By: Satish Chintala user 22 Mar 2019 at 12:59 p.m. CDT

11 Responses
Backend LDAP Connection Issue over SSL (636) to MS AD. Same is working fine with 389 but not with 636. Where can i find the issue logs or how to fix it?

By Aliaksandr Samuseu staff 22 Mar 2019 at 1:33 p.m. CDT

Hi, Satish. Try commenting out the following lines in `/etc/gluu/conf/ox-ldap.properties` and restart the "oxauth" service:

```
ssl.trustStoreFile: /etc/certs/opendj.pkcs12
ssl.trustStorePin: ZQZDoImU0bke6hmMaOnkLg==
ssl.trustStoreFormat: pkcs12
```

By Michael Schwartz Account Admin 22 Mar 2019 at 2:27 p.m. CDT

Or make sure you import the self-signed cert into the truststore...

By Satish Chintala user 22 Mar 2019 at 4:14 p.m. CDT

Thanks for the quick update. The SSL handshake is failing with the error below:

```
LdapServerSslConnection,loop|Failed to complete SSL handshake: 0x80090322 SEC_E_WRONG_PRINCIPAL
```

Even after this, I have imported the same certs into opendj.crt. Can you please advise how I fix the SSL issue?

By Michael Schwartz Account Admin 23 Mar 2019 at 5:37 p.m. CDT

I think you need to import it into the truststore JKS, or the JVM truststore (cacerts).

By Satish Chintala user 23 Mar 2019 at 10:15 p.m. CDT

Yes, I too suspected the same and imported the certs with no luck. Is there anything else I can do to fix it, or a log pointer to review?

By Michael Schwartz Account Admin 24 Mar 2019 at 4:59 a.m. CDT

But as I said above, `opendj.crt` is not the right place.

By Aliaksandr Samuseu staff 25 Mar 2019 at 11:15 a.m. CDT

Hi, Satish.

> Yes, I too suspected the same and imported the certs with no luck.
> Is there anything else I can do to fix it, or a log pointer to review?

Have you tried the solution I suggested [before](https://support.gluu.org/authentication/6830/backend-ldap-connection-issue-over-ssl-636/#at46468)? I myself had trouble resolving a similar issue by adding certs to those truststores, but the solution I described worked for me in all those cases.

By Aliaksandr Samuseu staff 25 Mar 2019 at 11:19 a.m. CDT

Also, Michael most likely meant this file, not `opendj.crt`: `/opt/jdk1.8.0_181/jre/lib/security/cacerts`. It's a JKS keystore; you need to import the certificate there with the `keytool` utility:

```
# /opt/jdkx.x.x.x/jre/bin/keytool -importcert -file certificate.crt -keystore /opt/jdkx.x.x.x/jre/lib/security/cacerts -alias some_alias -storepass changeit
```
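An added diagnostic, not from this thread and not part of Gluu: `SEC_E_WRONG_PRINCIPAL` is the SChannel code for a server certificate whose name does not cover the host that was connected to, which a truststore import alone cannot cure, so this script separates that case from an untrusted chain by connecting to the LDAPS port with a CA bundle and checking the peer certificate's DNS SANs (or CN) against the host. The `probe_ldaps` helper, the host names and the sample certificate dict are constructed for illustration.

```python
import socket
import ssl
import time
from typing import List, Optional

def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID match: exact, or one '*' standing for exactly one
    left-most label ('*.corp.example' covers 'dc1.corp.example' only)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def check_peer_cert(cert: dict, host: str, now: Optional[float] = None) -> List[str]:
    """Reasons a getpeercert()-style dict is wrong for `host`: no name covering the
    host (the SEC_E_WRONG_PRINCIPAL condition) or an expired validity period."""
    problems = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # the CN is only consulted when the cert carries no DNS SAN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(dns_name_matches(n, host) for n in names):
        problems.append(f"name mismatch: {host!r} is not covered by {names}")
    now = time.time() if now is None else now
    if "notAfter" in cert and ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append(f"expired on {cert['notAfter']}")
    return problems

def probe_ldaps(host: str, port: int = 636, cafile: Optional[str] = None) -> List[str]:
    """Hypothetical helper: TLS-connect to the LDAPS port trusting `cafile`, report problems."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain trust is verified here
    ctx.check_hostname = False  # name is checked by check_peer_cert so the cause is reported
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return check_peer_cert(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as e:
        return [f"untrusted chain: {e.verify_message} (import the issuing CA, not the AD leaf)"]

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output.
CONSTRUCTED_AD_CERT = {
    "subject": ((("commonName", "dc1.corp.example"),),),
    "subjectAltName": (("DNS", "dc1.corp.example"), ("DNS", "*.corp.example")),
    "notAfter": "Mar 25 11:15:00 2039 GMT",
}
```

Run `probe_ldaps("dc1.corp.example", cafile="/path/to/ad-ca.pem")` with the host spelled exactly as in the backend LDAP server URL; an empty list means both chain and name are acceptable, while connecting by IP address instead of the DNS name will surface the name mismatch.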

By Satish Chintala user 01 Apr 2019 at 5:06 p.m. CDT

No luck, still the same issue.

By Aliaksandr Samuseu staff 01 Apr 2019 at 5:59 p.m. CDT

Hi, Satish. Please provide screenshots of all "Manage authentication" and "Cache Refresh" web UI pages, with all your settings visible. Also, where does the error message mentioned [here](https://support.gluu.org/authentication/6830/backend-ldap-connection-issue-over-ssl-636/#at46479) come from, which log file?

By Aliaksandr Samuseu staff 23 Apr 2019 at 2:43 p.m. CDT

Closing the ticket due to inactivity.