I am attempting to migrate a CF10 application to CF2018 that uses a CFLDAP call to an Active Directory server, and I am experiencing failures. We have already used keytool to import the AD server certificate, and we have verified connectivity by telnet <ip address>:636 and can create a connection via openssl s_client -connect <ip address>:636.
We use CFSSL_BASIC, port 636, and are getting this error on the LDAP call:
Detail: One or more of the required attributes may be missing or incorrect or you do not have permissions to execute this operation on the server.
Operation: query :<ip address>:636
I have noted in the coldfusion-error.log an error that occurs when CF restarts:
INFO: The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [C:\ColdFusion2018\cfusion\lib;C:\ColdFusion2018\cfusion\jintegra\bin;C:\ColdFusion2018\cfusion\jintegra\bin\international;C:\ColdFusion2018\cfusion\lib\oosdk\classes\win;C:\\ColdFusion2018\\jre\bin]
My hypothesis is that I am missing a library and/or don't have the correct directory in the PATH?
System details:
Update - success!
After reading the release notes at https://www.oracle.com/java/technologies/javase/11-0-1-relnotes.html, I added -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to the java command. In this JVM version, some additional checks were added to LDAPS connections. I'll investigate that and fix the connection issue later so we can enable strict endpoint identification, but the connection works now.
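The check that the JVM property above switches off is endpoint identification: the name the client connected to (here an IP literal) must appear in the server certificate's subjectAltName, or the LDAPS handshake fails. The following is an added diagnostic, not code from the thread, that reads the AD server's certificate using the exported cert as trust anchor and reports whether the connection target would pass that check, so the real fix (connect by the DNS name in the cert, or reissue the cert with an iPAddress SAN) can be made instead of leaving the property disabled. The target name, port and CA file path are assumptions to be replaced with your own values; the matching logic follows the usual rules (DNS names match dNSName entries, IP literals match iPAddress entries, a single leftmost wildcard label).

```python
import ipaddress
import socket
import ssl
from typing import Iterable, List, Tuple

def _dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName SAN against a hostname: case-insensitive, trailing dot
    ignored, and a single leftmost '*' label matches exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def endpoint_id_ok(target: str, sans: Iterable[Tuple[str, str]]) -> bool:
    """True if `target` would pass endpoint identification against the SAN
    entries, given as (type, value) pairs as ssl.SSLSocket.getpeercert()
    returns them. An IP-literal target only matches 'IP Address' entries;
    a hostname only matches 'DNS' entries (no fallback to the subject CN)."""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    for kind, value in sans:
        if target_ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True
            except ValueError:
                continue
        elif target_ip is None and kind == "DNS" and _dns_match(value, target):
            return True
    return False

def check_ldaps_endpoint(target: str, ca_file: str, port: int = 636) -> Tuple[bool, List[Tuple[str, str]]]:
    """Connect to the LDAPS port with the exported AD certificate (assumed
    path) as the only trust anchor. Chain validation stays on; only the
    library's own hostname check is disabled so the SANs can be read and
    evaluated by endpoint_id_ok, which tells the operator which name to use."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # verify_mode remains CERT_REQUIRED
    with socket.create_connection((target, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=target) as tls:
            sans = list(tls.getpeercert().get("subjectAltName", ()))
    return endpoint_id_ok(target, sans), sans

if __name__ == "__main__":
    ok, sans = check_ldaps_endpoint("dc01.corp.example", "ad-server.pem")
    print("endpoint identification would pass:", ok, "SANs:", sans)
```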
I got one private reply, thanks for that!
As an update, I had our network admin do a packet capture for all traffic from my test servers to the two Active Directory servers I was using for testing, and she saw no traffic. There are no firewall rules blocking this outbound traffic, leading me to believe that the ColdFusion servers aren't even attempting to initiate a connection.