LDAP integration issue on FMC

markosik
Level 1

Hello,
I'm trying to integrate an LDAP server with Cisco FMC using LDAPS.
Unfortunately the communication with the LDAP server fails due to the lack of trust in my LDAP server certificate.

Here is an extract from the LDAP server log:

[29/Apr/2020:12:15:03.061817370 +0200] conn=8044 fd=166 slot=166 SSL connection from 10.16.1.200 to 10.0.0.11
[29/Apr/2020:12:15:03.065345297 +0200] conn=8044 op=-1 fd=166 closed - Peer does not recognize and trust the CA that issued your certificate.

Since I'm using Cisco Firepower Management Center for VMWare Software Version 6.5.0.4 (build 57) I tried the following workaround:

https://community.cisco.com/t5/vpn/firepower-anyconnect-ldap-ad-authentication-issue/m-p/4048922

However, despite adding the LDAP server certificate to the list of trusted parties, the result doesn't change.

My LDAP server presents a certificate for *.test.pl (network name changed for the purposes of this correspondence) issued by TERENA. The certificate is valid.

In order to debug, I logged in to the FMC and switched to the shell (expert mode).

I used ldapsearch:
ldapsearch -v -H ldaps://ldapserv.test.pl -d 1

and here is the result:

ldap_url_parse_ext(ldaps://ldapserv.test.pl)
ldap_initialize( ldaps://ldapserv.test.pl:636/??base )
ldap_create
ldap_url_parse_ext(ldaps://ldapserv.test.pl:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapserv.test.pl:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.0.11:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA, issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Funny, because DigiCert is on the list of trusted CAs in FMC.

Can you please provide me with any suggestions?

Regards

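The ldapsearch -d 1 trace in the post already pinpoints the failure: the OpenSSL verify callback stops at depth 2 with err 19 on a certificate whose subject equals its issuer, i.e. the DigiCert Assured ID Root CA is absent from the trust store that libldap itself consults (TLS_CACERT / TLS_CACERTDIR in ldap.conf, or the LDAPTLS_CACERT environment variable), regardless of what the FMC GUI lists as trusted. The following helper, an added example that is not from the post or from Cisco, parses that trace format and names the OpenSSL verify code; the sample input is the verify line copied from the post, and the hint strings are my own assumptions about where to look next.

```python
import re

# OpenSSL X509 verify result codes that matter for a chain-trust diagnosis.
X509_ERR = {
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
    62: "X509_V_ERR_HOSTNAME_MISMATCH",
}

# Matches the libldap/OpenSSL verify line printed by `ldapsearch -d 1`.
VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.*?), issuer: (?P<issuer>.*)$"
)

def diagnose_tls_trace(trace):
    """Return a dict describing the first failing verify step, or None if all pass."""
    for line in trace.splitlines():
        m = VERIFY_RE.search(line)
        if not m or int(m["err"]) == 0:
            continue
        depth, err = int(m["depth"]), int(m["err"])
        subject, issuer = m["subject"].strip(), m["issuer"].strip()
        self_signed = subject == issuer  # a root, not an intermediate
        if err == 19 and self_signed:
            hint = ("root CA missing from the trust store libldap uses: check "
                    "TLS_CACERT/TLS_CACERTDIR in ldap.conf or LDAPTLS_CACERT")
        elif err in (20, 21):
            hint = "an intermediate is missing from the chain the server sends"
        elif err == 62:
            hint = "hostname in the URI does not match the certificate SAN/CN"
        else:
            hint = "see OpenSSL verify(1) for this code"
        return {"depth": depth, "err": err, "name": X509_ERR.get(err, "UNKNOWN"),
                "subject": subject, "issuer": issuer,
                "self_signed": self_signed, "hint": hint}
    return None

# Constructed sample: the verify lines from the post's ldapsearch output.
SAMPLE_TRACE = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA, issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
TLS certificate verification: Error, self signed certificate in certificate chain
"""

if __name__ == "__main__":
    print(diagnose_tls_trace(SAMPLE_TRACE))
```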