"Not Connected" when LDAP connections to generic LDAP are made over SSL
Article ID: 325603

Products

VMware Cloud Director

Issue/Introduction

Symptoms:
  • A generic FQDN that resolves to multiple domain controllers is specified in the LDAP configuration.
  • Multiple domain controllers resolve to the generic name.
  • Simple mode is selected for the configuration.
  • Configuration with a single domain controller is successful.
  • Using both SSL and Accept all certificates for the generic FQDN fails.
  • From /opt/vmware/vcloud-director/logs/vcloud-container-debug.log:
2020-04-30 15:46:27,062 | ERROR  | pool-jetty-5916143    | LdapProviderImpl        | Error logging into LDAP. | requestId=<REQUEST_ID>,request=POST https://vcloud.example.com/cloud/amfsecure,requestTime=1234567890123,remoteAddress=<IP>:57372,userAgent=Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTM...,accept=*/* method=orgService.testLdapConnection
javax.naming.CommunicationException: simple bind failed: example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching example.com found]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2791)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:151)


Environment

VMware Cloud Director for Service Provider 9.x

Cause

This issue occurs when the certificates on the multiple domain controllers do not include the generic name in their Subject Alternative Name (SAN) section. The client validates the presented certificate against the name it dialled (the generic FQDN), so a certificate that only carries the controller's own host name fails host name verification.

Resolution

To resolve the issue, verify the certificates from the domain controllers to see if the generic name is included in their certificates.
For example: if you have dc1.example.com and dc2.example.com and you want to connect with the example.com FQDN, then both servers need to have example.com in their certificate SAN field.
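One way to check this per domain controller before touching the Cloud Director configuration, as an added example that is not part of the KB article: the script below dials every address the generic FQDN resolves to and reports whether each presented certificate's SAN covers that FQDN. It assumes only the Python standard library, a simplified RFC 6125 name matcher written here, and two constructed certificate dicts in ssl.getpeercert() format that stand in for dc1 before and after the fix.

```python
"""Verify that every domain controller behind a generic LDAPS FQDN presents a
certificate whose SAN covers that FQDN (the check behind "No name matching ... found")."""
import socket
import ssl


def san_dns_names(cert):
    """DNS entries from a certificate dict in ssl.getpeercert() format."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """Simplified RFC 6125 match: exact, or one leftmost wildcard label (*.example.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return False


def cert_covers(cert, hostname):
    """True if some SAN DNS entry matches the name the client dialled."""
    return any(name_matches(p, hostname) for p in san_dns_names(cert))


def check_generic_fqdn(fqdn, port=636, cafile=None, timeout=5):
    """Dial each address behind fqdn; return {ip: (covers_fqdn, san_dns_names)}.

    Chain validation stays on (pass the DC CA bundle as cafile); only host name
    checking is turned off so a SAN mismatch does not abort the handshake
    before the certificate can be inspected and reported.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    results = {}
    for *_, sockaddr in socket.getaddrinfo(fqdn, port, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        if ip in results:  # getaddrinfo may list the same address more than once
            continue
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:  # SNI = generic name
                cert = tls.getpeercert()
        results[ip] = (cert_covers(cert, fqdn), san_dns_names(cert))
    return results


# Constructed certificates (getpeercert() format) illustrating dc1 before and after the fix.
DC1_WITHOUT_GENERIC = {"subjectAltName": (("DNS", "dc1.example.com"),)}
DC1_WITH_GENERIC = {"subjectAltName": (("DNS", "dc1.example.com"), ("DNS", "example.com"))}
```

Run check_generic_fqdn("example.com", cafile="/path/to/dc-ca.pem") against the real environment; any address reported as False is a controller whose certificate must be reissued with the generic name in its SAN.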