NetIQ LDAP Proxy 1.5.2

October 2016

NetIQ LDAP Proxy 1.5.2 includes new features and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the LDAP Proxy Community Support Forums, our community Web site that also includes product notifications, blogs, and product user groups.

For a full list of all issues resolved in LDAP Proxy 1.5, refer to TID 7016328, “History of Issues Resolved in LDAP Proxy 1.5”.

For information about what’s new in previous releases, see the “Previous Releases” section in the LDAP Proxy Documentation Web site.

To download this product, see the NetIQ Downloads Web site. For more information about LDAP Proxy, see the LDAP Proxy Documentation Web site.

For information about services and components bundled with LDAP Proxy 1.5.2, see Section 4.0, Additional Documentation.

1.0 What’s New

LDAP Proxy 1.5.2 provides the following key features, enhancements, and fixes in this release:

1.1 New Features

This release introduces the following new features:

New Utility for Certificate Management

LDAP Proxy 1.5.2 introduces nlpcert as the new certificate management utility. This utility is bundled with the LDAP Proxy package and does not require any additional configuration. The nlpcert utility takes a PKCS#12 certificate file that contains the private key and converts it to PEM format. It also decrypts the private key and stores it in the local secret store. For more information, see the LDAP Proxy Administration Guide.

NOTE: The nlpexportcert utility is no longer available from LDAP Proxy 1.5.2 onwards. Certificate files created by this utility should be converted using nlpcert.

Support for New Operating Systems

This release extends support for the following operating systems:

  • SUSE Linux Enterprise Server (SLES) 12 at a minimum, and later service packs.

  • Red Hat Enterprise Linux (RHEL) 7 at a minimum, and later service packs.

1.2 Fixed Issues

This release includes software fixes for the following components:

LDAP Proxy Displays Error When Active Directory Backend Is Configured With External Certificate Authority (CA)

Issue: LDAP Proxy displays an error when Active Directory backend is configured with an external CA.

Fix: This release updates LDAP Proxy to function properly when the Active Directory backend is configured with external CA.

2.0 Installation

2.1 System Requirements

Ensure that your system meets the following operating system and hardware requirements before installing the LDAP Proxy:

Operating Systems Requirements

Install the LDAP Proxy Server and NLPManager on the following 64-bit operating systems:

  • SLES 11 at a minimum, and later service packs

  • SLES 12 at a minimum, and later service packs

  • RHEL 6 at a minimum, and later service packs

  • RHEL 7 at a minimum, and later service packs

Hardware Requirements

Ensure that you have the following resource requirements to install and configure the LDAP Proxy Server and the NLPManager:

  • For LDAP Proxy Server:

    • A minimum of 128 MB of RAM

    • A minimum of 30 MB of disk space

  • For NLPManager:

    • A minimum of 1 GB RAM

    • A minimum of 256 MB disk space

IMPORTANT: You must install the libstdc++.so.5 and libstdc++.so.6 libraries on your system before installing LDAP Proxy.

2.2 Installing the LDAP Proxy

Use the nlp-install command in the ldapproxy directory for installing the NetIQ LDAP Proxy:

./nlp-install

For more information about how to install NetIQ LDAP Proxy, refer to the NetIQ LDAP Proxy 1.5 Installation Guide.

2.3 Installing NLPManager

You can download NetIQ NLPManager from the NetIQ Downloads.

For more information about how to install NLPManager, refer to the NetIQ LDAP Proxy 1.5 Administration Guide.

3.0 Known Issues

3.1 LDAP Proxy Crashes on SLES 12 SP2 and SP3

LDAP Proxy crashes while starting on SLES 12 SP2 and SP3. NetIQ recommends that you avoid installing LDAP Proxy on these two platforms.

3.2 Unable to Block Search Selection Attribute

If you have configured the proxy to allow a specific search selection attribute, and this attribute is combined in one request with restricted attributes, the search results also contain the restricted attributes. For example, the following policy node is configured to allow only cn as a search selection attribute. In this case, a search request with the selection attribute sn is rejected. However, a search request whose search selection attribute list is cn sn returns the values of sn as well.

<policy-connection-route id-policy="multi-value RDNs">
  <rule>
    <conditions>
      <or>
        <if-bind-dn op="equal">cn=john+uid=3517,ou=eng_dept1,o=my_company</if-bind-dn>
        <if-bind-dn op="equal">uid=3517+cn=john,ou=eng_dept1,o=my_company</if-bind-dn>
      </or>
    </conditions>
    <actions>
      <do-deny/>
    </actions>
    <actions-default>
      <do-nothing/>
    </actions-default>
  </rule>
</policy-connection-route>

<policy-search-request id-policy="testing738911" disabled="false">
  <description>search restriction operation to test if-srch-selection-attr case-ignore equals cn</description>
  <rule>
    <conditions>
      <if-srch-selection-attr op="not-equal" match="case-ignore">cn</if-srch-selection-attr>
    </conditions>
    <actions>
      <do-deny />
    </actions>
    <actions-default>
      <do-allow />
    </actions-default>
  </rule>
</policy-search-request>
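The following Python script is an added example, not LDAP Proxy's own policy engine. It parses the search-request policy above and evaluates it against the attribute list of a search request in two ways: a per-attribute evaluation, in which the deny rule fires as soon as any requested attribute fails the condition, and an assumed model of the faulty behaviour described in this known issue, in which the rule fires only when every requested attribute fails the condition, so that the list cn sn is let through. The quantifier difference, the "disabled" handling, and the sample attribute lists are assumptions made for the illustration.

```python
"""Per-attribute evaluation of an LDAP Proxy style search-request policy.

Added example (not the product's own policy engine). It models the symptom
in known issue 3.2: a check that needs every requested attribute to fail the
condition lets 'cn sn' through, while a check that fires on any single
failing attribute denies it.
"""
import xml.etree.ElementTree as ET

# The policy from the release notes: deny unless the selection attribute is cn.
POLICY_XML = """\
<policy-search-request id-policy="testing738911" disabled="false">
  <rule>
    <conditions>
      <if-srch-selection-attr op="not-equal" match="case-ignore">cn</if-srch-selection-attr>
    </conditions>
    <actions><do-deny/></actions>
    <actions-default><do-allow/></actions-default>
  </rule>
</policy-search-request>
"""

# Verdict produced by each do-* action element (assumed mapping).
ACTIONS = {"do-deny": "deny", "do-allow": "allow", "do-nothing": "allow"}


def _condition_holds(cond, attr):
    """Evaluate one <if-srch-selection-attr> element against a single attribute name."""
    expected = (cond.text or "").strip()
    if cond.get("match") == "case-ignore":
        expected, attr = expected.lower(), attr.lower()
    equal = attr == expected
    return equal if cond.get("op", "equal") == "equal" else not equal


def _first_action(parent):
    """Return the verdict named by the first do-* child of <actions> or <actions-default>."""
    child = next(iter(parent), None)
    return ACTIONS[child.tag] if child is not None else "allow"


def evaluate(policy_xml, requested_attrs, per_attribute=True):
    """Return 'allow' or 'deny' for a search request asking for requested_attrs.

    per_attribute=True : the rule fires if its conditions hold for ANY requested
                         attribute (each attribute is checked on its own).
    per_attribute=False: assumed model of the faulty behaviour: the rule fires
                         only if its conditions hold for ALL requested attributes,
                         so a list that mixes cn with restricted attributes passes.
    """
    root = ET.fromstring(policy_xml)
    if root.get("disabled") == "true":
        return "allow"  # a disabled policy must not fire (assumed; cf. known issue 3.10)
    attrs = list(requested_attrs)
    quantifier = any if per_attribute else all
    for rule in root.findall("rule"):
        conds = list(rule.find("conditions"))
        fired = bool(attrs) and quantifier(
            all(_condition_holds(c, a) for c in conds) for a in attrs
        )
        return _first_action(rule.find("actions" if fired else "actions-default"))
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests: the attribute lists named in the known issue.
    for attrs in (["cn"], ["sn"], ["cn", "sn"]):
        print(attrs, "-> per-attribute:", evaluate(POLICY_XML, attrs),
              "| list-level model:", evaluate(POLICY_XML, attrs, per_attribute=False))
```

The per-attribute evaluation is the behaviour an administrator expects from a selection-attribute restriction: a request is only as permissive as its most restricted attribute, so adding sn to an otherwise permitted request cannot widen what the backend returns.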

3.3 Using SSL Clients When There are Many Incoming Connections

If the connection between the proxy and the backend server is configured for SSL, the performance of the proxy server could potentially degrade if the number of incoming connections is high.

3.4 Using a Connection Pool

When a connection pool is enabled, the LDAP Proxy sends an anonymous bind request to the backend server to nullify the connection identity. If the backend server is not configured for anonymous bind, the connection pool feature does not work.

For the connection pool feature to work, anonymous bind must be enabled on the backend server.

3.5 NLPManager Throws a NullPointerException Error

In certain cases, in NLPManager, when you try to close multiple instances of the Listeners, Backend servers, or Backend Server Groups tabs in the editor pane, the application throws the NullPointerException error. It is safe to ignore this exception because it does not cause any loss of functionality.

3.6 NLPManager Throws an Application Error

In certain cases, NLPManager throws an application error when you launch and close the application for the first time. This error is displayed in the Error Log tab when you launch the application again. The error does not occur subsequently and does not affect the functionality of the application. You can either delete the error from the error log or ignore it.

3.7 Launching NLPManager on Another Linux System

NLPManager throws an application error message indicating Error Line : org.eclipse.swt.SWTError: No more handles [gtk_init_check() failed] when you try to log in to another Linux system and launch NLPManager without the -X option. This is an informational error that can be ignored.

However, you must always use the -X option while logging in to another Linux system where NLPManager is installed.

3.8 Handling a Start TLS Extended Request

When the LDAP Proxy receives a Start TLS extended request, it forwards the request to the backend server. Any Start TLS error from the backend server is ignored.

3.9 Starting NLPManager on RHEL

When you try to start NLPManager on RHEL, an error message indicating “Cannot restore segment prot after reloc: Permission denied” appears.

This is caused by the SELinux security extension. SELinux is active in the newer Linux distributions with 2.6 kernels. It changes some default system behavior, including shared library loading.

To temporarily disable enforcement on a running system, run the following command:

/usr/sbin/setenforce 0

To permanently disable enforcement during a system startup:

Set SELINUX=disabled at /etc/selinux/config and reboot the machine.

3.10 Disabled Policies Are Processed

The LDAP Proxy processes disabled policies without checking their disabled status.

3.11 The Search Base Is Not Modified in the LDAPSearch Response

The Search Request policy does not change the requested search base in the LDAP search response.

To modify the search base, use the Replace String policy.

3.12 The Schema Map Policy Does Not Map the Attribute Values

The Schema Map policy maps only the DN and the attribute names of the attributes it is mapping.

3.13 The String Replacement Policy Does Not Replace the Object Identifiers by the Attribute Types

The String Replacement policy does not map the object identifiers with the corresponding attribute types.

To resolve this issue, configure a different replacement pattern in the String Replacement policy.

To replace o=organization with o=example, add an extra pattern that uses the object identifier form of the attribute type. For example, also change 2.5.4.10=organization to 2.5.4.10=example.

<replace>
  <from>o=organization</from>
  <to>o=example</to>
</replace>
<replace>
  <from>2.5.4.10=organization</from>
  <to>2.5.4.10=example</to>
</replace>
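The following Python script is an added example and is not the product's String Replacement policy. It applies the two <replace> patterns above to sample DNs (constructed for this illustration) and shows why the second pattern is needed: an RDN attribute type may be written either as its descriptor (o) or as its numeric OID (2.5.4.10), and a text replacement keyed on one spelling misses the other. It also shows the alternative of mapping OIDs to descriptors before matching, so that a single pattern covers both spellings. The OID table, the normalize_types function and the replace_dn function are assumptions of the example; the OID values themselves are the standard ones.

```python
"""DN attribute-type normalization before string replacement.

Added example, not LDAP Proxy's own String Replacement policy. RFC 4514
allows an RDN attribute type to be written as a descriptor (o) or as its
OID (2.5.4.10), so a pattern that only matches o=organization leaves
2.5.4.10=organization untouched (known issue 3.13).
"""
import re

# The two replacement patterns from the release notes (from, to).
REPLACE_PATTERNS = [
    ("o=organization", "o=example"),
    ("2.5.4.10=organization", "2.5.4.10=example"),
]

# Assumed descriptor table: only the types used in this example. A deployment
# would take the full table from the directory schema. The OIDs are standard.
OID_TO_DESCRIPTOR = {
    "2.5.4.3": "cn",
    "2.5.4.4": "sn",
    "2.5.4.10": "o",
    "2.5.4.11": "ou",
    "0.9.2342.19200300.100.1.1": "uid",
}

# Attribute type at the start of the DN or right after an RDN separator (',' or '+').
# Assumption: attribute values contain no escaped separators ("\," or "\+").
_TYPE_AT_RDN_START = re.compile(
    r"(?:^|(?<=[,+]))\s*([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)(?==)"
)


def normalize_types(dn):
    """Rewrite every RDN attribute type to its lower-case descriptor form."""
    def to_descriptor(match):
        attr_type = match.group(1)
        return OID_TO_DESCRIPTOR.get(attr_type, attr_type).lower()
    return _TYPE_AT_RDN_START.sub(to_descriptor, dn)


def replace_dn(dn, patterns=REPLACE_PATTERNS, normalize=False):
    """Apply literal (from, to) patterns to a DN, optionally normalizing types first."""
    if normalize:
        dn = normalize_types(dn)
    for old, new in patterns:
        dn = dn.replace(old, new)
    return dn


if __name__ == "__main__":
    single = [("o=organization", "o=example")]
    # Constructed sample DNs: the same entry written with descriptors and with OIDs.
    for dn in ("cn=john,o=organization", "cn=john,2.5.4.10=organization"):
        print(dn)
        print("  one pattern        :", replace_dn(dn, single))
        print("  both patterns      :", replace_dn(dn))
        print("  normalize + pattern:", replace_dn(dn, single, normalize=True))
```

Keeping both patterns, as the release notes recommend, fixes the symptom for this one attribute; normalizing the attribute types first is the general form of the same fix, because every type the directory can express in OID form is then matched by the descriptor pattern.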

3.14 Configuring a Search Policy for op="show-only" Containers

The filter is not replaced if a search policy is configured for op="show-only" containers. The Replace String policy does not use the filter that is internally created by the Restrict View to query the LDAP server. The attribute values in the filter created by the Restrict View policy are not replaced.

To work around this issue, configure the Restrict View policy to use the actual DNs present in the LDAP server.

3.15 Listener Issues

Using the Same Listener Name in the NLPManager

In the NLPManager, the LDAP Proxy does not check for existing listener names. It allows users to use the same name for more than one listener.

Using an Empty Listener Name

The LDAP Proxy allows empty listener names. If you specify a name for a listener that was saved earlier with an empty name, the new value is not accepted. The listener name field remains empty.

To work around this issue, manually add the listener name value in the configuration file.

3.16 LDAP Proxy Binds to the Same Server Again After Receiving Server Information from modDNcache

While performing a search operation, if the URL of the server returned by modDNcache and the URL of the server on which the bind occurred are the same, LDAP proxy rebinds to the same server.

3.17 The ldapsearch Operation on Proxy Hangs if the Backend Server is Configured on Clear Text Port

The startTLS request fails and causes LDAP proxy to hang when you configure an LDAP Proxy listener on a clear text port with a certificate and a backend server on a non-SSL port, and then do not include the server certificate in the /etc/opt/novell/ldapproxy/conf/ssl/trustedcert folder.

4.0 Additional Documentation

4.1 NLP Manager

For information about NLP Manager, refer to the NetIQ LDAP Proxy 1.5 Administration Guide.

4.2 Certificate Server

For Certificate Server information, refer to the Certificate Server online documentation.

4.3 NICI 2.7.7

For NICI information, refer to the NICI online documentation.

5.0 Legal Notices

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.

Copyright © 2016 NetIQ Corporation, a Micro Focus company. All Rights Reserved.