cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
search
  • Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0
Upvote

LDAPs (SSL) set up simple bind failed 636

PaulDurrant
New Here ,
Dec 13, 2019 Dec 13, 2019

Copy link to clipboard

Copied

Need to switch to LDAPS (LDAP over SSL) before Microsoft turn off LDAP in January 2020 - but cannot get it to work.

  • Created certificate on Cold Fusion server (checked is using ldp.exe).
  • Exported it to a Base64-encoded X.509 format xxx.cer certificate file.
  • Added it to the cacerts file using keytool, this being under the JVM listed in the Cold Fusion Admin page (and checked contents using -v option).
  • Amended the existing cfldap tag to include port="636"  and secure="CFSSL_BASIC"
  • Ran test - and it failed with :

An error has occurred while trying to execute

query :simple bind failed: xxxx.xxxx:636.  

One or more of the required attributes may be missing or incorrect or you do not have

permissions to execute this operation on the server.

 

Has anyone any ideas to fix it?

TOPICS
Connector , Security

Views

4.4K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
replies 10 Replies 10
latest latest Jump to latest reply
EddieLotter
Advocate ,
Dec 13, 2019 Dec 13, 2019

Copy link to clipboard

Copied

I have been through this several times and unfortunately I cannot provide a silver bullet solution. Sometimes it seems like black magic!

However, the first thing you must do is verify that LDAPS is working from the ColdFusion server, but external to ColdFusion.

First, use telnet to check that you can establish a connection to the LDAP server on the LDAPS port.

Once that test succeeds, use an LDAP client to test authentication and simple queries.

Only once those two tests succeed should you start troubleshooting ColdFusion.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
PaulDurrant
New Here ,
Dec 13, 2019 Dec 13, 2019

Copy link to clipboard

Copied

In Response To EddieLotter

I agree.

I've done the Telnet test, and then used ldp.exe to test the connection on the LDAP server.

So it looks like I have to continue looking into Cold Fusion.

Thanks

Paul

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
EddieLotter
Advocate ,
Dec 13, 2019 Dec 13, 2019

Copy link to clipboard

Copied

In Response To PaulDurrant

Good.

Have you used the keytool utility to verify that the certificate is present in the same cacerts keystore that the ColdFusion JVM is using?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
PaulDurrant
New Here ,
Dec 13, 2019 Dec 13, 2019

Copy link to clipboard

Copied

In Response To EddieLotter

Yes I have.

I know the Cold Fusion Admin refers to a specific JVM, but I was also going to re-check all the 7 other cacert files on the server next. 

No idea why we have 7 other sets of files, as this is only a Cold Fusion server.

Trouble is, the people who set all this up are long gone.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
EddieLotter
Advocate ,
Dec 13, 2019 Dec 13, 2019

Copy link to clipboard

Copied

In Response To PaulDurrant

Unfortunately that's all I've got.

I did, however, stumble across this information for Adobe Connect which mentions that the certificate file  should be in DER format rather than PEM format. I have no experience with this and I don't know if it is applicable to ColdFusion, but it's worth investigating.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
PaulDurrant
New Here ,
Dec 16, 2019 Dec 16, 2019

Copy link to clipboard

Copied

In Response To EddieLotter

Thanks - yes, my certificate is in the DER format.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Dave Watts Community Expert
Community Expert ,
Dec 14, 2019 Dec 14, 2019

Copy link to clipboard

Copied

What version of CF are you using? LDAPS uses TLS (aka SSL), and TLS cipher support etc changes frequently. Older versions of CF will have problems with newer versions of TLS.

 

Dave Watts, Eidolon LLC

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
PaulDurrant
New Here ,
Dec 16, 2019 Dec 16, 2019

Copy link to clipboard

Copied

In Response To Dave Watts

We are version 10 (out of support in May 2017), and have plans to upgrade next year.  

(Trouble is Microsoft is turning off unsecured LDAP before then in January - which is why I'm doing this task first). 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Dave Watts Community Expert
Community Expert ,
Dec 17, 2019 Dec 17, 2019

Copy link to clipboard

Copied

In Response To PaulDurrant

This is going to be a pretty vague answer.

 

ColdFusion 10 comes with either Java 6 or 7, I forget which. These are very old versions of Java. You may have to upgrade your JVM. Older JVMs don't support the newer TLS ciphers and so on that you might need. You may have to install updates to ColdFusion 10 before you can upgrade your JVM.

 

You may have to install a server certificate to your JVM keystore. You should be able to fetch the certificate using the openssl command line tool. I expect this would be similar to fetching a TLS certificate from a web server. If there are multiple certificates in the chain, you may have to fetch the server certificate and the intermediate certificate. You'll have to put them together in a single chain to put them in the keystore. There are plenty of tutorials etc describing how to do this for HTTPS web servers, so I won't look for an example now, but let me know if that's a problem later.

 

You may have to change the ciphers and default versions used by TLS within Java, even with a newer JVM. There are various tutorials etc out there about this, too, and I haven't looked for them either. Let me know if that's a problem later.

 

Dave Watts, Eidolon LLC

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
PaulDurrant
New Here ,
Mar 12, 2020 Mar 12, 2020

Copy link to clipboard

Copied

LATEST
In Response To Dave Watts

Thanks to everyone who supplied advice - so only seemed polite to tell you what happend.

Did not manage to get it to work - will get back to this after we've upgraded the Cold Fusion to a more recent version.

Implemented a workaround, where a SSIS job pulls the relevant data out of Active Directory and drops it into a database table.  Then got Cold Fusion to check the entries in this table.  Not perfect, but kept us going.

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation
ColdFusion User Guide
Copyright © 2023 Adobe. All rights reserved.
Using the Community Experience League Terms of Use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices