cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6276
Views
5
Helpful
9
Replies

SSL LDAP Authentication

williamsmj7
Level 1
Level 1

Hi All,

I'm trying to use LDAP Authentication via SSL (Internal Policy dictates this).

I can successfully do an unencrypted authentication which is allowed just for testing but as soon as I enable SSL this stops working. It appears in the trace that CUCM isn't correctly formatting the DN that it is trying to bind with once SSL is enabled.

I have included the two traces below it looks like CUCM is missing the convertToBindDN section when SSL i enabled. I've running CUCM Version 8.6.1.20000-1. I've looked through the bug toolkit and found no bugs relating to this. I'm going to try and follow this up with Cisco but thought I'd see if anyone else has successfully used SSL LDAP Authentication with CUCM 8.6?

With SSL disabled :-

2011-09-28 14:51:06,924 DEBUG [http-8443-2] impl.AuthenticationLDAP - isLDAPURL: url=ldap://LDAPSRV:389/cn=MYUSER,ou=XXXX,ou=XXXX,ou=XXXX,o=XXXX

2011-09-28 14:51:06,925 DEBUG [http-8443-2] impl.AuthenticationLDAP - isLDAPURL: url contains ldap://. Returning true.

2011-09-28 14:51:06,925 DEBUG [http-8443-2] impl.AuthenticationLDAP - searchUserDn: dn is LDAPURL=ldap://LDAPSRV:389/cn=MYUSER,ou=XXXX,ou=XXXX,ou=XXXX,o=XXXX

2011-09-28 14:51:06,925 DEBUG [http-8443-2] impl.AuthenticationLDAP - convertToBindDN: ldapURL=ldap://LDAPSRV:389/cn=MYUSER,ou=XXXX,ou=XXXX,ou=XXXX,o=XXXX

2011-09-28 14:51:06,925 DEBUG [http-8443-2] impl.AuthenticationLDAP - convertToBindDN: Returning dn=cn=MYUSER,ou=XXXX,ou=XXXX,ou=XXXX,o=XXXX

2011-09-28 14:51:06,925 DEBUG [http-8443-2] impl.AuthenticationLDAP - searchUserDn: dn after convertToBindDN=cn=MYUSER,ou=XXXX,ou=XXXX,ou=XXXX,o=XXXX

2011-09-28 14:51:06,926 DEBUG [http-8443-2] impl.AuthenticationLDAP - searchUserDn: returning dn=cn=MYUSER,ou=XXXX,ou=XXXX,ou=XXXX,o=XXXX for user MYUSER

2011-09-28 14:51:06,926 DEBUG [http-8443-2] impl.AuthenticationLDAP - authenticateUserWithPassword: calling auth as dn search is successful for user MYUSER and the dn is cn=MYUSER,ou=XXXX,ou=XXXX,ou=XXXX,o=XXXX

2011-09-28 14:51:06,926 DEBUG [http-8443-2] impl.AuthenticationLDAP - auth: dn=cn=MYUSER,ou=XXXX,ou=XXXX,ou=XXXX,o=XXXX

With SSL Enabled :-

2011-09-29 09:46:26,410 DEBUG [http-8443-1] impl.AuthenticationLDAP - isLDAPURL: url=ldaps://LDAPSRV:636/cn=MYUSER,ou=XXXX,ou=XXXX,ou=XXXX,o=XXXX

2011-09-29 09:46:26,410 DEBUG [http-8443-1] impl.AuthenticationLDAP - isLDAPURL: url doesn't contains ldap://. Returning false.

2011-09-29 09:46:26,410 DEBUG [http-8443-1] impl.AuthenticationLDAP - searchUserDn: returning dn=ldaps://LDAPSRV:636/cn=MYUSER,ou=XXXX,ou=XXXX,ou=XXXX,o=XXXX for user MYUSER

2011-09-29 09:46:26,410 DEBUG [http-8443-1] impl.AuthenticationLDAP - authenticateUserWithPassword: calling auth as dn search is successful for user MYUSER and the dn is ldaps://LDAPSRV:636/cn=MYUSER,ou=XXXX,ou=XXXX,ou=XXXX,o=XXXX

2011-09-29 09:46:26,411 DEBUG [http-8443-1] impl.AuthenticationLDAP - auth: dn=ldaps://LDAPSRV:636/cn=MYUSER,ou=XXXX,ou=XXXX,ou=XXXX,o=XXXX

Thanks of listening!

Mike

9 Replies 9

michael-luo
Level 1
Level 1

Are you using IP address or DNS name of the LDAP?  Keep in mind that SSL requires the name matches with the CN in certificate.

Michael

http://htluo.blogspot.com

Hi Michael,

I'm using a dns name that is in the subject alternative name. CUCM is binding to the LDAP server via SSL to look up my full DN from my username.

Thanks,

Mike

It'll be helpful if we can get the logs that cover the service startup (restart DirSync service).

Or even better, get the packet capture from CUCM command line.

utils network capture file mycap count 100000 size all host all 192.168.1.100

Substitute 192.168.1.100 with the LDAP's IP address.  Press Ctrl-C to stop capture.  Use RTMT to get the "packet capture log".

Michael

Hi Michael,

I can do this but will the packet capture be of any use if its encoded via SSL? I forgot to add as the DN that CUCM is trying to bind with I get this error in the log when the user trys to authenticate. The directory synchronization works correctly its the authentication that doesn't work :-

javax.naming.InvalidNameException: [LDAP: error code 34 - Invalid DN Syntax]

    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2982)

    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)

    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)

    at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:293)

    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)

    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)

    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)

    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)

    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)

    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)

    at javax.naming.InitialContext.init(InitialContext.java:223)

    at javax.naming.InitialContext.(InitialContext.java:197)

    at javax.naming.directory.InitialDirContext.(InitialDirContext.java:82)

    at com.cisco.security.ims.impl.AuthenticationLDAP.authenticate(AuthenticationLDAP.java:419)

    at com.cisco.security.ims.impl.AuthenticationLDAP.authenticateUserWithPassword(AuthenticationLDAP.java:243)

    at com.cisco.security.ims.impl.AuthenticationDB.authenticateUser(AuthenticationDB.java:163)

    at com.cisco.security.ims.authentication.AuthenticationImpl.loginUtil(AuthenticationImpl.java:274)

    at com.cisco.security.ims.authentication.AuthenticationImpl.login(AuthenticationImpl.java:202)

    at com.cisco.platform.realm.Realm.login(Realm.java:178)

    at com.cisco.platform.realm.Realm.authenticate(Realm.java:113)

    at com.cisco.platform.valve.FormRequestHandler.authenticate(FormRequestHandler.java:160)

    at com.cisco.platform.valve.AuthenticationValve.authenticate(AuthenticationValve.java:164)

    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:454)

    at com.cisco.ccm.admin.servlets.SessionValve.invoke(SessionValve.java:44)

    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:555)

    at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:421)

    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)

    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)

    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)

    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)

    at java.lang.Thread.run(Thread.java:662)

Thanks,

Mike

Looking at "Invalid DN Syntax", it seems that somebody fat fingered the DN on CUCM.  A full cover the authentication process would help.

2011-09-29 09:46:26,274 DEBUG [http-8443-1] authentication.AuthenticationImpl - GiveAuthLDAPPersistent: Going to find Directory context

2011-09-29 09:46:26,282 DEBUG [http-8443-1] impl.AuthenticationLDAP - Constructor:

2011-09-29 09:46:26,282 DEBUG [http-8443-1] impl.AuthenticationLDAP - Constructor: getting LDAPConfiguration object.

2011-09-29 09:46:26,282 DEBUG [http-8443-1] impl.LDAPConfiguration - getLDAPObject:

2011-09-29 09:46:26,282 DEBUG [http-8443-1] impl.LDAPConfiguration - returning singleton object = com.cisco.security.ims.impl.LDAPConfiguration@1520293

2011-09-29 09:46:26,283 DEBUG [http-8443-1] impl.AuthenticationLDAP - Constructor: got LDAPConfiguration object.

2011-09-29 09:46:26,283 DEBUG [http-8443-1] impl.AuthenticationLDAP - Constructor: Index of this object is 0

2011-09-29 09:46:26,283 DEBUG [http-8443-1] impl.AuthenticationLDAP - makeConnection:

2011-09-29 09:46:26,283 DEBUG [http-8443-1] impl.AuthenticationLDAP - makeConnection: NumOfURLs=1

2011-09-29 09:46:26,283 DEBUG [http-8443-1] impl.AuthenticationLDAP - makeConnection: timeout(msec)=5000

2011-09-29 09:46:26,284 DEBUG [http-8443-1] impl.AuthenticationLDAP - Previous trust store : /usr/local/platform/.security/tomcat/trust-certs/tomcat-trust.keystore

2011-09-29 09:46:26,295 DEBUG [http-8443-1] impl.AuthenticationLDAP - Using trust store : /usr/local/platform/.security/tomcat/trust-certs/tomcat-trust.keystore

2011-09-29 09:46:26,295 DEBUG [http-8443-1] impl.AuthenticationLDAP - makeConnection: ldapURL[0]=ldaps://ldap.cf.ac.uk:636

2011-09-29 09:46:26,296 DEBUG [http-8443-1] impl.AuthenticationLDAP - makeConnection: Creating InitialDirContext

2011-09-29 09:46:26,380 DEBUG [http-8443-1] impl.AuthenticationLDAP - makeConnection: Creating InitialDirContext Success. Returning true.

2011-09-29 09:46:26,380 DEBUG [http-8443-1] impl.AuthenticationLDAP - Setting trust store back to : /usr/local/platform/.security/tomcat/trust-certs/tomcat-trust.keystore

2011-09-29 09:46:26,381 DEBUG [http-8443-1] impl.AuthenticationLDAP - Setting trust store type back to : PKCS12

2011-09-29 09:46:26,381 DEBUG [http-8443-1] impl.AuthenticationLDAP - Setting trust store password back

2011-09-29 09:46:26,381 DEBUG [http-8443-1] authentication.AuthenticationImpl - GiveAuthLDAPPersistent: Going to add dir context to linked list, currNumOfDirCtx= 0

2011-09-29 09:46:26,381 DEBUG [http-8443-1] authentication.AuthenticationImpl - GiveAuthLDAPPersistent: Added Directory context with index 0

2011-09-29 09:46:26,381 DEBUG [http-8443-1] authentication.AuthenticationImpl - GiveAuthLDAPPersistent: returing dir context

2011-09-29 09:46:26,381 DEBUG [http-8443-1] impl.AuthenticationLDAP - authenticateUserWithPassword: userName=sismjw

2011-09-29 09:46:26,382 DEBUG [http-8443-1] impl.AuthenticationLDAP - SearchUserDn for sismjw

2011-09-29 09:46:26,382 DEBUG [http-8443-1] impl.LDAPConfiguration - loadLdapConfig: Creating Connector Object

2011-09-29 09:46:26,386 DEBUG [http-8443-1] impl.LDAPConfiguration - getUserFilter(String): Returning ResultSet = com.informix.jdbc.IfxResultSet@18849be

2011-09-29 09:46:26,386 DEBUG [http-8443-1] impl.LDAPConfiguration - getUserFilter(String): DB Returns com.informix.jdbc.IfxPreparedStatement@a159bb=(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)) (telephonenumber=*))

2011-09-29 09:46:26,387 DEBUG [http-8443-1] impl.AuthenticationLDAP - escapeFilter: filter=sismjw

2011-09-29 09:46:26,387 DEBUG [http-8443-1] impl.AuthenticationLDAP - replaceString: argstrInput=sismjw, argstrOldString=\, argstrNewString=\\

2011-09-29 09:46:26,387 DEBUG [http-8443-1] impl.AuthenticationLDAP - replaceString: Returning argstrInput=sismjw

2011-09-29 09:46:26,387 DEBUG [http-8443-1] impl.AuthenticationLDAP - replaceString: argstrInput=sismjw, argstrOldString=*, argstrNewString=\*

2011-09-29 09:46:26,387 DEBUG [http-8443-1] impl.AuthenticationLDAP - replaceString: Returning argstrInput=sismjw

2011-09-29 09:46:26,388 DEBUG [http-8443-1] impl.AuthenticationLDAP - replaceString: argstrInput=sismjw, argstrOldString=(, argstrNewString=\(

2011-09-29 09:46:26,388 DEBUG [http-8443-1] impl.AuthenticationLDAP - replaceString: Returning argstrInput=sismjw

2011-09-29 09:46:26,388 DEBUG [http-8443-1] impl.AuthenticationLDAP - replaceString: argstrInput=sismjw, argstrOldString=), argstrNewString=\)

2011-09-29 09:46:26,388 DEBUG [http-8443-1] impl.AuthenticationLDAP - replaceString: Returning argstrInput=sismjw

2011-09-29 09:46:26,388 DEBUG [http-8443-1] impl.AuthenticationLDAP - escapeFilter: Returning escFilter=sismjw

2011-09-29 09:46:26,388 DEBUG [http-8443-1] impl.LDAPConfiguration - loadLdapConfig: Creating Connector Object

2011-09-29 09:46:26,391 DEBUG [http-8443-1] impl.LDAPConfiguration - getUserFilter(String): Returning ResultSet = com.informix.jdbc.IfxResultSet@10a11a5

2011-09-29 09:46:26,391 DEBUG [http-8443-1] impl.LDAPConfiguration - getUserFilter(String): DB Returns com.informix.jdbc.IfxPreparedStatement@c9447=(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)) (telephonenumber=*))

2011-09-29 09:46:26,392 DEBUG [http-8443-1] impl.AuthenticationLDAP - searchUserDn: getUserFilter= (&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)) (telephonenumber=*))

2011-09-29 09:46:26,392 DEBUG [http-8443-1] impl.AuthenticationLDAP - searchUserDn: filter=(&(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)) (telephonenumber=*))(uid=sismjw))

2011-09-29 09:46:26,392 DEBUG [http-8443-1] impl.AuthenticationLDAP - searchUserDn: connectionTryCount=0

2011-09-29 09:46:26,392 DEBUG [http-8443-1] impl.AuthenticationLDAP - searchUserDn: operationFlag=false, connectionTryCount=0

2011-09-29 09:46:26,393 DEBUG [http-8443-1] impl.AuthenticationLDAP - searchUserDn: performing search with userBase=t=faraway, filter=(&(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)) (telephonenumber=*))(uid=sismjw)), constraints=javax.naming.directory.SearchControls@1daed73

2011-09-29 09:46:26,407 DEBUG [http-8443-1] impl.AuthenticationLDAP - searchUserDn: userEnum=com.sun.jndi.ldap.LdapSearchEnumeration@c7eb9d

2011-09-29 09:46:26,407 DEBUG [http-8443-1] impl.AuthenticationLDAP - searchUserDn: connectionTryCount=0, MAX_TRIES=3

2011-09-29 09:46:26,408 DEBUG [http-8443-1] impl.AuthenticationLDAP - searchUserDn: userEnum = com.sun.jndi.ldap.LdapSearchEnumeration@c7eb9d

2011-09-29 09:46:26,409 DEBUG [http-8443-1] impl.AuthenticationLDAP - searchUserDn: userEntry = (not relative)ldaps://ldap.cf.ac.uk:636/cn=sismjw,ou=UIG,ou=INFOS,ou=MAIN,o=CF: null:null:No attributes

2011-09-29 09:46:26,409 DEBUG [http-8443-1] impl.AuthenticationLDAP - searchUserDn: userEntry is not relative.

