Solving LDAP Connection Errors with eDirectory on AWS

Are you receiving the “No subject alternative names matching IP address…” error when attempting to make an LDAP connection to an AWS server hosting eDirectory? This quick tutorial will help you solve the issue.

Whether you are using Designer or browsing eDirectory with your favorite LDAP browser, you may run into the following error when attempting to connect to an instance of eDirectory hosted on an AWS server.

“simple bind failed: xxx.xxx.xxx.xxx:636

  javax.naming.CommunicationException: simple bind failed: xxx.xxx.xxx.xxx:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address xxx.xxx.xxx.xxx found]”

where xxx.xxx.xxx.xxx is the external-facing IP address of your AWS server.

A bit of background: Subject Alternative Name (SAN) is an extension defined in the X.509 certificate standard. It allows additional identities, such as email addresses, DNS names, IP addresses, directory names, and URIs, to be included in one SSL certificate.

Why does this cause an issue? Because the certificate that was originally created carries only the static internal IP address used within AWS, and a client that connects by IP address accepts only an IP-type Subject Alternative Name entry that matches that address exactly. By adding the external IP address to the Subject Alternative Names list, the certificate becomes valid for both IP addresses.
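To make that rule concrete, and to give you a way to inspect the served certificate before and after the change, here is an added example (standard-library Python; it is not code from the original post or from NetIQ/eDirectory). It extracts the Subject Alternative Names from a DER-encoded certificate, applies the matching rule behind the Java error above (an IP-literal target is satisfied only by an IP-type SAN entry), and exercises it on a constructed SAN extension. The addresses 10.0.1.5 and 203.0.113.10, the name ldap.example.com, and the function names are assumptions made for the example.

```python
"""Does an LDAPS server certificate's Subject Alternative Names cover the address the
client connects to? Added example, standard library only; not code from the original
post or from NetIQ/eDirectory."""
import ipaddress
import socket
import ssl

SAN_OID = b"\x06\x03\x55\x1d\x11"   # DER encoding of OID 2.5.29.17 (subjectAltName)
NAME_TAGS = {0x81: "email", 0x82: "DNS", 0x86: "URI", 0x87: "IP Address"}  # GeneralName [1],[2],[6],[7]


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next (length & 0x7F) bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def san_entries_from_der(der):
    """Return [(kind, value), ...] from the subjectAltName extension of a DER certificate,
    or [] if there is none: find the extension by OID, skip the optional 'critical'
    flag, then walk the GeneralName SEQUENCE inside the OCTET STRING."""
    idx = der.find(SAN_OID)
    if idx < 0:
        return []
    _, _, pos = _read_tlv(der, idx)          # the OID itself
    tag, value, pos = _read_tlv(der, pos)
    if tag == 0x01:                          # optional BOOLEAN critical
        tag, value, pos = _read_tlv(der, pos)
    if tag != 0x04:                          # extnValue must be an OCTET STRING
        return []
    seq_tag, names, _ = _read_tlv(value, 0)
    entries, p = [], 0
    while seq_tag == 0x30 and p < len(names):
        tag, val, p = _read_tlv(names, p)
        kind = NAME_TAGS.get(tag)
        if kind == "IP Address" and len(val) in (4, 16):
            entries.append((kind, str(ipaddress.ip_address(val))))   # packed IPv4/IPv6 bytes
        elif kind:
            entries.append((kind, val.decode("ascii", "replace")))
    return entries


def target_matches_san(entries, target):
    """The rule behind the error on the page: an IP-literal target is satisfied only by an
    'IP Address' SAN entry equal to it (subject CN and DNS entries do not count). A hostname
    target matches DNS entries case-insensitively, with one leftmost wildcard label allowed."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in entries)
    host = target.lower().rstrip(".")
    for pattern in (v.lower().rstrip(".") for k, v in entries if k == "DNS"):
        if pattern == host or (pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]):
            return True
    return False


def fetch_server_cert_der(host, port=636):
    """Pull the LDAPS server certificate (DER) for inspection only; verification is disabled
    on purpose so a mismatched certificate can still be read. Never reuse this context for
    a real bind. Needs network access, so it is not exercised below."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def _der(tag, content):
    """Encode one DER TLV; only used to build the constructed sample below."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    if n < 256:
        return bytes([tag, 0x81, n]) + content
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + content


def build_sample_san(ips, dns_names):
    """Constructed sample: a subjectAltName extension wrapped in the SEQUENCEs that surround
    it in a real certificate's Extensions list (enough for the parser; not a full certificate)."""
    names = b"".join(_der(0x87, ipaddress.ip_address(i).packed) for i in ips)
    names += b"".join(_der(0x82, d.encode("ascii")) for d in dns_names)
    return _der(0x30, _der(0x30, _der(0x30, SAN_OID + _der(0x04, _der(0x30, names)))))


def verdict(der, target):
    """(matches, message) for the address the client connects to."""
    entries = san_entries_from_der(der)
    ok = target_matches_san(entries, target)
    return ok, f"{'OK' if ok else 'MISMATCH'}: {target} vs SAN {entries}"


if __name__ == "__main__":
    # Constructed addresses: 10.0.1.5 (private, RFC 1918) stands in for the internal AWS IP,
    # 203.0.113.10 (documentation range, RFC 5737) for the external IP.
    before = build_sample_san(["10.0.1.5"], [])                                   # certificate as first created
    after = build_sample_san(["10.0.1.5", "203.0.113.10"], ["ldap.example.com"])  # after adding the external IP
    print(verdict(before, "203.0.113.10")[1])   # MISMATCH: the handshake error quoted above
    print(verdict(after, "203.0.113.10")[1])    # OK
    # Live check once the server is reachable: verdict(fetch_server_cert_der("203.0.113.10"), "203.0.113.10")
```

The parser locates the extension by its OID rather than walking the whole certificate, which is enough for a diagnostic; for anything security-critical, leave verification to the TLS library and use this only to read what the server is actually presenting.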

To remedy this situation you will need to create a new server certificate through iManager and make sure to add the external-facing IP address under the “Subject Alternative Names” field.

We will follow the steps laid out in the product documentation, with one extra step: adding the external IP address under Subject Alternative Names.

Create the self-signed certificate:

  • Authenticate to iManager
  • Under the Roles and Tasks section click on NetIQ Certificate Server
  • Click Create Server Certificate
  • Select which LDAP server that will own the server certificate
  • Enter a Nickname for the certificate
  • Under Creation method, select Custom (User Specifies Parameters)
  • Click Next
  • Select how to have the certificate signed. To have the tree CA sign it, select the Organizational Certificate Authority option
  • Click Next 
  • Take the default options, unless additional customization is needed
  • Click Next
  • Expand the Subject Alternative Names section. Under Type select IP Address, then under Name enter the external-facing IP address of your AWS server.
  • Click the drop-down for the Signature algorithm and select the preferred option (e.g. SHA 256-RSA (SHA2))
  • Take the defaults for all of the options unless otherwise needed
  • Click Next
  • Select where to place the certificate in the tree (e.g. your organization’s certificate container)
  • Click Next
  • Review the parameters; if all looks good, click Finish
  • Click Close

Assign the certificate created above to the intended LDAP server:

  • Assign the certificate to the LDAP server in iManager:
    • Click the View Objects tab (magnifying glass)
    • Navigate and Click your LDAP server object
    • In the pop-up window, Click Modify Object
    • Click the Connections Tab
    • Click the Server Certificate magnifying glass
    • In the pop-up window, Click drop-down and select the new custom cert
    • Click OK
    • Click Apply

Restart eDirectory (DO NOT RESTART YOUR AWS SERVER UNLESS YOU HAVE A STATIC EXTERNAL IP ADDRESS: if the external IP address changes, the certificate you just created will no longer match it)