Saturday, June 23, 2012

LDAP Error 53: The LDAP server is unable to perform the specific operation

I was trying to configure an AD Data Store.

It was pretty straightforward to get the AD Data Store configured. If configured properly, all AD users will be displayed accordingly in the Subjects tab.

So, I went ahead to create a new user. (OK, just for testing purposes. I have never used OpenAM to provision users in production before. There are far better tools for doing the same.)


BOMB! I received "LDAP Error 53: The LDAP server is unable to perform the specific operation" when I clicked OK.



What could have gone wrong?



LDAPv3Repo: Create called on IdType: user: forgerocker attrMap = {uid=[forgerocker], unicodePwd=xxx..., sn=[Rocker], inetuserstatus=[Active], givenname=[], cn=[Forge Rocker]}
:
:
LDAPv3Repo:06/18/2012 09:51:10:065 PM SGT: Thread[http-apr-8180-exec-1,5,main]
    : before ld.add: eDN=cn=forgerocker,cn=users,DC=az-ex,DC=sg
LDAPv3Repo:06/18/2012 09:51:10:207 PM SGT: Thread[http-apr-8180-exec-1,5,main]
ERROR: LDAPv3Repo.create failed. errorCode=53  0000001F: SvcErr: DSID-031A11E5, problem 5003 (WILL_NOT_PERFORM), data 0

LDAPv3Repo:06/18/2012 09:51:10:207 PM SGT: Thread[http-apr-8180-exec-1,5,main]
LDAPv3Repo.create failed
com.sun.identity.shared.ldap.LDAPException: error result (53); 0000001F: SvcErr: DSID-031A11E5, problem 5003 (WILL_NOT_PERFORM), data 0

at com.sun.identity.shared.ldap.LDAPConnection.checkMsg(LDAPConnection.java:5523)
at com.sun.identity.shared.ldap.LDAPConnection.add(LDAPConnection.java:3234)
at com.sun.identity.shared.ldap.LDAPConnection.add(LDAPConnection.java:3255)
at com.sun.identity.shared.ldap.LDAPConnection.add(LDAPConnection.java:3181)
at com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.create(LDAPv3Repo.java:2100)
at com.sun.identity.idm.server.IdServicesImpl.create(IdServicesImpl.java:442)
at com.sun.identity.idm.AMIdentityRepository.createIdentity(AMIdentityRepository.java:384)



A Google search solved the issue: the connection from OpenAM to AD must be in SSL mode. Read here and here for a detailed explanation. This is due to the unicodePwd attribute in AD.
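To make the failure concrete, here is an added example (my own illustration, not code from the post or from OpenAM) of the two things AD requires of a unicodePwd write: the value must be the password wrapped in double quotes and encoded as UTF-16LE, and the add must arrive over an encrypted connection. The MockActiveDirectory class is a constructed stand-in that only models the refusal seen in the log above (result 53, WILL_NOT_PERFORM); it opens no network connection.

```python
"""Added example: the unicodePwd rules behind LDAP error 53 in this post."""
from typing import Dict, Tuple

# LDAP result code Active Directory returns when it refuses the operation;
# this is the "errorCode=53 ... problem 5003 (WILL_NOT_PERFORM)" in the log.
LDAP_WILL_NOT_PERFORM = 53


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the password enclosed in double quotes, UTF-16LE, no BOM."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd; raises if the quoting convention is missing."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd must be a double-quoted UTF-16LE string")
    return text[1:-1]


class MockActiveDirectory:
    """Constructed stand-in for AD that enforces only the rule this post hit."""

    def __init__(self) -> None:
        self.entries: Dict[str, Dict[str, object]] = {}

    def add(self, dn: str, attrs: Dict[str, object], encrypted: bool) -> Tuple[int, str]:
        """Return an (LDAP result code, diagnostic message) pair for an add."""
        if "unicodePwd" in attrs:
            if not encrypted:
                # Cleartext channel: AD will not set a password, hence error 53.
                return LDAP_WILL_NOT_PERFORM, "WILL_NOT_PERFORM: unicodePwd requires SSL/TLS"
            try:
                decode_unicode_pwd(attrs["unicodePwd"])  # type: ignore[arg-type]
            except (ValueError, UnicodeDecodeError):
                # Mock simplification: malformed values are refused with the same code.
                return LDAP_WILL_NOT_PERFORM, "WILL_NOT_PERFORM: malformed unicodePwd"
        self.entries[dn] = attrs
        return 0, "success"


if __name__ == "__main__":
    ad = MockActiveDirectory()
    dn = "cn=forgerocker,cn=users,DC=az-ex,DC=sg"  # DN from the log in the post
    attrs = {"cn": "Forge Rocker", "sn": "Rocker", "unicodePwd": encode_unicode_pwd("test-only")}
    print("plain LDAP :", ad.add(dn, attrs, encrypted=False))  # -> (53, ...)
    print("LDAPS      :", ad.add(dn, attrs, encrypted=True))   # -> (0, 'success')
```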


So I went ahead to enable my AD for SSL and re-configured the AD Data Store in OpenAM to connect via SSL.


Well, the following error is ever so common ... "PKIX path building failed: .... unable to find valid certification path to requested target"




This always happens without fail if a self-signed certificate is used. :) Well, importing the Root CA cert of the self-signed certificate into the cacerts store in the JDK will resolve the issue.
