SecureAuth IdP Version Affected: 9.0+
Description: After an upgrade or migration, realms time out during authentication attempts when the data store is configured to connect to a Novell e-Directory using LDAPS. When looking through debug logs, you see that LDAPMembership calls successfully complete, but the process stops when the appliance tries to pull user attributes and you do NOT see LDAPProvider.GetProperties and LDAPProvider.SetProperties during the login attempt.
Cause: In older versions of the appliance, LDAPS is hard coded to use 636 when Connection Type of Secured or SSL is selected. In newer versions of the appliance, this is no longer the case, and the appliance will default to port 389 unless a port number is explicitly defined in the Profile Provider section (using "Same as Above" for Profile Provider settings is insufficient and may fail).
Resolution: Explicitly define the connection settings to the Novell e-Directory for Profile Provider, and append :636 to the connection string if using the default LDAPS port. If a different port number is being used by the e-Directory, then e-Directory settings take precedence when appending to the connection string.
Original connection string - LDAP://fqdn.com/O=Store
New connection string - LDAP://fqdn.com:636/O=Store
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.