Highlighted

LDAPs (SSL) set up simple bind failed 636

New Here ,
Dec 13, 2019

Copy link to clipboard

Copied

Need to switch to LDAPS (LDAP over SSL) before Microsoft turn off LDAP in January 2020 - but cannot get it to work.

  • Created certificate on Cold Fusion server (checked is using ldp.exe).
  • Exported it to a Base64-encoded X.509 format xxx.cer certificate file.
  • Added it to the cacerts file using keytool, this being under the JVM listed in the Cold Fusion Admin page (and checked contents using -v option).
  • Amended the existing cfldap tag to include port="636"  and secure="CFSSL_BASIC"
  • Ran test - and it failed with :

An error has occurred while trying to execute

query :simple bind failed: xxxx.xxxx:636.  

One or more of the required attributes may be missing or incorrect or you do not have

permissions to execute this operation on the server.

 

Has anyone any ideas to fix it?

TOPICS
Connector, Security

Views

2.0K

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

LDAPs (SSL) set up simple bind failed 636

New Here ,
Dec 13, 2019

Copy link to clipboard

Copied

Need to switch to LDAPS (LDAP over SSL) before Microsoft turn off LDAP in January 2020 - but cannot get it to work.

  • Created certificate on Cold Fusion server (checked is using ldp.exe).
  • Exported it to a Base64-encoded X.509 format xxx.cer certificate file.
  • Added it to the cacerts file using keytool, this being under the JVM listed in the Cold Fusion Admin page (and checked contents using -v option).
  • Amended the existing cfldap tag to include port="636"  and secure="CFSSL_BASIC"
  • Ran test - and it failed with :

An error has occurred while trying to execute

query :simple bind failed: xxxx.xxxx:636.  

One or more of the required attributes may be missing or incorrect or you do not have

permissions to execute this operation on the server.

 

Has anyone any ideas to fix it?

TOPICS
Connector, Security

Views

2.0K

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Dec 13, 2019 0
Advocate ,
Dec 13, 2019

Copy link to clipboard

Copied

I have been through this several times and unfortunately I cannot provide a silver bullet solution. Sometimes it seems like black magic!

However, the first thing you must do is verify that LDAPS is working from the ColdFusion server, but external to ColdFusion.

First, use telnet to check that you can establish a connection to the LDAP server on the LDAPS port.

Once that test succeeds, use an LDAP client to test authentication and simple queries.

Only once those two tests succeed should you start troubleshooting ColdFusion.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Dec 13, 2019 0
New Here ,
Dec 13, 2019

Copy link to clipboard

Copied

I agree.

I've done the Telnet test, and then used ldp.exe to test the connection on the LDAP server.

So it looks like I have to continue looking into Cold Fusion.

Thanks

Paul

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Dec 13, 2019 0
Advocate ,
Dec 13, 2019

Copy link to clipboard

Copied

Good.

Have you used the keytool utility to verify that the certificate is present in the same cacerts keystore that the ColdFusion JVM is using?

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Dec 13, 2019 0
New Here ,
Dec 13, 2019

Copy link to clipboard

Copied

Yes I have.

I know the Cold Fusion Admin refers to a specific JVM, but I was also going to re-check all the 7 other cacert files on the server next. 

No idea why we have 7 other sets of files, as this is only a Cold Fusion server.

Trouble is, the people who set all this up are long gone.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Dec 13, 2019 0
Advocate ,
Dec 13, 2019

Copy link to clipboard

Copied

Unfortunately that's all I've got.

I did, however, stumble across this information for Adobe Connect which mentions that the certificate file  should be in DER format rather than PEM format. I have no experience with this and I don't know if it is applicable to ColdFusion, but it's worth investigating.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Dec 13, 2019 0
New Here ,
Dec 16, 2019

Copy link to clipboard

Copied

Thanks - yes, my certificate is in the DER format.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Dec 16, 2019 0
Adobe Community Professional ,
Dec 14, 2019

Copy link to clipboard

Copied

What version of CF are you using? LDAPS uses TLS (aka SSL), and TLS cipher support etc changes frequently. Older versions of CF will have problems with newer versions of TLS.

 

Dave Watts, Eidolon LLC

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Dec 14, 2019 0
New Here ,
Dec 16, 2019

Copy link to clipboard

Copied

We are version 10 (out of support in May 2017), and have plans to upgrade next year.  

(Trouble is Microsoft is turning off unsecured LDAP before then in January - which is why I'm doing this task first). 

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Dec 16, 2019 0
Adobe Community Professional ,
Dec 17, 2019

Copy link to clipboard

Copied

This is going to be a pretty vague answer.

 

ColdFusion 10 comes with either Java 6 or 7, I forget which. These are very old versions of Java. You may have to upgrade your JVM. Older JVMs don't support the newer TLS ciphers and so on that you might need. You may have to install updates to ColdFusion 10 before you can upgrade your JVM.

 

You may have to install a server certificate to your JVM keystore. You should be able to fetch the certificate using the openssl command line tool. I expect this would be similar to fetching a TLS certificate from a web server. If there are multiple certificates in the chain, you may have to fetch the server certificate and the intermediate certificate. You'll have to put them together in a single chain to put them in the keystore. There are plenty of tutorials etc describing how to do this for HTTPS web servers, so I won't look for an example now, but let me know if that's a problem later.

 

You may have to change the ciphers and default versions used by TLS within Java, even with a newer JVM. There are various tutorials etc out there about this, too, and I haven't looked for them either. Let me know if that's a problem later.

 

Dave Watts, Eidolon LLC

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Dec 17, 2019 0
New Here ,
Mar 12, 2020

Copy link to clipboard

Copied

Thanks to everyone who supplied advice - so only seemed polite to tell you what happend.

Did not manage to get it to work - will get back to this after we've upgraded the Cold Fusion to a more recent version.

Implemented a workaround, where a SSIS job pulls the relevant data out of Active Directory and drops it into a database table.  Then got Cold Fusion to check the entries in this table.  Not perfect, but kept us going.

 

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 12, 2020 0