[cisco-voip] ldaps authentication
Ed Leatherman
ealeatherman at gmail.com
Mon Oct 5 08:21:18 EDT 2015
Hello!
We turned up directory sync on cucm yesterday, and ran into some issues
with authentication; I ran out of maintenance window so we ended up
converting the small number of end users that were synced back into local
accounts for now.
Our LDAP is front-ended by a load balancer that uses a wild-card
certificate. Yeah, I should have seen this coming.
What I have is my test cluster, running 10.5.2.10000-5, integrated using
ldaps and working fine
My production system is slightly more recent 10.5.2.12901 (unrelated reason
as to why they don't match). Directory sync works fine using ldaps , but
authentication will not work, error message in the tomcat trace says that
the hostname doesn't match the certificate. I can see the wildcard cert
CN's in the trace.
I can't even see any entries in the test system trace file related the SSL
socket (nor could Tac), so i'm assuming that extra trace info was added in
the SU. I guess it also started enforcing the no wild-card rule on
certificates for other things - I was under the (apparently false)
impression that that rule was only related to signing CUCM certs.
But why does my dir sync work ok, it uses SSL also to the same host? Tac
isn't interested in troubleshooting any further as they say it's
unsupported.
We tried changing LDAP on CUCM to use IP instead of hostname to skip the
SSL hostname check, this worked for authenticating Ucmuser webpage but it
did not work for Jabber. I wanted to troubleshoot this to see if this issue
was not SSL related but we ran out of maintenance window.
My action plan right now is to move my "beta" users off the test system and
get it to the same version as production, and try to reproduce the issue.
Also investigating getting a normal cert for our ldap but I'm not sure how
feasible this will be.
Any suggestions or am I SOL with that wildcard cert?
--
Ed Leatherman
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20151005/02eb1979/attachment.html>
More information about the cisco-voip
mailing list