2011-09-29 09:46:26,409 DEBUG [http-8443-1] impl.AuthenticationLDAP - processName: Name=ldaps://ldap.cf.ac.uk:636/cn=sismjw,ou=UIG,ou=INFOS,ou=MAIN,o=CF

2011-09-29 09:46:26,409 DEBUG [http-8443-1] impl.AuthenticationLDAP - replaceString: argstrInput=ldaps://ldap.cf.ac.uk:636/cn=sismjw,ou=UIG,ou=INFOS,ou=MAIN,o=CF, argstrOldString=\\", argstrNewString=\"

2011-09-29 09:46:26,409 DEBUG [http-8443-1] impl.AuthenticationLDAP - replaceString: Returning argstrInput=ldaps://ldap.cf.ac.uk:636/cn=sismjw,ou=UIG,ou=INFOS,ou=MAIN,o=CF

2011-09-29 09:46:26,409 DEBUG [http-8443-1] impl.AuthenticationLDAP - processName: pName=ldaps://ldap.cf.ac.uk:636/cn=sismjw,ou=UIG,ou=INFOS,ou=MAIN,o=CF

2011-09-29 09:46:26,410 DEBUG [http-8443-1] impl.AuthenticationLDAP - processName: returning pName=ldaps://ldap.cf.ac.uk:636/cn=sismjw,ou=UIG,ou=INFOS,ou=MAIN,o=CF

2011-09-29 09:46:26,410 DEBUG [http-8443-1] impl.AuthenticationLDAP - searchUserDn: dn=ldaps://ldap.cf.ac.uk:636/cn=sismjw,ou=UIG,ou=INFOS,ou=MAIN,o=CF

2011-09-29 09:46:26,410 DEBUG [http-8443-1] impl.AuthenticationLDAP - isLDAPURL: url=ldaps://ldap.cf.ac.uk:636/cn=sismjw,ou=UIG,ou=INFOS,ou=MAIN,o=CF

2011-09-29 09:46:26,410 DEBUG [http-8443-1] impl.AuthenticationLDAP - isLDAPURL: url doesn't contains ldap://. Returning false.

2011-09-29 09:46:26,410 DEBUG [http-8443-1] impl.AuthenticationLDAP - searchUserDn: returning dn=ldaps://ldap.cf.ac.uk:636/cn=sismjw,ou=UIG,ou=INFOS,ou=MAIN,o=CF for user sismjw

2011-09-29 09:46:26,410 DEBUG [http-8443-1] impl.AuthenticationLDAP - authenticateUserWithPassword: calling auth as dn search is successful for user sismjw and the dn is ldaps://ldap.cf.ac.uk:636/cn=sismjw,ou=UIG,ou=INFOS,ou=MAIN,o=CF

2011-09-29 09:46:26,411 DEBUG [http-8443-1] impl.AuthenticationLDAP - auth: dn=ldaps://ldap.cf.ac.uk:636/cn=sismjw,ou=UIG,ou=INFOS,ou=MAIN,o=CF

2011-09-29 09:46:26,411 DEBUG [http-8443-1] impl.LDAPConfiguration - loadLdapConfig: Creating Connector Object

2011-09-29 09:46:26,414 DEBUG [http-8443-1] impl.LDAPConfiguration - getUserFilter(String): Returning ResultSet = com.informix.jdbc.IfxResultSet@18b56d0

2011-09-29 09:46:26,414 DEBUG [http-8443-1] impl.LDAPConfiguration - getUserFilter(String): DB Returns com.informix.jdbc.IfxPreparedStatement@f09a7c=(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)) (telephonenumber=*))

2011-09-29 09:46:26,415 DEBUG [http-8443-1] impl.AuthenticationLDAP - escapeFilter: filter=sismjw

2011-09-29 09:46:26,415 DEBUG [http-8443-1] impl.AuthenticationLDAP - replaceString: argstrInput=sismjw, argstrOldString=\, argstrNewString=\\

2011-09-29 09:46:26,415 DEBUG [http-8443-1] impl.AuthenticationLDAP - replaceString: Returning argstrInput=sismjw

