AIX

  • 1.  SSL-LDAP to Microsoft AD server stopped working after LDAP certificate changed

    Posted Fri March 26, 2021 03:30 PM

    Hello,

    We run LMT 9.5.17 here with LMT server 9.2.22/23 and noticed that LDAP authentication stopped working after the MS-AD guys changed their LDAP certificate before it expired.

    LMT noticed the certificate change and placed the dialogue to trust the new certificates. We did that, but login is still not possible.

    The error in tema.log looks like this:

    [3/26/21 11:32:21:540 UTC] 00000037 com.ibm.ws.webcontainer.webapp I SRVE0292I: Servlet Message - [tema]:.[WARN] An error occurred while attempting to connect to server adserver.domain:636: IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server adserver.domain/10.x.x.x:636: SSLException(Connection reset), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))

    I suspect that the old trust is still configured somewhere and doesn't work anymore because the certificate is expired.

    Any suggestions on how to bring encrypted LDAP back to work?



    #AIX
    #Support
    #SupportMigration


  • 2.  RE: SSL-LDAP to Microsoft AD server stopped working after LDAP certificate changed

    Posted Wed March 31, 2021 09:38 AM

    Sadly, nobody from LMT support seems to read questions...





  • 3.  RE: SSL-LDAP to Microsoft AD server stopped working after LDAP certificate changed

    Posted Tue April 06, 2021 12:11 AM

    Please open a case with IBM. This appears to be a bug introduced in 9.2.23 (APAR IJ31909). You will have to open a case to get the workaround file.

    https://www.ibm.com/support/pages/apar/IJ31909





  • 4.  RE: SSL-LDAP to Microsoft AD server stopped working after LDAP certificate changed

    Posted Wed April 07, 2021 04:59 PM

    Thanks. A colleague of mine opened a case and supplied me with the workaround. It didn't work. The test connection is working again, but authentication still is not. I tried both login name and login name with "" appended. Suggestions?





  • 5.  RE: SSL-LDAP to Microsoft AD server stopped working after LDAP certificate changed

    Posted Wed April 07, 2021 06:23 PM

    Two technotes about this issue were published last night that I think are relevant.

    https://www.ibm.com/support/pages/node/6440615

    https://www.ibm.com/support/pages/node/6440621





  • 6.  RE: SSL-LDAP to Microsoft AD server stopped working after LDAP certificate changed

    Posted Thu April 08, 2021 08:54 AM

    Thanks!

    The first one is what was suggested by IBM support.

    The second one is not relevant because we didn't enable FIPS (to my knowledge).


    Sadly, it's still not working correctly after we changed the config according to the first note.



