tracker issue : CF-3436476

Title:

Running an SSL ldap query with referral option generates a java error


Status/Resolution/Reason: Closed/Won't Fix/

Reporter/Name(from Bugbase): Scott Chantry / Scott Chantry (scottchantry)

Created: 01/04/2013

Components: Net Protocols, LDAP

Versions: 9.0.1

Failure Type: Non Functioning

Found In Build/Fixed In Build: 9.0.1 /

Priority/Frequency: Critical / All users will encounter

Locale/System: English / Win 2008 Server R2 64 bit

Vote Count: 0

Problem Description: When I try to query an Active Directory LDAP server with SSL enabled and using the referral option, I get the following Java error:

Error casting an object of type com.sun.jndi.ldap.LdapSearchEnumeration cannot be cast to com.sun.jndi.ldap.ReferralEnumeration to an incompatible type. This usually indicates a programming error in Java, although it could also mean you have tried to use a foreign object in a different way than it was designed. 

Steps to Reproduce:
Run an ldap query against an Active Directory LDAP server using these parameters:

<cfldap
        server="adldap.xxxx.edu"
        port="636"
        action="query"
        name = "ldapQuery"
        secure="CFSSL_BASIC"
        scope="subtree"
        referral="1"
        start = "dc=ad,dc=xxxx,dc=edu"
        filter = "sAMAccountName=username"
        username = "AD\username"
        password = "password"
        attributes = "*"
>

Actual Result:
Error casting an object of type com.sun.jndi.ldap.LdapSearchEnumeration cannot be cast to com.sun.jndi.ldap.ReferralEnumeration to an incompatible type. This usually indicates a programming error in Java, although it could also mean you have tried to use a foreign object in a different way than it was designed.
com.sun.jndi.ldap.LdapSearchEnumeration cannot be cast to com.sun.jndi.ldap.ReferralEnumeration 

Expected Result:
Return the results of the query.
Any Workarounds:
If I remove the secure tag and change the port to 389 (non-SSL) it runs fine. If I remove the referrals tag and start inside an OU it runs fine. I can't do the latter because I need to search for users in multiple OUs. For example, this works:

<cfldap
        server="adldap.xxxx.edu"
        port="636"
        action="query"
        name = "ldapQuery"
        secure="CFSSL_BASIC"
        scope="subtree"
        start = "ou=emp,dc=ad,dc=xxxx,dc=edu"
        filter = "sAMAccountName=username"
        username = "AD\username"
        password = "password"
        attributes = "*"
>

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3436476

External Customer Info:
External Company:  
External Customer Name: scottchantry
External Customer Email:  
External Test Config: My Hardware and Environment details:

ColdFusion 9.0.1 (no hotfixes installed): Windows Server 2008R2

Attachments:

  1. January 05, 2013 00:00:00: 1_Capture.PNG

Comments:

Still waiting for a response. This is a big problem for us.
Comment by External U.
16779 | February 12, 2013 01:06:04 PM GMT
Does this problem still exist on currently-supported versions of ColdFusion?
Comment by External U.
16780 | July 06, 2015 11:50:14 AM GMT
Is the SSL loaded in the Java Certificate Store? From the docs:
If you use the security="CFSSL_BASIC" option, ColdFusion determines whether to trust the server by comparing the server's certificate with the information in the jre/lib/security/cacerts keystore of the JRE used by ColdFusion. The ColdFusion default cacerts file contains information about many certificate granting authorities. If you must update the file with additional information, you can use the keytool utility in the ColdFusion jre/bin directory to import certificates that are in X.509 format. For example, enter the following:
        keytool -import -keystore cacerts -alias ldap -file ldap.crt -keypass bl19mq
Comment by External U.
16781 | July 06, 2015 05:09:12 PM GMT
This issue does not occur on the currently supported versions of ColdFusion. Hence closing the bug. Please do let us know if you have any concerns regarding the same.
Comment by S P.
16782 | September 10, 2015 03:16:12 AM GMT