Need to switch to LDAPS (LDAP over SSL) before Microsoft turns off LDAP in January 2020 - but cannot get it to work.
An error has occurred while trying to execute
query :simple bind failed: xxxx.xxxx:636.
One or more of the required attributes may be missing or incorrect or you do not have
permissions to execute this operation on the server.
Has anyone any ideas to fix it?
I have been through this several times and unfortunately I cannot provide a silver bullet solution. Sometimes it seems like black magic!
However, the first thing you must do is verify that LDAPS is working from the ColdFusion server, but external to ColdFusion.
First, use telnet to check that you can establish a connection to the LDAP server on the LDAPS port.
Once that test succeeds, use an LDAP client to test authentication and simple queries.
Only once those two tests succeed should you start troubleshooting ColdFusion.
I agree.
I've done the Telnet test, and then used ldp.exe to test the connection on the LDAP server.
So it looks like I have to continue looking into Cold Fusion.
Thanks
Paul
Good.
Have you used the keytool utility to verify that the certificate is present in the same cacerts keystore that the ColdFusion JVM is using?
Yes I have.
I know the Cold Fusion Admin refers to a specific JVM, but I was also going to re-check all the 7 other cacert files on the server next.
No idea why we have 7 other sets of files, as this is only a Cold Fusion server.
Trouble is, the people who set all this up are long gone.
Unfortunately that's all I've got.
I did, however, stumble across this information for Adobe Connect which mentions that the certificate file should be in DER format rather than PEM format. I have no experience with this and I don't know if it is applicable to ColdFusion, but it's worth investigating.
Thanks - yes, my certificate is in the DER format.
What version of CF are you using? LDAPS uses TLS (aka SSL), and TLS cipher support etc changes frequently. Older versions of CF will have problems with newer versions of TLS.
Dave Watts, Eidolon LLC
We are on version 10 (out of support in May 2017), and have plans to upgrade next year.
(Trouble is Microsoft is turning off unsecured LDAP before then in January - which is why I'm doing this task first).
This is going to be a pretty vague answer.
ColdFusion 10 comes with either Java 6 or 7, I forget which. These are very old versions of Java. You may have to upgrade your JVM. Older JVMs don't support the newer TLS ciphers and so on that you might need. You may have to install updates to ColdFusion 10 before you can upgrade your JVM.
You may have to install a server certificate to your JVM keystore. You should be able to fetch the certificate using the openssl command line tool. I expect this would be similar to fetching a TLS certificate from a web server. If there are multiple certificates in the chain, you may have to fetch the server certificate and the intermediate certificate. You'll have to put them together in a single chain to put them in the keystore. There are plenty of tutorials etc describing how to do this for HTTPS web servers, so I won't look for an example now, but let me know if that's a problem later.
You may have to change the ciphers and default versions used by TLS within Java, even with a newer JVM. There are various tutorials etc out there about this, too, and I haven't looked for them either. Let me know if that's a problem later.
Dave Watts, Eidolon LLC
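The out-of-band checks recommended earlier in the thread (TCP connect on 636, a bind with an LDAP client, confirming which cacerts the ColdFusion JVM reads, fetching the server and intermediate certificates and importing the chain) can be scripted with openssl, ldapsearch and keytool. The script below is an added example and is not code from any post in this thread; the hostname, the ColdFusion JVM path, the keystore password and the alias prefix are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example (not from the thread): LDAPS checks done outside ColdFusion with
# openssl/ldapsearch/keytool instead of telnet/ldp.exe.
# LDAP_HOST, CF_JAVA_HOME and STOREPASS are assumed values; override them via the environment.

LDAP_HOST="${LDAP_HOST:-dc01.example.internal}"        # assumed domain controller name
LDAP_PORT="${LDAP_PORT:-636}"
# Use the JVM listed under ColdFusion Administrator > Java and JVM, not whatever java is on PATH;
# that is the only cacerts file that matters for cfldap.
CF_JAVA_HOME="${CF_JAVA_HOME:-/opt/coldfusion10/jre}"   # assumed path
CACERTS="$CF_JAVA_HOME/lib/security/cacerts"
STOREPASS="${STOREPASS:-changeit}"                      # JDK default; change if yours differs

# Step 1: reachability on the LDAPS port (the telnet test). Exit status 0 means a TLS
# handshake completed, so a firewall or a closed port is ruled out.
check_tcp() {
    host="$1"; port="$2"
    openssl s_client -connect "$host:$port" </dev/null >/dev/null 2>&1
}

# Step 2: which TLS versions the server negotiates. A JVM that only offers TLS 1.0
# against a DC that requires TLS 1.2 fails before the bind, which surfaces in
# ColdFusion as "simple bind failed".
probe_tls() {
    host="$1"; port="$2"
    for v in tls1 tls1_1 tls1_2; do
        if openssl s_client -connect "$host:$port" "-$v" </dev/null >/dev/null 2>&1; then
            echo "$v: accepted"
        else
            echo "$v: refused"
        fi
    done
}

# Step 3: fetch the full chain the server presents (leaf plus intermediates) as PEM.
fetch_chain() {
    host="$1"; port="$2"; out="$3"
    openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null \
        | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$out"
}

# Split a PEM bundle into one file per certificate (<prefix>-0.pem, <prefix>-1.pem, ...)
# and print how many were written. keytool imports one certificate per -importcert call.
split_chain() {
    bundle="$1"; prefix="$2"
    awk -v p="$prefix" '
        BEGIN { n = 0; f = "" }
        /-----BEGIN CERTIFICATE-----/ { f = p "-" n ".pem"; n++ }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n }' "$bundle"
}

# Step 4: the ldp.exe-style test, a simple bind and a base search over LDAPS, trusting
# the chain fetched above. A failure here is a certificate or TLS problem, not ColdFusion.
test_bind() {
    host="$1"; port="$2"; binddn="$3"; basedn="$4"; cafile="$5"
    LDAPTLS_CACERT="$cafile" ldapsearch -H "ldaps://$host:$port" -x -D "$binddn" -W \
        -b "$basedn" -s base '(objectClass=*)'
}

# Step 5: import every certificate of the chain into the ColdFusion JVM's cacerts.
# keytool accepts PEM or DER input for -importcert, so no format conversion is needed.
import_chain() {
    prefix="$1"
    cp "$CACERTS" "$CACERTS.bak.$(date +%Y%m%d)"   # keep a backup before touching the store
    i=0
    for f in "$prefix"-*.pem; do
        "$CF_JAVA_HOME/bin/keytool" -importcert -noprompt -trustcacerts \
            -alias "ldaps-$LDAP_HOST-$i" -file "$f" \
            -keystore "$CACERTS" -storepass "$STOREPASS"
        i=$((i + 1))
    done
}

# Step 6: confirm the aliases are in the store the CF JVM actually reads (count them).
verify_import() {
    "$CF_JAVA_HOME/bin/keytool" -list -keystore "$CACERTS" -storepass "$STOREPASS" \
        | grep -c "ldaps-$LDAP_HOST"
}

# Typical run, after setting the variables above:
#   check_tcp "$LDAP_HOST" "$LDAP_PORT" && probe_tls "$LDAP_HOST" "$LDAP_PORT"
#   fetch_chain "$LDAP_HOST" "$LDAP_PORT" /tmp/chain.pem
#   test_bind "$LDAP_HOST" "$LDAP_PORT" 'CN=svc,OU=Users,DC=example,DC=internal' \
#             'DC=example,DC=internal' /tmp/chain.pem
#   split_chain /tmp/chain.pem /tmp/ldaps && import_chain /tmp/ldaps && verify_import
```

Run it with the ColdFusion service account's JVM path so the import lands in the same cacerts the Administrator reports; restart ColdFusion afterwards, since the JVM loads the trust store at startup. If probe_tls shows only tls1_2 accepted and the bundled Java 6 or 7 runtime cannot offer that version, the JVM upgrade mentioned above is the fix, not the keystore.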
Thanks to everyone who supplied advice - so it only seemed polite to tell you what happened.
Did not manage to get it to work - will get back to this after we've upgraded the Cold Fusion to a more recent version.
Implemented a workaround, where an SSIS job pulls the relevant data out of Active Directory and drops it into a database table. Then got Cold Fusion to check the entries in this table. Not perfect, but kept us going.