Participating Frequently
December 13, 2019
Question

LDAPs (SSL) set up simple bind failed 636


Need to switch to LDAPS (LDAP over SSL) before Microsoft turns off LDAP in January 2020 - but cannot get it to work.

  • Created certificate on Cold Fusion server (checked using ldp.exe).
  • Exported it to a Base64-encoded X.509 format xxx.cer certificate file.
  • Added it to the cacerts file using keytool, this being under the JVM listed in the Cold Fusion Admin page (and checked contents using -v option).
  • Amended the existing cfldap tag to include port="636" and secure="CFSSL_BASIC"
  • Ran test - and it failed with:

    An error has occurred while trying to execute query :simple bind failed: xxxx.xxxx:636.
    One or more of the required attributes may be missing or incorrect or you do not have
    permissions to execute this operation on the server.

Has anyone any ideas to fix it?


Community Expert
December 14, 2019

What version of CF are you using? LDAPS uses TLS (aka SSL), and TLS cipher support etc changes frequently. Older versions of CF will have problems with newer versions of TLS.

Dave Watts, Eidolon LLC
Participating Frequently
December 16, 2019

We are on version 10 (out of support in May 2017), and have plans to upgrade next year.

(Trouble is Microsoft is turning off unsecured LDAP before then in January - which is why I'm doing this task first). 

Community Expert
December 17, 2019

This is going to be a pretty vague answer.

ColdFusion 10 comes with either Java 6 or 7, I forget which. These are very old versions of Java. You may have to upgrade your JVM. Older JVMs don't support the newer TLS ciphers and so on that you might need. You may have to install updates to ColdFusion 10 before you can upgrade your JVM.

You may have to install a server certificate to your JVM keystore. You should be able to fetch the certificate using the openssl command line tool. I expect this would be similar to fetching a TLS certificate from a web server. If there are multiple certificates in the chain, you may have to fetch the server certificate and the intermediate certificate. You'll have to put them together in a single chain to put them in the keystore. There are plenty of tutorials etc describing how to do this for HTTPS web servers, so I won't look for an example now, but let me know if that's a problem later.

You may have to change the ciphers and default versions used by TLS within Java, even with a newer JVM. There are various tutorials etc out there about this, too, and I haven't looked for them either. Let me know if that's a problem later.

Dave Watts, Eidolon LLC
EddieLotter
Inspiring
December 13, 2019

I have been through this several times and unfortunately I cannot provide a silver bullet solution. Sometimes it seems like black magic!

However, the first thing you must do is verify that LDAPS is working from the ColdFusion server, but external to ColdFusion.

First, use telnet to check that you can establish a connection to the LDAP server on the LDAPS port.

Once that test succeeds, use an LDAP client to test authentication and simple queries.

Only once those two tests succeed should you start troubleshooting ColdFusion.
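The three checks Eddie lists (TCP reachability, a working TLS handshake, then an actual bind) can be run from the ColdFusion host as one script. The example below is added here and is not code from the thread or from ColdFusion. It matters because the Java LDAP provider behind cfldap reports TLS handshake failures (untrusted chain, protocol mismatch) under the same "simple bind failed: host:636" message as a genuine bind rejection, so telling the stages apart is the whole diagnosis. The LDAP BindRequest and BindResponse are hand-encoded BER (RFC 4511) so only the standard library is needed; the host name, bind DN, password and CA file are placeholders supplied on the command line, not values from the thread.

```python
"""Stage-by-stage LDAPS check run from the ColdFusion host, outside ColdFusion.

Added example (not from the original post or from ColdFusion). It separates
what the cfldap error blurs together: TCP reach of port 636, the TLS
handshake, and the LDAP simple bind itself. Arguments are placeholders.
"""
import socket
import ssl
import sys
from typing import Optional, Tuple

LDAP_BIND_REQUEST = 0x60   # [APPLICATION 0]
LDAP_BIND_RESPONSE = 0x61  # [APPLICATION 1]
LDAP_SUCCESS = 0


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def build_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    if not 0 < msg_id < 0x80:
        raise ValueError("messageID must fit in one byte for this example")
    bind = _tlv(LDAP_BIND_REQUEST,
                _tlv(0x02, b"\x03")                      # INTEGER version 3
                + _tlv(0x04, dn.encode("utf-8"))         # OCTET STRING name (DN)
                + _tlv(0x80, password.encode("utf-8")))  # [0] simple (context tag 0)
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes) -> Tuple[int, int, str]:
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = _read_tlv(msg, 0)
    tag, body, _ = _read_tlv(msg, pos)
    if tag != LDAP_BIND_RESPONSE:
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, pos = _read_tlv(body, 0)        # ENUMERATED resultCode
    _, _matched, pos = _read_tlv(body, pos)  # LDAPDN matchedDN (ignored here)
    _, diag, _ = _read_tlv(body, pos)        # LDAPString diagnosticMessage
    return (int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def check_ldaps(host: str, port: int, bind_dn: str, password: str,
                ca_file: Optional[str] = None, timeout: float = 5.0) -> Tuple[str, str]:
    """Return (stage, detail); stage is the first of tcp/tls/bind to fail, else 'ok'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:                       # refused, unreachable, timeout
        return "tcp", str(e)
    # ca_file: the exported Base64 .cer of the DC / issuing CA (placeholder path)
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except OSError as e:                       # SSLError and SSLCertVerificationError
        raw.close()
        return "tls", str(e)
    with tls:
        tls.sendall(build_bind_request(1, bind_dn, password))
        resp = tls.recv(4096)
    try:
        _, code, diag = parse_bind_response(resp)
    except (ValueError, IndexError) as e:
        return "bind", "unparseable response: %s" % e
    if code != LDAP_SUCCESS:
        return "bind", "resultCode %d: %s" % (code, diag)
    return "ok", "simple bind succeeded; the remaining problem is inside ColdFusion/JVM config"


if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit("usage: ldaps_check.py HOST BIND_DN PASSWORD [CA_PEM]")
    ca = sys.argv[4] if len(sys.argv) > 4 else None
    stage, detail = check_ldaps(sys.argv[1], 636, sys.argv[2], sys.argv[3], ca)
    print("%s: %s" % (stage, detail))
```

Run it once with the exported certificate as `CA_PEM` and once without: a `tls` failure only with the file means the exported certificate is not the one the server presents (or not the issuing CA); a `tls` failure in both cases points at protocol or cipher negotiation; a `bind` result with code 49 means the DN or password, not the transport. If the script reports `ok`, the server side is fine and the remaining difference is which keystore and which TLS defaults the ColdFusion JVM is actually using.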

Participating Frequently
December 13, 2019

I agree.

I've done the Telnet test, and then used ldp.exe to test the connection on the LDAP server.

So it looks like I have to continue looking into Cold Fusion.

Thanks

Paul

EddieLotter
Inspiring
December 13, 2019

Good.

Have you used the keytool utility to verify that the certificate is present in the same cacerts keystore that the ColdFusion JVM is using?
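Dave's suggestion to pull the certificate (and any intermediates) with openssl, and Eddie's question about whether the right certificate is in the cacerts the ColdFusion JVM uses, come down to one comparison: does the certificate the LDAPS server presents match the entry keytool shows? The script below is an added example, not code from the thread or from ColdFusion. It fetches the leaf certificate the server sends on port 636 (with verification deliberately off, since the point is to see what would be rejected), prints it as PEM for `keytool -importcert`, prints its SHA-256 fingerprint in the colon-separated form `keytool -list -v` uses, and splits a PEM bundle such as `openssl s_client -showcerts` output into one file per chain element so each gets its own alias. The host name, file prefix and the sample bundle are placeholders constructed for the example.

```python
"""Compare the certificate an LDAPS server presents with a cacerts entry.

Added example (not from the original posts or from ColdFusion). Host name
and file names are placeholders; SAMPLE_* below is constructed test data,
not a real certificate chain.
"""
import hashlib
import re
import socket
import ssl
import sys
from typing import List

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def split_pem_bundle(text: str) -> List[str]:
    """Return each PEM certificate in `text`, in order, as its own string."""
    return [m.group(0) + "\n" for m in _PEM_BLOCK.finditer(text)]


def sha256_fingerprint(der: bytes) -> str:
    """Uppercase, colon-separated SHA-256 of the DER bytes (keytool -list -v style)."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pem_fingerprint(pem: str) -> str:
    """Fingerprint of a single PEM certificate, e.g. one element of a bundle."""
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def fingerprints_match(a: str, b: str) -> bool:
    """Compare two SHA-256 fingerprints regardless of colons, spaces or case."""
    na = re.sub(r"[^0-9a-f]", "", a.lower())
    nb = re.sub(r"[^0-9a-f]", "", b.lower())
    return len(na) == 64 and na == nb


def fetch_presented_cert(host: str, port: int = 636, timeout: float = 5.0) -> bytes:
    """TLS handshake with verification off; return the leaf certificate as DER.

    Verification is disabled on purpose: we want the bytes the server sends,
    which are exactly what a verifying client (the CF JVM) would reject.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def write_chain_files(bundle_text: str, prefix: str) -> List[str]:
    """Write each certificate of a PEM bundle to <prefix>-<n>.pem; return the names.

    Each file can then be imported under its own alias, e.g.
    keytool -importcert -alias ldaps-chain-0 -file ldaps-0.pem -keystore cacerts
    """
    names = []
    for i, pem in enumerate(split_pem_bundle(bundle_text)):
        name = "%s-%d.pem" % (prefix, i)
        with open(name, "w") as fh:
            fh.write(pem)
        names.append(name)
    return names


# Constructed sample (NOT real certificates): two fake DER bodies wrapped as PEM,
# with the kind of noise lines openssl s_client -showcerts prints between them.
SAMPLE_DER = [b"constructed leaf body, not a real certificate",
              b"constructed intermediate body, not a real certificate"]
SAMPLE_BUNDLE = ("depth=1 CN = placeholder-ca\n"
                 + ssl.DER_cert_to_PEM_cert(SAMPLE_DER[0])
                 + "verify return:1\n"
                 + ssl.DER_cert_to_PEM_cert(SAMPLE_DER[1]))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: ldaps_cert.py HOST [EXPECTED_SHA256_FINGERPRINT]")
    der = fetch_presented_cert(sys.argv[1])
    print(ssl.DER_cert_to_PEM_cert(der), end="")
    fp = sha256_fingerprint(der)
    print("SHA256:", fp)
    if len(sys.argv) > 2:
        # Paste the SHA256 line from: keytool -list -v -keystore cacerts -alias <alias>
        print("matches keystore entry:", fingerprints_match(fp, sys.argv[2]))
```

Run `keytool -list -v -keystore <cacerts under the JVM shown in the CF Administrator>` and pass the SHA256 line it prints as the second argument; a mismatch means the certificate imported is not the one the server presents, which is the usual cause when ldp.exe on the server works but the Java client does not. If the server presents only a leaf issued by an internal CA, import the CA certificate as well, since the JVM has to build a path to a trusted root, not just find the leaf.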