Secure LDAP user import and authentication fails with patch 5 on iPrint Appliance 3.2

  • 7024566
  • 16-Apr-2020
  • 16-Apr-2020

Environment

iPrint Appliance 3.2 Patch 5

Situation

Users on iPrint Appliance 3.2 Patch 4 authenticate fine and LDAP import synchronizations are successful. However, after applying Patch 5 (to upgrade to 3.2.5), the following two problems are introduced:
  • New users do not import into the Appliance.
  • Existing users cannot print to SSL-enabled printers
    • Authentications fail.

Resolution

Recreate the certificate on the source LDAP server so that it has a SAN (Subject Alternative Name) attribute containing the server's DNS name and IP address.

Cause

Patch 5 for the iPrint Appliance 3.2 introduces a new set of security measures that enforce validation of the certificate's SAN attribute. Prior to this update, a matching CN (Common Name) was sufficient.

If the current certificate does not have a SAN that matches the address the Appliance connects to, LDAPS communication will fail.

Additional Information

The following error is shown in /var/opt/novell/tomcat-filr/logs/appserver.log:
---------->Starting ldap sync...
2020-04-01 09:45:01,002 ERROR [Sitescape_Worker-16] [org.kablink.teaming.module.ldap.impl.LdapModuleImpl] - syncUsers() threw an exception:
javax.naming.CommunicationException: 10.0.0.1:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 10.0.0.1 found]

Note that in this example, 10.0.0.1 is the source LDAP server.
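To illustrate the validation change described under Cause and the error above, here is an added Python example (not part of this article or of the Appliance code) that performs SAN-only matching the way the patched client does: the target is compared only against subjectAltName entries, never against the subject CN. The certificate data is constructed; the hostname ldap.example.local is an assumption and 10.0.0.1 is the address from the log excerpt.

```python
import ipaddress

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(). The first mirrors the pre-Patch-5 situation
# (CN only, no SAN); the second mirrors the certificate the Resolution asks
# for (SAN with the server's DNS name and IP address).
CERT_CN_ONLY = {
    "subject": ((("commonName", "ldap.example.local"),),),
}
CERT_WITH_SAN = {
    "subject": ((("commonName", "ldap.example.local"),),),
    "subjectAltName": (("DNS", "ldap.example.local"), ("IP Address", "10.0.0.1")),
}


def _dns_matches(pattern, hostname):
    """RFC 6125-style DNS match: exact, or a single leftmost-label wildcard."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False


def san_matches(cert, target):
    """Return (ok, reason). Simplified reimplementation of strict SAN checking:
    an IP target needs an 'IP Address' SAN entry and a name target needs a
    'DNS' SAN entry. The subject CN is deliberately never consulted, which is
    why a CN-only certificate fails after the patch."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        for kind, value in san:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "matched IP SAN %s" % value
        return False, "No subject alternative names matching IP address %s found" % target
    for kind, value in san:
        if kind == "DNS" and _dns_matches(value, target):
            return True, "matched DNS SAN %s" % value
    return False, "No subject alternative DNS name matching %s found" % target


if __name__ == "__main__":
    for name, cert in (("CN only", CERT_CN_ONLY), ("with SAN", CERT_WITH_SAN)):
        for target in ("10.0.0.1", "ldap.example.local"):
            print(name, target, san_matches(cert, target))
```

Running it prints a failure for both targets against the CN-only certificate (the IP case reproduces the wording of the logged exception) and a success for both against the certificate with a SAN.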