Error "Could not update master user list" while saving the LDAP Configuration on XenMobile server

book

Article ID: CTX228258

calendar_today

Updated On:

Description

Unable to save LDAP configuration and getting Error "Could not update master user list"

 

For sample logs:
2017-08-21T09:21:30.411-0700 | 3811F15F6AE686BC | INFO | http-nio-14443-exec-11 | com.citrix.cg.identity.ldap.LdapManager | Given baseDN 'dc=domain,dc=example,dc=com'is valid:true 
2017-08-21T09:21:30.921-0700 | 3811F15F6AE686BC | ERROR | http-nio-14443-exec-11 | com.citrix.xms.oca.imil.service.impl.MasterUserListServiceImpl | Could not update Master User List. 
com.citrix.xms.oca.imil.exception.IMILException: Invalid input data in Group base DN 

or

Error:User '' bind failed with domain 'example.domain.com' Reason:Xxx.yyy.zzz.ddd
From the :3269 - We can see the global catalog is rejecting the configuration.

or

In XenMobile Server logs you will come across the following error messages:

2015-12-30T13:20:27.476+0100 | BFEA67E3D920C0B3 | ERROR | http-nio-14443-exec-1 | com.citrix.xms.oca.imil.service.util.LDAPUtils | Check LDAP details validation fails:
javax.naming.CommunicationException: simple bind failed: example.domain.com [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)

2015-12-30T13:20:27.478+0100 | BFEA67E3D920C0B3 | ERROR | http-nio-14443-exec-1 | com.citrix.xms.oca.imil.service.util.LDAPUtils | Error in inputvalidation:
com.citrix.xms.oca.imil.exception.InputDataValidationException: simple bind failed: example.domain.com:636
at com.citrix.xms.oca.imil.service.util.LDAPUtils.checkMasterUserList(LDAPUtils.java:424)

2015-12-30T13:20:27.479+0100 | BFEA67E3D920C0B3 | ERROR | http-nio-14443-exec-1 | com.citrix.cg.bo.spring.impl.InternalUserListServiceImpl | Input Data validation Failed in updateMasterUserList: Please upload the certificate before enable secure connection for LDAP
2015-12-30T13:20:27.482+0100 | BFEA67E3D920C0B3 | ERROR | http-nio-14443-exec-1 | com.citrix.xms.oca.imil.service.impl.MasterUserListServiceImpl | Failed to update Master User List to ZDM
com.citrix.xms.oca.imil.exception.IMILException: Please upload the certificate before enable secure connection for LDAP

Environment

This software application is provided to you as is with no representations, warranties or conditions of any kind. You may use and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that: (a) the software application may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software application fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the software application. In no event should the software application be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SOFTWARE APPLICATION, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the software application.

Resolution

1.This issue usually happens when there is invalid LDAP config.
To verify the LDAP server, run the following command on any user's windows machine:
For finding the user details of the user: dsquery user -name <known username>
For finding the group name: dsquery group -name <known group name>
Once you get the details of the Group DN, add the same on the XenMobile LDAP server settings and you should see it go through.
 
2.Collected logs from the error:User '' bind failed with domain 'example.domain.com' Reason:Xxx.yyy.zzz.ddd
From the :3269 - We can see the global catalog is rejecting the configuration.
Remove the global catalog (No need in this new LDAP configuration) XenMobile Server is able to configure an LDAP connector successfully

3. Complete the following steps to resolve this issue:

  1. Upload the root certificate that signed the DC's certificate. This lets XenMobile trust the DC certificate.

  2. LDAPS certificate should be exported from the DC and imported on the XenMobile. Verify that the correct certificate has been imported to the XenMobile server before configuring LDAP.

Problem Cause

This issue usually happens due to following reasons

  1. When there is invalid LDAP configuration.
  2. Global catalog is rejecting the configuration.
  3. XenMobile is unable to trust to Active directory because the Root (AD) cert was not uploaded on XM Server. 


 

Issue/Introduction

This article summarizes the steps to follow if in case you receiving "Could not update master user list" while saving the LDAP configuration on XenMobile web console.
Powered by Wolken Software