2011-09-29 09:46:26,415 DEBUG [http-8443-1] impl.AuthenticationLDAP - replaceString: argstrInput=sismjw, argstrOldString=*, argstrNewString=\*

2011-09-29 09:46:26,415 DEBUG [http-8443-1] impl.AuthenticationLDAP - replaceString: Returning argstrInput=sismjw

2011-09-29 09:46:26,415 DEBUG [http-8443-1] impl.AuthenticationLDAP - replaceString: argstrInput=sismjw, argstrOldString=(, argstrNewString=\(

2011-09-29 09:46:26,416 DEBUG [http-8443-1] impl.AuthenticationLDAP - replaceString: Returning argstrInput=sismjw

2011-09-29 09:46:26,416 DEBUG [http-8443-1] impl.AuthenticationLDAP - replaceString: argstrInput=sismjw, argstrOldString=), argstrNewString=\)

2011-09-29 09:46:26,416 DEBUG [http-8443-1] impl.AuthenticationLDAP - replaceString: Returning argstrInput=sismjw

2011-09-29 09:46:26,416 DEBUG [http-8443-1] impl.AuthenticationLDAP - escapeFilter: Returning escFilter=sismjw

2011-09-29 09:46:26,416 DEBUG [http-8443-1] impl.LDAPConfiguration - loadLdapConfig: Creating Connector Object

2011-09-29 09:46:26,419 DEBUG [http-8443-1] impl.LDAPConfiguration - getUserFilter(String): Returning ResultSet = com.informix.jdbc.IfxResultSet@2e6640

2011-09-29 09:46:26,419 DEBUG [http-8443-1] impl.LDAPConfiguration - getUserFilter(String): DB Returns com.informix.jdbc.IfxPreparedStatement@3afc0c=(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)) (telephonenumber=*))

2011-09-29 09:46:26,420 DEBUG [http-8443-1] impl.AuthenticationLDAP - auth: getUserFilter= (&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)) (telephonenumber=*))

2011-09-29 09:46:26,420 DEBUG [http-8443-1] impl.AuthenticationLDAP - auth: filter=(&(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)) (telephonenumber=*))(uid=sismjw))

2011-09-29 09:46:26,420 DEBUG [http-8443-1] impl.AuthenticationLDAP - auth: connectionTryCount=0

2011-09-29 09:46:26,420 DEBUG [http-8443-1] impl.AuthenticationLDAP - auth: Creating new InitialDirContext using dn = ldaps://ldap.cf.ac.uk:636/cn=sismjw,ou=UIG,ou=INFOS,ou=MAIN,o=CF

2011-09-29 09:46:26,460 ERROR [http-8443-1] impl.AuthenticationLDAP - auth: NamingException

javax.naming.InvalidNameException: [LDAP: error code 34 - Invalid DN Syntax]

    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2982)

    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)

    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)

    at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:293)

    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)

    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)

    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)

    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)

    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)

    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)

    at javax.naming.InitialContext.init(InitialContext.java:223)

    at javax.naming.InitialContext.(InitialContext.java:197)

    at javax.naming.directory.InitialDirContext.(InitialDirContext.java:82)

    at com.cisco.security.ims.impl.AuthenticationLDAP.authenticate(AuthenticationLDAP.java:419)

    at com.cisco.security.ims.impl.AuthenticationLDAP.authenticateUserWithPassword(AuthenticationLDAP.java:243)

    at com.cisco.security.ims.impl.AuthenticationDB.authenticateUser(AuthenticationDB.java:163)

    at com.cisco.security.ims.authentication.AuthenticationImpl.loginUtil(AuthenticationImpl.java:274)

    at com.cisco.security.ims.authentication.AuthenticationImpl.login(AuthenticationImpl.java:202)

    at com.cisco.platform.realm.Realm.login(Realm.java:178)

    at com.cisco.platform.realm.Realm.authenticate(Realm.java:113)

    at com.cisco.platform.valve.FormRequestHandler.authenticate(FormRequestHandler.java:160)

    at com.cisco.platform.valve.AuthenticationValve.authenticate(AuthenticationValve.java:164)

