
<status level="error">JavaException:
com.novell.ldap.LDAPException: Connect Error</status>
</Notification1>
<Notification2>
<From>2012-03-22 14:27:21</From>
<To..>2012-03-27 14:27:21</To..>
<status level="error">JavaException:
com.novell.ldap.LDAPException: Connect Error</status>
</Notification2>
<Notification3>
<From>2012-03-20 14:27:21</From>
<To..>2012-03-22 14:27:21</To..>
<status level="error">JavaException:
com.novell.ldap.LDAPException: Connect Error</status>
</Notification3>
</status>
</input>
</nds>


eDir / LDAP trace is somewhat more helpful:


14:25:20 B59C1BA0 LDAP: New TLS connection 0x15346a00 from
131.156.218.76:46055, monitor = 0xb69d1ba0, index = 2
14:25:20 B69D1BA0 LDAP: Monitor 0xb69d1ba0 initiating TLS handshake on
connection 0x15346a00
14:25:20 B60C8BA0 LDAP: (192.168.28.76:46055)(0x0000:0x00) DoTLSHandshake
on connection 0x15346a00
14:25:20 B60C8BA0 LDAP: (192.168.28.76:46055)(0x0000:0x00) TLS accept
failure 1 on connection 0x15346a00, setting err = -5875. Error stack:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown - SSL alert number 46
14:25:20 B60C8BA0 LDAP: (131.156.218.76:46055)(0x0000:0x00) TLS handshake
failed on connection 0x15346a00, err = -5875
14:25:20 B60C8BA0 LDAP: BIO ctrl called with unknown cmd 7
14:25:20 B60C8BA0 LDAP: Server closing connection 0x15346a00, socket
error = -5875
14:25:20 B60C8BA0 LDAP: Connection 0x15346a00 closed


clearly showing that it's a certificate fail (oh, yay!), but I've not
been able to figure out what it's complaining about.

The eDir tree is one of several (multi-instance) on this box, which may
or may not be a factor. I don't think it should be.

I can ldap bind using ldapsearch -x ldaps://192.168.28.76 so I'm sure
that it's possible to do so.

The LDAP server is configured to use a cert I created. It's not expired
or anything like that. I've re-created it just to be sure. The only real
change here is that on creating certs, I set the expiration to "max" (10
years), rather than leaving the default (2 years). The CA for this tree
is working fine.

The driver config says that I can leave the keystore blank, in which case
it will use the default keystore. Some research says that the default
keystore for eDirectory is here:
/opt/novell/eDirectory/lib/nds-modules/jre1.6.0_06/lib/security/cacerts

Looking in there with Java keytool, it looks to me like this only
contains a bunch of public CAs (Digikey, etc.). I don't see an entry
for the tree CA. Adding the tree CA self-signed cert to cacerts didn't
produce any change in symptoms.

The driver config also says that I can specify a keystore, which seemed
like a good idea to me. I can create a keystore with keytool, and have
imported the tree CA self-signed and public certs. I have provided the
keystore password in the driver named passwords list as well. Still, all
I can coax out of the LDAP trace is "sslv3 alert certificate unknown".

Does anybody know (or even suspect) which part of this needs to be kicked?


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.
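As an added example, not part of the original post and not code from Novell or the IDM driver, the helper below reads eDirectory LDAP trace lines of the "TLS accept failure ... SSL alert number N" form, decodes the packed OpenSSL error code, names the TLS alert (RFC 5246 section 7.2) and reports which side rejected what. The function name SSL3_READ_BYTES means OpenSSL read the alert off the wire, so the alert was sent by the peer; in the trace above that peer is the Java driver, which points at the client's trust store rather than the server's certificate. The sample trace is the post's own trace re-joined onto single lines; the function names and the diagnosis wording are assumptions of this example.

```python
"""Classify TLS handshake failures in an eDirectory LDAP trace (hypothetical helper)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Alert descriptions from RFC 5246 section 7.2 (the numbers are shared by SSLv3 and TLS 1.x).
TLS_ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}
# Alerts that mean "the certificate the peer showed me was not acceptable".
CERT_ALERTS = {42, 43, 44, 45, 46, 48}
# OpenSSL reports a received alert with reason = SSL_AD_REASON_OFFSET + alert number.
SSL_AD_REASON_OFFSET = 1000

# Matches the eDirectory trace format shown in the post, on a single (unwrapped) line.
TRACE_RE = re.compile(
    r"\((?P<peer>[\d.]+:\d+)\).*?TLS (?P<op>accept|connect) failure .*?"
    r"connection (?P<conn>0x[0-9a-fA-F]+).*?"
    r"error:(?P<code>[0-9a-fA-F]{8}):SSL routines:(?P<func>\w+):"
    r"(?P<msg>.+?) - SSL alert number (?P<alert>\d+)"
)


@dataclass
class TlsFailure:
    peer: str
    connection: str
    openssl_code: int
    alert: int
    alert_name: str
    received: bool    # True when the alert came from the peer (read by SSL3_READ_BYTES)
    consistent: bool  # OpenSSL reason field agrees with the printed alert number


def parse_tls_failure(line: str) -> Optional[TlsFailure]:
    """Return a TlsFailure for a handshake-failure trace line, or None for other lines."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"), 16)
    alert = int(m.group("alert"))
    reason = code & 0xFFF  # ERR_PACK layout: lib << 24 | func << 12 | reason
    return TlsFailure(
        peer=m.group("peer"),
        connection=m.group("conn"),
        openssl_code=code,
        alert=alert,
        alert_name=TLS_ALERT_NAMES.get(alert, f"alert_{alert}"),
        received="READ" in m.group("func").upper(),
        consistent=(reason == SSL_AD_REASON_OFFSET + alert),
    )


def diagnose(f: TlsFailure) -> str:
    """Turn a parsed failure into a one-paragraph explanation for the operator."""
    who = f"peer {f.peer}"
    if f.received and f.alert in CERT_ALERTS:
        text = (f"{who} sent {f.alert_name} ({f.alert}) on {f.connection}: the client "
                f"rejected the certificate chain this LDAP server presented. Check that the "
                f"client's trust store holds the CA that issued the server certificate and "
                f"that the server sends its full chain.")
        if f.alert == 46:
            text += " Java (JSSE) sends certificate_unknown when it cannot build a trusted path."
        return text
    if f.received:
        return (f"{who} sent {f.alert_name} ({f.alert}) on {f.connection}; "
                f"the failure is not certificate-related.")
    return (f"this server sent {f.alert_name} ({f.alert}) to {who} on {f.connection}; "
            f"the server rejected the peer's handshake.")


def scan_trace(lines: List[str]) -> List[TlsFailure]:
    """Collect every handshake failure in a trace excerpt."""
    return [f for f in (parse_tls_failure(ln) for ln in lines) if f is not None]


# Constructed sample: the post's trace, with the wrapped lines joined back together.
SAMPLE_TRACE = [
    "14:25:20 B59C1BA0 LDAP: New TLS connection 0x15346a00 from 131.156.218.76:46055, "
    "monitor = 0xb69d1ba0, index = 2",
    "14:25:20 B60C8BA0 LDAP: (192.168.28.76:46055)(0x0000:0x00) TLS accept failure 1 on "
    "connection 0x15346a00, setting err = -5875. Error stack: error:14094416:SSL routines:"
    "SSL3_READ_BYTES:sslv3 alert certificate unknown - SSL alert number 46",
    "14:25:20 B60C8BA0 LDAP: Connection 0x15346a00 closed",
]

if __name__ == "__main__":
    for failure in scan_trace(SAMPLE_TRACE):
        print(diagnose(failure))
```

The consistency check is a cheap sanity test on a trace that has been copied through mail or a forum: the low twelve bits of the OpenSSL code (0x416 = 1046) must equal 1000 plus the printed alert number, so a mangled line shows up as `consistent=False` rather than being diagnosed from the wrong number.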