0 Replies Latest reply: Feb 29, 2012 12:51 PM by Gigibigi-Oracle

    Oracle iPlanet Web Server 7 - need to debug client authentication

    Gigibigi-Oracle
      Hello to all, we have an Oracle iPlanet Web Server 7.0.11 B03/11/2011 08:38 that is configured as a Proxy with native proxy plugin.
      Client side uses client authentication to access the proxied URI.
      iPlanet is configured with an LDAP repository based on Oracle DSEE and with the following certmap.conf
      certmap default default
      default:DNComps
      default:FilterComps cn
      default:CmapLdapAttr description
      default:verifycert on
      See the last line: in our case if "verifycert" is ON then client auth fails. If "verifycert" is OFF client auth works fine.

      iPlanet's errors log does not help too much in case of failure even if it is FINEST because it says for example:
      [28/Feb/2012:17:24:05] fine ( 9056): acl: getter for (attr=cert; method=ssl, dbtype=ldap) returns -1
      [28/Feb/2012:17:24:05] security ( 9056): HTTP4189: get_auth_user_ssl: unable to map cert to LDAP entry. Reason: ldap search returned empty result, Issuer: "CN=VeriSign Class 3 International Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US", User: "CN=www.eservices.gemalto.com,OU="Member, VeriSign Trust Network",OU=Authenticated by VeriSign,OU=Terms of use at www.verisign.fr/rpa (c)05,OU=eservices,O=Gemalto SA,L=Tours,ST=Tours,C=FR"
      [28/Feb/2012:17:24:05] fine ( 9056): acl: getter for (attr=user; method=ssl, dbtype=ldap) returns -2

      Apparently "*ldap search returned empty result*" but from the LDAP access log we see that LDAP search did not fail:
      [28/Feb/2012:17:24:05 +0100] conn=72875 op=6 msgId=7 - BIND dn="cn=Directory Manager" method=128 version=3
      [28/Feb/2012:17:24:05 +0100] conn=72875 op=6 msgId=7 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
      [28/Feb/2012:17:24:05 +0100] conn=72875 op=7 msgId=8 - SRCH base="c=it" scope=2 filter="(description=CN=www.eservices.gemalto.com,OU=\22Member, VeriSign Trust Network\22,OU=Authenticated by VeriSign,OU=Terms of use at www.verisign.fr/rpa \28c\2905,OU=eservices,O=Gemalto SA,L=Tours,ST=Tours,C=FR)" attrs="uid userCertificate;binary"
      [28/Feb/2012:17:24:05 +0100] conn=72875 op=7 msgId=8 - RESULT err=0 tag=101 nentries=1 etime=0

      This is the reason why we need more detail... is it possible to enable a trace/debug flag?
      What do you suggest?

      Many thanks in advance.
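The following is an added example, not code from the thread or from Oracle iPlanet Web Server. It models the mapping steps that the posted certmap.conf describes, as documented for certmap.conf: with CmapLdapAttr set, the server searches for an entry whose description attribute equals the whole subject DN (falling back to the FilterComps RDNs if that finds nothing), and with verifycert on it then compares the presented certificate against the entry's userCertificate values. The certmap.conf, the subject DN and the logged filter are copied from the post; the certificate bytes, the directory entry, the function names and the outcome labels are constructed for the example. Running it shows the point the two logs together already hint at: the search can return one entry (nentries=1) and the mapping can still fail afterwards, because the verifycert comparison happens after the search succeeds.

```python
# Added example: a model of certmap.conf subject-DN mapping plus the verifycert
# comparison. Not iPlanet's code; the functions, certificate bytes and directory
# entry below are constructed. Only the config, subject DN and logged filter
# are taken from the thread.

# certmap.conf exactly as posted in the thread
CERTMAP_CONF = """\
certmap default default
default:DNComps
default:FilterComps cn
default:CmapLdapAttr description
default:verifycert on
"""

# Client certificate subject as printed in the iPlanet errors log
SUBJECT_DN = (
    'CN=www.eservices.gemalto.com,OU="Member, VeriSign Trust Network",'
    "OU=Authenticated by VeriSign,OU=Terms of use at www.verisign.fr/rpa (c)05,"
    "OU=eservices,O=Gemalto SA,L=Tours,ST=Tours,C=FR"
)

# Search filter exactly as the DSEE access log recorded it
LOGGED_FILTER = (
    "(description=CN=www.eservices.gemalto.com,OU=\\22Member, VeriSign Trust Network\\22,"
    "OU=Authenticated by VeriSign,OU=Terms of use at www.verisign.fr/rpa \\28c\\2905,"
    "OU=eservices,O=Gemalto SA,L=Tours,ST=Tours,C=FR)"
)

# Constructed stand-ins for DER-encoded certificates (not real certificates)
CERT_IN_DIRECTORY = b"\x30\x82\x00\x10constructed-cert-A"
CERT_PRESENTED_BY_CLIENT = b"\x30\x82\x00\x10constructed-cert-B"

# Constructed directory: one entry whose description holds the subject DN, as
# CmapLdapAttr expects, and whose userCertificate;binary holds one certificate.
DIRECTORY = [
    {
        "dn": "uid=eservices,c=it",
        "uid": "eservices",
        "description": SUBJECT_DN,
        "userCertificate;binary": [CERT_IN_DIRECTORY],
    }
]


def parse_certmap(text, name="default"):
    """Collect the '<name>:<property> <value>' lines of one certmap entry."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("certmap "):
            continue
        key, _, value = line.partition(" ")
        entry, _, prop = key.partition(":")
        if entry == name:
            props[prop] = value.strip()  # "default:DNComps" yields an empty value
    return props


def split_dn(dn):
    """Split a subject DN into (attr, value) pairs, honouring quoted commas."""
    parts, current, quoted = [], [], False
    for ch in dn:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().strip('"')))
    return rdns


# RFC 4515 assertion-value escapes, plus '"' -> \22 as the DSEE log shows
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00", '"': "\\22"}


def ldap_filter_escape(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def filter_terms(props, subject_dn):
    """Yield the equality terms in the order tried: CmapLdapAttr on the whole
    subject DN first, then the FilterComps RDNs (assumed fallback order)."""
    attr = props.get("CmapLdapAttr")
    if attr:
        yield {attr: subject_dn}
    comps = [c.strip().lower() for c in props.get("FilterComps", "").split(",") if c.strip()]
    rdns = dict(split_dn(subject_dn))
    terms = {c: rdns[c] for c in comps if c in rdns}
    if terms:
        yield terms


def render_filter(terms):
    """Render the terms as the filter string a directory access log would show."""
    clauses = [f"({attr}={ldap_filter_escape(value)})" for attr, value in terms.items()]
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"


def search(directory, terms):
    return [e for e in directory if all(e.get(a) == v for a, v in terms.items())]


def map_certificate(props, subject_dn, presented_cert, directory):
    """Return (status, entry, filter). Status is one of 'mapped', 'no-entry',
    'ambiguous' or 'verifycert-mismatch' (labels constructed for this model)."""
    last_filter = None
    for terms in filter_terms(props, subject_dn):
        last_filter = render_filter(terms)
        hits = search(directory, terms)
        if len(hits) > 1:
            return "ambiguous", None, last_filter
        if len(hits) == 1:
            entry = hits[0]
            # verifycert on: the search succeeded, but the presented certificate
            # must also equal one stored in the entry, or the mapping fails here.
            if props.get("verifycert", "off").lower() == "on" and \
                    presented_cert not in entry.get("userCertificate;binary", []):
                return "verifycert-mismatch", entry, last_filter
            return "mapped", entry, last_filter
    return "no-entry", None, last_filter


if __name__ == "__main__":
    props = parse_certmap(CERTMAP_CONF)
    for cert in (CERT_IN_DIRECTORY, CERT_PRESENTED_BY_CLIENT):
        status, entry, flt = map_certificate(props, SUBJECT_DN, cert, DIRECTORY)
        print(status, "-", flt)
```

The rendered filter for the posted subject DN reproduces the one in the DSEE access log byte for byte, which is a quick way to confirm that the search the server issues is the one you expect; the remaining question is then whether the DER bytes of the certificate the client presents are the same bytes stored in userCertificate;binary of the single entry that search returns.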