
I had to enable SSL on an Active Directory server; to do that I followed each and every step mentioned here: http://www.linuxmail.info/enable-ldap-ssl-active-directory/

Now I am not sure whether SSL is really enabled properly.

On the server itself, if I run ldp, I think I can connect on port 636. However, on my system I don't see an SSL option in the ldp client.

I have two other LDAP clients (Softerra LDAP Browser and Apache Directory Studio), but I am not able to connect using ldaps (on port 636). I guess I'll need to import the certificate used on the AD server so these tools can trust the self-signed certificate I used on the AD server.

Using Java code, I've added the certificate into cacerts (I got the certificate using the steps mentioned here: http://www.linuxmail.info/export-ssl-certificate-windows-2003/); however, I still can't connect to AD using SSL.

I tried SSL as well as TLS:

TLS:

// got LdapContext using ldap:// (not ldaps://)
StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
tls.negotiate(); // the TLS handshake happens here, so this is where the exception below is thrown

It gives the following exception:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

SSL:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
String ldapURL = "ldaps://<domain-name>:636";
String keystore = "C:/Oracle/Middleware/jdk160_24/jre/lib/security/cacerts";
System.setProperty("javax.net.ssl.trustStore", keystore); // JVM-wide; must be set before the first TLS connection
Hashtable<String, Object> env = new Hashtable<String, Object>();
env.put(Context.PROVIDER_URL, ldapURL);
env.put(Context.SECURITY_PROTOCOL, "ssl");
// other properties (INITIAL_CONTEXT_FACTORY, SECURITY_PRINCIPAL, SECURITY_CREDENTIALS) are set in env
LdapContext ctx = new InitialLdapContext(env, null);

It gives the following exception:

javax.naming.CommunicationException: <domain-name>:636 [Root exception is java.net.ConnectException: Connection timed out: connect]

Can anyone please suggest where I am wrong?

Thanks.

keeping_it_simple

2 Answers


This one was fixed.

I was using the wrong (rather, incomplete) command to import the certificate.

I was using:

keytool -import -alias mycert -keystore cacerts -file d:\mycert.cer

When I used the following:

keytool -import -noprompt -trustcacerts -alias mycert -file c:/mycert.cer -keystore C:/Oracle/Middleware/jdk160_24/jre/lib/security/cacerts -storepass changeit

And it started working.

keeping_it_simple

If you can't get TLS to work, it is unlikely that SSL will work. Are you sure that you got the right certificate and configured the keystore correctly? Based on the SSLHandshakeException when trying to use TLS, it would seem that may not be set up correctly.

Check out this SO answer for some tips on how to verify that your keystore is correctly set up: https://stackoverflow.com/a/9619478/1792088

Mathew Eis
  • Thanks Mathew, yes, I can certainly say that importing the certificate shouldn't have gone wrong. I've used the same command to do that. – keeping_it_simple Jun 28 '13 at 08:27
  • It looks to me that it's an issue with either: SSL is not enabled properly, or I am importing the wrong certificate into cacerts. However, I've followed the process mentioned in the above links and didn't get any error as such. – keeping_it_simple Jun 28 '13 at 08:29
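The two exceptions in the question fail at different layers: "PKIX path building failed" is a trust problem (the client has no CA that can validate the server's certificate), while "Connection timed out: connect" is a network problem on port 636 (firewall, wrong host name, or LDAPS not listening) that no truststore change will fix. The script below is an added diagnostic, not code from the question or from either answer; it separates those two cases for any LDAPS host and, on a trust failure, retrieves the certificate the server actually presents so the right one can be imported. The host, port and CA file are parameters; `cafile` is a PEM file such as the one produced by `keytool -exportcert -rfc -alias mycert -keystore cacerts -file mycert.pem` (the keytool alias and paths follow the answer above and are assumptions).

```python
"""Classify LDAPS connection failures: unreachable port vs. untrusted certificate.

Added example (not part of the original question or answers). Works offline
for the 'tcp' case; the 'trust' and 'verified' cases need a reachable server.
"""
import socket
import ssl


def classify_error(exc):
    """Map an exception raised during the connection attempt to the layer that failed."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # No chain to a trusted CA: the Python equivalent of Java's "PKIX path building failed".
        return "trust"
    if isinstance(exc, ssl.SSLError):
        # Handshake failed for another reason (protocol version, cipher, hostname mismatch).
        return "tls"
    if isinstance(exc, (socket.timeout, TimeoutError, ConnectionRefusedError, OSError)):
        # TCP never connected: firewall, wrong host, or nothing listening on the port.
        return "tcp"
    return "unknown"


def fetch_peer_certificate_pem(host, port=636, timeout=5.0):
    """Fetch the server certificate WITHOUT verification, so you can see what to import.

    Diagnostic only: an unverified context must never be used for real traffic,
    because it accepts any certificate, including an attacker's.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def check_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Try a verified TLS connection and report which stage failed.

    Returns a dict: ok (bool), stage ('tcp' | 'tls' | 'trust' | 'verified'), detail.
    cafile=None uses the OS default trust store; pass the exported AD certificate (PEM)
    to test exactly the trust anchor you imported into the Java cacerts file.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"ok": False, "stage": classify_error(exc), "detail": repr(exc)}
    # create_default_context verifies the chain AND the hostname, like Java's default trust manager.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"ok": True, "stage": "verified", "detail": cert.get("subject")}
    except ssl.SSLError as exc:
        return {"ok": False, "stage": classify_error(exc), "detail": repr(exc)}
    finally:
        raw.close()


if __name__ == "__main__":
    import sys
    # Assumed placeholder host name; replace with the AD server's FQDN (it must match the cert).
    host = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.local"
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    result = check_ldaps(host, 636, cafile)
    print(result)
    if result["stage"] == "trust":
        print("Server presented this certificate; import its issuer (or it, if self-signed):")
        print(fetch_peer_certificate_pem(host, 636))
```

Run it against the same host name you put in the ldaps:// URL: a `tcp` result means the truststore is irrelevant until the port is reachable, a `trust` result means the imported certificate is not the one (or not the issuer of the one) the server is presenting, and `verified` means the certificate side is fine and any remaining Java failure is in the JNDI setup rather than the TLS trust.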