Secure LDAP sync fails after upgrade to Cascade CMS v8.11
Cascade CMS v8.11 comes bundled with a newer version of Java (JRE 8u191). This newer version of the JRE enables endpoint identification algorithms for LDAPS servers for added security. The change was included in JRE 8u181+ and more information on it can be found in the Oracle/Java Release Notes. Due to this, you may have problems syncing with your LDAPS server.
A common error as a result of this change may look like this:
ERROR [LdapServiceImpl] {User: system, id: not specified, type: not specified} During LDAP user import, encountered an error and could not bind to the LDAP server:
javax.naming.CommunicationException: simple bind failed: xxx.xxx.xxx.xxx:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address xxx.xxx.xxx.xxx found]
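The message above says the certificate's subjectAltName entries contain nothing matching the IP address in the LDAP URL. The following Python script, added here as an example and not part of this article or of Cascade CMS, approximates that endpoint identification rule so a configured LDAPS URL can be checked against the server certificate ahead of the upgrade: a DNS host must match a DNS entry (wildcards only as the whole left-most label), an IP literal must match an IP Address entry. SAMPLE_SANS is a constructed stand-in for the tuple ssl.getpeercert() returns; fetch_sans() reads the real one from a live server.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample: subjectAltName as ssl.getpeercert() reports it for a
# certificate issued to the LDAP server's DNS names only, with no IP entry.
SAMPLE_SANS = (("DNS", "ldap.example.com"), ("DNS", "*.corp.example.com"))


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, host):
    """Case-insensitive match of one DNS SAN against a hostname. A wildcard is
    honoured only as the entire left-most label (*.corp.example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split(".")[1:], host.split(".")
        return len(hlabels) == len(plabels) + 1 and hlabels[1:] == plabels
    return pattern == host


def san_matches(sans, host):
    """True if `host` (from an LDAPS URL) passes endpoint identification against
    the certificate's subjectAltName entries. An IP literal needs an IP entry."""
    if is_ip_literal(host):
        wanted = ipaddress.ip_address(host)
        return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted
                   for kind, value in sans)
    return any(kind == "DNS" and dns_name_matches(value, host) for kind, value in sans)


def check_url(url, sans):
    """Check the host part of an LDAPS URL, e.g. 'ldaps://10.0.0.5:636'."""
    return san_matches(sans, urlsplit(url).hostname)


def fetch_sans(host, port=636):
    """Read subjectAltName from the live server. Chain validation still applies;
    only the hostname check is deferred to san_matches() so the mismatch is reported."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        return tls.getpeercert().get("subjectAltName", ())
```

If check_url() returns False for the URL in your LDAP configuration, either the URL host or the certificate's names need to change before the stricter JRE will accept the connection.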
To work around this, you can disable endpoint identification algorithms by adding the following parameter to your startup script. For example:
Linux/macOS
- Stop Cascade CMS.
- Edit cascade.sh.
- In the JAVA_OPTS line, add -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
- Save.
- Start Cascade CMS.
Windows
- Stop Cascade CMS.
- Right-click the tomcat/bin/CascadeCMSw.exe file and select the Run as Administrator option.
- Click the Java tab.
- In the Java Options section, add the line -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
- Click Apply/OK.
- Start Cascade CMS.