Environment
iPrint Appliance 3.2 Patch 5
Situation
Users on iPrint Appliance 3.2 Patch 4 authenticate fine and LDAP import synchronizations are successful. However, after applying Patch 5 (to upgrade to 3.2.5), the two following problems are introduced:
- New users do not import into the Appliance.
- Existing users cannot print to SSL-enabled printers.
- Authentications fail.
Resolution
Recreate the certificate on the source LDAP server so that it has a SAN (Subject Alternative Name) attribute which contains the server's DNS name and IP address.
Cause
Patch 5 for the iPrint Appliance 3.2 introduces a new set of security measures that enforce validation of the certificate SAN attribute. Prior to this update, the CN (Common Name) was sufficient.
If the current certificate does not have a SAN, LDAPS communication will fail.
Additional Information
The following error was shown in /var/opt/novell/tomcat-filr/logs/appserver.log:
---------->Starting ldap sync...
2020-04-01 09:45:01,002 ERROR [Sitescape_Worker-16] [org.kablink.teaming.module.ldap.impl.LdapModuleImpl] - syncUsers() threw an exception:javax.naming.CommunicationException: 10.0.0.1:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 10.0.0.1 found]
Note that in this example, 10.0.0.1 is the source LDAP server.
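A check for the condition described under Cause, as an added example (not the appliance's own code): it pulls the address out of the handshake error and tests whether a certificate's SAN, ignoring the CN, covers every name the appliance connects to. The certificate dicts follow the shape of Python's ssl.SSLSocket.getpeercert() output; the host name ldap.example.com and all function names are assumptions.

```python
import ipaddress
import re

# Error text as it appears in the appserver.log excerpt on this page.
SAN_ERROR = re.compile(
    r"No subject alternative names matching IP address (\S+) found")

def failed_san_targets(log_text):
    """IP addresses named in SAN-mismatch handshake errors in log_text."""
    return sorted(set(SAN_ERROR.findall(log_text)))

def _dns_match(pattern, host):
    """Case-insensitive; '*' is honoured only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def san_covers(cert, target):
    """True if the SAN (never the CN) of cert covers target.

    cert is a dict shaped like the output of ssl.SSLSocket.getpeercert().
    """
    sans = cert.get("subjectAltName", ())
    try:
        want = ipaddress.ip_address(target)
    except ValueError:  # not an IP literal, so compare against dNSName entries
        return any(k == "DNS" and _dns_match(v, target) for k, v in sans)
    # An IP target is only satisfied by an iPAddress entry, not a DNS entry.
    return any(k == "IP Address" and ipaddress.ip_address(v) == want
               for k, v in sans)

def missing_san_entries(cert, targets):
    """Targets the appliance connects to that the certificate's SAN lacks."""
    return [t for t in targets if not san_covers(cert, t)]

# Constructed sample data (hypothetical host name; IP from the page's example).
LOG = ("javax.net.ssl.SSLHandshakeException: java.security.cert."
       "CertificateException: No subject alternative names matching "
       "IP address 10.0.0.1 found]")
CN_ONLY = {"subject": ((("commonName", "ldap.example.com"),),)}
WITH_SAN = {"subject": ((("commonName", "ldap.example.com"),),),
            "subjectAltName": (("DNS", "ldap.example.com"),
                               ("IP Address", "10.0.0.1"))}

if __name__ == "__main__":
    targets = ["ldap.example.com"] + failed_san_targets(LOG)
    print("CN-only cert is missing:", missing_san_entries(CN_ONLY, targets))
    print("SAN cert is missing:", missing_san_entries(WITH_SAN, targets))
```

A non-empty result for the recreated certificate means the LDAP source is still configured with a name or address that the SAN does not list.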