Bind fails when testing LDAP over SSL - c06614062
Microsoft will be hardening access to Active Directory in the near future , which would require the PrinterOn solution to communicate over TLS. A failure to bind to could be due to the configuration options selected in the LDAP profile within PrinterOn Configuration Manager. When Enabling SSL, ensure the LDAP URI reflects the ldaps:// protocol with the appropriate port defined (port 636 is the default LDAPS port). In addition, the "Enable Strict SSL Validation" option should also be enabled.
There are 3 main fixes to overcome the failure to bind when using SSL, listed in order of preference.
-
Import the cert into Java’s
cacerts
keystore
-
Use the Java
keytool
or a tool like KeyStore Explorer to import the root certificate of the LDAP server. The keytool.exe is located here: C:\Program Files (x
86)\
PrinterOn
Corporation\
PrinterOn
Server Install Manager\Java\bin. The keystore will be located here: C:\Program Files (x
86)\
PrinterOn
Corporation\
PrinterOn
Server Install Manager\Java\lib\security
- eg. keytool -import - trustcacerts -keystore "C:\Program Files (x 86)\ PrinterOn Corporation\ PrinterOn Server Install Manager\Java\lib\security\ cacerts " - storepass changeit -alias activedirectory -file "C:\Users\Administrator\Desktop\ad-root.cer" Items in bold are variables
-
Use the Java
keytool
or a tool like KeyStore Explorer to import the root certificate of the LDAP server. The keytool.exe is located here: C:\Program Files (x
86)\
PrinterOn
Corporation\
PrinterOn
Server Install Manager\Java\bin. The keystore will be located here: C:\Program Files (x
86)\
PrinterOn
Corporation\
PrinterOn
Server Install Manager\Java\lib\security
-
Correct the certificate to include the subject alternative
name, or
update your configuration to ensure you're using the DNS referenced in the certificate.
- When reviewing CPS logs, if they are at Debug level or higher, this error reported: javax.net.ssl.SSLHandshakeException : java.security.cert.CertificateException : No subject alternative DNS name matching servername found. If this error is not reported, this suggested resolution can be omitted.
- For example, if you configure the service to connect to the AD IP address, but the certificate is issued to the DNS name of the AD server, update the configuration to reflect the DNS.
-
Apply the changes noted to disable endpoint identification as outlined by Java - this is not recommended by
PrinterOn
, and if using this
option
it should be cleared with Network Security
- This would need to be added to the Java tab of tomcat8w.exe found here: C:\Program Files (x 86)\ PrinterOn Corporation\Apache Tomcat\bin.
- Stop the Central Print Services Windows service before making the change, and start it again after applying changes.
-
Define this system property (or set it to true) to disable endpoint identification algorithms:
com.sun.jndi
.ldap.object.disableEndpointIdentification
.
- From the Java release notes : Change : Improve LDAP support
Endpoint identification has been enabled on LDAPS connections.
To improve the robustness of LDAPS (secure LDAP over TLS ) connections, endpoint identification algorithms have been enabled by default. Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property