Secure LDAP sync fails after upgrade to Cascade CMS v8.11

Cascade CMS v8.11 comes bundled with a newer version of Java (JRE 8u191). Starting with JRE 8u181, the JRE enables endpoint identification for LDAPS connections by default: in addition to validating the server certificate against the trust store, the JRE now checks that the hostname or IP address in the ldaps:// URL matches a subject alternative name (SAN) in the certificate, the same check browsers apply to HTTPS. More information can be found in the Oracle/Java Release Notes for 8u181. If your LDAP configuration points at the server by an IP address, or by a hostname the certificate does not list, the sync will fail to bind after the upgrade.

A common error as a result of this change may look like this:

ERROR [LdapServiceImpl] {User: system, id: not specified, type: not specified} During LDAP user import, encountered an error and could not bind to the LDAP server:
	
javax.naming.CommunicationException: simple bind failed: xxx.xxx.xxx.xxx:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address xxx.xxx.xxx.xxx found]
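Before changing anything, it helps to know whether the failure is an IP literal in the URL (as in the error above) or a hostname the certificate simply does not list. The script below is an added example written for this article, not part of Cascade CMS or the Java runtime. It reimplements, as an approximation, the matching rules the JRE applies when endpoint identification is on (an IP literal must equal an "IP Address" SAN; a hostname must match a "DNS" SAN, with at most one leftmost wildcard label; the subject CN is consulted only when the certificate carries no DNS SAN), so you can test a candidate ldaps:// URL offline against the SAN list you read off the certificate. The sample SAN list is constructed for illustration; live_check() performs a real handshake using Python's default verification, which enforces the same kind of name check.

```python
"""Preflight check for the JRE 8u181+ LDAPS endpoint identification rules.

Added example for this article; not Cascade CMS or JRE code. The matching logic
is an approximation of the JRE's HTTPS/LDAPS hostname checker, and SAMPLE_SAN is
a constructed certificate SAN list, not one captured from a real server.
"""
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit


def parse_ldaps_url(url):
    """Return (host, port) from an ldaps:// URL; the default LDAPS port is 636."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldaps":
        raise ValueError("expected an ldaps:// URL: %r" % url)
    if not parts.hostname:
        raise ValueError("URL has no host: %r" % url)
    return parts.hostname, parts.port or 636


def _dns_match(pattern, host):
    """Case-insensitive DNS name match with a single leftmost wildcard label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Only a whole leftmost label may be a wildcard, it matches exactly one
    # label, and patterns such as "*.com" are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def endpoint_matches(host, san, subject_cn=None):
    """Decide whether `host` (taken from the URL) is accepted for a certificate
    whose subjectAltName is `san`, a tuple of (type, value) pairs in the format
    returned by ssl.SSLSocket.getpeercert()."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal never matches a DNS name, only an IP Address SAN.
        return any(t == "IP Address" and ipaddress.ip_address(v) == ip for t, v in san)
    dns_names = [v for t, v in san if t == "DNS"]
    if dns_names:
        return any(_dns_match(p, host) for p in dns_names)
    # No DNS SAN at all: fall back to the subject CN, as the JRE does.
    return subject_cn is not None and _dns_match(subject_cn, host)


def explain(url, san, subject_cn=None):
    """Human-readable verdict for a candidate URL against a known SAN list."""
    host, port = parse_ldaps_url(url)
    if endpoint_matches(host, san, subject_cn):
        return "OK: %s:%d matches the certificate" % (host, port)
    return ("FAIL: no subject alternative name matching %s; connect by a name "
            "listed in the SAN or reissue the certificate" % host)


def live_check(host, port=636, timeout=5.0):
    """Handshake with the real server using Python's default verification, which
    also enforces hostname/IP matching. Returns (ok, detail): on success detail
    is the server's SAN tuple, on failure the verification error text."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.getpeercert().get("subjectAltName", ())
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)


# Constructed sample: a directory server certificate with DNS SANs only.
SAMPLE_SAN = (("DNS", "ldap.example.edu"), ("DNS", "*.dc.example.edu"))

if __name__ == "__main__":
    print(explain("ldaps://192.0.2.10:636", SAMPLE_SAN))    # FAIL, as in the error above
    print(explain("ldaps://ldap.example.edu", SAMPLE_SAN))   # OK
```

Run it with the SAN list from your own certificate (openssl s_client against port 636, then openssl x509 -noout -text, will print it). If the only mismatch is an IP literal in the URL, switching the URL to a hostname the certificate lists is the fix that keeps the check enabled; live_check() with that hostname confirms the handshake succeeds before you touch the JVM options.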

The preferred fix is to point the LDAP configuration at a hostname that appears in the server certificate's subject alternative names, or to have the certificate reissued with the address you connect to included as a SAN. If neither is possible, you can work around the error by disabling endpoint identification with the JVM system property below. Note what this gives up: the certificate is still validated against the trust store, but any trusted certificate will be accepted for any host, so the LDAPS connection no longer detects a server presenting a certificate issued for a different name. Add the property to the JVM options as follows:

Linux/macOS

  1. Stop Cascade CMS.
  2. Edit cascade.sh.
  3. In the JAVA_OPTS line, add -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
  4. Save.
  5. Start Cascade CMS.

Windows

  1. Stop Cascade CMS.
  2. Right-click the tomcat/bin/CascadeCMSw.exe file and select the Run as Administrator option.
  3. Click the Java tab.
  4. In the Java Options section, add the line -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
  5. Click Apply/OK.
  6. Start Cascade CMS.