Troubleshooting guide
Chapter 8 Troubleshooting LDAP Servers and the AMC Known configuration problems
Advanced Technical Reference Guide 4.1 • June 2000 86
2. Confirm the administrator’s name and password. This step establishes communications between the LDAP Server
and the Administration Server.
Do not change the administrator’s name or password: the previous step is performed only to establish
communications between the LDAP Server and the Administration Server.
Problem: What are the restrictions for the LDAP parameters in the VPN-1/FireWall-1
properties?
Answer: The following parameters are configurable in the properties; the defaults are in parentheses:
• Time-out on LDAP requests – this cannot be larger than the TCP timeout (20)
• Time out on cached Users (900)
• User Cache Size (1000)
• Password expiration in days (90)
• Allowed number of Entries which the Account Units returns (10000)
Except for the Time-Out on LDAP requests, there are no restrictions on these values.
You should note that:
• During installation of policy, the system cleans the cached memory.
• Most servers allow similar definitions on the server side. For example, the size limit could be configured to 100
on the server’s side and 10000 on VPN-1/FireWall-1. The effective size limit is the minimum of the two (100) in
this case.
• There was a bug which caused the ‘time out on cached users’ value to be ignored when it was larger than
900 seconds and the user authenticated with certificates. This bug has been fixed in VPN-1 4.1 SP2 and
VPN-1 4.0 SP6 (for more information see PKI Issues related to LDAP on page 91).
AMC Configuration problem
Problem: If the AMC cannot connect to the LDAP server from within VPN-1/FireWall-1, then
check one of the following:
• Account Unit definitions in VPN-1/FireWall-1 are not correct. Check the login and password fields in the
Account Unit window.
• LDAP server is not up; check that the ‘service’ is running.
• LDAP server is not configured correctly.
• Check that the “login DN” you have configured has root permission or at least write permission in the
access control configuration of the server.
• Check that there are no special configurations in the access control configuration of the server that block the
host from which you are running the AMC.
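The checklist above distinguishes three failures that look alike from the AMC: the LDAP service is not running, the login DN or password is wrong, and the login DN binds but lacks write permission. The following script is an added example and is not part of the original guide or of any Check Point tool. It builds an LDAP simple bind request by hand (RFC 4511 BER encoding), parses the bind response, and maps the result code back to the checklist items. The host name, port, DN and password are placeholders; the sample response bytes are constructed here for the offline demonstration.

```python
import socket

# --- minimal BER (ASN.1) helpers -------------------------------------------
def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    """Tag-length-value envelope."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value, tag=0x02):
    """Non-negative INTEGER (0x02) or ENUMERATED (0x0a); keeps the sign bit clear."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return tlv(tag, body)

def read_tlv(buf):
    """Split one TLV off the front of buf; returns (tag, value, remainder)."""
    tag, first = buf[0], buf[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        length, offset = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[offset:offset + length], buf[offset + length:]

# --- LDAP bind messages ------------------------------------------------------
def bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] {version 3, name, simple [0]} }."""
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(message_id) + op)

def bind_response(message_id, result_code, matched_dn="", diagnostic=""):
    """Encoder for BindResponse [APPLICATION 1]; used here only to construct sample data."""
    op = tlv(0x61, ber_int(result_code, 0x0A) + tlv(0x04, matched_dn.encode())
             + tlv(0x04, diagnostic.encode()))
    return tlv(0x30, ber_int(message_id) + op)

def parse_bind_response(data):
    """Decode the LDAPResult fields of a BindResponse into a dict."""
    tag, body, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, body = read_tlv(body)
    tag, op, _ = read_tlv(body)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    tag, code, op = read_tlv(op)
    _, matched, op = read_tlv(op)
    _, diag, _ = read_tlv(op)
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}

# LDAP result codes (RFC 4511) mapped onto the items of the checklist above.
DIAGNOSIS = {
    0:  "bind succeeded: credentials and DN are correct",
    32: "noSuchObject: the login DN does not exist on the server",
    49: "invalidCredentials: check the login and password fields of the Account Unit",
    50: "insufficientAccessRights: the login DN lacks permission in the server's access control",
    53: "unwillingToPerform: the server refuses the operation; check the server configuration",
}

def diagnose(result_code):
    return DIAGNOSIS.get(result_code, "LDAP result code %d: see the server's access log" % result_code)

def check_ldap_bind(host, port, dn, password, timeout=20):
    """Connect, bind and return a checklist diagnosis. Timeout mirrors the 20 s LDAP request limit."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(bind_request(1, dn, password))
            return diagnose(parse_bind_response(sock.recv(4096))["result_code"])
    except ConnectionRefusedError:
        return "connection refused: the LDAP service is not running on %s:%d" % (host, port)
    except socket.timeout:
        return "no answer within %d s: host unreachable or request timed out" % timeout

if __name__ == "__main__":
    # Placeholder host and credentials; replace with the Account Unit values when testing for real.
    print(check_ldap_bind("ldap.example.invalid", 389, "cn=admin,o=example", "placeholder"))
```

A successful bind only proves the first two checklist items; write permission for the login DN is still only visible when the AMC creates or modifies an entry, at which point the server answers with result code 50 (insufficientAccessRights) rather than 49.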
When you create a new user on the LDAP Server using the AMC, the name you enter in the “Login Name”
field will be the login name to use when authenticating to VPN-1/FireWall-1.
Make sure there is no other user with the same login name.