ldapbind error

DavidV
Veteran Member
Posts: 101

I've created a new ADAM instance that has pass-thru authentication to AD.  I'm trying to run ldapbind to reference that new ADAM instance and I get the error pasted below.  I've reloaded the lawson user identity as documented on a similar error.  The sso/SSOServlet works fine.  Any help would be greatly appreciated.  HP-UX 11iv1;WAS 60217; LSF 9006 and all current patches; Apps 9 MSP4; java 1.4.2.12; bouncy castle kfd14-135 

com.lawson.lawsec.authen.SecurityAuthenException:Message:javax.crypto.BadPaddingException: pad block corrupted
Stack Trace : javax.crypto.BadPaddingException: pad block corrupted
        at org.bouncycastle.jce.provider.JCEBlockCipher.engineDoFinal(Unknown Source)
        at javax.crypto.Cipher.doFinal(DashoA12275)
        at com.lawson.lawsec.authen.LawsonIdentityImpl.decrypt(Unknown Source)
        at com.lawson.lawsec.authen.LawsonIdentityImpl.getCredentialProperty(Unknown Source)
        at com.lawson.lawsec.authen.LdapBind.getUserInfo(Unknown Source)
        at com.lawson.lawsec.authen.LdapBind.main(Unknown Source)

        at com.lawson.lawsec.authen.LawsonIdentityImpl.decrypt(Unknown Source)
        at com.lawson.lawsec.authen.LawsonIdentityImpl.getCredentialProperty(Unknown Source)
        at com.lawson.lawsec.authen.LdapBind.getUserInfo(Unknown Source)
        at com.lawson.lawsec.authen.LdapBind.main(Unknown Source)

John Henley
Posts: 3351
Hi David, I remember seeing that error occur when the encryption seed in the LDAP doesn't match what was used when Lawson was installed. Are you trying to replace the LSF9 LDAP container with this new one? Or, are you just trying to bind to this one for authentication?
Thanks for using the LawsonGuru.com forums!
John
DavidV
Veteran Member
Posts: 101

I was going to bind to this new ADAM instance for authentication. I was going to change all references to this new instance, but I can't get to that point. It does the export and then when it switches back to ldap bind I get this error. Nothing has changed yet to point to this new instance.

Where would I change the encryption seed?

DarrenK
New Member
Posts: 1

I had the same problem. It ended up being due to the processflow LDAP account being corrupted. After removing and re-adding, we were able to successfully bind.

DavidV
Veteran Member
Posts: 101

You might have something, because when I go to ssoconfig to delete it, it says it doesn't exist. When I go to add it, it complains about multiple RMIDs:

Lawson Service Name ():SSOP
Lawson Resource ID ():pfadmin
Please enter the identity properties's values

Value of identity property USER: ():pfadmin
Value of property PASSWORD: ():
Failed to create identity. Detailed Message is Assigning multiple RMIDs to this user is not allowed for service SSOP.

DavidV
Veteran Member
Posts: 101
That was it. I had to eventually go into LDAP and remove all references to pfadmin and PFADMIN, which showed up on OU=resource; OU=idxref; OU=svcxref / CN=SSOP. Then using security administrator re-add the user using first name: PFADMIN; last name: PFADMIN; and ID: pfadmin. Also set up OS account pfadmin.

Now when I run ldapbind it does the export and now I'm getting the prompt to enter the LDAP provider url to access.

Thanks again.

I'm sure I'm about to create another post for things I'm about to break, but at least I'm past this one.
Univar
Posts: 3
Hello - I'm having the exact same error that DavidV was getting and it appeared to be again due to the pfadmin. I got the error that it didn't exist when I tried to export it. Yet, if I exported everything I could see it.

However, I only found two entries via LDAP which I removed, under the idxref and svcxref / CN=ssop. I couldn't find it under OU=resource.

Then I added pfadmin again via Lawson Security and tried the ldapbind command again. I'm getting the above 'pad block corrupted' error again but this time it won't even restore the original backup file. See below.

Any thoughts?
Thanks, Leslie



Failed to switch to ldap bind. Deatailed Exception is

com.lawson.lawsec.authen.SecurityAuthenException:Message:javax.crypto.BadPaddingException: pad block corrupted
Stack Trace : javax.crypto.BadPaddingException: pad block corrupted
at org.bouncycastle.jce.provider.JCEBlockCipher.engineDoFinal(Unknown Source)
at javax.crypto.Cipher.doFinal(Unknown Source)
at com.lawson.lawsec.authen.LawsonIdentityImpl.decrypt(Unknown Source)
at com.lawson.lawsec.authen.LawsonIdentityImpl.getCredentialProperty(Unknown Source)
at com.lawson.lawsec.authen.LdapBind.getUserInfo(Unknown Source)
at com.lawson.lawsec.authen.LdapBind.main(Unknown Source)

at com.lawson.lawsec.authen.LawsonIdentityImpl.decrypt(Unknown Source)
at com.lawson.lawsec.authen.LawsonIdentityImpl.getCredentialProperty(Unknown Source)
at com.lawson.lawsec.authen.LdapBind.getUserInfo(Unknown Source)
at com.lawson.lawsec.authen.LdapBind.main(Unknown Source)
Restore configuration
............................................
............................................
Failed to reload original services and identities file saved as /apps/lawson/law/system/SSO_EXPORT_100311130539.xml back to LDAP.
DavidV
Veteran Member
Posts: 101
Leslie, I feel your pain.

The restore was automatic and always worked for me. Note there may be other accounts that may be causing the problem. I basically ended up flushing all the users out and rebuilding all the system accounts. First make sure the system accounts are set up in AD, i.e. pfadmin, lawson, lsuser, etc. I used ssoconfig to delete and re-add them into Lawson. Here is a snippet of my notes:
a. It was the pfadmin account. Use ssoconfig option 6-manage Lawson user identity 3-delete SSOP/pfadmin 1-add SSOP/pfadmin/pfadmin/
b. Also created OS account pfadmin/
c. It was corrupted and had to completely remove from ADAM using ADSI edit - connect to law2 configuration dc=mjh,dc=org using mjh/ /
i. O=lwsnrmdata -> OU=resources -> remove pfadmin
ii. O=lwsnSecData -> OU=idxref -> remove PFADMIN
iii. O=lwsnSecData -> OU=svcxref -> CN=SSOP -> remove pfadmin
1. Make absolutely sure all references to pfadmin, upper and lower case, are removed from these 3 places
2. restart the ADAM instance and requery to make doubly sure
iv. could have used Lawson security administrator but I used ssoconfig –c
1. add resource first option 8-lawson resources then option 1-add resource
a. Firstname: PFADMIN;
b. ID: pfadmin – make sure it’s lower case
c. Lastname: PFADMIN
2. add identity option 6-manage Lawson service identities—Make absolute sure you use the correct case
a. Lawson service name: SSOP
b. Lawson resource ID: PFADMIN note it is upper case even though the resource ID was lower case—Don’t know why all others are lower and this one is upper but it matters for this account. Most all others are same case
c. identity property USER: pfadmin this needs to be lower case
d. credential property PASSWORD: -- Make sure the password matches what you have in AD.
3. Make sure ADSI has the proper values for the 3 attributes removed earlier
a. O=lwsnrmdata -> OU=resources -> lower case pfadmin
b. O=lwsnSecData -> OU=idxref -> upper case PFADMIN
c. O=lwsnSecData -> OU=svcxref -> CN=SSOP -> lower case pfadmin
d. Make sure all exist and the case is correct
4. Had to double check all ADAM accounts. I used loadusers to rebuild all the employee accounts and used ssoconfig to delete the SSOP and law9 identities and manually re-added all the system accounts, i.e. mjhelp, tempacct, temphr, volhr, patint, retsen, bcxuser, nightly, faxserv. --!!!! Used Lawson security administrator to validate. If the managed identities for each agent could be viewed without getting an object error then it was clean. If not then I had to rebuild using ssoconfig or loadusers.!!! This is key: if you can't view it in managed identities then it needs to be rebuilt. Note be sure to refresh the cache and wait about 15 to 20 minutes for things to flush through the system.
Univar
Posts: 3
Thanks DavidV - I appreciate all your information. I think I might have found a few bad IDs besides the pfadmin. Thanks also for the details on the PFADMIN account, in regards to case sensitivity.

I have another question for you. Sorry - I didn't get to go to any of the LDAP / Unix training; my co-worker went and then quit a month later. Anyway, I'm noticing that when you remove a person out of Lawson security it will remove the 'resource' entry but it never removes the entry under the idxref or the svcxref / CN=SSOP. Could all that garbage be a part of my problems as well? I'd like to remove them. Do you feel I'm safe to do so?

Thanks again for all the notes. I will follow them and see what I get.
Leslie
Bart Conger
Advanced Member
Posts: 18
If you are having an issue with ldapbind and need to find a bad record, there is a quick and easy way to find those records. Stop your Lawson system. Modify the sso_tracing.properties file. Change:
TRACING_ON=false
SSO_TRACE_TYPES=FSSO,BSSO,API,SSSO

To:
TRACING_ON=true
SSO_TRACE_TYPES=FSSO,BSSO,API,SSSO

Restart Lawson and run the ldapbind. When it dies it will write the last record that it was trying to bind in the log file generated by sso_tracing.properties. This is most likely the culprit. If you have multiple records you may have to perform this several times.
Bart Conger
Advanced Member
Posts: 18
p.s. after finding the issues - be sure to turn it off (back to 'false') otherwise $LAWDIR/system will get pretty messy.
DavidV
Veteran Member
Posts: 101
Leslie,

I remember having to clean up a few things. I would assume it's safe, but I would defer to someone more knowledgeable. Bart had a great idea. That should really help you find the problem accounts. Jxplorer is also a very helpful tool in viewing the ADAM instance and cleaning things up.
Univar
Posts: 3
Hi All,

Your suggestions worked. I got LDAP to bind. I'm having some issues with LBI etc., but I have my theories. If I can't figure them out I'll add a new topic next week.

Thank you all so much for your help!!
Leslie

Goober
Basic Member
Posts: 17
Hey Folks, the way to find exactly which profiles are causing the issue is to:
launch ssoconfig
manage identities
export ALL identities
It will fail and create a log of the identities that had issues in the lase_server_x_x.log file.
Delete them and all should work.
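As an added illustration (not code from this thread or from Lawson) of the mechanism behind John Henley's seed-mismatch explanation and Goober's "export ALL identities" diagnostic: a stored credential with PKCS#7 padding only unpads cleanly under the seed it was encrypted with, so a seed mismatch or a damaged stored value surfaces as "pad block corrupted", and walking every stored identity is what turns up the bad ones. The cipher below is a SHA-256 based CFB-style stand-in for the Bouncy Castle block cipher in the stack trace; the seeds, RMIDs and passwords are constructed.

```python
import hashlib
import os

BLOCK = 16

class BadPadding(Exception):
    pass  # stand-in for javax.crypto.BadPaddingException

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    # The check that fires as 'pad block corrupted': the last byte must be
    # 1..BLOCK and that many trailing bytes must all equal it.
    n = data[-1] if data else 0
    if len(data) % BLOCK or n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise BadPadding("pad block corrupted")
    return data[:-n]

def _cfb(seed: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    # CFB mode over a keyed SHA-256 block function: a stand-in for the real
    # block cipher so this runs on the standard library alone.
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        mask = hashlib.sha256(seed + prev).digest()[:BLOCK]
        res = bytes(a ^ b for a, b in zip(chunk, mask))
        prev = chunk if decrypt else res
        out += res
    return bytes(out)

def encrypt_credential(seed: bytes, password: bytes, iv: bytes = b"") -> bytes:
    iv = iv or os.urandom(BLOCK)
    return iv + _cfb(seed, iv, pkcs7_pad(password), decrypt=False)

def decrypt_credential(seed: bytes, blob: bytes) -> bytes:
    # Mirrors LawsonIdentityImpl.decrypt(): decrypt, then unpad. A wrong seed
    # or damaged ciphertext yields garbage whose padding is almost never valid.
    return pkcs7_unpad(_cfb(seed, blob[:BLOCK], blob[BLOCK:], decrypt=True))

def find_bad_identities(seed: bytes, identities: dict) -> list:
    # In effect what 'export ALL identities' does: try every stored PASSWORD
    # and report the RMIDs that will not decrypt under the current seed.
    bad = []
    for rmid, blob in identities.items():
        try:
            decrypt_credential(seed, blob)
        except BadPadding:
            bad.append(rmid)
    return bad
```

A damaged stored value is reported deterministically; a value encrypted under a different seed is reported in all but roughly 1 in 256 cases, where the garbage happens to end in a valid pad byte, which is why the real tool can still decrypt the occasional bad record into nonsense.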