Troubleshooting LDAP server SSL certificate-related issues

Use this information to troubleshoot possible Lightweight Directory Access Protocol (LDAP) server SSL certificate-related issues.

About this task

The new Java™ SDK security patches harden LDAPS (secure LDAP over TLS) connections by enabling the endpoint identification algorithms, which verify that the server certificate matches the host that was connected to. If the LDAP server certificate is not configured correctly, the LDAP connection fails with errors.

Procedure

  1. Ensure that the LDAP server connection is correct.
    To verify, click System > Security (or click Security and access > System Security in 2.3.3.3 or later).
  2. Populate the details in LDAP Settings.
    To verify them, use Test LDAP Authentication Settings.
    An error such as the following can be caused by an invalid certificate:
      CWZIP4684E Unable to retrieve groups for user.
      The following error occurred: javax.naming.CommunicationException : simple bind failed
  3. Run this command to check the certificate that the LDAP server presents:
      openssl s_client -CApath <directory of CA certificates in PEM format> -host <hostname> -port <port>
    If the certificate is valid, the output contains the following line:
      Verify return code: 0 (ok)
    Because you can add the LDAP server certificate to a truststore from the configuration pane, you can ignore signer verification errors such as:
      Verify return code: 21 (unable to verify the first certificate)
    The most common certificate problems are found by the following two checks:
    a. The certificate has not expired.
      To verify, download your LDAP certificate and run this command:
        cat <certificateFileName> | openssl x509 -dates -noout
      Check the notBefore and notAfter values in the output, and ensure that the current date lies within that range.
      Note: You must renew the certificate before the notAfter date.
    b. The common name (CN) in the certificate matches the host name that is used in the ldaps configuration.
      To verify, download the LDAP certificate and run this command:
        cat <certificateFileName> | openssl x509 -subject -noout
      In the output, ensure that the value that is displayed for CN= matches the host name. Endpoint identification checks Subject Alternative Names before the CN: if the certificate contains DNS entries in Subject Alternative Names, the host name must match one of those entries, and the CN is not consulted.
      Note: If you want to use the IP address instead of the host name to connect to the LDAP server, ensure that your certificate contains the IP address in Subject Alternative Names.
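The following script, added here as an example and not part of the IBM procedure, automates checks a and b for a downloaded PEM certificate with openssl only: it flags an expired (or soon-expiring) certificate and then applies the name-matching rule that endpoint identification uses (DNS host names against Subject Alternative Names first, CN only when no DNS SAN exists; IP addresses only against IP SANs). The make_demo_cert function creates a constructed self-signed certificate so the script runs offline; it assumes openssl 1.1.1 or later.

```shell
# Added example (not from the IBM page): scripts the page's validity-period and
# name-match checks for a PEM LDAP server certificate, using the endpoint
# identification rule: DNS host name -> SAN first, CN only without DNS SANs;
# IPv4 address -> IP SAN only. Requires openssl 1.1.1 or later.

name_matches() {  # name_matches <host> <pattern>: exact, or one leftmost wildcard label
  case "$2" in
    "$1") return 0 ;;
    \*.*) [ "${1#*.}" = "${2#\*.}" ] ;;
    *)    return 1 ;;
  esac
}

check_ldap_cert() {  # check_ldap_cert <cert.pem> <host name or IPv4 used in the ldaps config>
  cert=$1; host=$2
  # -checkend N fails when the certificate is expired or expires within N seconds
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
    { echo "FAIL: expired ($(openssl x509 -in "$cert" -noout -enddate))"; return 1; }
  openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null ||
    echo "WARN: certificate expires within 30 days; renew it before notAfter"
  san=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
        grep -oE '(DNS|IP Address):[^, ]+' || true)
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
       sed -n 's/.*CN=\([^,]*\).*/\1/p')
  case $host in
    *[!0-9.]*) dns=$(printf '%s\n' "$san" | sed -n 's/^DNS://p')
               candidates=${dns:-$cn} ;;                        # DNS name: SAN, else CN
    *)         candidates=$(printf '%s\n' "$san" | sed -n 's/^IP Address://p') ;;
  esac
  set -f  # keep a wildcard such as *.example.com literal inside the loop
  for c in $candidates; do
    if name_matches "$host" "$c"; then
      set +f; echo "OK: $host matches certificate name $c"; return 0
    fi
  done
  set +f; echo "FAIL: $host not in SAN [$(printf '%s' "$san" | tr '\n' ' ')] or CN [$cn]"
  return 1
}

make_demo_cert() {  # make_demo_cert <dir>: constructed self-signed certificate for the demo
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$1/ldap.key" \
    -out "$1/ldap.pem" -subj "/CN=ldap.example.com" \
    -addext "subjectAltName=DNS:ldap.example.com,DNS:*.corp.example,IP:192.0.2.10" 2>/dev/null
}

# Demo run (offline): ldap.example.com matches the DNS SAN; ldap.other.example does not.
demo=$(mktemp -d) && make_demo_cert "$demo"
check_ldap_cert "$demo/ldap.pem" ldap.example.com
check_ldap_cert "$demo/ldap.pem" ldap.other.example || true
rm -rf "$demo"
```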