Waters

LDAP Signing in Active Directory affects TLS LDAP connections in NuGenesis 9 SDMS - WKB194682

Article number: 194682

SYMPTOMS

  • The following error appears in SDMS Administrator or SDMS WebVision when logging in to SDMS with an LDAP account. The message usually appears only after a few minutes of waiting; sometimes no error appears at all and the application simply never responds.
    • [NG17543] LDAP driver reports error: Can't contact LDAP server (-1) : 00002028: LDapErr: DSID-0C090259, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563 Can't contact LDAP server Unable to search the LDAP Directory
  • The LDAP connection test in SDMS Administrator is successful

ENVIRONMENT

  • NuGenesis 9 SDMS
  • LDAP Signing is active in the Active Directory servers

CAUSE

A defect in the software libraries that SDMS uses for LDAP authentication causes SDMS to follow LDAP referrals over an unencrypted session. The main connection is made with the STARTTLS extension and is encrypted with TLS 1.2. The libraries should also use TLS for the referral connections, but they do not, so the AD servers, which require signing or TLS for binds, block those connections.

FIX or WORKAROUND

  1. A software patch is available for NuGenesis 9.1 SDMS that changes the application to use LDAPS instead of the STARTTLS extension. Tests have confirmed that TLS is active for all binds (initial and referrals) when TLS is configured in SDMS and this patch is present.
  2. Contact Waters Technical Support or your Field Service engineer to obtain a copy of this patch.
  3. The patch requires a small change to the LDAP connection parameters in SDMS. Previously, with the STARTTLS extension, the application bound to port 389 and then requested that extension, which starts the TLS negotiation on the existing connection. With LDAPS, the TLS negotiation takes place as soon as the connection is opened, before any LDAP traffic, so the connection must use port 636.
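The cause and fix above come down to one rule: every bind, including the binds a client makes when it follows a referral, must happen inside TLS. As an added example (not Waters' code and not part of the SDMS patch), the Python below rewrites the plain ldap:// referral URLs that Active Directory hands back so that a client following them connects with LDAPS on port 636 rather than in the clear on 389; the referral URL and host names are constructed, and the function name is hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample referral in the form Active Directory returns for another
# naming context; it is not captured from a real SDMS log.
SAMPLE_REFERRAL = "ldap://child.example.test/DC=child,DC=example,DC=test??sub?(objectClass=user)"


def harden_referral(url: str, ldaps_port: int = 636) -> str:
    """Map an ldap:// referral onto an ldaps:// URL (hypothetical helper).

    AD returns referrals as plain ldap:// URLs even when the connection that
    received them was protected by STARTTLS. A client that follows them
    verbatim binds in the clear on port 389, and a domain controller that
    requires LDAP signing answers with the 00002028 'requires binds to turn on
    integrity checking' rejection quoted in the symptoms section. Pointing the
    referral at the LDAPS listener keeps the referral binds inside TLS.
    """
    parts = urlsplit(url)
    if parts.scheme == "ldaps":
        return url  # already TLS from the start; nothing to change
    if parts.scheme != "ldap":
        raise ValueError(f"not an LDAP URL: {url!r}")
    host = parts.hostname
    if host is None:
        raise ValueError(f"referral has no host: {url!r}")
    if parts.port not in (None, 389):
        # A non-default plaintext port (e.g. a global catalog port) has no
        # fixed TLS counterpart we can assume here, so refuse rather than guess.
        raise ValueError(f"non-standard LDAP port in referral: {url!r}")
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets, restore them
        host = f"[{host}]"
    netloc = f"{host}:{ldaps_port}"
    # The base DN, attributes, scope and filter live in path and query;
    # they are carried over unchanged.
    return urlunsplit(("ldaps", netloc, parts.path, parts.query, parts.fragment))


def bind_rejected_for_signing(message: str) -> bool:
    """True when an LDAP error text is the signing-required rejection (AD data
    code 00002028), useful when scanning application logs for this condition."""
    return "00002028" in message or "integrity checking" in message
```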

ADDITIONAL INFORMATION

This issue does not affect LMS in NuGenesis 9.1. LMS uses LDAPS for secure LDAP authentication.

