NetIQ LDAP Proxy 1.5.2

October 2016

NetIQ LDAP Proxy 1.5.2 includes new features and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the LDAP Proxy Community Support Forums, our community Web site that also includes product notifications, blogs, and product user groups

For a full list of all issues resolved in LDAP Proxy 1.5, refer to TID 7016328, “History of Issues Resolved in LDAP Proxy 1.5”.

For information about what’s new in previous releases, see the “Previous Releases” section in the LDAP Proxy Documentation Web site.

To download this product, see the NetIQ Downloads Web site. For more information about LDAP Proxy, see the LDAP Proxy Documentation Web site.

For information about services and components bundled with LDAP Proxy 1.5.2, see Section 4.0, Additional Documentation.

1.0 What’s New

LDAP Proxy 1.5.2 provides the following key features, enhancements, and fixes in this release:

1.1 New Features

This release introduces the following new features:

New Utility for Certificate Management

LDAP Proxy 1.5.2 introduces nlpcert as the new certificate management utility. This utility is bundled with the LDAP Proxy package and does not require any additional configuration. nlpcert utility uses a PKCS#12 certificate file with a private key information and convert it to PEM format. It also decrypts the private key information and store it in the local secret store. For more information, see in the LDAP Proxy Administration Guide.

NOTE:nlpexportcert utility will be not be available any more with LDAP Proxy 1.5.2 onwards. Certificate files created by this utility should be converted using the nlpcert.

Support for New Operating Systems

This release extends support for the following operating systems:

  • Suse Linux Enterprise Server (SLES) 12 at a minimum, and later service packs.

  • Red Hat Enterprise Linux (RHEL) 7 at a minimum, and later service packs.

1.2 Fixed Issues

This release includes software fixes for the following components:

LDAP Proxy Displays Error When Active Directory Backend Is Configured With External Certificate Authority (CA)

Issue: LDAP Proxy displays an error when Active Directory backend is configured with an external CA.

Fix: This release updates LDAP Proxy to function properly when the Active Directory backend is configured with external CA.

2.0 Installation

2.1 System Requirements

Ensure that you have the following operating system and hardware requirements for installing the LDAP Proxy:

Operating Systems Requirements

Install the LDAP Proxy Server and NLPManager on the following 64-bit operating systems:

  • SLES 11 at a minimum, and later service packs

  • SLES 12 at a minimum, and later service packs

  • RHEL 6 at a minimum, and later service packs

  • RHEL 7 at a minimum, and later service packs

Hardware Requirements

Ensure that you have the following resource requirements to install and configure the LDAP Proxy Server and the NLPManager:

  • For LDAP Proxy Server:

    • A minimum of 128 MB of RAM

    • A minimum of 30 MB of disk space

  • For NLPManager:

    • A minimum of 1 GB RAM

    • A minimum of 256 MB disk space

    IMPORTANT:You must install the and libraries on your system before installing LDAP Proxy.

2.2 Installing the LDAP Proxy

Use the nlp-install command in the ldapproxy directory for installing the NetIQ LDAP Proxy:


For more information about how to install NetIQ LDAP Proxy, refer to the NetIQ LDAP Proxy 1.5 Installation Guide.

2.3 Installing NLPManager

You can download NetIQ NLPManager from the NetIQ Downloads.

For more information about how to install NLPManager, refer to the NetIQ LDAP Proxy 1.5 Administration Guide.

3.0 Known Issues

3.1 LDAP Proxy Crashes on SLES 12 SP2 and SP3

LDAP Proxy is crashing while starting on SLES 12 SP and SP3. NetIQ recommends to avoid installing LDAP Proxy on these two platforms.

3.2 Unable to Block Search Selection Attribute

If you have configured the proxy to allow a specific search selection attribute, and if this attribute is concatenated with restricted attributes, the search results also contain the restricted attributes. For example, the following policy node is configured to allow only cn as a search selection attribute. In such a case, a search request with the selection attribute sn is rejected. However, a search request with the search selection attribute list as cn sn returns the values with sn.

<policy-connection-route id-policy="multi-value RDNs">
     <if-bind-dn op="equal">cn=john+uid=3517,ou=eng_dept1,o=my_company</if-bind-dn>
   <if-bind-dn op="equal">uid=3517+cn=john,ou=eng_dept1,o=my_company</if-bind-dn>

<policy-search-request id-policy="testing738911" disabled="false"> <description>search restriction operation to test if-srch-selection-attrcase-ignore equals cn</description> <rule> <conditions> <if-srch-selection-attr op="not-equal"match="case-ignore">cn</if-srch-selection-attr> </conditions> <actions> <do-deny /></actions> <actions-default> <do-allow /></actions-default> </rule> </policy-search-request>

3.3 Using SSL Clients When There are Many Incoming Connections

If the connection between the proxy and the backend server is configured for SSL, the performance of the proxy server could potentially degrade if the number of incoming connections is high.

