What does this error mean: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection

We have set up Sametime 12.0.2 + LDAP using Active Directory over SSL.

User can NOT connect with a browser.

They enter their credentials and get a "wrong credentials" message.

Any ideas?

It seems that Sametime does not handle AD+SSL well.

community_1 | stuserinfosa 2025-03-25 12:16:30.428 SEVERE 0 --- 22 : createConnection : Problem Initalizing context for simple bind
community_1 | javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090276, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839 ]

Hi Dominique,

I posted some suggestions in your other post. First if this is a new set up make sure you have completed all of the steps required.

We made some changes to the TLS libraries we use in 12.0.2 and they are more secure. If you are using the secure port, you must connect using a FQDN and it must match the subject of your LDAP server's certificate.

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0118000

You can use openssl to query the LDAP server's certificate to check the subject. I would try it from the Sametime server. The command is:

openssl s_client -connect ldap.example.com:636 -showcerts

Be sure to substitute your LDAP hostname and port (you can try using what you have defined for Sametime to use). Look at the output for "Certificate subject", and ensure that it has a full certificate chain and that it matches your ldaptruststore.p12 file.

Also make sure you are connecting to the secure port. If this is Microsoft Active Directory, the default secure port for the global domain controller is 3269. For most other LDAP directories the secure port is 636.

Thanks,

Casey

Looking at the specific error (LDAP: error code 8) - it seems the LDAP server is requiring TLS for this connection.

This is specific to the UserInfo connection, which is required for the webclient and mobile authentication process.

If you need more assistance, please open a case.
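An added example, not part of any post in this thread: the browser reports "wrong credentials", but the log entry carries LDAP result code 8 (strongerAuthRequired in RFC 4511), which is a refusal of the connection type, not of the password. The script below separates the two cases in a captured log; the function name `diagnose`, the hint wording and the second sample line are assumptions made for the illustration.

```python
import re

# Constructed sample: the first entry is the error quoted in this thread (colour
# codes removed); the second is a made-up bad-password failure with a placeholder DSID.
SAMPLE_LOG = r"""
community_1 | javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090276, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839 ]
community_1 | javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 52e, v3839 ]
"""

# Shape of the diagnostic string Active Directory returns with a failed bind.
AD_ERR = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]{8}): LdapErr: "
    r"(?P<dsid>DSID-[0-9A-Fa-f]+), comment: (?P<comment>.*?), "
    r"data (?P<data>[0-9A-Fa-f]+), v"
)

# LDAP result codes (RFC 4511): name, failing layer, and what to check first.
RESULT_CODES = {
    8: ("strongerAuthRequired", "transport",
        "simple bind refused without TLS; check the LDAP hostname (FQDN), "
        "secure port and truststore"),
    49: ("invalidCredentials", "credentials",
         "bind DN or password rejected; check the account itself"),
}
UNKNOWN = ("unknown", "unknown", "look up the result code in RFC 4511")


def diagnose(log_text):
    """Return one finding per Active Directory LDAP error in log_text."""
    findings = []
    for line in log_text.splitlines():
        m = AD_ERR.search(line)
        if not m:
            continue
        code = int(m.group("code"))
        name, layer, hint = RESULT_CODES.get(code, UNKNOWN)
        findings.append({
            "code": code, "name": name, "layer": layer, "hint": hint,
            "win32": int(m.group("win32"), 16),  # extended error, hex in the log
            "dsid": m.group("dsid"),
            "comment": m.group("comment"),
            "data": m.group("data"),
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['code']} {f['name']} [{f['layer']}] {f['dsid']}: {f['hint']}")
```
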

Hi Tony.

HCL Notes Basic is connecting, Web is not, so it confirms your statement.


We set up a truststore for LDAPS, imported the CRT, and set up custom.env, .env, docker-compose to activate SSL in Sametime to connect to LDAPS.

We tried LDAPSearch CMD.

This LDAP on Active Directory is currently in use for another Sametime server. Correctly.

I think the best course of action is to open a case so that we can review your configuration.

Of course, since this error is coming from LDAP - reviewing the LDAP diags may also shed some light.