Cfldap using CFSSL_CLIENT_AUTH

New Here, Mar 09, 2021

I am trying to use cfldap with secure="CFSSL_CLIENT_AUTH" on ColdFusion 2016. I specified the p12 file location using clientcert and the password using clientcertpassword. I also imported the server's cert into the cacerts keystore. When I run the page I always get "One or more of the required attributes may be missing or incorrect or you do not have permissions to execute this operation on the server." Anyone have experience with this?

TOPICS: Advanced techniques, Security

Views: 618
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert, Mar 09, 2021

Yes, see options discussed in another similar thread (last year), here:

https://community.adobe.com/t5/coldfusion/cfldap-error-one-or-more-of-the-required-attributes-may-be...

What that person found was the "right answer" for them was to get the certificate for the LDAP server directly using openssl and import them.

But note that another suggestion (I offered) was to just get their JVM updated. That has helped many people with problems calling out of CF via https/ssl/tls. Again, see the post for more, to find which will work best for you.


/Charlie (troubleshooter, carehart.org)

New Here, Mar 09, 2021

Thanks for the response. I am seeing what I think is shown here:

https://tracker.adobe.com/#/view/CF-4205061

Community Expert, Mar 09, 2021

Fair enough. But there's no solution offered there, right? And neither of the folks reporting there indicate what JVM version they had. I just added a comment asking them about that.

So first, you should add a vote (if you had not) so that if they or others reply, you will be notified.

But until then, you might want to also indicate there or here what JVM version you are running, and whether you have tried the latest available version supported by your CF (which would be either Java 8 or 11, depending on what CF 2016 update you have done, and both of which have been updated in 2021). Again, see the link I offer for more, including more help if you may need it to see if this would be the solution for you.


/Charlie (troubleshooter, carehart.org)

New Here, Mar 09, 2021

I am using ColdFusion 2016 update 16 with Java 8 update 281 (this should be current for Java 8 as I am typing this now). As the post you linked indicated, I tried using the cert from the server obtained using OpenSSL, but that has not seemed to make a difference after importing that into the cacerts keystore (I ensured I was adding it to the correct keystore for the version of Java I have installed). Thanks again @Charlie Arehart for your suggestions!

Community Expert, Mar 10, 2021

Make sure you retrieve not just the root certificate, but also any intermediate certificates on the LDAP server, and import them all into Java as a single "chain".

Dave Watts, Eidolon LLC

New Here, Mar 10, 2021

Thanks @Dave Watts. I did ensure the entire chain is imported into Java's cacerts keystore. Unfortunately I am still having the error.

I just want to confirm that I am correct: when using the clientcert attribute, I am pointing to the actual path of the p12 file on the ColdFusion server and then providing the password with the clientcertpassword attribute, correct?

Community Expert, Mar 10, 2021

That sounds right to me. I would recommend testing this in another LDAP client to ensure that it works. I've generally used JXplorer for this kind of thing in the past.

http://jxplorer.org/

Dave Watts, Eidolon LLC

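Dave's suggestion above, testing the same client certificate with another LDAP client, can also be done from the command line on the ColdFusion host itself, which keeps the test on the same machine, network path and trust material that CF uses. The script below is an added example written for this page; it is not code from the thread, from Adobe or from JXplorer. It assumes hypothetical inputs LDAP_HOST, LDAP_PORT, CLIENT_P12 with its password CLIENT_P12_PASS, and a PEM bundle CA_FILE holding the server chain. It exercises only the TLS layer (the server's CertificateRequest and the client certificate the p12 supplies), not the LDAP bind, so a clean handshake here shows that the server accepts the certificate, not that it maps to an LDAP identity.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the mutual-TLS handshake to the LDAPS
# server from the ColdFusion host, outside CF, using the same .p12 cfldap is given, and
# read the two things in openssl's report that decide whether a client certificate can
# work at all: the server-chain verification result and the "Acceptable client
# certificate CA names" the server advertises in its CertificateRequest.
# Assumptions (hypothetical, supply your own): LDAP_HOST, LDAP_PORT, CLIENT_P12,
# CLIENT_P12_PASS and CA_FILE (PEM bundle of the server chain). No Adobe/CF code here.

# Extract the client certificate and key from the p12 into one PEM file for s_client.
# The key is written unencrypted, so it goes into a private temp dir and is deleted after.
p12_to_pem() {  # $1=p12 file $2=p12 password $3=output pem
    umask 077
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -out "$3"
}

# Run the handshake with the client cert and capture openssl's full report.
handshake() {  # $1=host $2=port $3=client pem $4=CA bundle $5=output file
    openssl s_client -connect "$1:$2" -servername "$1" \
        -cert "$3" -key "$3" -CAfile "$4" </dev/null > "$5" 2>&1
}

# "Verify return code: 0 (ok)" means the server chain validated against the CA bundle.
verify_code() {  # $1=s_client output file; prints the numeric code
    sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Print the CA subjects the server will accept client certificates from, one per line.
# When the server does not restrict issuers openssl prints
# "No client certificate CA names sent" instead, and this prints nothing.
acceptable_cas() {  # $1=s_client output file
    awk '
        /^Acceptable client certificate CA names/ { on = 1; next }
        on && /^(Client Certificate Types|Requested Signature Algorithms|Shared Requested Signature|Peer signing digest|Server Temp Key|---)/ { on = 0 }
        on { print }
    ' "$1"
}

# Return 0 when the issuer of the client certificate is in the server's list (or the
# server sent no list), 1 when the server will refuse certificates from that issuer.
issuer_acceptable() {  # $1=s_client output file $2=issuer subject as openssl prints it
    if ! grep -q '^Acceptable client certificate CA names' "$1"; then
        return 0
    fi
    acceptable_cas "$1" | grep -qxF "$2"
}

# End-to-end run only when the caller sets LDAP_HOST; sourcing the file is side-effect free.
if [ -n "${LDAP_HOST:-}" ]; then
    work=$(mktemp -d)
    p12_to_pem "${CLIENT_P12:?}" "${CLIENT_P12_PASS:?}" "$work/client.pem"
    handshake "$LDAP_HOST" "${LDAP_PORT:-636}" "$work/client.pem" "${CA_FILE:?}" "$work/s_client.txt"
    issuer=$(openssl x509 -in "$work/client.pem" -noout -issuer | sed 's/^issuer=//')
    echo "server chain verify code: $(verify_code "$work/s_client.txt") (0 = ok)"
    if issuer_acceptable "$work/s_client.txt" "$issuer"; then
        echo "client certificate issuer is acceptable to the server: $issuer"
    else
        echo "server will NOT accept certificates issued by: $issuer" >&2
        acceptable_cas "$work/s_client.txt" >&2
    fi
    rm -rf "$work"
fi
```

The two parse functions matter because cfldap's generic error hides both facts: a non-zero "Verify return code" means the chain in CA_FILE (and, by extension, whatever was imported into cacerts) does not validate the server, and an "Acceptable client certificate CA names" list that does not contain the p12's issuer means the server will reject the client certificate no matter what CF does.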
New Here, Mar 10, 2021

Thank you @Dave Watts. I downloaded JXplorer, loaded the chain into cacerts, pointed it to the client cert p12 file and provided the password. I was able to successfully connect to the LDAP server without any issues. Unfortunately I am still not able to get cfldap to work. It seems to immediately error with the error "One or more of the required attributes may be missing or incorrect or you do not have permissions to execute this operation on the server".

Community Expert, Mar 10, 2021

Are you able to read the LDAP server's logs? They might have more useful information.

Dave Watts, Eidolon LLC

Community Expert, Mar 10, 2021

And if somehow all still seems "right" about the certs, and yet things don't work, I have two thoughts:

  • You mention that you are running the latest Java, and that's great. But are you confirming that you see that indicated in the CF Admin "settings summary" page and its Java details section? Some folks look at what JVM is installed on their machine, but that doesn't matter if CF is not pointing at it.
  • While it seems that what you and Dave are discussing is about pointing to certs directly, let me note also that if any aspect of working with certs involves importing them into the JVM cacerts, it's also critical that's done into the cacerts WITHIN THE LIB/SECURITY FOLDER OF THAT JVM, rather than the one in the /coldfusion2016/jre folder, as many docs would say to do. As soon as you change CF to use a different JVM, you need to do any such imports into that JVM's cacerts.

Let us know if you've ruled these both out, assuming Dave's suggestions don't get things solved.


/Charlie (troubleshooter, carehart.org)

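Charlie's first reply (get the LDAP server's certificate with openssl and import it), Dave's point that the intermediates must be imported along with the root, and Charlie's point just above that the import must land in the cacerts of the JVM CF actually runs on, as one script. This is an added example for this page, not code from the thread or from Adobe. It assumes hypothetical inputs LDAP_HOST, LDAP_PORT (default 636), JAVA_HOME set to the path CF Admin reports as java.home, openssl and keytool on PATH, and the default cacerts password changeit; the path lookup covers the JRE layout (lib/security/cacerts, which is what a java.home such as E:\ColdFusion2016\jre1.8.0_281 has) and the JDK 8 layout (jre/lib/security/cacerts).

```shell
#!/bin/sh
# Added example (not from the thread): pull the certificate chain an LDAPS server presents,
# split it into one PEM file per certificate, and import every certificate into the
# cacerts of the JVM that ColdFusion actually runs on. Nothing here is Adobe/CF code.
# Assumptions (hypothetical, supply your own): LDAP_HOST, LDAP_PORT, JAVA_HOME (the value
# CF Admin / server.system.properties.java.home reports), openssl and keytool on PATH,
# and the default cacerts store password "changeit".

# Fetch the chain the server sends during the TLS handshake (all -showcerts blocks).
fetch_chain() {  # $1=host $2=port $3=output bundle file
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
}

# Split a PEM bundle into $2/cert-01.pem, cert-02.pem, ... and print the count.
# Text between certificates is dropped; the "inside" flag keeps awk from reopening
# (and truncating) a file it has already closed.
split_pem_chain() {  # $1=bundle file $2=output dir
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# Resolve the cacerts file of a given JVM. A JRE (what CF 2016 ships, and what the
# poster's java.home points at) keeps it in lib/security; a JDK 8 keeps it in
# jre/lib/security; Java 11+ only has lib/security.
cacerts_path() {  # $1=JAVA_HOME
    if [ -f "$1/lib/security/cacerts" ]; then
        printf '%s\n' "$1/lib/security/cacerts"
    elif [ -f "$1/jre/lib/security/cacerts" ]; then
        printf '%s\n' "$1/jre/lib/security/cacerts"
    else
        return 1
    fi
}

# Alias derived from the SHA-256 fingerprint, so the same certificate can never be
# imported twice under different names (keytool refuses a duplicate alias).
cert_alias() {  # $1=pem file
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | cut -d= -f2 | tr -d ':' | sed 's/^/ldaps-/'
}

# Import every split certificate into the keystore, then count what is there.
import_chain() {  # $1=dir with cert-NN.pem $2=cacerts path $3=store password
    for f in "$1"/cert-*.pem; do
        a=$(cert_alias "$f")
        # -noprompt trusts whatever the server sent (trust-on-first-use): confirm the
        # fingerprint with the LDAP administrator out of band before relying on it.
        keytool -importcert -noprompt -trustcacerts \
            -keystore "$2" -storepass "$3" -alias "$a" -file "$f"
    done
    keytool -list -keystore "$2" -storepass "$3" | grep -c '^ldaps-'
}

# End-to-end run only when the caller sets LDAP_HOST; sourcing the file is side-effect free.
if [ -n "${LDAP_HOST:-}" ]; then
    work=$(mktemp -d)
    store=$(cacerts_path "${JAVA_HOME:?set JAVA_HOME to the JVM CF reports}") \
        || { echo "no cacerts under $JAVA_HOME" >&2; exit 1; }
    fetch_chain "$LDAP_HOST" "${LDAP_PORT:-636}" "$work/chain.pem"
    n=$(split_pem_chain "$work/chain.pem" "$work")
    echo "server presented $n certificate(s); importing into $store"
    import_chain "$work" "$store" "${STOREPASS:-changeit}"
    rm -rf "$work"
fi
```

Run it on the CF server as LDAP_HOST=ldap.example JAVA_HOME=/path/to/jre sh import-chain.sh. Two caveats: the script imports the leaf certificate as well as the CAs, which works but ties trust to a certificate that will be rotated, so importing only the issuing CA entries is the more durable choice; and every JVM update brings a fresh cacerts file, so the import has to be repeated (or the CA certs kept in a separate truststore) after each one.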
New Here, Mar 10, 2021

@Dave Watts I can see the test connections on the LDAP server but nothing when attempting with ColdFusion. @Charlie Arehart thanks for pointing those two out. I did confirm from the Summary page that ColdFusion is using the new JVM that is installed on the server, pointing to the correct path. I can also confirm that I have imported the certificate into that Java version's cacerts keystore in its lib/security folder, not /coldfusion2016/jre. I appreciate all the suggestions and thoughts.

Community Expert, Mar 10, 2021

You might be able to get more useful logging information from the LDAP server if you can log into it locally, when you try to connect.

Dave Watts, Eidolon LLC

Community Expert, Mar 10, 2021

Here are a couple more ideas. The first is simple, the second may not be as palatable:

  • you have shared the main error you get ("One or more of the required attributes may be missing or incorrect or you do not have permissions to execute this operation on the server"), but not any additional details of the error. Are you getting this message from a CFML error handler? Can you confirm it's dumping/showing the entire error structure?
  • assuming that doesn't help get you/us farther, something not clear from the discussions above is whether you ran that JXplorer on the server (where CF is installed). If you did not, there may be something about that server which differs from wherever you did run it from...and that issue could affect both CF and JXplorer. Can you confirm?
  • You say you are running CF2016. Something you could try would be to run either CF2018 or 2021 on the same server (updating CF2018 to its latest update, and updating either to the latest Java), to see if somehow the problem is unique to your CF2016 setup? It could even be that it's not something unique to CF2016 but to something configured in your CF2016 (which would not be configured in the two later versions, out of the box).
    • Note that you can install a new CF version alongside an old one. If the old one is running when the new one is installed, the new one will get different ports, which is good. But then CF will offer to import all the settings from the old one, which may not be desirable (in this case of wanting to see if an out of the box install would work), so consider skipping that
    • And rather than try to configure the new CF to use your web server, just put a test page in the new CF's cfusion/wwwroot folder, and call that with localhost:8501 (since the CF2016 would be using localhost:8500, by default)
  • One last thing: sometimes people find various aspects of network communication coming out of CF (of various sorts) might fail due to some anti-virus or VPN configuration. It can help in such cases if you could momentarily turn them off when trying whatever is failing. If that then works, you know that's the issue. Then you can debate how best to go forward (as leaving those things off won't likely be acceptable).

Let us know how things go.


/Charlie (troubleshooter, carehart.org)

Community Expert, Mar 10, 2021

Also, it might be helpful to know:

  • is this a cfldap call (with ssl) that WAS working previously in CF2016 for you, then just suddenly stopped? Or is this the first time you're calling that ldap server from this CF2016 setup?
  • do you (or does anyone there) have any other working cfldap call (with ssl) to the same server?
    • (As you may know, CF has various logs that track things like cfhttp calls, in an http.log, and webservice calls in the webservice.log. There may well be an ldap.log that tracks outbound calls to that. I'm not sure. Dave may know. If they are logged, I just wonder if you'd find others calling that same server.)
  • did you have a cfldap call (with ssl) to that server on any previous version of CF? If so, was that ever on the same server you are on now?

Finally, in that tracker ticket link I shared in my first reply, note how the person reporting it showed using JVM args (like -Djavax.net.debug) to capture the handshake of the ssl communications (between CF and any ssl/tls call out to anything). Have you enabled that, to see if it shows anything useful when things fail? I realize that can be a bit of dumpster diving. Again, just trying to give you ideas so you don't feel totally stuck.

Often in cases like this, it turns out that there is something rather unique about your setup which explains why it's happening to you--and yet doesn't happen so often that there are clear and obvious solutions.


/Charlie (troubleshooter, carehart.org)

New Here, Mar 10, 2021

Thanks for all the suggestions @Charlie Arehart . I'm going to dig into all of those and I'll report back. Thank you again!

Participant, Mar 26, 2021

Out of curiosity, did you have any luck with this?

I can't be much help with it, because I never found a solution. I know this would be a pain, because I did it back when I was trying to figure out this issue, but I'd recommend installing ColdFusion 11 Update 19 and going through the exact same setup steps you did for CF 2016. Make sure you update the JVM and import the certs. Then copy your test page and P12 over to CF11 and see if it works. That won't fix your problem, but it would confirm that you have a working test page and that the issue started with CF 2016.

I set all three versions of CF (11, 2016, and 2018) up in a new test environment, so I was sure I was following the steps exactly the same for all three. It worked just fine in CF 11, but in both 2016 and 2018 I'd get the error. If you go that route, it wouldn't take much longer to also install CF 2021 to see if it happened to get fixed in there.

I eventually gave up and had to wait until we got a new information provider that we use username and password for.

Good luck, I hope you find a solution.

New Here, Apr 05, 2021
</gr_replreplace>
<gr_replace lines="492-503" cat="clarify" orig="@George=A I have not">
@George=A I have not been able to get it to work. @Charlie Arehart had a lot of great suggestions, I was able to try a few of them:

  • The error is not invalid password or user related. It only gives the "One or more of the required attributes may be missing or incorrect..." error
  • With @Dave Watts's suggestion, I did run JXplorer on the ColdFusion server and did connect successfully to the ldap server with the client certs.
  • I was not able to get another version to test at this time
  • I did disable any AV and checked firewall rules. No change in the result.
  • This was my first attempt at cfldap with certificates, so I can't say it was working, then it was not.
  • I do have other cfldap calls working, unfortunately they are using basic auth, not client auth.
  • I did not have client auth working previously on a different version
  • I did enable the logging that was in the tracker ticket, it seemed to show the same errors the person referred to from the tracker ticket but did not really provide much insight that I could discern.

I did apply the latest hotfix (version 17) and am still getting the same error. I do appreciate everyone's thoughts and suggestions very much!

@George=A I have not been able to get it to work. @Charlie Arehart had a lot of great suggestions, I was able to try a few of them:

  • The error is not invalid password or user related. It only gives the "One or more of the required attributes may be missing or incorrect..." error
  • With @Dave Watts's suggestion, I did run jxexplorer on the coldfusion server and did connect successfully to the ldap server with the client certs.
  • I was not able to get another version to test at this time
  • I did disable any AV and checked firewall rules. No change in the result.
  • This was my first attempt at cfldap with certificates, so I can't say it was working, then it was not. 
  • I do have other cfldap calls working, unfortunately they are not using basic auth, not client auth.
  • I did not have client auth working previously working on a different version
  • I did enable the logging that was in the tracker ticket, it seemed to show the same errors the person refered to from the tracker ticket but did not really provide much insight that I could discern.

I did apply the latest hotfix (version 17) and am still getting the same error. I do appreciate everyone's thoughts and suggestions very much!

Community Expert, Apr 05, 2021

Slobs, given all your testing and details you have shared, I want to press on one more point. While you shared about a month ago that you had confirmed you had an updated JVM (1.8.0_281) and that you confirmed in the CF Admin that CF was using it (and that you had imported any certs into its lib/security/cacerts), I want to ask if you would do one more sanity check. The following code will confirm things FROM WITHIN code (the current JVM version and the location that would have the lib/security folder you would have wanted to manipulate, if needed). Are they really the values you expect them to be:

<cfdump var="#server.system.properties.java.version#">
<cfdump var="#server.system.properties.java.home#">

Again, it's just a sanity check before folks may go further into other explorations. Thanks.


/Charlie (troubleshooter, carehart.org)

New Here, Apr 05, 2021

@Charlie Arehart Thanks for your suggestion.

Indeed, the cfdump version outputs 1.8.0_281 and the home location cfdump outputs E:\ColdFusion2016\jre1.8.0_281.

Community Expert, Apr 05, 2021

Ah, ok. Wow. Strange tale, indeed. Hope someone may come along with more insight for you. I think I'm out of ideas, for now.

(FWIW, these last couple of replies prompted me to create a blog post about how to check the JVM version running in CF, via code. I posted a longer variant of the post on my own site, and a shorter post on the Adobe site.)


/Charlie (troubleshooter, carehart.org)
