Querying a secure CFLDAP

Guest
Mar 28, 2008
Hello all,

I have been pulling my hair out trying to figure out why my CFMX7 box will not authenticate with a secure LDAP. I have been able to query using ldp.exe from Microsoft but nothing with CF. I have been all over the Internet looking for solutions and suggestions but nothing has helped.

I believe I imported the crt correctly but I suspect that is where I am experiencing the breakdown.

Here is the code:
<cfldap
    server="#domain#"
    action="query"
    name="results"
    start="dc=school,dc=edu"
    filter="(sAMAccountName=aasmith)"
    port="636"
    username="username"
    password="password"
    attributes="ldapDisplayName"
    secure="CFSSL_BASIC">

I imported the crt before and tried again just in case, and it said that it was already there. I would like to delete the alias and start over but could not. Can someone help me with this?

Thanks!!!
Topic: Advanced techniques

Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting.
Guest
Mar 28, 2008
Yes, I thought I followed it to a T. However, it still is not working. I tried to run "keytool -list -keystore cacerts -alias ldapserver-cert -storepass changeit -v" to check the cert but it just came back with a list of all the functions.

Any idea? Thanks
New Here
Mar 28, 2008
Depending on where you've installed CF, you may need to change these paths.

Open a command prompt and cd to "C:\CFusionMX7\runtime\jre\bin".

From here you can feed the command prompt the following command (on one line):

keytool -list -storepass changeit -noprompt -keystore C:\CFusionMX7\runtime\jre\lib\security\cacerts

Example:

C:\CFusionMX7\runtime\jre\bin>keytool -list -storepass changeit -noprompt -keystore C:\CFusionMX7\runtime\jre\lib\security\cacerts

This should list out all the current certs.

This blog post has more info as well - http://www.coldfusionmuse.com/index.cfm/2005/01/29/keystore

New Here
Mar 28, 2008
Also, you didn't say what error message, if any, you were receiving when making the LDAP call. If it's "connection failure" then it's almost a guarantee that the issue is with the cert not being imported or configured properly.
Guest
Mar 28, 2008
Here is the error message:

Connection to LDAP Server failed

Guest
Mar 28, 2008
I just ran the list function and I do not see the certificate anywhere. In addition, I just ran another one which was Starfield.cer (godaddy) and I do not see it in there either. I made sure to restart CF after each time.

Thanks!!
Guest
Mar 28, 2008
We also have a version of CF5 running and I understand that it is a bit easier to configure. Can you tell me where I could find the certificate_db? I am trying this: secure="CFSSL_BASIC, C:\cfusion\ldap\certificate_db"

However I get the following error:

Invalid security information for security type "CFSSL_BASIC" was provided within the SECURITY attribute. Please refer to the documentation for the correct format of this multi-field string value. Error: The path component, "C:\cfusion\ldap\certificate_db", specifies a file that does not exist.

Thanks for all your help!!
Guest
Mar 28, 2008
I think there may be an issue with how I name the alias. Would I name the alias ldap.domain.edu if that is the server I was querying (server = "ldap.domain.edu")?
Guest (Correct answer)
Mar 30, 2008
Well, believe it or not, I figured it out. It was only after reading this post (http://www.numtopia.com/terry/blog/archives/2006/07/importing_ssl_certificates_with_keytool_finally.cfm) that I started thinking that I remember I would import certificates and then run a list to make sure that they were in there. I could never find them and the total amount would always stay at 106.

I then entered the following (replace "whateverthecertis"): keytool -import -keystore C:\CFusionMX7\runtime\jre\lib\security\cacerts -file whateverthecertis.cer -alias whateverthecertis

All of the documentation examples I read (which was quite a bit) always had "-keystore cacerts" which places it in the same directory as the keytool (C:\CFusionMX7\runtime\jre\bin). Therefore the CF server never sees it.

I hope this helps someone as it would have saved me a week.
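The two keytool steps that the thread arrives at (list the JRE's own cacerts to see what is really in it, then import with the full path to that file) folded into one helper, as an added example; this is not code from any of the posts above. It assumes a POSIX shell, that JRE_HOME is the JRE ColdFusion actually runs (C:\CFusionMX7\runtime\jre in the thread; Windows users type the same keytool commands in cmd.exe with backslash paths), the JDK default store password "changeit", and a hypothetical certificate file ldap.example.edu.cer. The alias passed to keytool is only the label of the keystore entry; it does not have to match the LDAP server's host name, because the JVM trusts by certificate match, not by alias.

```shell
#!/bin/sh
# Added example, not from the thread: put a certificate into the trust store
# the ColdFusion JVM reads, then prove it landed there.
# Assumptions: JRE_HOME is the CF JRE (C:\CFusionMX7\runtime\jre in the
# thread), keytool lives at $JRE_HOME/bin/keytool, store password "changeit".

# The JVM reads <JRE_HOME>/lib/security/cacerts. "-keystore cacerts" with no
# directory names a file in the current working directory instead, which is
# the trap the last post describes.
cf_cacerts_path() {
    printf '%s/lib/security/cacerts\n' "${1%/}"
}

# True (exit 0) when a -keystore argument is relative: no leading "/" and
# no Windows drive prefix such as "C:\" or "C:/".
is_relative_keystore() {
    case "$1" in
        /*)             return 1 ;;
        [A-Za-z]:/*)    return 1 ;;
        [A-Za-z]:\\*)   return 1 ;;
        *)              return 0 ;;
    esac
}

# List every alias in the JRE trust store: the check the thread ran before
# and after each import to see whether the entry count changed.
list_trust_store() {
    ks=$(cf_cacerts_path "$1")
    "$1/bin/keytool" -list -keystore "$ks" -storepass "${2:-changeit}"
}

# Import <certfile> under <alias> into the JRE trust store, then verify the
# alias is present in THAT store. "-import" is the verb CF MX7's JRE knows;
# newer keytool accepts it as an alias of -importcert.
# Returns 2 for a bad path, 1 if keytool itself fails.
import_and_verify() {
    jre=$1 certfile=$2 alias=$3 storepass=${4:-changeit}
    ks=$(cf_cacerts_path "$jre")
    if is_relative_keystore "$ks"; then
        echo "refusing relative keystore path: $ks" >&2
        return 2
    fi
    [ -f "$ks" ] || { echo "trust store not found: $ks" >&2; return 2; }
    "$jre/bin/keytool" -import -noprompt -trustcacerts \
        -keystore "$ks" -storepass "$storepass" \
        -file "$certfile" -alias "$alias" || return 1
    # If an earlier import reported the alias as already present yet this
    # check fails, that import went into ./cacerts, not the JRE's store.
    "$jre/bin/keytool" -list -keystore "$ks" -storepass "$storepass" \
        -alias "$alias" >/dev/null
}

# Usage (then restart ColdFusion: the JVM loads cacerts at startup):
#   JRE_HOME=/opt/coldfusionmx7/runtime/jre          # assumed install path
#   import_and_verify "$JRE_HOME" ldap.example.edu.cer ldapserver-cert
#   list_trust_store "$JRE_HOME" | grep -c trustedCertEntry
```

Two practical caveats. Prefer importing the issuing CA certificate over the LDAP server's leaf certificate: trust then survives the server certificate's renewal, whereas a pinned leaf fails the moment it is reissued. And if `-list -alias` on the JRE store shows nothing after keytool said the entry already existed, look for a stray `cacerts` file in whatever directory you ran keytool from; that is exactly where the imports in this thread were going.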