I am having issues using LDAPS with Microsoft Active Directory. My configuration works using LDAP, but when I switch to LDAPS I get the following error:
Test basic connection : Succeeded
Test retrieve user : Failed
org.springframework.ldap.PartialResultException:
nested exception is javax.naming.PartialResultException
[Root exception is javax.naming.CommunicationException: ForestDnsZones.ad.uc.edu:636
[Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
No subject alternative DNS name matching ForestDnsZones.ad.uc.edu found.]]
This is with the "Follow Referrals" option enabled. If I disable that option for LDAPS, the connection times out. LDAP connections work with "Follow Referrals" disabled.
The AD is set up in a forest with ad.uc.edu as the forest root. I am accessing one of the 6 domain controllers directly at ucdceiw2.ad.uc.edu, and the connection works with "Follow Referrals" disabled on LDAP connections.
My read timeout is 120 seconds
My search timeout is 120 seconds
My connection timeout is 30 seconds
My IT department will be shutting off LDAP access soon and forcing LDAPS so it is important to resolve this soon.
Are you using self-signed certs for your LDAPS implementation? If so, you need to import the signing certs into your cacerts file in your installation.
I followed the command line instructions on that link, downloaded the server's public SSL certificate, and added it to my trusted keystore, but I get the same issues when trying to use a secure connection.
I did have to change the port on the openssl command from 443 to 636 to get the certificate, but other than that I followed the instructions exactly to import the cert.
Any additional help would be greatly appreciated.
Hmm. Assuming you bounced Jira after adding the certs?
You can test that your certificate setup is correct with the sslpoke.class program.
(Make sure you are using the same JAVA_HOME that Jira is using.)
Since you are seeing differences with follow referrals, you may want to check and see where you are being referred to, and make sure you have the right certs for that location as well.
Your AD administrator should be able to provide you with the signing certs that AD uses, so that you can just import all of them at one shot. (There are usually a few: a root one and an issuing one.)
Also came across this article
Does your Jira server connect to one of the domain controllers for DNS?
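The "check where you are being referred to, and make sure you have the right certs for that location" step in the reply above, as an added example that is not part of the original thread or of Atlassian's or Java's code. Java's default hostname verifier failed because the referral target (ForestDnsZones.ad.uc.edu) is not among the DNS Subject Alternative Names of the certificate the referred-to server presented. The script below reproduces that check: it pulls the certificate from a given host and port, lists its DNS SANs, and matches the referral host against them with the RFC 6125 rules (case-insensitive, a wildcard only as the whole left-most label). Assumptions: the SAN values in DC_CERT are constructed for illustration (the real certificate contents are not in the thread), the helper names fetch_server_cert, diagnose, dns_name_matches and hostname_covered are mine, and the decision to reject partial wildcards such as f*.example.com is a conservative choice, not a statement about how Java's verifier treats them.

```python
"""Check whether an LDAPS referral target is covered by the DNS SANs of a
server certificate, mirroring the hostname check behind
"No subject alternative DNS name matching <host> found".

Added example, not code from the thread or from Atlassian/Java.
"""
import socket
import ssl
import sys

# Constructed stand-in for a domain controller certificate (assumption: the
# real DC cert names only the DC itself and the forest root).
DC_CERT = {
    "subjectAltName": (("DNS", "ucdceiw2.ad.uc.edu"), ("DNS", "ad.uc.edu")),
}


def san_dns_names(cert):
    """DNS entries of a certificate dict as returned by SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def dns_name_matches(hostname, pattern):
    """RFC 6125 style DNS-ID match: case-insensitive label comparison; a
    wildcard is honoured only when it is the entire left-most label, it
    matches exactly one label, and it needs at least two more labels after
    it (so *.com never matches). Partial wildcards are rejected (conservative
    choice made for this example)."""
    host_labels = hostname.rstrip(".").lower().split(".")
    pat_labels = pattern.rstrip(".").lower().split(".")
    if len(host_labels) != len(pat_labels) or not host_labels[0]:
        return False
    if pat_labels[0] == "*":
        return len(pat_labels) >= 3 and host_labels[1:] == pat_labels[1:]
    if "*" in pattern:
        return False
    return host_labels == pat_labels


def hostname_covered(hostname, dns_names):
    """True if any SAN DNS name in dns_names covers hostname."""
    return any(dns_name_matches(hostname, p) for p in dns_names)


def diagnose(referral_host, cert):
    """Human-readable verdict for one referral target against one certificate."""
    names = san_dns_names(cert)
    if hostname_covered(referral_host, names):
        return "ok: %s is covered by SAN %s" % (referral_host, names)
    return ("mismatch: no subject alternative DNS name matching %s found; "
            "SANs present: %s" % (referral_host, names))


def fetch_server_cert(host, port=636, cafile=None, timeout=10):
    """Open a TLS connection and return the peer certificate as a dict.
    Hostname checking is disabled on purpose so the certificate can be
    inspected even when its SANs do not cover `host`; chain validation is
    still enforced, so an untrusted issuer raises SSLCertVerificationError,
    which is the separate "cacerts" problem rather than the SAN problem."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Usage: python san_check.py <referral-host> [port] [ca-bundle.pem]
    if len(sys.argv) >= 2:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
        cafile = sys.argv[3] if len(sys.argv) > 3 else None
        try:
            print(diagnose(host, fetch_server_cert(host, port, cafile)))
        except ssl.SSLCertVerificationError as err:
            print("chain not trusted (cacerts problem, not a SAN problem):", err)
    else:
        # Offline run against the constructed certificate.
        print(diagnose("ForestDnsZones.ad.uc.edu", DC_CERT))
        print(diagnose("ad.uc.edu", DC_CERT))
```

Run it against each host that shows up in a referral (the DNS zone partitions such as ForestDnsZones.ad.uc.edu as well as the domain controllers themselves) with the CA bundle your AD administrator supplied. A "mismatch" verdict means importing more CA certificates will not help: the server behind that name must present a certificate whose SANs include the name the client is told to follow, or the client must be pointed at a name the certificate already covers.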
I have bounced my JIRA server with no change. I also ran the SSLPoke tool and it successfully connected to my domain controller on port 636, and I verified the JAVA_HOME I am using is the one JIRA is using.
Before posting I did contact my IT department for the root, issuing, and signing certificates for the AD and loaded those into my keystore so I should have all of the AD servers registered in my trust file.
I just checked and the DNS that my server is connected to is not one of the AD nodes, but it is an internal DNS run by UC.
The issue I am seeing with the follow referrals option is only when SSL is enabled.
- With SSL disabled, I can leave follow referrals off.
- With SSL enabled, the Test User Retrieve times out with follow referrals disabled.
The Java error I have in my original post happens with SSL and follow referrals enabled on the Test User Retrieve step.
All of the settings I have tried result in a successful Test Basic Connection step
With the article you posted, my domain does not have any cross-domain memberships. All users reside on the same directory domain and the tree nodes are just for load balancing (45,000+ active users in the system with many different apps using the directory).
Odd. Two last things to try:
1: Connect to the global catalog instead of a specific LDAP server https://confluence.atlassian.com/confkb/how-do-i-search-from-active-directory-s-global-catalog-785453286.html
2: Use basic LDAP tools (ldapsearch, etc.) to confirm that you can do lookups in general from the server over SSL.
Out of curiosity, what platform is your Jira server running on (Linux, Windows, etc.)?
Also, did you sslpoke ForestDnsZones.ad.uc.edu since that is what is specifically reporting the error?
This is a SUSE Enterprise 12 Linux system running my JIRA software.
After some more testing, it appears the issue is with the test page, not the connection.
If I use ad.uc.edu as the URL with SSL enabled and follow referrals disabled, the connection can synchronize successfully, but when I try to test the connection through the test page the server times out.
My server is now syncing via LDAPS; it's just annoying that the test page doesn't work.