SCH fails to start when LDAPS is enabled.



Issue:

SCH fails to start when LDAPS is enabled, logging the following message:

2018-05-07 13:26:28,313 [requestId:] [app:security] [componentId:security000] [user:security000] [thread:main] WARN  LdapUserGroupProvider - LDAP(ldaps://*******.*******:3269) validateConnection(), error: [org.ldaptive.provider.ConnectionException@959923849::resultCode=PROTOCOL_ERROR, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.CommunicationException: *******.*******:3269 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target], providerException=javax.naming.CommunicationException: *******.*******:3269 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested ta!


Solution:

The troubleshooting concluded that a DNS load balancer sat in front of the LDAP servers, so the certificate returned by the LDAP server did not match the hostname on the outgoing request.


The following steps narrowed down the problem area and resolved the issue:

  1. Performed an nslookup on the configured hostname. Repeated look-ups returned continuously changing IPs, indicating DNS round robin because of the load balancing in place.
  2. Verified that the port was reachable with curl <hostname>:<LDAP port>
  3. Looked through the logs and identified a certificate mismatch error.
  4. Took the hostname from the certificate and configured the LDAP connection to use the hostname specified in the certificate.
  5. Restarted DPM/SCH.

Note: Hard-coding the hostname from the certificate instead of using the DNS round-robin name takes away HA. So, ensure that the certificate contains the appropriate entry for the load-balanced hostname that clients connect to.
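As an added diagnostic that is not part of the original post, the Python below reproduces steps 1 to 4 from the defender's side: it repeats the lookup to reveal round robin, pulls the server certificate from the LDAPS port, and checks whether the configured hostname matches any name in that certificate. Names such as example.com are constructed placeholders, and the certificate fetch assumes the third-party cryptography package; the pure name checks run without it.

```python
import socket
import ssl

def cert_dns_names(cert):
    """SAN dNSName entries plus subject CN, from the dict shape of SSLSocket.getpeercert()."""
    names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    for rdn in cert.get("subject", ()):
        names.update(v.lower() for k, v in rdn if k == "commonName")
    return names

def name_matches(hostname, cert_name):
    """Case-insensitive match of a hostname against one certificate name; a
    wildcard is honoured only as the whole leftmost label (RFC 6125 style)."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(pattern) or len(host) < 2:
        return False
    if pattern[0] == "*":
        return host[1:] == pattern[1:]
    return host == pattern

def certificate_covers(hostname, cert):
    """True when the hostname SCH dials matches at least one certificate name."""
    return any(name_matches(hostname, n) for n in cert_dns_names(cert))

def resolve_repeatedly(hostname, attempts=5):
    """Step 1: repeated lookups; several distinct addresses indicate DNS round robin."""
    addresses = set()
    for _ in range(attempts):
        addresses.update(info[4][0] for info in socket.getaddrinfo(hostname, None))
    return addresses

def fetch_peer_cert(hostname, port=3269):
    """Steps 2-3: fetch the server certificate in the dict shape used above. Verification is
    off so it can be read even when the trust chain fails; nothing is authenticated here.
    Assumes the third-party 'cryptography' package (an assumption, not from the post)."""
    from cryptography import x509  # lazy import: the name checks need neither it nor a network
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((hostname, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = x509.load_der_x509_certificate(tls.getpeercert(binary_form=True))
    cn = [a.value for a in cert.subject.get_attributes_for_oid(x509.NameOID.COMMON_NAME)]
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        dns = san.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        dns = []
    return {"subject": tuple((("commonName", c),) for c in cn), "subjectAltName": tuple(("DNS", d) for d in dns)}
```

Run resolve_repeatedly() and then certificate_covers(configured_host, fetch_peer_cert(configured_host)) against the LDAPS endpoint SCH is configured with; a False result with several addresses from the lookup is the situation described in the solution above.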

