
RACF Integration connection to LDAP Gateway failing.

rajsin
New Contributor II

I am trying to configure RACF connector and using the following document.

Understanding the Integration between EIC and RACF Interfaces (saviyntcloud.com)

Installed LDAP Gateway on one of our internal servers but am not able to make a successful connection. Getting a NamingException:

ERROR ldap.SaviyntGroovyLdapService - Exception.. try next url
javax.naming.NamingException: LDAP connection has been closed
at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:133)
at com.sun.jndi.ldap.Connection.readReply(Connection.java:469)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:365)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2897)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:347)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:695)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)


rushikeshvartak
All-Star
  • Is DNS Resolver enabled?
  • Did you try with the IP address?

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

rajsin
New Contributor II

Hi

I tried with IP address also but same result. I am also not able to create a binding when I try to access LDAP Gateway server from my local ldap browser.

Check with the application team about the connectivity issue.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

rajsin
New Contributor II

Hi

We decided to use an already working LDAP Gateway which works with Oracle Identity Manager (OIG), and we are trying to use the same gateway with Saviynt. After working through internal networking and firewall issues, I am receiving a new error:

server, managedn ldap://tloridm101.thrivent.com:6589cn=idfRacfAdmin,dc=racf,dc=com
Checking for url = ldap://tloridm101.thrivent.com:6589
Exception.. try next url
javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Invalid parentBaseDn [cn=idfRacfAdmin,dc=racf,dc=com] for this context!]; remaining name 'cn=idfRacfAdmin,dc=racf,dc=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3292)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3207)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2998)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1874)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1797)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
at com.saviynt.ldap.SaviyntGroovyLdapService.verifyDN(SaviyntGroovyLdapService.groovy:9740)
at com.saviynt.ldap.SaviyntGroovyLdapService.getConnection(SaviyntGroovyLdapService.groovy:3886)
at com.saviynt.ldap.SaviyntGroovyLdapService.testADConnection(SaviyntGroovyLdapService.groovy:5183)
at com.saviynt.ecm.integration.ExternalConnectionCallService.testExternalConnection(ExternalConnectionCallService.groovy:1030)
at com.saviynt.ecm.utility.domain.EcmConfigController$_closure21.doCall(EcmConfigController.groovy:776)
at grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter.doFilter(GrailsAnonymousAuthenticationFilter.java:53)
at com.saviynt.webservice.SaviyntRestAuthenticationFilter.doFilter(SaviyntRestAuthenticationFilter.groovy:158)
at grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter.doFilter(MutableLogoutFilter.java:62)
at grails.plugin.springsecurity.web.SecurityRequestHolderFilter.doFilter(SecurityRequestHolderFilter.java:59)
at com.mrhaki.grails.plugin.xframeoptions.web.XFrameOptionsFilter.doFilterInternal(XFrameOptionsFilter.java:69)
at com.brandseye.cors.CorsFilter.doFilter(CorsFilter.java:82)
at java.lang.Thread.run(Thread.java:750)
connectionsuccessful-1 = false
connectionsuccessful-2 = false
Import Json - 
Enter getTimeOutConfig
connectionType: AD
connectionTimeoutConfig before guardRail validation: [retryWait:2, connectionTimeout:10, retryCount:3, readTimeout:55]
Final connectionTimeoutConfig after guardRail validation: [connectionTimeout:10, readTimeout:55, retryCount:3, retryWait:2]
Inside validateErrorResponse
Inside validateCommonErrorResponse
Error while saving the Connection: [Target Error Message: [SchemaViolationException: [LDAP: error code 65 - Invalid parentBaseDn [cn=idfRacfAdmin,dc=racf,dc=com] for this context!]]]
ErrorMessage res : [Target Error Message: [SchemaViolationException: [LDAP: error code 65 - Invalid parentBaseDn [cn=idfRacfAdmin,dc=racf,dc=com] for this context!]]]


Can you please suggest on this?

rajsin
New Contributor II

javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Invalid parentBaseDn [cn=idfRacfAdmin,dc=racf,dc=com] for this context!]; remaining name 'cn=idfRacfAdmin,dc=racf,dc=com' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3292) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3207)

The SchemaViolationException you're encountering, with LDAP error code 65, indicates that there is a problem with the directory structure or the data not conforming to the directory schema. Specifically, the error message suggests that the parentBaseDn value cn=idfRacfAdmin,dc=racf,dc=com is invalid for the context where you're trying to add or modify the LDAP entry.

Here are a few possible reasons and troubleshooting steps for this issue:

  1. Invalid Parent DN:
    • Ensure that the parent DN (dc=racf,dc=com) exists in the directory. If this parent entry does not exist, you need to create it before adding the child entry cn=idfRacfAdmin.
  2. Schema Constraints:
    • Verify that the object classes and attributes of cn=idfRacfAdmin conform to the schema definitions for the parent context dc=racf,dc=com. Check if there are any schema constraints that prevent adding cn=idfRacfAdmin under dc=racf,dc=com.
  3. Correct Object Classes:
    • Ensure that the object classes defined for cn=idfRacfAdmin are correct and allowed under the parent DN dc=racf,dc=com. Sometimes, certain object classes can only exist under specific parent object classes.
  4. Permissions:
    • Check if the user account performing the operation has the necessary permissions to add or modify entries under dc=racf,dc=com.
  5. Attribute Values:
    • Verify that all mandatory attributes for the object classes are provided and correctly populated in the entry cn=idfRacfAdmin.

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

rajsin
New Contributor II

Thanks Rushikesh.

I totally understand the suggestions you posted above, and when I try to use a user which is already present in LDAP Gateway, I got a different error, "authentication exception", which means I need to work on the password to start with.

But just wondering why the current setup is working fine with OIG where LDAPGateway is configured inside the OIG server.


It seems you have an issue with authentication. Please validate the credentials entered in the connector.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

If I create a user cn=idfRacfAdmin as per the initial suggestion, will that user need to be created in LDAP Gateway only, or in the Mainframe application also?

Creating the user cn=idfRacfAdmin in LDAP is one part of the process. Whether you also need to create this user in the Mainframe application depends on how the Mainframe and LDAP systems are integrated and what the user's role will be.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

We took a packet trace on the LDAP gateway to see what Saviynt is attempting to do when connecting. The packet trace shows an attempted bind, which succeeds. Immediately after the bind, Saviynt attempts to do a search against the bind ID with a filter of objectclass=*.

For example.

Search request:
baseObject: cn=idfRacfAdmin,dc=racf,dc=com
scope: base
filter: (objectclass=*)

This request fails with an “objectclassViolation (Invalid parentDN [cn=idfRacfAdmin,dc=racf,dc=com] for this context!” error.

We suspect the error is being thrown because the id in question doesn’t have any attributes associated with it, including objectclass.

Why is this search request being performed, and is there a way to prevent it from occurring?

Before creating an account it will validate whether the account exists or not, and there is no way to avoid it.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
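The bind-then-search sequence the packet trace shows can be replayed outside Saviynt with the same JNDI classes that appear in the stack traces, so each step reports its own failure. This is an added example, not code from the thread or from Saviynt; GATEWAY_HOST and the GATEWAY_BIND_PASSWORD environment variable are placeholders, while the DN, port and timeout values come from the thread.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
// Added diagnostic: replays the connector's two steps (simple bind, then a
// base-scope search of the bind DN for objectClass=*) and reports which one
// fails. GATEWAY_HOST is a placeholder; the DN and timeouts come from the thread.
public class GatewayBindCheck {
    public static void main(String[] args) throws NamingException {
        String url = "ldap://GATEWAY_HOST:6589";                  // placeholder host
        String bindDn = "cn=idfRacfAdmin,dc=racf,dc=com";
        String password = System.getenv("GATEWAY_BIND_PASSWORD"); // never hard-code it
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", "10000");    // connectionTimeout:10
        env.put("com.sun.jndi.ldap.read.timeout", "55000");       // readTimeout:55
        DirContext ctx;
        try {
            ctx = new InitialDirContext(env);                     // step 1: bind
        } catch (AuthenticationException e) {
            System.out.println("STEP 1 FAILED: bind rejected, check password/account status: " + e.getMessage());
            return;
        } catch (NamingException e) {
            // "LDAP connection has been closed" from the first post lands here
            System.out.println("STEP 1 FAILED: no usable connection (DNS, firewall, port, TLS): " + e.getMessage());
            return;
        }
        System.out.println("STEP 1 OK: bound as " + bindDn);
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.OBJECT_SCOPE);           // scope: base, as in the trace
        try {
            NamingEnumeration<SearchResult> hits = ctx.search(bindDn, "(objectClass=*)", sc);
            if (hits.hasMore()) {
                System.out.println("STEP 2 OK: entry has objectClass " + hits.next().getAttributes().get("objectClass"));
            } else {
                System.out.println("STEP 2 FAILED: entry returned no result, so it carries no objectClass");
            }
        } catch (SchemaViolationException e) {
            // error code 65: the gateway cannot serve the entry as an LDAP object
            System.out.println("STEP 2 FAILED: verifyDN search got error 65: " + e.getMessage());
        } finally {
            ctx.close();
        }
    }
}
```

If step 1 succeeds and step 2 fails, the credentials are fine and the work is on the bind entry's attributes in the gateway; if step 1 fails, the problem is upstream of the DN.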

Hi Rushikesh

We created a service account in RACF and I can see the newly created account using an LDAP browser, but the password which the admin used in RACF is not working through Saviynt and/or the LDAP browser. It looks like Saviynt is trying to authenticate and takes around 5-6 seconds before giving an authentication exception.

Do you have any suggestions?

It sounds like there might be an issue with the password synchronization between Saviynt and RACF. Here are a few steps to troubleshoot and potentially resolve the issue:

  1. Verify Password:
    • Confirm that the password being used is correct and has been set properly in RACF.
    • Double-check that there are no typographical errors.
  2. Check Account Lockout:
    • Ensure that the account hasn't been locked out due to multiple failed login attempts.
  3. LDAP Configuration:
    • Confirm that the LDAP configuration in Saviynt is correctly pointing to the RACF LDAP server.
    • Ensure that the bind DN and credentials are correct and have sufficient permissions.
  4. Password Policy:
    • Verify that the password policy in RACF and Saviynt match and that the password meets the required criteria.
  5. Connection and Bind Issues:
    • Check the connection settings in Saviynt for the RACF LDAP server.
    • Ensure that the LDAP URL, port, and protocol (LDAP/LDAPS) are correctly configured.
    • Verify the bind DN and password being used to connect to LDAP are correct and have the necessary access.
  6. Logs and Error Messages:
    • Review the logs in Saviynt for detailed error messages related to the authentication exception.
    • Check the RACF and LDAP server logs for any errors or warnings that might give additional clues.
  7. Synchronization Delay:
    • There might be a delay in password synchronization between RACF and LDAP. Try resetting the password again and see if it works after a short wait.
  8. Network Issues:
    • Ensure there are no network issues affecting the communication between Saviynt and the RACF LDAP server.

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.