ldapbind error

DavidV
Veteran Member
Posts: 101

    I've created a new ADAM instance that has pass-thru authentication to AD.  I'm trying to run ldapbind to reference that new ADAM instance and I get the error pasted below.  I've reloaded the lawson user identity as documented on a similar error.  The sso/SSOServlet works fine.  Any help would be greatly appreciated.  HP-UX 11iv1;WAS 60217; LSF 9006 and all current patches; Apps 9 MSP4; java 1.4.2.12; bouncy castle kfd14-135 

    com.lawson.lawsec.authen.SecurityAuthenException:Message:javax.crypto.BadPaddingException: pad block corrupted
    Stack Trace : javax.crypto.BadPaddingException: pad block corrupted
            at org.bouncycastle.jce.provider.JCEBlockCipher.engineDoFinal(Unknown Source)
            at javax.crypto.Cipher.doFinal(DashoA12275)
            at com.lawson.lawsec.authen.LawsonIdentityImpl.decrypt(Unknown Source)
            at com.lawson.lawsec.authen.LawsonIdentityImpl.getCredentialProperty(Unknown Source)
            at com.lawson.lawsec.authen.LdapBind.getUserInfo(Unknown Source)
            at com.lawson.lawsec.authen.LdapBind.main(Unknown Source)

            at com.lawson.lawsec.authen.LawsonIdentityImpl.decrypt(Unknown Source)
            at com.lawson.lawsec.authen.LawsonIdentityImpl.getCredentialProperty(Unknown Source)
            at com.lawson.lawsec.authen.LdapBind.getUserInfo(Unknown Source)
            at com.lawson.lawsec.authen.LdapBind.main(Unknown Source)

    John Henley
    Senior Member
    Posts: 3348
      Hi David, I remember seeing that error occur when the encryption seed in the LDAP doesn't match what was used when Lawson was installed. Are you trying to replace the LSF9 LDAP container with this new one? Or, are you just trying to bind to this one for authentication?
      Thanks for using the LawsonGuru.com forums!
      John
      DavidV
      Veteran Member
      Posts: 101

        I was going to bind to this new ADAM instance for authentication.  I was going to change all references to point to this new instance, but I can't get to that point.  It does the export and then when it switches back to ldap bind I get this error.  Nothing has changed yet to point to this new instance.

        Where would I change the encryption seed?

        DarrenK
        New Member
        Posts: 1

          I had the same problem.  It ended up being due to the processflow LDAP account being corrupted.  After removing and re-adding, we were able to successfully bind.

          DavidV
          Veteran Member
          Posts: 101

            You might have something because when I go to ssoconfig to delete it, it says it doesn't exist.  When I go to add it, it complains about multiple RMIDs:

            Lawson Service Name ():SSOP
            Lawson Resource ID ():pfadmin
            Please enter the identity properties's values

            Value of identity property USER: ():pfadmin
            Value of property PASSWORD: ():
            Failed to create identity. Detailed Message is Assigning multiple RMIDs to this
            user is not allowed for service SSOP.

            DavidV
            Veteran Member
            Posts: 101
              That was it. I had to eventually go into LDAP and remove all references to pfadmin and PFADMIN which showed up on OU=resource; OU=idxref; OU=svcxref / CN=SSOP. Then using security administrator re-add the user using first name: PFADMIN; last name: PFADMIN; and ID:pfadmin. Also setup OS account pfadmin.

              Now when I run ldapbind it does the export and now I'm getting the prompt to enter the LDAP provider url to access.

              Thanks again.

              I'm sure I'm about to create another post for things I'm about to break, but at least I'm past this one.
              Univar
              Posts: 3
                Hello - I'm having the exact same error that DavidV was getting and it appeared to be again due to the pfadmin. I got the error that it didn't exist when I tried to export it. Yet, if I exported everything I could see it.

                However, I only found two entries via LDAP which I removed, under the idxref and svcxref / CN=ssop. I couldn't find it as an OU=resource.

                Then I added pfadmin again via Lawson Security and tried the ldapbind command again. I'm getting the above 'pad block corrupted' error again but this time it won't even restore the original backup file. See below.

                Any thoughts?
                Thanks, Leslie



                Failed to switch to ldap bind. Deatailed Exception is

                com.lawson.lawsec.authen.SecurityAuthenException:Message:javax.crypto.BadPaddingException: pad block corrupted
                Stack Trace : javax.crypto.BadPaddingException: pad block corrupted
                at org.bouncycastle.jce.provider.JCEBlockCipher.engineDoFinal(Unknown Source)
                at javax.crypto.Cipher.doFinal(Unknown Source)
                at com.lawson.lawsec.authen.LawsonIdentityImpl.decrypt(Unknown Source)
                at com.lawson.lawsec.authen.LawsonIdentityImpl.getCredentialProperty(Unknown Source)
                at com.lawson.lawsec.authen.LdapBind.getUserInfo(Unknown Source)
                at com.lawson.lawsec.authen.LdapBind.main(Unknown Source)

                at com.lawson.lawsec.authen.LawsonIdentityImpl.decrypt(Unknown Source)
                at com.lawson.lawsec.authen.LawsonIdentityImpl.getCredentialProperty(Unknown Source)
                at com.lawson.lawsec.authen.LdapBind.getUserInfo(Unknown Source)
                at com.lawson.lawsec.authen.LdapBind.main(Unknown Source)
                Restore configuration
                ............................................
                ............................................
                Failed to reload original services and identities file saved as /apps/lawson/law/system/SSO_EXPORT_100311130539.xml back to LDAP.
                DavidV
                Veteran Member
                Posts: 101
                  Leslie, I feel your pain.

                  The restore was automatic and always worked for me. Note there may be other accounts that may be causing the problem. I basically ended up flushing all the users out and rebuilding all the system accounts. First make sure the system accounts are set up in AD, i.e. pfadmin, lawson, lsuser, etc. I used ssoconfig to delete and re-add them into Lawson. Here is a snippet of my notes:
                  a. It was the pfadmin account. Use ssoconfig option 6 (manage Lawson user identity), 3 (delete SSOP/pfadmin), 1 (add SSOP/pfadmin/pfadmin/).
                  b. Also created OS account pfadmin/
                  c. It was corrupted and had to be completely removed from ADAM using ADSI Edit (connect to law2 configuration dc=mjh,dc=org using mjh/ /):
                     i. O=lwsnrmdata -> OU=resources -> remove pfadmin
                     ii. O=lwsnSecData -> OU=idxref -> remove PFADMIN
                     iii. O=lwsnSecData -> OU=svcxref -> CN=SSOP -> remove pfadmin
                        1. Make absolutely sure all references to pfadmin, upper and lower case, are removed from these 3 places.
                        2. Restart the ADAM instance and re-query to make doubly sure.
                     iv. Could have used Lawson Security Administrator but I used ssoconfig -c:
                        1. Add the resource first: option 8 (Lawson resources), then option 1 (add resource)
                           a. Firstname: PFADMIN
                           b. ID: pfadmin (make sure it's lower case)
                           c. Lastname: PFADMIN
                        2. Add the identity: option 6 (manage Lawson service identities). Make absolutely sure you use the correct case.
                           a. Lawson service name: SSOP
                           b. Lawson resource ID: PFADMIN. Note it is upper case even though the resource ID was lower case. Don't know why all others are lower and this one is upper, but it matters for this account. Almost all others are the same case.
                           c. Identity property USER: pfadmin (this needs to be lower case)
                           d. Credential property PASSWORD: make sure the password matches what you have in AD.
                        3. Make sure ADSI has the proper values for the 3 attributes removed earlier:
                           a. O=lwsnrmdata -> OU=resources -> lower case pfadmin
                           b. O=lwsnSecData -> OU=idxref -> upper case PFADMIN
                           c. O=lwsnSecData -> OU=svcxref -> CN=SSOP -> lower case pfadmin
                           d. Make sure all exist and the case is correct.
                        4. Had to double-check all ADAM accounts. I used loadusers to rebuild all the employee accounts and used ssoconfig to delete the SSOP and law9 identities and manually re-added all the system accounts, i.e. mjhelp, tempacct, temphr, volhr, patint, retsen, bcxuser, nightly, faxserv. !!!! Used Lawson Security Administrator to validate. If the managed identities for each agent were viewable without getting an object error then it was clean. If not, then I had to rebuild using ssoconfig or loadusers. !!! This is key: if you can't view it in managed identities then it needs to be rebuilt. Note: be sure to refresh the cache and wait about 15 to 20 minutes for things to flush through the system.
                  Univar
                  Posts: 3
                    Thanks DavidV - I appreciate all your information. I think I might have found a few bad IDs besides the pfadmin. Thanks also for the details on the PFADMIN account, in regards to case sensitivity.

                    I have another question for you. Sorry - I didn't get to go to any of the LDAP / Unix training; my co-worker went and then quit a month later. Anyway, I'm noticing that when you remove a person out of Lawson Security it will remove the 'resource' entry but it never removes the entry under the idxref or the svcxref / CN=SSOP. Could all that garbage be a part of my problems as well? I'd like to remove them. Do you feel I'm safe to do so?

                    Thanks again for all the notes. I will follow them and see what I get.
                    Leslie
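DavidV's notes above (resource pfadmin lower case, idxref PFADMIN upper case, svcxref/CN=SSOP pfadmin lower case, and nothing left behind in any of the three places) and Leslie's question about entries that linger under idxref and svcxref after a user is removed both come down to checking the three containers against each other. The script below is an added example, not code from this thread or from Lawson. It reads an LDIF export of the ADAM instance (for example from ldifde or JXplorer) and reports cross-reference entries with no matching resource (orphans) and names that occur twice in one container differing only by case, which is the state behind the "Assigning multiple RMIDs" refusal DavidV hit; lookup() shows how a given ID is actually cased in each place. The container layout it assumes (entry name in the CN= RDN, OU=resources under O=lwsnrmdata, OU=idxref and CN=SSOP,OU=svcxref under O=lwsnSecData) is read off the ADSI paths quoted in the posts, not a confirmed Lawson schema, and the embedded LDIF sample is constructed.

```python
"""Offline audit of a Lawson LSF9 ADAM LDIF export for the two conditions in
this thread: idxref/svcxref entries with no matching OU=resources entry, and
entries in one container that differ only by case (the "multiple RMIDs" state).
Standard library only. Assumed layout (read from the thread, not confirmed):
name is the CN= RDN; resources under OU=resources,O=lwsnrmdata; identities
under OU=idxref,O=lwsnSecData and CN=<service>,OU=svcxref,O=lwsnSecData."""
import base64
import re
import sys
from collections import defaultdict

# Constructed sample, not data from the thread: pfadmin stored with the mixed
# case DavidV describes, olduser left behind after deletion, nightly duplicated.
SAMPLE_LDIF = """\
dn: CN=pfadmin,OU=resources,O=lwsnrmdata
objectClass: top

dn: CN=PFADMIN,OU=idxref,O=lwsnSecData
objectClass: top

dn: CN=pfadmin,CN=SSOP,OU=svcxref,
 O=lwsnSecData
objectClass: top

dn: CN=olduser,OU=idxref,O=lwsnSecData
objectClass: top

dn: CN=olduser,CN=SSOP,OU=svcxref,O=lwsnSecData
objectClass: top

dn: CN=nightly,OU=resources,O=lwsnrmdata
objectClass: top

dn: CN=nightly,CN=SSOP,OU=svcxref,O=lwsnSecData
objectClass: top

dn: CN=NIGHTLY,CN=SSOP,OU=svcxref,O=lwsnSecData
objectClass: top
"""


def parse_ldif_dns(text):
    """Return every entry DN: unfold continuation lines, decode 'dn::' base64."""
    dns = []
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        if line.startswith("dn::"):
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.startswith("dn:"):
            dns.append(line[3:].strip())
    return dns


def classify(dns):
    """Bucket names (exact case kept) as 'resources', 'idxref', 'svcxref/<SVC>'."""
    buckets = defaultdict(list)
    for dn in dns:
        rdns = [p.strip() for p in re.split(r"(?<!\\),", dn)]  # unescaped commas
        if len(rdns) < 3 or rdns[0][:3].upper() != "CN=":
            continue
        name, parent = rdns[0][3:], ",".join(rdns[1:]).upper()
        if parent == "OU=RESOURCES,O=LWSNRMDATA":
            buckets["resources"].append(name)
        elif parent == "OU=IDXREF,O=LWSNSECDATA":
            buckets["idxref"].append(name)
        elif len(rdns) == 4 and parent.endswith(",OU=SVCXREF,O=LWSNSECDATA"):
            buckets["svcxref/" + rdns[1][3:].upper()].append(name)
    return buckets


def lookup(dns, name):
    """Exact-case spelling of `name` in the three places the thread says must
    agree; an empty list means the entry is missing there."""
    buckets = classify(dns)
    return {c: sorted(n for n in buckets.get(c, []) if n.lower() == name.lower())
            for c in ("resources", "idxref", "svcxref/SSOP")}


def audit(dns):
    """Return sorted (severity, container, name, detail) findings."""
    buckets = classify(dns)
    resources = {n.lower() for n in buckets.get("resources", [])}
    findings = []
    for container, names in buckets.items():
        by_key = defaultdict(list)
        for n in names:
            by_key[n.lower()].append(n)
        for key, variants in by_key.items():
            if len(variants) > 1:
                # Same name twice differing only by case: the state behind
                # ssoconfig's "Assigning multiple RMIDs ... not allowed".
                findings.append(("ERROR", container, key,
                                 "case-variant duplicates: " + ", ".join(sorted(variants))))
            elif container != "resources" and key not in resources:
                # Cross-reference whose resource is gone: what Lawson Security
                # leaves under idxref/svcxref after a user is removed.
                findings.append(("WARN", container, variants[0],
                                 "no matching OU=resources entry (orphan)"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python ldif_audit.py export.ldif   (no argument: audit SAMPLE_LDIF)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for finding in audit(parse_ldif_dns(text)):
        print("%-5s %-13s %-8s %s" % finding)
```

The script only reads the export and never writes to the directory; take an export of the instance before deleting anything in ADSI Edit so a removed entry can be re-imported, and treat an orphan as a candidate for cleanup rather than proof of corruption until ldapbind or the ssoconfig export confirms it.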
                    Bart Conger
                    Advanced Member
                    Posts: 18
                      If you are having an issue with ldapbind and need to find a bad record, there is a quick and easy way to find those records. Stop your Lawson system. Modify the sso_tracing.properties file. Change:
                      TRACING_ON=false
                      SSO_TRACE_TYPES=FSSO,BSSO,API,SSSO

                      To:
                      TRACING_ON=true
                      SSO_TRACE_TYPES=FSSO,BSSO,API,SSSO

                      Restart Lawson and run the ldapbind. When it dies it will write the last record that it was trying to bind in the log file generated by sso_tracing.properties. This is most likely the culprit. If you have multiple records you may have to perform this several times.
                      Bart Conger
                      Advanced Member
                      Posts: 18
                        p.s. after finding the issues - be sure to turn it off (back to 'false') otherwise $LAWDIR/system will get pretty messy.
                        DavidV
                        Veteran Member
                        Posts: 101
                          Leslie,

                          I remember having to clean up a few things. I would assume it's safe, but I would defer to someone more knowledgeable. Bart had a great idea. That should really help you find the problem accounts. JXplorer is also a very helpful tool in viewing the ADAM instance and cleaning things up.
                          Univar
                          Posts: 3
                            Hi All,

                            Your suggestions worked. I got LDAP to bind. I'm having some issues with LBI etc., but I have my theories. If I can't figure them out I'll add a new topic next week.

                            Thank you all so much for your help!!
                            Leslie

                            Goober
                            Basic Member
                            Posts: 17
                              Hey Folks, the way to find exactly which profiles are causing the issue is to:
                              launch ssoconfig
                              manage identities
                              export ALL identities
                              It will fail and create a log of the identities that had issues in the lase_server_x_x.log file.
                              Delete them and all should work.