I am trying to connect to an LDAP server over SSL. I have generated a .jks file with the certificate entry. I do not want to import this into cacerts, but rather want to access it dynamically when I initialize the LDAP connection.

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;

    // Opens a JNDI LDAP context; ldapHost is "host:port", e.g. "ldaphost:636" when sslAuth is set
    private static LdapContext connect(String ldapHost, boolean sslAuth) throws NamingException {
        if (sslAuth) {
            ldapHost = "ldaps://" + ldapHost;
        } else {
            ldapHost = "ldap://" + ldapHost;
        }
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapHost);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "userName");
        env.put(Context.SECURITY_CREDENTIALS, "password");
        if (sslAuth) {
            // Point the JVM-wide default trust store at the custom .jks instead of cacerts
            System.setProperty("javax.net.ssl.trustStore", "C:\\temp\\AD-Cert-TrustStore.jks");
            System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
            env.put(DirContext.SECURITY_PROTOCOL, "ssl");
        }
        LdapContext ctx = new InitialLdapContext(env, null);
        return ctx;
    }

But I am getting the below exception:

javax.naming.CommunicationException: simple bind failed: ldaphost:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
  • You don't want to add it to `cacerts` why? Your LDAP server is using a self-signed certificate why? – user207421 Nov 02 '17 at 09:11
  • I do not want to add it to cacerts, since in case I need to upgrade the JRE I would need to do this manually. A better option will be to use a custom socket which uses the certificate only during the LDAP connection. The problem is/was that `System.setProperty("javax.net.ssl.trustStore", "C:\\temp\\AD-Cert-TrustStore.jks");` is not taking effect. – geekops Nov 02 '17 at 13:16
  • @user207421 I have a similar problem; I don't want to add to cacerts because in my case there will be many connections to different URLs and I want to have them separated. – Wojciech Piotrowiak Aug 31 '18 at 06:15
  • Any answers to this question? I'm having the same issue on Java 8_191. I found somewhere else saying that you must use forward slashes in your path on Windows and not \\, but I tried that as well with no luck. – John Tkaczewski Nov 13 '18 at 21:05
  • Does this answer your question? [how to accept self-signed certificates for JNDI/LDAP connections?](https://stackoverflow.com/questions/4615163/how-to-accept-self-signed-certificates-for-jndi-ldap-connections) – Martin Sep 08 '21 at 09:51


If all the necessary javax.net... properties are correctly spelled and have correct values, there must be premature initialization of some SSL-aware objects. For example, if in your app SslRMIClientSocketFactory or SslRMIServerSocketFactory are created before setting those properties, then subsequent attempts to start an SSL connection, even with new factories, will behave as if the properties were not set.
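The per-connection socket factory that the asker's comment proposes, which also avoids the process-wide javax.net.ssl properties and the initialization-order problem the answer describes, as an added example that is not part of the original question or answer (the truststore path, password and class name are assumptions):

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.SocketFactory;
import javax.net.ssl.*;

/**
 * Trust anchors come only from the given JKS, never from cacerts or javax.net.ssl.* properties.
 * Register with: env.put("java.naming.ldap.factory.socket", LdapTrustStoreSocketFactory.class.getName());
 */
public class LdapTrustStoreSocketFactory extends SocketFactory {
    private static final String TRUST_STORE = "C:/temp/AD-Cert-TrustStore.jks";   // assumed path
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray(); // assumed password

    private final SSLSocketFactory delegate;
    private LdapTrustStoreSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

    /** JNDI's LDAP provider looks up and calls this static method by name. */
    public static SocketFactory getDefault() {
        try (FileInputStream in = new FileInputStream(TRUST_STORE)) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, TRUST_STORE_PASSWORD);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);                                   // chains are validated against this store only
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);   // no client certificate, default secure random
            return new LdapTrustStoreSocketFactory(ctx.getSocketFactory());
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalStateException("cannot load LDAP truststore " + TRUST_STORE, e);
        }
    }

    /** Chain validation alone does not tie the certificate to the host; ask JSSE to check that too. */
    private static Socket withHostCheck(Socket s) {
        SSLParameters p = ((SSLSocket) s).getSSLParameters();
        p.setEndpointIdentificationAlgorithm("LDAPS");
        ((SSLSocket) s).setSSLParameters(p);
        return s;
    }

    @Override public Socket createSocket() throws IOException { return withHostCheck(delegate.createSocket()); }
    @Override public Socket createSocket(String h, int p) throws IOException { return withHostCheck(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return withHostCheck(delegate.createSocket(h, p, lh, lp)); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return withHostCheck(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return withHostCheck(delegate.createSocket(h, p, lh, lp)); }
}
```

Because the trust store is loaded inside getDefault() rather than read from system properties, each JNDI environment can name a different factory class for a different server, and a handshake against a certificate that does not chain to this store, or does not match the LDAP host name, fails with the same PKIX or identity error rather than silently falling back to cacerts.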