05/20/2024 08:44 PM
I am trying to configure RACF connector and using the following document.
Understanding the Integration between EIC and RACF Interfaces (saviyntcloud.com)
Installed LDAP Gateway on one of the internal servers but not able to make a successful connection. Getting a NamingException.
ERROR ldap.SaviyntGroovyLdapService - Exception.. try next url
F javax.naming.NamingException: LDAP connection has been closed
at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:133)
at com.sun.jndi.ldap.Connection.readReply(Connection.java:469)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:365)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2897)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:347)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:229)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:247)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:695)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
05/20/2024 09:30 PM
05/21/2024 05:23 AM
Hi
I tried with IP address also but same result. I am also not able to create a binding when I try to access LDAP Gateway server from my local ldap browser.
05/21/2024 05:47 AM
Check with application team about connectivity issue
06/24/2024 01:43 PM
Hi
We decided to use an already working LDAP Gateway which works with Oracle Identity Manager (OIG), and we are trying to use the same gateway with Saviynt. After working through internal networking and firewall issues, I am receiving a new error:
server, managedn ldap://tloridm101.thrivent.com:6589cn=idfRacfAdmin,dc=racf,dc=com
Checking for url = ldap://tloridm101.thrivent.com:6589
Exception.. try next url
javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Invalid parentBaseDn [cn=idfRacfAdmin,dc=racf,dc=com] for this context!]; remaining name 'cn=idfRacfAdmin,dc=racf,dc=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3292)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3207)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2998)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1874)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1797)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
at com.saviynt.ldap.SaviyntGroovyLdapService.verifyDN(SaviyntGroovyLdapService.groovy:9740)
at com.saviynt.ldap.SaviyntGroovyLdapService.getConnection(SaviyntGroovyLdapService.groovy:3886)
at com.saviynt.ldap.SaviyntGroovyLdapService.testADConnection(SaviyntGroovyLdapService.groovy:5183)
at com.saviynt.ecm.integration.ExternalConnectionCallService.testExternalConnection(ExternalConnectionCallService.groovy:1030)
at com.saviynt.ecm.utility.domain.EcmConfigController$_closure21.doCall(EcmConfigController.groovy:776)
at grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter.doFilter(GrailsAnonymousAuthenticationFilter.java:53)
at com.saviynt.webservice.SaviyntRestAuthenticationFilter.doFilter(SaviyntRestAuthenticationFilter.groovy:158)
at grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter.doFilter(MutableLogoutFilter.java:62)
at grails.plugin.springsecurity.web.SecurityRequestHolderFilter.doFilter(SecurityRequestHolderFilter.java:59)
at com.mrhaki.grails.plugin.xframeoptions.web.XFrameOptionsFilter.doFilterInternal(XFrameOptionsFilter.java:69)
at com.brandseye.cors.CorsFilter.doFilter(CorsFilter.java:82)
at java.lang.Thread.run(Thread.java:750)
connectionsuccessful-1 = false
connectionsuccessful-2 = false
Import Json -
Enter getTimeOutConfig
connectionType: AD
connectionTimeoutConfig before guardRail validation: [retryWait:2, connectionTimeout:10, retryCount:3, readTimeout:55]
Final connectionTimeoutConfig after guardRail validation: [connectionTimeout:10, readTimeout:55, retryCount:3, retryWait:2]
Inside validateErrorResponse
Inside validateCommonErrorResponse
Error while saving the Connection: [Target Error Message: [SchemaViolationException: [LDAP: error code 65 - Invalid parentBaseDn [cn=idfRacfAdmin,dc=racf,dc=com] for this context!]]]
ErrorMessage res : [Target Error Message: [SchemaViolationException: [LDAP: error code 65 - Invalid parentBaseDn [cn=idfRacfAdmin,dc=racf,dc=com] for this context!]]]
Can you please suggest on this?
06/24/2024 01:45 PM
"javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Invalid parentBaseDn [cn=idfRacfAdmin,dc=racf,dc=com] for this context!]; remaining name 'cn=idfRacfAdmin,dc=racf,dc=com' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3292) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3207)
06/24/2024 07:31 PM
The SchemaViolationException you're encountering, with LDAP error code 65, indicates that there is a problem with the directory structure or the data not conforming to the directory schema. Specifically, the error message suggests that the parentBaseDn value cn=idfRacfAdmin,dc=racf,dc=com is invalid for the context where you're trying to add or modify the LDAP entry.
Here are a few possible reasons and troubleshooting steps for this issue:
06/25/2024 01:02 PM
Thanks Rushikesh.
I totally understand the suggestions you posted above, and when I try to use a user which is already present in LDAPGateway, I get a different error, "authentication exception", which means I need to work on the password to start with.
But just wondering why the current setup is working fine with OIG where LDAPGateway is configured inside the OIG server.
06/25/2024 08:23 PM
It seems you have an issue with authentication. Please validate the credentials entered in the connector.
06/26/2024 05:13 PM
If I create a user cn=idfRacfAdmin as per the initial suggestion, will that user need to be created in LDAPGateway only or in the Mainframe application also?
06/26/2024 05:42 PM
Creating the user cn=idfRacfAdmin in LDAP is one part of the process. Whether you also need to create this user in the Mainframe application depends on how the Mainframe and LDAP systems are integrated and what the user's role will be.
06/28/2024 09:22 AM
We took a packet trace on the LDAP gateway to see what Saviynt is attempting to do when connecting. The packet trace shows an attempted bind, which succeeds. Immediately after the bind, Saviynt attempts to do a search against the bind ID with a filter of objectclass=*.
For example.
Search request:
baseObject: cn=idfRacfAdmin,dc=racf,dc=com
scope: base
filter: (objectclass=*)
This request fails with an “objectclassViolation (Invalid parentDN [cn=idfRacfAdmin,dc=racf,dc=com] for this context!” error.
We suspect the error is being thrown because the id in question doesn’t have any attributes associated with it, including objectclass.
Why is this search request being performed, and is there a way to prevent it from occurring?
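Added example (not part of the original thread and not Saviynt's code): the two JNDI stack traces posted earlier in this thread already show which LDAP operation failed, which is the same thing the packet trace established. The `triage` helper and its frame-to-stage table are assumptions made for illustration, and the sample traces are constructed by abbreviating the ones quoted above.

```python
import re

# Constructed sample input: abbreviated from the two traces quoted in this thread.
TRACE_BIND = """javax.naming.NamingException: LDAP connection has been closed
at com.sun.jndi.ldap.Connection.readReply(Connection.java:469)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:365)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2897)"""
TRACE_SEARCH = (
    "javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - "
    "Invalid parentBaseDn [cn=idfRacfAdmin,dc=racf,dc=com] for this context!] "
    "at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1874) "
    "at com.saviynt.ldap.SaviyntGroovyLdapService.verifyDN(SaviyntGroovyLdapService.groovy:9740)"
)

# LDAP result codes from RFC 4511 that matter for this thread.
RESULT_CODES = {49: "invalidCredentials", 65: "objectClassViolation"}

# Hypothetical mapping (an assumption of this example): JNDI frame suffix -> LDAP operation.
STAGES = [
    ("LdapClient.ldapBind", "bind"),
    ("LdapCtx.searchAux", "search"),
    ("LdapCtx.connect", "connect"),
]

def triage(trace):
    """Report which LDAP operation a JNDI stack trace failed in."""
    exc = re.match(r"\s*([\w.$]+Exception)", trace)
    code = re.search(r"LDAP: error code (\d+)", trace)
    frames = re.findall(r"\bat ([\w.$<>]+)\(", trace)  # innermost frame first
    stage = "unknown"
    for frame in frames:
        hit = next((name for suffix, name in STAGES if frame.endswith(suffix)), None)
        if hit:
            stage = hit
            break
    num = int(code.group(1)) if code else None
    return {
        "exception": exc.group(1).rsplit(".", 1)[-1] if exc else None,
        "stage": stage,
        "result_code": num,
        "result_name": RESULT_CODES.get(num),
        # A search frame means the server answered a search on an established
        # context, so the connect/bind phase was already over.
        "past_bind": stage == "search",
    }

if __name__ == "__main__":
    for sample in (TRACE_BIND, TRACE_SEARCH):
        print(triage(sample))
```

Run against the first trace it reports a failure during the bind exchange with no LDAP result code (the connection was closed), and against the second a server-returned result code 65 on the post-bind search issued from `verifyDN`.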
06/28/2024 10:56 AM
Before creating an account, it will validate whether the account exists or not, and there is no way to avoid it.
07/10/2024 10:21 AM
Hi Rushikesh
We created a service account in RACF and I can see the newly created account using an LDAP browser, but the password which the admin used in RACF is not working through Saviynt and/or the LDAP browser. It looks like Saviynt is trying to authenticate and takes around 5-6 seconds before giving an authentication exception.
Do you have any suggestions?
07/10/2024 10:50 AM
Sounds like there might be an issue with the password synchronization between Saviynt and RACF. Here are a few steps to troubleshoot and potentially resolve the issue:
Verify Password:
Check Account Lockout:
LDAP Configuration:
Password Policy:
Connection and Bind Issues:
Logs and Error Messages:
Synchronization Delay:
Network Issues: