IMC
cancel
Showing results for 
Search instead for 
Did you mean: 

Re: LDAPs fails

 
Regular Advisor

[SOLVED] LDAPs fails

javax.naming.CommunicationException: simple bind failed: SP-P-DC04.brookgreen.spgs.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: No trusted certificate found]

I have RootCA (MS ADCA) in every keystore on the IMC server that I think could be used.

Certificate is based on:

Template=LDAPoverSSL(1.3.6.1.4.1.311.21.8.16574533.5077679.4147093.4566469.16611918.39.9795857.15890548)
Major Version Number=100
Minor Version Number=3

It drives me nuts

ldaps imc.PNG

 

4 REPLIES 4
Regular Advisor

Re: LDAPs fails

Anybody any ideas?

Esteemed Contributor

Re: LDAPs fails

i tried to make it work as well. i had my DC certsrv issue a client cert to the user logging into LDAP/DC and uploaded that to imc. I figured it wanted a client cert that the DC would recognixe and It all looks ok. WIreshark shows it fails.

So I went back to the docs. They have an example but not for secure LDAp over SSL, so no help there as to how to set up the cert. 

Looks like its broken unless someone else has made it work.

Regular Advisor

Re: LDAPs fails

Well, my AD server definitely works with LDAPs (LDAP over SSL) as tested with ldp.exe

Certificate was issued by MS ADCA as per this or even better this

Just to make sure I did follow the bit in above writeup - Exporting the LDAPS Certificate and Importing for use with AD DS

And once imported to NTDS\Personal IMC was OK to use provided certificate & do LDAPs connection!

Esteemed Contributor

Re: LDAPs fails

Thanks!

Those links were helpful. My main misunderstanding was regarding the uploaded certificate in the IMC config.

I assumed it was supposed to be a client cert issued to the IMC server, NOT the cert created  using  the LDAP over SSL template and issued to the DC

Now it works

EDIT: downside, I'm running active and standby. The standby gets its configuration for this through the nightly backup as there is no option to configure much on the standby server. The regular LDAP config gets synced, but the LDAP over SSL does not get correctly configured. So make sure you have a local admin account configured as no authentication sever will be available.