NMAS LDAP Transport Error in iManager 3

  • 7024428
  • 12-Feb-2020
  • 14-May-2021

Environment

iManager 3.x
eDirectory 9.x

Situation

Attempts to set a universal password or use the simple object selector in iManager result in the following error message:

"NMAS LDAP Transport Error"

Other plugins may throw this error as well. Another error that may be thrown is:

"Error: System Error Creating secure SSL LDAP context failed"

Resolution

  1. Identify the certificate being used by the LDAP server. By default, this is the 'SSL CertificateDNS'. If unsure which certificate is assigned, use iManager to navigate to the LDAP Server object and look in the 'Connections' tab.
  2. Identify the value of the 'CN' attribute in the 'Subject name' of the certificate. In iManager, navigate to the certificate assigned to the LDAP server:
     iManager -> Roles and Tasks -> NetIQ Certificate Access -> Server Certificates
     Using the object selector, navigate to the server object. Click on the LDAP certificate and look for the "Subject name" field. It should be similar to the following:
     Subject name:    O=Provo.CN=linux-zeyh.my.org
     Take note of the value of 'CN' (linux-zeyh.my.org in this example). It is used to sign in to iManager in the next step.
  3. Sign out of iManager. Sign in again with the username and password as normal, but in the 'Tree' field enter the 'CN' value from the certificate. For example:
     Username: admin
     Password: s0op3Rs3cR3t
     Tree: linux-zeyh.my.org
     Note that the value entered into the 'Tree' field must be DNS-resolvable. The 'NMAS LDAP Transport Error' should no longer appear.

Cause

The eDirectory 9 LDAP server enforces stricter rules for secure LDAP connections. When a client binds over LDAPS, the server expects the server name the client used to connect to match the name in the server certificate. Mismatched information is rejected, and the rejection is logged as a -5875 error in ndstrace (with the LDAP flag enabled).
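As an added illustration (not part of this TID), the following Python check parses the dotted 'Subject name' that iManager displays and reports whether a given 'Tree' value would satisfy the name comparison described above. The matching rules (certificate CN or a DNS SAN, leftmost-label wildcard only) are standard TLS practice and an assumption here, not something the article specifies; all sample values except the certificate CN from the article are constructed.

```python
"""Pre-check a value for iManager's 'Tree' field against the LDAP server certificate."""
import re


def parse_dotted_subject(subject: str) -> dict:
    """Parse an eDirectory dotted subject such as 'O=Provo.CN=linux-zeyh.my.org'.

    RDNs are separated by '.', but values (e.g. a DNS name) contain dots too,
    so split only on a '.' that is immediately followed by another 'ATTR=' pair.
    """
    parts = re.split(r"\.(?=[A-Za-z]+=)", subject.strip())
    pairs = (p.split("=", 1) for p in parts if "=" in p)
    return {k.strip().upper(): v.strip() for k, v in pairs}


def _hostname_matches(name: str, pattern: str) -> bool:
    """Case-insensitive DNS match; '*' is allowed only as the whole leftmost label."""
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        n_labels, p_labels = name.split("."), pattern.split(".")
        return len(n_labels) == len(p_labels) and n_labels[1:] == p_labels[1:]
    return name == pattern


def check_tree_field(tree_value: str, subject: str, san_dns=()) -> tuple:
    """Return (ok, message): ok is True when tree_value matches the certificate.

    san_dns: optional dNSName SAN entries; iManager shows only the subject,
    so pass them if you have read them from the certificate elsewhere.
    """
    cn = parse_dotted_subject(subject).get("CN")
    candidates = [n for n in (cn, *san_dns) if n]
    if not candidates:
        return False, "certificate carries no CN or DNS SAN to match against"
    if any(_hostname_matches(tree_value, c) for c in candidates):
        return True, f"'{tree_value}' matches certificate name(s) {candidates}"
    return False, (f"'{tree_value}' does not match {candidates}; expect "
                   f"'NMAS LDAP Transport Error' (-5875 in ndstrace). "
                   f"Enter '{cn}' in the Tree field instead.")


if __name__ == "__main__":
    SUBJECT = "O=Provo.CN=linux-zeyh.my.org"   # CN taken from the article
    # Constructed Tree-field values: a tree name, an IP and the certificate CN.
    for value in ("MYTREE", "192.0.2.10", "linux-zeyh.my.org"):
        ok, msg = check_tree_field(value, SUBJECT)
        print("OK  " if ok else "FAIL", msg)
```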