Thread: Can't use LDAP over SSL against Active Directory servers


    Can't use LDAP over SSL against Active Directory servers

    Hi.
    Up until now our user connection to the AD user source was unencrypted. I wanted to change this, and once I did, the user source stopped functioning.
    When trying to edit each connection individually, I am able to retrieve the certificate, but when applying the changes, I get an error: "Ensure that the address is valid and does not contain port number." The address is indeed valid, and there is no port number. The evidence is that when I change back to a non-SSL connection, the connection is restored immediately. So, looking at the logs, I see these messages in loader-messages:
    Code:
    [TRACE] [11/21/2017 10:22:07.435] [2524] [ZENLoader] [74] [] [Loader.CasaAuthRealmConfigurator] [] [com.novell.zenworks.datamodel.exceptions.ConnectionException: blahblah.somewhere:636
    	at com.novell.zenworks.datamodel.utils.ldap.LDAPUtil.getLDAPConnectionInfo(LDAPUtil.java:853)
    	at com.novell.zenworks.datamodel.utils.ldap.LDAPUtil.getLDAPConnectionInfo(LDAPUtil.java:563)
    	at com.novell.zenworks.datamodel.utils.ldap.LDAPUtil.getLDAPConnectionInfo(LDAPUtil.java:389)
    	at com.novell.zenworks.datamodel.utils.ldap.LDAPUtil.getLDAPConnectionInfo(LDAPUtil.java:362)
    	at com.novell.zenworks.loader.modules.queue.handlers.CasaAuthRealmConfigurator.reconfigureCASA(CasaAuthRealmConfigurator.java:347)
    	at com.novell.zenworks.loader.modules.queue.handlers.CasaAuthRealmConfigurator.doWork(CasaAuthRealmConfigurator.java:151)
    	at com.novell.zenworks.loader.modules.queue.handlers.CasaAuthRealmConfigurator.initialize(CasaAuthRealmConfigurator.java:86)
    	at com.novell.zenworks.loader.ZENModuleThread.run(ZENModuleThread.java:69)
    ] [] [] [] [ZENServer]
    And...
    Code:
    [TRACE] [11/21/2017 10:10:17.861] [2680] [ZENLoader] [74] [] [Loader.CasaAuthRealmConfigurator] [com.novell.zenworks.datamodel.exceptions.UntrustedCertificateException: javax.naming.CommunicationException: blabla.somewhere:636 ((Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No trusted certificate found()
    	at com.novell.zenworks.datamodel.utils.ldap.LDAPUtil.handleAuthenticationException(LDAPUtil.java:1379)
    	at com.novell.zenworks.datamodel.utils.ldap.LDAPUtil.getLDAPConnectionInfo(LDAPUtil.java:806)
    	at com.novell.zenworks.datamodel.utils.ldap.LDAPUtil.getLDAPConnectionInfo(LDAPUtil.java:563)
    	at com.novell.zenworks.datamodel.utils.ldap.LDAPUtil.getLDAPConnectionInfo(LDAPUtil.java:389)
    	at com.novell.zenworks.datamodel.utils.ldap.LDAPUtil.getLDAPConnectionInfo(LDAPUtil.java:362)
    	at com.novell.zenworks.loader.modules.queue.handlers.CasaAuthRealmConfigurator.reconfigureCASA(CasaAuthRealmConfigurator.java:347)
    	at com.novell.zenworks.loader.modules.queue.handlers.CasaAuthRealmConfigurator.doWork(CasaAuthRealmConfigurator.java:151)
    	at com.novell.zenworks.loader.modules.queue.handlers.CasaAuthRealmConfigurator.initialize(CasaAuthRealmConfigurator.java:86)
    	at com.novell.zenworks.loader.ZENModuleThread.run(ZENModuleThread.java:69)
    The thing is, if I change the address of the server from the DNS hostname to the IP, the connection completes successfully, thus the claim that the certificate is "not trusted" is refuted, as the certificate hasn't changed. Also, the CA (internal MS CA) is in the trusted CAs list on the ZENworks server, and the server itself is domain-joined (Windows 2012 R2 server). That said, I do not wish to work with IP-based settings.
    What I have also noticed is that the subject field of the Domain Controller certificate is empty (as is by design according to X.509 RFC 3280), but in ZCC the "Issued To:" field also seems empty, even though the same field in the certificate itself is indeed populated with the correct value. I'm guessing a possible solution is to reissue the certificates with the subject name set, but this will require rolling restarts for all my DCs, and I can't predict the effect of changing a certificate on other systems relying on AD.
    I've tried looking for this issue and was very surprised not to find anything. Has anyone encountered this issue?
    Last edited by yaronw1; 21-Nov-2017 at 09:58 AM.
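
The post's symptoms mix two separate TLS checks: whether the DC certificate chains to a trusted CA, and whether the configured address (DNS name or IP) is covered by the certificate's identity. The diagnostic below is an added example, not code from the thread or from ZENworks: it fetches the DC certificate from port 636 with chain verification against a CA bundle and then reports whether the configured name would satisfy a hostname-verifying client, using the SAN first and the Subject CN only when no SAN exists (RFC 6125 behaviour). The host name, IP and CA file path are placeholders, and the embedded certificate dict is constructed to mirror a DC certificate with an empty Subject.

```python
import ipaddress
import socket
import ssl

# Constructed sample in the shape ssl.getpeercert() returns (not a real cert): an
# AD domain controller certificate with an empty Subject and the name only in the SAN.
SAMPLE_DC_CERT = {
    "subject": (),
    "subjectAltName": (("DNS", "dc01.corp.example"), ("IP Address", "10.0.0.5")),
}

def subject_cn(cert):
    """Subject CN, or None when the Subject is empty (common on DC certificates)."""
    return next((v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"), None)

def dns_match(pattern, hostname):
    """RFC 6125 matching: a wildcard may only replace the whole left-most label."""
    p, h = pattern.split("."), hostname.split(".")
    return len(p) == len(h) and (p[1:] == h[1:] if p[0] == "*" else p == h)

def name_matches(cert, configured):
    """Would a hostname-verifying client accept cert for the configured address?"""
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    try:
        ipaddress.ip_address(configured)
    except ValueError:  # a DNS name: SAN dNSName first, Subject CN only as fallback
        name = configured.lower().rstrip(".")
        for pat in dns:
            if dns_match(pat, name):
                return True, "matched SAN dNSName %s" % pat
        cn = subject_cn(cert)
        if not dns and cn and dns_match(cn, name):
            return True, "matched Subject CN (no SAN present)"
        return False, "no SAN dNSName matches %s (SAN has %s)" % (name, dns)
    if configured in ips:  # an IP literal must appear as a SAN iPAddress entry
        return True, "matched SAN iPAddress"
    return False, "IP %s not in SAN iPAddress entries %s" % (configured, ips)

def fetch_cert(host, port=636, cafile=None):
    """Fetch the DC certificate over a chain-verified handshake on the LDAPS port;
    cafile is a PEM bundle with the internal CA (None: system trust store)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the chain is still verified; names are reported by us
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

If fetch_cert raises SSLCertVerificationError, the chain itself is not trusted by the store you passed; if it returns a certificate but name_matches reports False for the configured hostname, the failure is a name mismatch rather than a trust problem.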