    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:454)

    at com.cisco.ccm.admin.servlets.SessionValve.invoke(SessionValve.java:44)

    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:555)

    at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:421)

    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)

    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)

    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)

    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)

    at java.lang.Thread.run(Thread.java:662)

2011-09-29 09:46:26,461 DEBUG [http-8443-1] impl.AuthenticationDB - login: AuthenticationLDAP complete with result=false

2011-09-29 09:46:26,461 DEBUG [http-8443-1] impl.AuthenticationLDAP - returnContext: DirContext for index 0

2011-09-29 09:46:26,462 DEBUG [http-8443-1] authentication.AuthenticationImpl - loginUtil: Authentication complete with result=1

2011-09-29 09:46:26,462 DEBUG [http-8443-1] auditing.AlarmSender - AlarmSender: getInstance

2011-09-29 09:46:26,671 DEBUG [http-8443-1] authentication.AuthenticationImpl - Constructor:

2011-09-29 09:46:26,672 DEBUG [http-8443-1] authentication.AuthenticationImpl - getLoginResult: Entering getLoginResult

2011-09-29 09:46:26,672 DEBUG [http-8443-1] authentication.AuthenticationImpl - loginUtil: Authenticating against DB.

2011-09-29 09:46:26,672 DEBUG [http-8443-1] impl.AuthenticationDB - Constructor:

2011-09-29 09:46:26,672 DEBUG [http-8443-1] impl.AuthenticationDB - authenticateUser: userId=sismjw isLogin false

2011-09-29 09:46:26,692 DEBUG [http-8443-1] impl.LDAPConfiguration - getLDAPObject:

2011-09-29 09:46:26,693 DEBUG [http-8443-1] impl.LDAPConfiguration - returning singleton object = com.cisco.security.ims.impl.LDAPConfiguration@1520293

2011-09-29 09:46:26,693 DEBUG [http-8443-1] impl.AuthenticationDB - authenticateUserWithPassword: isAuthenticateWCorpDirectory flag is = TRUE

2011-09-29 09:46:26,693 DEBUG [http-8443-1] authentication.AuthenticationImpl - loginUtil: Authentication complete with result=9

That's a full trace if me trying to authenticate. CUCM has successfully resolved my dn to

cn=sismjw,ou=UIG,ou=INFOS,ou=MAIN,o=CF via the account that was created for it but cannot bind as my dn as it trys to bind with

dn = ldaps://ldap.cf.ac.uk:636/cn=sismjw,ou=UIG,ou=INFOS,ou=MAIN,o=CF which is clearly incorrect. On my first post I added the output from a non SSL protected authentication from the same server but CUCM successfully runs a routine to remove "ldaps://ldap.cf.ac.uk:636/".

Did you have "ldaps" configured somewhere in CUCM?  If yes, could you post a screenshot?

I'm concerning about the following:

2011-09-29 09:46:26,410 DEBUG [http-8443-1] impl.AuthenticationLDAP - searchUserDn: dn=ldaps://ldap.cf.ac.uk:636/cn=sismjw,ou=UIG,ou=INFOS,ou=MAIN,o=CF

2011-09-29 09:46:26,410 DEBUG [http-8443-1] impl.AuthenticationLDAP - isLDAPURL: url=ldaps://ldap.cf.ac.uk:636/cn=sismjw,ou=UIG,ou=INFOS,ou=MAIN,o=CF

2011-09-29 09:46:26,410 DEBUG [http-8443-1] impl.AuthenticationLDAP - isLDAPURL: url doesn't contains ldap://. Returning false.

I didn't add ldaps, this was automatically added by CUCM when I checked the SSL checkbox in LDAP Authentication. Looking at the trace for a non SSL protected authentication ithas ldap:// not ldaps:// but CUCM removes this along with the server name to leave the correct DN.

Cisco have admitted this is a fault and are raising a defect to get this fixed. Its to do with convertToBindDN not being called when using openldap ssl authentication. Just thought this may be useful if anyone else comes across this.