
LDAPS connection is failing with simple bind failed error


Article ID: 175296


Products

ICDx

Issue/Introduction

LDAPS is configured, but AD credentials cannot be used to log in to Integrated Cyber Defense Exchange (ICDx).

Failed startup connection to LDAP server [ldaps://test.domain.com:636] using Bind User [TEST\Administrator] err=[simple bind failed: test.domain.com:636]

Cause

The LDAPS server's certificate needs to be installed in the ICDx Java keystore. As of version 1.3, this must be done manually via shell commands.

Resolution

Extracting public key from Windows AD server

There are two approaches:

  1. Export the public key cert using the Certificate Export Wizard provided by Windows.
  2. Run the openssl s_client -connect command on the CLI and copy the certificate in PEM format from the console output.

Windows Certificate Export Wizard (Windows Server)

  1. Open the Microsoft Management Console (MMC) by using Win+R to open the run box, then type "mmc" and press Enter or click OK.
  2. In the File menu, choose "Add / Remove Snap In".
  3. Double-click Certificates in the left box.
  4. Select Computer Account and click Next.
  5. Select Local Computer and click Finish.
  6. Click OK to exit the prompt window.
  7. Expand the tree: Certificates > Personal > Certificates in the MMC.
  8. Locate and click to select the certificate for the correct domain.
  9. Right-click and select All tasks > Export.
  10. Press Next.
  11. Select "No, do not export the private key".
  12. Choose Base-64 encoded X.509 (.CER) for the certificate file format and click Next.
  13. Enter the filename and location to save the extracted file.
  14. Click Next, then Finish.

OpenSSL s_client command (Linux/UNIX or Windows [must download OpenSSL for Windows, available online])

  • Test the SSL connection to the AD server on port 636 with the following command:

openssl s_client -connect <IP ADDRESS or SERVER NAME>:636 -showcerts

This test will fail certificate verification (the issuer is not yet trusted), but will display the following output:

CONNECTED(00000003)
depth=0 CN = test.domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = test.domain.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=test.domain.com
   i:/DC=com/DC=domain/DC=test/CN=test
-----BEGIN CERTIFICATE-----
    SOME HASH VALUE
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=test.domain.com
issuer=/DC=com/DC=domain/DC=test/CN=test
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Peer signing digest: SHA1
Server Temp Key: X25519, 253 bits
---
...
  • Copy the text from -----BEGIN CERTIFICATE-----  until  -----END CERTIFICATE-----, and paste it into a file called certificate.pem. If there are multiple BEGIN and END certificates, copy and paste all of them into certificate.pem.
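
The s_client step above without hand-copying, as an added shell example that is not part of the original article: it pulls every certificate block out of the -showcerts output into certificate.pem and prints the server certificate's fingerprint so it can be compared before import. The function names and the script name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article.

# Read saved `openssl s_client -showcerts` output on stdin, write every
# certificate block to the file named in $1, and print how many were found.
# Returns non-zero if no block is present or one is cut off (BEGIN without
# END), which is what a partial copy-and-paste produces.
extract_pem_chain() {
    out=$1
    : > "$out"
    awk -v out="$out" '
        { sub(/\r$/, "") }   # tolerate CRLF line endings (OpenSSL on Windows)
        /^-----BEGIN CERTIFICATE-----$/ { if (inside) bad = 1; inside = 1; n++ }
        inside { print > out }
        /^-----END CERTIFICATE-----$/ { inside = 0 }
        END { print n + 0; if (bad || inside || n == 0) exit 1 }
    '
}

# Print subject, issuer, validity dates and SHA-256 fingerprint of the first
# (server) certificate in $1. The s_client session above was not verified, so
# compare this fingerprint with one computed from the certificate on the AD
# server itself before importing the file into a trust store.
describe_leaf() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Run as a script with a server name, e.g.: sh fetch_ldaps_cert.sh test.domain.com
# (the script name is arbitrary)
if [ -n "${1:-}" ]; then
    openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null |
        extract_pem_chain certificate.pem >/dev/null &&
        describe_leaf certificate.pem
fi
```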

Importing the cert into the Java keystore

Ubuntu

  1. Copy the certificate.pem file to /etc/ssl/certs
  2. sudo update-ca-certificates --fresh
  3. sudo keytool -importcert -alias MY_ALIAS -trustcacerts -file /etc/ssl/certs/certificate.pem -keystore /etc/ssl/certs/java/cacerts

RedHat Linux 7

  1. sudo update-ca-trust enable
  2. sudo cp certificate.cer /etc/pki/ca-trust/source/anchors/
  3. sudo update-ca-trust extract

Verification

Check the System Archive logs for any errors like the one below:

Failed startup connection to LDAP server [ldaps://test.domain.com:636] using Bind User [TEST\Administrator] err=[simple bind failed: test.domain.com:636]

ERRATA

If the Java keystore needs the certificate to be in PEM format for import, you will need to convert the certificate from the DER format to PEM using this command:

openssl x509 -inform der -in certificate.cer -out certificate.pem