Case of the Broken Novell LDAP over SSL + Querying eDirectory via PowerShell

In a legacy Novell NetWare environment I wanted to eliminate some manual tasks, and I planned to use PowerShell to do it. First I needed to identify a Novell NetWare LDAP server to connect to.

To identify a server name I logged onto a machine with the Novell Client installed, right-clicked the N icon in the system notification area and selected "Novell Connections…"


I then looked for the server marked with the * and the authentication state "eDirectory Services".


I then tried some quick & dirty PowerShell to test LDAP connectivity:

# NetWare server to query - port 636 for SSL
$NetWareServer=New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier("nw-1",636)

# top level place to start
$SearchStart="o=home"

# if a username is specified it must be in DN format, e.g. cn=chentiangemalc,ou=drouin,ou=aus,ou=global,o=home
$NetwareUser="cn=chentiangemalc,ou=drouin,ou=aus,ou=global,o=home"

# storing passwords in scripts is a bad idea
$NetwarePassword="NCC-1701-d"

Add-Type -AssemblyName System.DirectoryServices.Protocols

$netcred=New-Object System.Net.NetworkCredential($NetwareUser,$NetwarePassword)
$ldap=New-Object System.DirectoryServices.Protocols.LdapConnection($NetWareServer)

# simple (basic) bind for Novell
$ldap.AuthType=[System.DirectoryServices.Protocols.AuthType]::Basic

if ($NetwarePassword -eq "")
{
    # no password - anonymous bind
    $ldap.Bind()
}
else
{
    $SessionOptions=$ldap.SessionOptions
    # enable SSL - required when sending a password in the default eDirectory config
    $SessionOptions.SecureSocketLayer=$true

    # accept invalid certs - only uncomment if required (this disables certificate checking entirely)
    # $SessionOptions.VerifyServerCertificate = {
    #     $MyCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $args[1]
    #     # get the expiry date of the cert in case you want to do something with it
    #     $DCCertDate = $MyCert.NotAfter
    #     $true
    # }
    $ldap.Bind($netcred)
}

$request=New-Object System.DirectoryServices.Protocols.SearchRequest(
    $SearchStart,
    "(objectClass=Group)",
    [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    "*")

# wait for up to one minute - this server is slow to respond
$WaitTime=New-Object System.TimeSpan(0,1,0)
$response=$ldap.SendRequest($request,$WaitTime)

"Found $($response.Entries.count) groups under $($SearchStart)"
$response.Entries
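The commented-out VerifyServerCertificate block in the script above returns $true for any certificate, which turns SSL into an unauthenticated tunnel. The following is an added example (not code from the original post) of the same LDAPS bind with the server certificate actually checked: validity period, chain trust and name match, with the reason logged when it fails. The host name "nw-1", port 636 and the function names are assumptions for illustration; the credential is prompted for instead of being stored in the script.

```powershell
# Added example (not from the original post): bind to eDirectory over LDAPS with the server
# certificate validated properly, instead of a VerifyServerCertificate callback that returns $true.
# Assumptions: host "nw-1" and port 636 are placeholders; adjust them for your tree.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-EdirServerCertificate {
    # Returns $true only if the cert is within its validity period, the chain builds to a trusted
    # root, and the certificate's DNS name matches the host we intended to reach.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate] $Certificate,
        [string] $ExpectedHost
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Certificate

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        Write-Warning "Certificate for $ExpectedHost is outside its validity period (expires $($cert.NotAfter))"
        return $false
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Chain trust is enforced; revocation is skipped because legacy tree CAs rarely publish a reachable CRL
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Write-Warning "Certificate chain for $ExpectedHost did not validate: $reasons"
        return $false
    }

    # GetNameInfo prefers the subject alternative name and falls back to the subject CN
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $ExpectedHost) {
        Write-Warning "Certificate name '$dnsName' does not match expected host '$ExpectedHost'"
        return $false
    }
    return $true
}

function Connect-EdirLdaps {
    param(
        [string] $Server = "nw-1",
        [int] $Port = 636,
        [Parameter(Mandatory)] [pscredential] $Credential   # the username is the bind DN
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $ldap = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $ldap.SessionOptions.ProtocolVersion = 3
    $ldap.SessionOptions.SecureSocketLayer = $true
    # The delegate receives (LdapConnection, X509Certificate); the closure keeps $Server in scope
    $ldap.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        Test-EdirServerCertificate -Certificate $certificate -ExpectedHost $Server
    }.GetNewClosure()
    # Bind throws "The LDAP server is unavailable" if the TLS handshake fails or the callback returns $false
    $ldap.Bind($Credential.GetNetworkCredential())
    return $ldap
}

# Usage: prompt for the DN and password rather than storing them in the script
# $ldap = Connect-EdirLdaps -Server "nw-1" -Credential (Get-Credential -Message "eDirectory bind DN")
```

The name check is deliberately strict: if the tree's certificate carries the fully qualified name, connect with that name rather than the short host name so the comparison succeeds, instead of weakening the callback.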


However this resulted in the following error:

Exception calling "Bind" with "1" argument(s): "The LDAP server is unavailable."
At c:\support\NetWareScript.ps1:30 char:11
+ $ldap.Bind <<<< ($netcred)
+ CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
Exception calling "SendRequest" with "1" argument(s): "The LDAP server returned an unknown error."
At c:\support\NetWareScript.ps1:39 char:28
+ $response=$ldap.SendRequest <<<< ($request)
+ CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException


So I tried running the code without SSL, changing the values of the NetWareServer and NetwarePassword variables:

# use default port (non-SSL)

$NetWareServer=New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier("nw-1")

$NetwarePassword=""


Everything worked fine, so we worked out that the issue was related to the SSL connection to the LDAP server. (Note that with the password blanked the script performs an anonymous bind, so no credentials were sent over the plaintext connection.)
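The "LDAP server is unavailable" message from Bind does not say whether the port is closed, the TLS handshake is refused, or the handshake succeeds but the certificate is untrusted. The following is an added example (not from the original post) that probes port 636 directly and separates those three cases, reporting the certificate the server presents. The host name "nw-1", port 636 and the function name are assumptions for illustration.

```powershell
# Added example (not from the original post): probe the LDAPS port and split a failed bind into
# "no TCP connection", "TLS handshake failed" and "handshake OK but certificate policy errors".
# Assumptions: host "nw-1" and port 636 are placeholders.
function Test-LdapsHandshake {
    param(
        [string] $Server = "nw-1",
        [int] $Port = 636,
        [int] $TimeoutMs = 5000
    )
    $result = [ordered]@{ Server = $Server; Port = $Port; Stage = 'tcp'; Ok = $false; Detail = '' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Detail = "no TCP connection within $TimeoutMs ms"
            return [pscustomobject]$result
        }
        $client.EndConnect($ar)

        # Diagnostic only: record the policy errors but let the handshake finish so the cert can be read.
        # A production client must not accept the certificate this way.
        $state = @{ PolicyErrors = [System.Net.Security.SslPolicyErrors]::None }
        $validator = {
            param($sender, $cert, $chain, $errors)
            $state.PolicyErrors = $errors
            $true
        }.GetNewClosure()
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]$validator

        $result.Stage = 'tls'
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # Throws if the server cannot complete a TLS handshake, e.g. no certificate configured
        $ssl.AuthenticateAsClient($Server)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $result.Ok = ($state.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        $result.Detail = "protocol=$($ssl.SslProtocol) subject='$($cert.Subject)' issuer='$($cert.Issuer)' " +
                         "expires=$($cert.NotAfter.ToString('yyyy-MM-dd')) policyErrors=$($state.PolicyErrors)"
        $ssl.Dispose()
    }
    catch {
        # Stage tells you whether the TCP connect or the TLS handshake raised the exception
        $result.Detail = $_.Exception.GetBaseException().Message
    }
    finally {
        $client.Close()
    }
    return [pscustomobject]$result
}

# Usage:
# Test-LdapsHandshake -Server "nw-1" | Format-List
```

A server in the state described in this post (SSL enabled on the LDAP server object but no usable certificate) fails at Stage 'tls' with the handshake exception, while a healthy server returns Ok $true and the certificate details, which is the quickest way to tell a certificate problem from a closed port or a firewall.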

In ConsoleOne I also tried to export the LDIF configuration by clicking Wizards | NDS Import/Export Wizard.

I selected "Export LDIF File", clicked Next and filled out the other details as necessary, but when the export started we got a failure:

ldap_simple_bind failed: 81(Can’t contact LDAP server),

To diagnose this I searched for the server in ConsoleOne to find its management page: I used the Find button and made sure "Search subcontainers" was ticked.


We found our server:


From here, on the General tab under Network Addresses, we could find the ldap and ldaps IP addresses. But today I wanted the portal address…


From the portal web page I loaded NDS iMonitor, enabled the LDAP and Secure Sockets trace options and clicked Trace On.


I then reproduced the issue and clicked "Trace Off".

I then clicked "Trace History", looked for a trace whose date/time matched my test, loaded it, and could see a more useful error message:

12:54:10 A69AC440 LDAP: TLS handle allocation failed on connection 0xa66d25c0, setting err = -5873. Error stack:
error:140BA0C3:SSL routines:SSL_new:null ssl ctx


This error suggested that no SSL certificate was configured on the server, so I searched eDirectory again for *ldap*servername and clicked the Server object to open its properties:


Looking at the server properties we could see that the Host Server property was blank:


The reason was that it had pointed to a server that no longer existed (NW-1a). I hit the browse icon, selected the server we were using for LDAP queries as the Host Server and clicked Apply.

Immediately after this change PowerShell was happy with SSL and LDIF Export was working once again in ConsoleOne.

(Note: the SSL/TLS Configuration page in the LDAP Server properties may also need to be checked for correct configuration.)

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
This entry was posted in eDirectory, LDAP, Novell, Power, PowerShell.