3.4 Using a Connection Pool

When a connection pool is enabled, the LDAP Proxy sends an anonymous bind request to the backend server to nullify the connection identity. If the backend server is not configured for anonymous bind, the connection pool feature does not work.

For the connection pool feature to work, anonymous bind must be enabled on the backend server.

3.5 NLPManager Throws a NullPointerException Error

In certain cases, in NLPManager, when you try to close multiple instances of the Listeners, Backend servers, or Backend Server Groups tabs in the editor pane, the application throws the NullPointerException error. It is safe to ignore this exception because it does not cause any loss of functionality.

3.6 NLPManager Throws an Application Error

In certain cases, NLPManager throws an application error when you launch and close the application for the first time. This error is displayed in the Error Log tab when you launch the application again. The error does not occur subsequently and does not affect the functionality of the application. You can either delete the error from the error log or ignore it.

3.7 Launching NLPManager on Another Linux System

NLPManager throws an application error message indicating Error Line : org.eclipse.swt.SWTError: No more handles [gtk_init_check() failed]when you try to log in to another Linux system and launch NLPManager without the -X option. This is an informational error that can be ignored.

However, you must always use the -X option while logging in to another Linux system where NLPManager is installed.

3.8 Handling a Start TLS Extended Request

When the LDAP Proxy receives a Start TLS extended request, it forwards the request to the backend server. Any Start TLS error from the backend server is ignored.

3.9 Starting NLPManager on RHEL

When you try to start NLPManager on RHEL, an error message indicating “Cannot restore segment prot after reloc: Permission denied. appears.

This is caused by the SeLinux security extension. SeLinux is active in the newer distributions of Linux with 2.6. kernels. It changes some default system behavior, including the shared library loading.

To temporarily disable enforcement on a running system, run the following command:

/usr/sbin/setenforce 0

To permanently disable enforcement during a system startup:

Set SELINUX=disabled at /etc/selinux/config and reboot the machine.

3.10 Disabled Policies Are Processed

The LDAP Proxy processes disabled policies without checking their disabled status.

3.11 The Search Base Is Not Modified in the LDAPSearch Response

The Search Request policy does not change the requested search base in the LDAP search response.

To modify the search base, use the Replace String policy.

3.12 The Schema Map Policy Does Not Map the Attribute Values

The Schema Map policy maps only the DN and the attribute names of the attributes it is mapping.

3.13 The String Replacement Policy Does Not Replace the Object Identifiers by the Attribute Types

The String Replacement policy does not map the object identifiers with the corresponding attribute types.

To resolve this issue, configure a different replacement pattern in the String Replacement policy.

To replace o=organization with o=example, you can add an extra pattern with object identifiers. For example, you can change to


3.14 Configuring a Search Policy for op="show-only" Containers

The filter is not replaced if a search policy is configured for op="show-only" containers. The Replace String policy does not use the filter that is internally created by the Restrict View to query the LDAP server. The attribute values in the filter created by the Restrict View policy are not replaced.

To work around this issue, configure the Restrict View policy to use the actual DNs present in the LDAP server.

3.15 Listener Issues

Using the Same Listener Name in the NLPManager

In the NLPManager, the LDAP Proxy does not check for the existing listener names. It allows users to use the same name for more than one listener.

Using an Empty Listener Name

The LDAP Proxy allows empty listener names. If you specify a name for a listener that was saved earlier with an empty name, the new value is not accepted. The listener name field remains empty.

To work around this issue, manually add the listener name value in the configuration file.

3.16 LDAP Proxy Binds to the Same Server Again After Receiving Server Information from modDNcache

While performing a search operation, if the URL of the server returned by modDNcache and the URL of the server on which the bind occurred are the same, LDAP proxy rebinds to the same server.

3.17 The ldapsearch Operation on Proxy Hangs if the Backend Server is Configured on Clear Text Port

The startTLS request fails and causes LDAP proxy to hang when you configure an LDAP Proxy listener on a clear text port with a certificate and a backend server on a non-SSL port, and then do not include the server certificate in the /etc/opt/novell/ldapproxy/conf/ssl/trustedcert folder.

4.0 Additional Documentation

4.1 NLP Manager

For information about NLP Manager, refer to the NetIQ LDAP Proxy 1.5 Administration Guide.

4.2 Certificate Server

For Certificate Server information, refer to the Certificate Server online documentation.

4.3 NICI 2.7.7

For NICI information, refer to the NICI online documentation.

5.0 Legal Notices

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see

Copyright © 2016 NetIQ Corporation, a Micro Focus company. All Rights Reserved.