BSA: message "Cannot establish a TLS connection with ldap://ldap.servername.com:389. Most likely cause is failed certificate validation." when authenticating with load balanced LDAP

Version 3

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    BladeLogic Server Automation Suite


    APPLIES TO:

    BMC BladeLogic Server Automation Suite



    PROBLEM:

    When using LDAP for user authentication, and the LDAP server(s) are behind a load balancer, you see:

    Cannot establish a TLS connection with ldap://ldap.servername.com:389. Most likely cause is failed certificate validation.

     


    SOLUTION:

    Legacy ID: KA312372

    The problem usually occurs when the certificate(s) added to the trust store during configuration of LDAP authentication are issued to (CN) one specific LDAP server behind the load balancer, but not to the other LDAP servers behind it.

    This can happen when the blcred command is run to add the LDAP certificate to the trust store. If the load balancer address was used in that step, the request was routed to one specific LDAP server and BSA retrieved only that server's certificate. Authentication then fails whenever the load balancer routes an authentication attempt to an LDAP server whose certificate is not in the trust store.

    There are a few ways to resolve the issue.

    1. Add the certificate of each LDAP server behind the load balancer to the trust store.
    2. Add the certificate of the Certificate Authority (CA) that issued the LDAP servers' certificates to the trust store. Since every certificate issued by that CA is then trusted, all current and future LDAP server certificates are trusted automatically with this configuration. If the common names (CN) in the issued certificates are the directory servers' fully qualified domain names, also set IsHostValidationEnabled to True for the Application Server (set Ldap IsHostValidationEnabled true).
    3. As a workaround, set IsHostValidationEnabled to False for the Application Server (set Ldap IsHostValidationEnabled false). The certificate chain is still validated against the trust store, but the name in the server certificate is no longer checked, so options 1 and 2 are preferred where possible.
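To find which backend is presenting a certificate the trust store does not cover, the following added example (not BMC's or BSA's code) probes each LDAP server behind the load balancer directly: it sends the LDAP StartTLS extended request on port 389 and then verifies the server certificate with Python's ssl module, with check_hostname mirroring the IsHostValidationEnabled setting. The backend hostnames, a PEM export of the trust store, and the assumption that host validation compares the certificate name against the hostname in the LDAP URL are placeholders and assumptions, not taken from the article.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def ber(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV (short-form length; these messages are well under 128 bytes)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _tlv(buf: bytes, i: int):
    """Decode the TLV header at offset i; return (tag, value_start, value_end)."""
    tag, n = buf[i], buf[i + 1]
    i += 2
    if n & 0x80:                                 # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, i, i + n

def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext = ber(0x77, ber(0x80, STARTTLS_OID))
    return ber(0x30, ber(0x02, bytes([msg_id])) + ext)

def starttls_result_code(msg: bytes) -> int:
    """Pull resultCode out of an ExtendedResponse [APPLICATION 24]; 0 means success."""
    tag, i, _ = _tlv(msg, 0)                     # LDAPMessage SEQUENCE
    _, _, i = _tlv(msg, i)                       # skip messageID INTEGER
    op, i, _ = _tlv(msg, i)                      # protocolOp
    if tag != 0x30 or op != 0x78:
        raise ValueError("not an LDAP ExtendedResponse")
    _, i, j = _tlv(msg, i)                       # resultCode ENUMERATED
    return int.from_bytes(msg[i:j], "big")

def probe(backend: str, url_host: str, truststore_pem: str, host_validation: bool):
    """Connect to one backend on 389, StartTLS, then verify its certificate: chain against
    the trust store and, when host validation is on, name against the LDAP URL host (assumption)."""
    ctx = ssl.create_default_context(cafile=truststore_pem)   # placeholder PEM export of the trust store
    ctx.check_hostname = host_validation         # mirrors Ldap IsHostValidationEnabled
    with socket.create_connection((backend, 389), timeout=5) as raw:
        raw.sendall(starttls_request())
        if starttls_result_code(raw.recv(1024)) != 0:
            return backend, "server refused StartTLS"
        try:
            with ctx.wrap_socket(raw, server_hostname=url_host) as tls:
                cn = dict(rdn[0] for rdn in tls.getpeercert()["subject"]).get("commonName")
                return backend, "OK, certificate issued to CN=%s" % cn
        except ssl.SSLCertVerificationError as err:
            return backend, "FAIL: " + err.verify_message
```

Call probe() once per backend hostname (for example "ldap1.servername.com" and "ldap2.servername.com", placeholders) with the hostname from the LDAP URL as url_host; a FAIL on some backends and OK on others is the signature of the problem described above.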

     


    Article Number:

    000084937


    Article Type:

    Solutions to a Product Problem


