Skip to main content
S
stevee43858177
Participant
October 6, 2021
Answered

Issue with ColdFusion 2018 and LDAPS connection via CFLDAP

  • October 6, 2021
  • 2 replies
  • 203 views

I am attempting to migrate a CF10 application to CF2018 that uses a CFLDAP call to an Active Directory server and is experiencing failures. We have already used keytool to import the AD server certificate, and we have verified connectivity by telnet <ip address>:636 and can create a connection via openssl s_client -connect <ip address>:636.

 

We use CFSSL_BASIC, port 636, and are getting this error on the LDAP call:

Detail: One or more of the required attributes may be missing or incorrect or you do not have permissions to execute this operation on the server.
Operation: query :<ip address>:636


I have noted in the coldfusion-error.log an error that occurs when CF restarts:

INFO: The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [C:\ColdFusion2018\cfusion\lib;C:\ColdFusion2018\cfusion\jintegra\bin;C:\ColdFusion2018\cfusion\jintegra\bin\international;C:\ColdFusion2018\cfusion\lib\oosdk\classes\win;C:\\ColdFusion2018\\jre\bin]


My hypothesis is that I am missing a library and/or don't have the correct directory in the PATH?

 

System details:

  • ColdFusion 2018,0,11,326016 Enterprise
  • WIndows Server 2016
  • Java version 11.0.1
  • Java home: C:\ColdFusion2018\jre
  • Tomcat: 9.0.41.0

 

    This topic has been closed for replies.
    Correct answer stevee43858177

    Update - success!

    After reading the release notes at https://www.oracle.com/java/technologies/javase/11-0-1-relnotes.html,  I added  -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to the java command. In this JVM version, some additional checks were added to LDAPS connections. I'll investigate that and fix the connection issue later so we can enable strict endpoint identification, but the connection works now

    2 replies

    S
    stevee43858177AuthorCorrect answer
    Participant
    October 11, 2021

    Update - success!

    After reading the release notes at https://www.oracle.com/java/technologies/javase/11-0-1-relnotes.html,  I added  -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to the java command. In this JVM version, some additional checks were added to LDAPS connections. I'll investigate that and fix the connection issue later so we can enable strict endpoint identification, but the connection works now

      S
      stevee43858177Author
      Participant
      October 7, 2021

      I got one private reply, thanks for that!

      As an update, I had our network admin do a packet capture for all traffic from my test servers to the two Active Directory servers I was using for testing, and she saw no traffic. There are no firewall rules blocking this outbound traffic, leading me to believe that the ColdFusion servers aren't even attempting to initiate a connection.

      Terms & ConditionsAccessibility statement
      Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices