
I use Spring Security to manage login. I've configured Spring Security to connect to an LDAP server which is secured with SSL (LDAPS).

This server is a test server and has no valid certificate. When I try to test the login, Spring Security complains that the certificate cannot be verified (of course!):

sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
 valid certification path to requested target

My question is simple: I don't want to manage any kind of certificate; I would like to deactivate the certificate check and keep using SSL LDAP. How can I do that?

Jerome Cance

1 Answer


It sounds like the certificate of the LDAP server is just self-cert rather than invalid.

To me the simplest solution would be to get that certificate and add it to the cacerts trust store in java. Once that's done the code will run without any modifications.

To get the certificate from the server:

$ openssl s_client -showcerts -connect ldapserver:636

The output will contain a number of entries delimited with

-----BEGIN CERTIFICATE-----
aklfhskfadljasdl1340234234ASDSDFSDFSDFSDFSD
....
-----END CERTIFICATE-----

Copy the last certificate entry into a file (ldapca.crt).

Then, add it to the Java keystore in $JRE_HOME/lib/security:

$ cd $JRE_HOME/lib/security
$ keytool -import -alias ldapca_self_sign -keystore cacerts -storepass changeit -file ldapca.crt

That means, you'll trust the certificate on the LDAP server and are using SSL correctly in your test environment (rather than having some custom code to switch off part of SSL checking).

Once you've done that (once) your code should run without any modifications.

beny23
Thanks for the answer. The problem with that is: I work with a team using Maven and SVN. I would like to avoid each developer having to do this kind of procedure. Is there an easy way to do it just using Spring configuration? – Jerome Cance Mar 28 '12 at 08:38

You could create a separate truststore file (essentially use the same `keytool` command with a different filename), add that file to SVN and then follow these steps: http://stackoverflow.com/questions/6431383/using-spring-ldap-with-ssl However, personally I'd send an email to each developer, attach the `ldapca.crt` file and get them to run the command, as I think the benefit of not-having-test-specific-code-in-your-codebase outweighs the convenience of a developer having to run a command once. – beny23 Mar 28 '12 at 08:47
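The answer's procedure (pull the chain with `openssl s_client`, keep the last PEM block, import it with `keytool`) and the comment's variant (a separate truststore checked into version control instead of editing the shared `cacerts`), as an added script that is not part of the question or answer. The s_client output below is a constructed sample with fake PEM bodies; the truststore path, alias and `javax.net.ssl.trustStore` flags are assumptions for a test setup.

```shell
#!/bin/sh
# Keep only the last "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----"
# block from stdin. s_client prints the chain leaf-first, so the last block is
# the issuer (or, for a self-signed test server, the server cert itself).
extract_last_cert() {
  awk '
    /^-----BEGIN CERTIFICATE-----$/ { block = ""; inblock = 1 }
    inblock                         { block = block $0 "\n" }
    /^-----END CERTIFICATE-----$/   { inblock = 0; last = block }
    END                             { printf "%s", last }
  '
}

# Import a PEM file into a dedicated truststore (created if missing) instead of
# the JRE-wide cacerts; -noprompt makes keytool usable from a script.
# Verification stays on: only this one certificate becomes trusted.
make_truststore() {
  pem="$1"; store="$2"; pass="$3"
  keytool -import -noprompt -alias ldapca_self_sign \
    -keystore "$store" -storepass "$pass" -file "$pem"
}

# Constructed sample of `openssl s_client -showcerts` output (not real certs).
SAMPLE_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=ldapserver
-----BEGIN CERTIFICATE-----
AAAAleafcertAAAA
-----END CERTIFICATE-----
 1 s:/CN=Test CA
-----BEGIN CERTIFICATE-----
BBBBcacertBBBB
-----END CERTIFICATE-----
---
'

# Demo. For a real server replace SAMPLE_OUTPUT with:
#   openssl s_client -showcerts -connect ldapserver:636 </dev/null
# (</dev/null so s_client exits instead of waiting on stdin).
crt="${TMPDIR:-/tmp}/ldapca.crt"
printf '%s' "$SAMPLE_OUTPUT" | extract_last_cert > "$crt"
[ -s "$crt" ] || { echo "no certificate block found" >&2; exit 1; }
if command -v keytool >/dev/null 2>&1; then
  make_truststore "$crt" "${TMPDIR:-/tmp}/ldap-truststore.jks" changeit
  # Point the JVM at it instead of cacerts, e.g. in MAVEN_OPTS / the run config:
  #   -Djavax.net.ssl.trustStore=ldap-truststore.jks
  #   -Djavax.net.ssl.trustStorePassword=changeit
fi
```

Check the fingerprint of `ldapca.crt` against the one the LDAP admin gives you before importing it; a truststore only pins what you put in it.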