Posted to dev@openmeetings.apache.org by Vieri <re...@yahoo.com> on 2013/05/08 09:39:28 UTC

Cannot authenticate users via ldaps

Hi,

From the same machine where OM is installed I can run the following command:

# ldapsearch -x -D "aduser@domain.org" -b "cn=Users,dc=domain,dc=org" -H ldaps://ldapserver.domain.org -W sAMAccountName=aduser

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

-----------------

However, if I set up OM to authenticate users via LDAP/SSL I'm getting the error reported at the end of this e-mail (LDAP without SSL works fine).

My om_ldap.cfg is as follows:

ldap_server_type=OpenLDAP
ldap_conn_url=ldaps://ldapserver.domain.org:636
ldap_admin_dn=CN:aduser,CN:Users,DC:domain,DC:org
ldap_passwd=secret
ldap_search_base=CN:Users,DC:domain,DC:org
field_user_principal=sAMAccountName
ldap_auth_type=SIMPLE
ldap_sync_password_to_om=no
ldap_user_attr_lastname=sn
ldap_user_attr_firstname=givenName
ldap_user_attr_mail=mail
ldap_user_attr_street=streetAddress
ldap_user_attr_additionalname=description
ldap_user_attr_fax=facsimileTelephoneNumber
ldap_user_attr_zip=postalCode
ldap_user_attr_country=co
ldap_user_attr_town=l
ldap_user_attr_phone=telephoneNumber
ldap_user_picture_uri=wWWHomePage
ldap_use_lower_case=false
ldap_user_groups=memberOf

Before running OM I export:
OPENMEETINGS_JAVA_KEYSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/keystore
OPENMEETINGS_JAVA_TRUSTSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/truststore
JAVA_OPTS="-Djavax.net.ssl.keyStore=${OPENMEETINGS_JAVA_KEYSTORE} -Djavax.net.ssl.keyStorePassword=${OPENMEETINGS_JAVA_STORE_PASS} -Djavax.net.ssl.trustStore=${OPENMEETINGS_JAVA_TRUSTSTORE} -Djavax.net.ssl.trustStorePassword=${OPENMEETINGS_JAVA_STORE_PASS}"

I'm using a self-signed certificate in my LDAP server (Active Directory). Here's how I generated it:
  selfssl.exe /N:CN=LDAPSERVER.DOMAIN.ORG /K:1024 /V:1825
  run mmc and open the LOCAL COMPUTER Personal certificate store. The cert should already be there.
  Copy it within mmc to the "Trusted root authorities"
  Export the certificate from the trusted root store within mmc as pfx file and name it ldapserver.pfx (${OPENMEETINGS_LDAP_SERVER_CERTIFICATE})

Finally, on the OM machine I configured the truststore this way:

OM_J_TRUSTSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/truststore
rm -f $OM_J_TRUSTSTORE
keytool -validity 7300 -keysize 2048 -genkey -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keyalg RSA -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -keypass ${OPENMEETINGS_JAVA_KEY_PASSWORD} -dname "${OPENMEETINGS_JAVA_DN}"
openssl pkcs12 -passin pass:"" -passout pass:"" -in ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE} -out ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}.pem -nodes
openssl x509 -in ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}.pem -inform pem -out ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}-x509.der -outform der
keytool -import -alias root -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts -file ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}-x509.der

and the keystore (used for https):

OM_J_KEYSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/keystore
rm -f ${OM_J_KEYSTORE}
keytool -validity 7300 -keysize 2048 -genkey -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keyalg RSA -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -keypass ${OPENMEETINGS_JAVA_KEY_PASSWORD} -dname "${OPENMEETINGS_JAVA_DN}"
keytool -certreq -keyalg RSA -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -file ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.csr -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
# > Now submit ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.csr to custom CA and self-sign the certificate:
# - the signed certificate is copied to ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.crt
# - the CA root certificate is copied to ${OM_TMP_DIR}/root.crt
keytool -import -alias root -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts -file ${OM_TMP_DIR}/root.crt
keytool -import -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts -file ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.crt
cp ${OM_J_KEYSTORE} ${OM_J_KEYSTORE}.screen

If I list the keystores:

# keytool -list -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v

Alias name: ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
Creation date: Feb 21, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=openmeetings.domain.org, OU=IT, O=domain, L=City, ST=State, C=COUNTRY
Issuer: EMAILADDRCOUNTRYS=IT@domain.org, CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
Serial number: 1
Valid from: Thu Feb 21 09:57:44 CET 2013 until: Tue Feb 20 09:57:44 CET 2018
Certificate fingerprints:
         MD5:  49:08:9E:CC:AD:19:C8:49:8F:67:5C:3E:64:1C:34:AF
         SHA1: FD:DD:A9:A9:76:16:77:4A:67:96:34:0B:CE:10:93:68:F7:1D:DC:56
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: E5 C3 EE 6C 85 80 D7 C1   49 7F 98 D2 2F C4 88 1D  ...l....I.../...
0010: 1F 45 73 78                                        
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 9B 1E 67 7D 0E CE FB 0B   02 5D AE A9 E2 33 AE 70  ..g......]...3.p
0010: 56 EF AB 51                                        V..Q
]

]

#4: ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
  RFC822Name: IT@domain.org
]

#5: ObjectId: 2.16.840.1.113730.1.13 Criticality=false

#6: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: openmeetings
  DNSName: openmeetings.domain.org
]

Certificate[2]:
Owner: EMAILADDRCOUNTRYS=IT@domain.org, CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
Issuer: EMAILADDRCOUNTRYS=IT@domain.org, CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
Serial number: 0
Valid from: Thu Feb 21 09:48:02 CET 2013 until: Thu Feb 13 09:48:02 CET 2048
Certificate fingerprints:
         MD5:  95:60:3A:CA:B0:4E:EE:18:59:3A:EB:DB:17:9C:D8:0F
         SHA1: 4B:A9:E0:50:EA:D5:E1:8F:4E:01:AC:11:B9:85:A5:E3:D7:3E:25:85
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9B 1E 67 7D 0E CE FB 0B   02 5D AE A9 E2 33 AE 70  ..g......]...3.p
0010: 56 EF AB 51                                        V..Q
]
]

#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://domain.org/cert/crl.crl]
]]

#4: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#5: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
   S/MIME CA
]

#6: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 9B 1E 67 7D 0E CE FB 0B   02 5D AE A9 E2 33 AE 70  ..g......]...3.p
0010: 56 EF AB 51                                        V..Q
]

[EMAILADDRCOUNTRYS=IT@domain.org, CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY]
SerialNumber: [    00]
]

#7: ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
  RFC822Name: IT@domain.org
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  RFC822Name: IT@domain.org
]


# keytool -list -alias root -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}

root, Feb 21, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 95:60:3A:CA:B0:4E:EE:18:59:3A:EB:DB:17:9C:D8:0F



And now for the trust store:

# keytool -list -alias root -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
Alias name: root
Creation date: May 7, 2013
Entry type: trustedCertEntry

Owner: CN=LDAPSERVER.DOMAIN.ORG
Issuer: CN=LDAPSERVER.DOMAIN.ORG
Serial number: -76629fd860703546b57165ba54276ec2
Valid from: Tue May 15 19:07:45 CEST 2012 until: Sun May 14 19:07:45 CEST 2017
Certificate fingerprints:
         MD5:  ED:D1:BA:21:27:67:9F:33:26:E7:9E:DC:FB:B8:5B:EE
         SHA1: 08:6F:5F:A6:D1:81:E0:43:1A:82:9C:F4:CD:42:A6:88:6E:4E:81:29
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
  Data_Encipherment
]

#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

# keytool -list -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v

Alias name: ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
Creation date: May 7, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=openmeetings.domain.org, OU=IT, O=MyCompanyOrg, L=City, ST=State, C=COUNTRY
Issuer: CN=openmeetings.domain.org, OU=IT, O=MyCompanyOrg, L=City, ST=State, C=COUNTRY
Serial number: 5188f626
Valid from: Tue May 07 14:40:06 CEST 2013 until: Mon May 02 14:40:06 CEST 2033
Certificate fingerprints:
         MD5:  C1:DD:BD:F5:1E:99:C5:89:25:0F:42:E5:0D:E4:09:5F
         SHA1: D9:4D:AF:2D:C2:1E:99:52:A2:AD:CA:4A:D6:05:24:0E:C8:91:70:DC
         Signature algorithm name: SHA1withRSA
         Version: 3


When an LDAP user tries to log into OM, the log shows the following messages:

DEBUG 05-08 09:58:06.944 LdapAuthBase.java 68748242 117 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] -

Authentification to LDAP - Server start
DEBUG 05-08 09:58:06.946 LdapAuthBase.java 68748244 151 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] - loginToLdapServer
ERROR 05-08 09:58:11.980 LdapAuthBase.java 68753278 123 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] -

Authentification on LDAP Server failed : simple bind failed: ldapserver.domain.org:636
ERROR 05-08 09:58:11.996 LdapAuthBase.java 68753294 124 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] - [Authentification on LDAP Server failed]
javax.naming.CommunicationException: simple bind failed: ldapserver.domain.org:636
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215) ~[na:1.6.0_24]
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685) ~[na:1.6.0_24]
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306) ~[na:1.6.0_24]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) ~[na:1.6.0_24]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) ~[na:1.6.0_24]
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) ~[na:1.6.0_24]
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) ~[na:1.6.0_24]
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[na:1.6.0_24]
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) ~[na:1.6.0_24]
        at javax.naming.InitialContext.init(InitialContext.java:240) ~[na:1.6.0_24]
        at javax.naming.InitialContext.<init>(InitialContext.java:214) ~[na:1.6.0_24]
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99) ~[na:1.6.0_24]
        at org.apache.openmeetings.ldap.LdapAuthBase.loginToLdapServer(LdapAuthBase.java:161) ~[openmeetings-2.1.1-SNAPSHOT.jar:na]
        at org.apache.openmeetings.ldap.LdapAuthBase.authenticateUser(LdapAuthBase.java:119) ~[openmeetings-2.1.1-SNAPSHOT.jar:na]
        at org.apache.openmeetings.ldap.LdapLoginManagement.doLdapLogin(LdapLoginManagement.java:422) [openmeetings-2.1.1-SNAPSHOT.jar:na]
        at org.apache.openmeetings.remote.MainService.loginUser(MainService.java:333) [openmeetings-2.1.1-SNAPSHOT.jar:na]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.6.0_24]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.6.0_24]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.6.0_24]
        at java.lang.reflect.Method.invoke(Method.java:616) ~[na:1.6.0_24]
        at org.red5.server.service.ServiceInvoker.invoke(ServiceInvoker.java:196) [red5.jar:na]
        at org.red5.server.service.ServiceInvoker.invoke(ServiceInvoker.java:115) [red5.jar:na]
        at org.red5.server.net.rtmp.RTMPHandler.invokeCall(RTMPHandler.java:157) [red5.jar:na]
        at org.red5.server.net.rtmp.RTMPHandler.onInvoke(RTMPHandler.java:399) [red5.jar:na]
        at org.red5.server.net.rtmp.BaseRTMPHandler.messageReceived(BaseRTMPHandler.java:130) [red5.jar:na]
        at org.red5.server.net.rtmp.RTMPMinaIoHandler.messageReceived(RTMPMinaIoHandler.java:164) [red5.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
        at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:427) [mina-core-2.0.4.jar:na]
        at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:245) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
        at org.red5.server.net.rtmpe.RTMPEIoFilter.messageReceived(RTMPEIoFilter.java:124) [red5.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
        at org.apache.mina.filter.ssl.SslHandler.flushScheduledEvents(SslHandler.java:320) [mina-core-2.0.4.jar:na]
        at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:506) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:715) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:668) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:657) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1141) [mina-core-2.0.4.jar:na]
        at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64) [mina-core-2.0.4.jar:na]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [na:1.6.0_24]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [na:1.6.0_24]
        at java.lang.Thread.run(Thread.java:679) [na:1.6.0_24]
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.6.0_24]
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1697) ~[na:1.6.0_24]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:257) ~[na:1.6.0_24]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:251) ~[na:1.6.0_24]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1165) ~[na:1.6.0_24]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154) ~[na:1.6.0_24]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609) ~[na:1.6.0_24]
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:545) ~[na:1.6.0_24]
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945) ~[na:1.6.0_24]
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190) ~[na:1.6.0_24]
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657) ~[na:1.6.0_24]
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108) ~[na:1.6.0_24]
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) ~[na:1.6.0_24]
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) ~[na:1.6.0_24]
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:409) ~[na:1.6.0_24]
        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:352) ~[na:1.6.0_24]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210) ~[na:1.6.0_24]
        ... 55 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:324) ~[na:1.6.0_24]
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:224) ~[na:1.6.0_24]
        at sun.security.validator.Validator.validate(Validator.java:235) ~[na:1.6.0_24]
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147) ~[na:1.6.0_24]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230) ~[na:1.6.0_24]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270) ~[na:1.6.0_24]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1144) ~[na:1.6.0_24]
        ... 67 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197) ~[na:1.6.0_24]
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255) ~[na:1.6.0_24]
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:319) ~[na:1.6.0_24]
        ... 73 common frames omitted

How can I solve the "unable to find valid certification path" issue? What does it refer to exactly?

I can correctly connect to https://openmeetings.domain.org/openmeetings/ but the LDAPS authentication/login is failing.

My ldapsearch example at the beginning succeeded probably because I have 'TLS_REQCERT never' in ldap.conf. Is there a way to "loosen up" OM/java as far as self-signed certs are concerned?

Thanks,

Vieri
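
"PKIX path building failed: unable to find valid certification path to requested target" is the JVM's way of saying that the certificate the LDAPS server presented is neither a trustedCertEntry in the truststore in effect, nor issued by one. Two things are worth checking before loosening anything: that the certificate the server actually serves on port 636 is the one that was imported (Active Directory picks its LDAPS certificate from the machine store, and that need not be the selfssl one), and that the truststore the JVM consults is the red5 one at all (note that the store was written with -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} while JAVA_OPTS passes ${OPENMEETINGS_JAVA_STORE_PASS}, and that -Djavax.net.ssl.trustStore replaces the JRE's cacerts rather than adding to it). The following Python script is an added diagnostic, not code from this thread or from OpenMeetings: it parses the text that `keytool -list -v` prints, as shown above, and reports why PKIX path building would fail for a server certificate with a given SHA1 fingerprint and issuer DN. It handles the two common cases, a self-signed server certificate that must itself be an anchor and a CA-issued one whose issuer must be an anchor; intermediate CAs are out of scope. The sample listing is constructed from the truststore output above, trimmed to the lines the parser reads, with `omkey` standing in for ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}; the fingerprint and issuer to feed in for a live server are what `openssl s_client -connect ldapserver.domain.org:636 </dev/null | openssl x509 -noout -fingerprint -sha1 -issuer` prints.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class StoreEntry:
    # One alias of `keytool -list -v`; for a PrivateKeyEntry only Certificate[1] is kept.
    alias: str
    entry_type: str = ""
    owner: str = ""
    issuer: str = ""
    sha1: str = ""
    not_after: Optional[datetime] = None


def _keytool_date(text: str) -> datetime:
    # keytool prints "Sun May 14 19:07:45 CEST 2017"; strptime cannot parse
    # arbitrary zone names, so the zone token (index 4) is dropped first.
    parts = text.split()
    del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_keytool_listing(listing: str) -> List[StoreEntry]:
    """Parse the verbose listing; hex dumps and extension blocks are ignored."""
    entries: List[StoreEntry] = []
    current: Optional[StoreEntry] = None
    cert_no = 0
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = StoreEntry(alias=line.split(":", 1)[1].strip())
            entries.append(current)
            cert_no = 0
        elif current is None:
            continue
        elif line.startswith("Entry type:"):
            current.entry_type = line.split(":", 1)[1].strip()
        elif re.fullmatch(r"Certificate\[\d+\]:", line):
            cert_no += 1
        elif cert_no > 1:
            continue  # further chain certificates are not needed for this check
        elif line.startswith("Owner:"):
            current.owner = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:"):
            current.issuer = line.split(":", 1)[1].strip()
        elif line.startswith("SHA1:"):
            current.sha1 = line.split(":", 1)[1].strip().upper()
        elif line.startswith("Valid from:"):
            current.not_after = _keytool_date(line.split("until:", 1)[1])
    return entries


def check_trust(listing: str, presented_sha1: str, presented_issuer: str,
                now: datetime) -> List[str]:
    """Findings that explain a PKIX 'unable to find valid certification path'
    for a server whose leaf certificate has this fingerprint and issuer DN."""
    entries = parse_keytool_listing(listing)
    findings: List[str] = []
    anchors = [e for e in entries if e.entry_type == "trustedCertEntry"]
    for e in entries:
        if e.entry_type == "PrivateKeyEntry":
            findings.append(f"alias '{e.alias}' is a PrivateKeyEntry, not a trust anchor")
    if not anchors:
        findings.append("the store holds no trustedCertEntry at all")
    for a in anchors:
        if a.not_after is not None and a.not_after < now:
            findings.append(f"anchor '{a.alias}' expired on {a.not_after:%Y-%m-%d}")
    wanted = presented_sha1.upper()
    # A self-signed server certificate must itself be an anchor; a CA-issued one
    # needs its issuer among the anchors (intermediate CAs are out of scope here).
    if not any(a.sha1 == wanted or a.owner == presented_issuer for a in anchors):
        findings.append("the presented certificate is neither a trust anchor nor issued by one")
    return findings


# Constructed sample: the truststore listing from the mail above, trimmed to the
# lines this parser reads; "omkey" stands in for ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.
SAMPLE_LISTING = """\
Alias name: root
Entry type: trustedCertEntry

Owner: CN=LDAPSERVER.DOMAIN.ORG
Issuer: CN=LDAPSERVER.DOMAIN.ORG
Valid from: Tue May 15 19:07:45 CEST 2012 until: Sun May 14 19:07:45 CEST 2017
         SHA1: 08:6F:5F:A6:D1:81:E0:43:1A:82:9C:F4:CD:42:A6:88:6E:4E:81:29

Alias name: omkey
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=openmeetings.domain.org, OU=IT, O=MyCompanyOrg, L=City, ST=State, C=COUNTRY
Issuer: CN=openmeetings.domain.org, OU=IT, O=MyCompanyOrg, L=City, ST=State, C=COUNTRY
Valid from: Tue May 07 14:40:06 CEST 2013 until: Mon May 02 14:40:06 CEST 2033
         SHA1: D9:4D:AF:2D:C2:1E:99:52:A2:AD:CA:4A:D6:05:24:0E:C8:91:70:DC
"""
ANCHOR_SHA1 = "08:6F:5F:A6:D1:81:E0:43:1A:82:9C:F4:CD:42:A6:88:6E:4E:81:29"
MAIL_DATE = datetime(2013, 5, 8)  # used as "now" in the demo: the date of the mail

if __name__ == "__main__":
    # Server presents exactly the imported self-signed certificate: a path exists.
    print(check_trust(SAMPLE_LISTING, ANCHOR_SHA1, "CN=LDAPSERVER.DOMAIN.ORG", MAIL_DATE))
    # Server presents some other certificate (constructed fingerprint): PKIX fails.
    print(check_trust(SAMPLE_LISTING, "AA:" * 19 + "AA", "CN=Other CA", MAIL_DATE))
```

Run against the real output of `keytool -list -v -keystore red5/conf/truststore`, the script reports the PrivateKeyEntry that the -genkey step left in the truststore (harmless, but a truststore only needs trustedCertEntry items) and, more usefully, whether the live server's fingerprint or issuer is covered by an anchor at all. If it is covered and the JVM still fails, the store being checked is not the store the JVM is using.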


Re: Cannot authenticate users via ldaps

Posted by Maxim Solodovnik <so...@gmail.com>.
To be fair I don't know :(
I never setup LDAP integration myself
Maybe Sebastian can suggest anything?


On Wed, May 8, 2013 at 3:11 PM, Vieri <re...@yahoo.com> wrote:

> # java -version
> java version "1.6.0_24"
> OpenJDK Runtime Environment (IcedTea6 1.11.1) (Gentoo build 1.6.0_24-b24)
> OpenJDK Client VM (build 20.0-b12, mixed mode)
>
> I guess that would be:
> /etc/java-config-2/current-system-vm/jre/lib/security/cacerts
>
> So I'd need to add the CA and only the CA cert to this file?
> I'd run something like:
>
> keytool -import -alias root -keystore
> /etc/java-config-2/current-system-vm/jre/lib/security/cacerts -storepass
> ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts -file
> ${OM_TMP_DIR}/root.crt
>
> However, I have no experience whatsoever in this field and I currently
> don't know what to use as the keystore password (or maybe it should be left
> blank).
>
> So if you suggest to put the CA in the global store, does it mean that
> JAVA_OPTS="-Djavax.net.ssl.keyStore="
> is not enough?
>
> Vieri
>
> --- On Wed, 5/8/13, Maxim Solodovnik <so...@gmail.com> wrote:
>
> > I guess you need to add your CA to
> > java (global one)
> >
> >
> > On Wed, May 8, 2013 at 2:39 PM, Vieri <re...@yahoo.com>
> > wrote:
> >
> > > Hi,
> > >
> > > From the same machine where OM is installed I can run
> > the following
> > > command:
> > >
> > > # ldapsearch -x -D "aduser@domain.org"
> > -b "cn=Users,dc=domain,dc=org" -H
> > > ldaps://ldapserver.domain.org -W sAMAccountName=aduser
> > >
> > > # search result
> > > search: 2
> > > result: 0 Success
> > >
> > > # numResponses: 2
> > > # numEntries: 1
> > >
> > > -----------------
> > >
> > > However, if I setup OM to authenticate users via
> > LDAP/SSL I'm getting the
> > > error reported at the end of this e-mail (LDAP without
> > SSL works fine).
> > >
> > > My om_ldap.cfg is as follows:
> > >
> > > ldap_server_type=OpenLDAP
> > > ldap_conn_url=ldaps://ldapserver.domain.org:636
> > > ldap_admin_dn=CN:aduser,CN:Users,DC:domain,DC:org
> > > ldap_passwd=secret
> > > ldap_search_base=CN:Users,DC:domain,DC:org
> > > field_user_principal=sAMAccountName
> > > ldap_auth_type=SIMPLE
> > > ldap_sync_password_to_om=no
> > > ldap_user_attr_lastname=sn
> > > ldap_user_attr_firstname=givenName
> > > ldap_user_attr_mail=mail
> > > ldap_user_attr_street=streetAddress
> > > ldap_user_attr_additionalname=description
> > > ldap_user_attr_fax=facsimileTelephoneNumber
> > > ldap_user_attr_zip=postalCode
> > > ldap_user_attr_country=co
> > > ldap_user_attr_town=l
> > > ldap_user_attr_phone=telephoneNumber
> > > ldap_user_picture_uri=wWWHomePage
> > > ldap_use_lower_case=false
> > > ldap_user_groups=memberOf
> > >
> > > Before running OM I export:
> > >
> >
> OPENMEETINGS_JAVA_KEYSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/keystore
> > >
> > >
> >
> OPENMEETINGS_JAVA_TRUSTSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/truststore
> > >
> > JAVA_OPTS="-Djavax.net.ssl.keyStore=${OPENMEETINGS_JAVA_KEYSTORE}
> > >
> > -Djavax.net.ssl.keyStorePassword=${OPENMEETINGS_JAVA_STORE_PASS}
> > >
> > -Djavax.net.ssl.trustStore=${OPENMEETINGS_JAVA_TRUSTSTORE}
> > >
> > -Djavax.net.ssl.trustStorePassword=${OPENMEETINGS_JAVA_STORE_PASS}"
> > >
> > > I'm using a self-signed certificate in my LDAP server
> > (Active Directory).
> > > Here's how I generated it:
> > >   selfssl.exe
> > /N:CN=LDAPSERVER.DOMAIN.ORG /K:1024 /V:1825"
> > >   run mmc and open the LOCAL COMPUTER
> > Personal certificate store. The cert
> > > should already be there.
> > >   Copy it within mmc to the "Trusted
> > root authorities"
> > >   Export the certificate from the
> > trusted root store within mmc as pfx
> > > file and name it ldapserver.pfx
> > (${OPENMEETINGS_LDAP_SERVER_CERTIFICATE})
> > >
> > > Finally, on the OM machine I configured the truststore
> > this way:
> > >
> > >
> > OM_J_TRUSTSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/truststore
> > > rm -f $OM_J_TRUSTSTORE
> > > keytool -validity 7300 -keysize 2048 -genkey -alias
> > > ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keyalg RSA
> > -keystore
> > > ${OM_J_TRUSTSTORE} -storepass
> > ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
> > > -keypass ${OPENMEETINGS_JAVA_KEY_PASSWORD} -dname
> > "${OPENMEETINGS_JAVA_DN}"
> > > openssl pkcs12 -passin pass:"" -passout pass:"" -in
> > > ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE} -out
> > > ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}.pem -nodes
> > > openssl x509 -in
> > ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}.pem -inform pem
> > > -out ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}-x509.der
> > -outform der
> > > keytool -import -alias root -keystore
> > ${OM_J_TRUSTSTORE} -storepass
> > > ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts
> > -file
> > > ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}-x509.der
> > >
> > > and the keystore (used for https):
> > >
> > >
> > OM_J_KEYSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/keystore
> > > rm -f ${OM_J_KEYSTORE}
> > > keytool -validity 7300 -keysize 2048 -genkey -alias
> > > ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keyalg RSA
> > -keystore ${OM_J_KEYSTORE}
> > > -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
> > -keypass
> > > ${OPENMEETINGS_JAVA_KEY_PASSWORD} -dname
> > "${OPENMEETINGS_JAVA_DN}"
> > > keytool -certreq -keyalg RSA -alias
> > ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
> > > -file
> > ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.csr
> > -keystore
> > > ${OM_J_KEYSTORE} -storepass
> > ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
> > > # > Now submit
> > ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.csr to
> > > custom CA and self-sign the certificate:"
> > > # - the signed certificate is copied to
> > > ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.crt"
> > > # - the CA root certificate is copied to
> > ${OM_TMP_DIR}/root.crt"
> > > keytool -import -alias root -keystore ${OM_J_KEYSTORE}
> > -storepass
> > > ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts
> > -file
> > > ${OM_TMP_DIR}/root.crt
> > > keytool -import -alias
> > ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore
> > > ${OM_J_KEYSTORE} -storepass
> > ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
> > > -trustcacerts -file
> > ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.crt
> > > cp ${OM_J_KEYSTORE} ${OM_J_KEYSTORE}.screen
> > >
> > > If I list the keystores:
> > >
> > > # keytool -list -alias
> > ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore
> > > ${OM_J_KEYSTORE} -storepass
> > ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
> > >
> > > Alias name: ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
> > > Creation date: Feb 21, 2013
> > > Entry type: PrivateKeyEntry
> > > Certificate chain length: 2
> > > Certificate[1]:
> > > Owner: CN=openmeetings.domain.org, OU=IT, O=domain,
> > L=City, ST=State,
> > > C=COUNTRY
> > > Issuer: EMAILADDRCOUNTRYS=IT@domain.org,
> > CN=MYORG1 Signing Authority,
> > > OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> > > Serial number: 1
> > > Valid from: Thu Feb 21 09:57:44 CET 2013 until: Tue Feb
> > 20 09:57:44 CET
> > > 2018
> > > Certificate fingerprints:
> > >          MD5:
> > 49:08:9E:CC:AD:19:C8:49:8F:67:5C:3E:64:1C:34:AF
> > >          SHA1:
> > FD:DD:A9:A9:76:16:77:4A:67:96:34:0B:CE:10:93:68:F7:1D:DC:56
> > >          Signature algorithm
> > name: SHA1withRSA
> > >          Version: 3
> > >
> > > Extensions:
> > >
> > > #1: ObjectId: 2.5.29.14 Criticality=false
> > > SubjectKeyIdentifier [
> > > KeyIdentifier [
> > > 0000: E5 C3 EE 6C 85 80 D7 C1   49 7F 98
> > D2 2F C4 88 1D  ...l....I.../...
> > > 0010: 1F 45 73 78
> > > ]
> > > ]
> > >
> > > #2: ObjectId: 2.5.29.19 Criticality=false
> > > BasicConstraints:[
> > >   CA:false
> > >   PathLen: undefined
> > > ]
> > >
> > > #3: ObjectId: 2.5.29.35 Criticality=false
> > > AuthorityKeyIdentifier [
> > > KeyIdentifier [
> > > 0000: 9B 1E 67 7D 0E CE FB 0B   02 5D AE
> > A9 E2 33 AE 70  ..g......]...3.p
> > > 0010: 56 EF AB 51
> >
> >               V..Q
> > > ]
> > >
> > > ]
> > >
> > > #4: ObjectId: 2.5.29.18 Criticality=false
> > > IssuerAlternativeName [
> > >   RFC822Name: IT@domain.org
> > > ]
> > >
> > > #5: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
> > >
> > > #6: ObjectId: 2.5.29.17 Criticality=false
> > > SubjectAlternativeName [
> > >   DNSName: openmeetings
> > >   DNSName: openmeetings.domain.org
> > > ]
> > >
> > > Certificate[2]:
> > > Owner: EMAILADDRCOUNTRYS=IT@domain.org,
> > CN=MYORG1 Signing Authority,
> > > OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> > > Issuer: EMAILADDRCOUNTRYS=IT@domain.org,
> > CN=MYORG1 Signing Authority,
> > > OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> > > Serial number: 0
> > > Valid from: Thu Feb 21 09:48:02 CET 2013 until: Thu Feb
> > 13 09:48:02 CET
> > > 2048
> > > Certificate fingerprints:
> > >          MD5:
> > 95:60:3A:CA:B0:4E:EE:18:59:3A:EB:DB:17:9C:D8:0F
> > >          SHA1:
> > 4B:A9:E0:50:EA:D5:E1:8F:4E:01:AC:11:B9:85:A5:E3:D7:3E:25:85
> > >          Signature algorithm
> > name: SHA1withRSA
> > >          Version: 3
> > >
> > > Extensions:
> > >
> > > #1: ObjectId: 2.5.29.15 Criticality=false
> > > KeyUsage [
> > >   Key_CertSign
> > >   Crl_Sign
> > > ]
> > >
> > > #2: ObjectId: 2.5.29.14 Criticality=false
> > > SubjectKeyIdentifier [
> > > KeyIdentifier [
> > > 0000: 9B 1E 67 7D 0E CE FB 0B   02 5D AE
> > A9 E2 33 AE 70  ..g......]...3.p
> > > 0010: 56 EF AB 51
> >
> >               V..Q
> > > ]
> > > ]
> > >
> > > #3: ObjectId: 2.5.29.31 Criticality=false
> > > CRLDistributionPoints [
> > >   [DistributionPoint:
> > >      [URIName: http://domain.org/cert/crl.crl]
> > > ]]
> > >
> > > #4: ObjectId: 2.5.29.19 Criticality=false
> > > BasicConstraints:[
> > >   CA:true
> > >   PathLen:2147483647
> > > ]
> > >
> > > #5: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
> > > NetscapeCertType [
> > >    SSL CA
> > >    S/MIME CA
> > > ]
> > >
> > > #6: ObjectId: 2.5.29.35 Criticality=false
> > > AuthorityKeyIdentifier [
> > > KeyIdentifier [
> > > 0000: 9B 1E 67 7D 0E CE FB 0B   02 5D AE
> > A9 E2 33 AE 70  ..g......]...3.p
> > > 0010: 56 EF AB 51
> >
> >               V..Q
> > > ]
> > >
> > > [EMAILADDRCOUNTRYS=IT@domain.org,
> > CN=MYORG1 Signing Authority, OU=ORG IT,
> > > O=MYORG, ST=State, C=COUNTRY]
> > > SerialNumber: [    00]
> > > ]
> > >
> > > #7: ObjectId: 2.5.29.18 Criticality=false
> > > IssuerAlternativeName [
> > >   RFC822Name: IT@domain.org
> > > ]
> > >
> > > #8: ObjectId: 2.5.29.17 Criticality=false
> > > SubjectAlternativeName [
> > >   RFC822Name: IT@domain.org
> > > ]
> > >
> > >
> > > # keytool -list -alias root -keystore ${OM_J_KEYSTORE}
> > -storepass
> > > ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
> > >
> > > root, Feb 21, 2013, trustedCertEntry,
> > > Certificate fingerprint (MD5):
> > > 95:60:3A:CA:B0:4E:EE:18:59:3A:EB:DB:17:9C:D8:0F
> > >
> > >
> > >
> > > And now for the trust store:
> > >
> > > # keytool -list -alias root -keystore
> > ${OM_J_TRUSTSTORE} -storepass
> > > ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
> > > Alias name: root
> > > Creation date: May 7, 2013
> > > Entry type: trustedCertEntry
> > >
> > > Owner: CN=LDAPSERVER.DOMAIN.ORG
> > > Issuer: CN=LDAPSERVER.DOMAIN.ORG
> > > Serial number: -76629fd860703546b57165ba54276ec2
> > > Valid from: Tue May 15 19:07:45 CEST 2012 until: Sun
> > May 14 19:07:45 CEST
> > > 2017
> > > Certificate fingerprints:
> > >          MD5:
> > ED:D1:BA:21:27:67:9F:33:26:E7:9E:DC:FB:B8:5B:EE
> > >          SHA1:
> > 08:6F:5F:A6:D1:81:E0:43:1A:82:9C:F4:CD:42:A6:88:6E:4E:81:29
> > >          Signature algorithm
> > name: SHA1withRSA
> > >          Version: 3
> > >
> > > Extensions:
> > >
> > > #1: ObjectId: 2.5.29.15 Criticality=false
> > > KeyUsage [
> > >   DigitalSignature
> > >   Key_Encipherment
> > >   Data_Encipherment
> > > ]
> > >
> > > #2: ObjectId: 2.5.29.37 Criticality=false
> > > ExtendedKeyUsages [
> > >   serverAuth
> > > ]
> > >
> > > # keytool -list -alias
> > ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore
> > > ${OM_J_TRUSTSTORE} -storepass
> > ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
> > >
> > > Alias name: ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
> > > Creation date: May 7, 2013
> > > Entry type: PrivateKeyEntry
> > > Certificate chain length: 1
> > > Certificate[1]:
> > > Owner: CN=openmeetings.domain.org, OU=IT,
> > O=MyCompanyOrg, L=City,
> > > ST=State, C=COUNTRY
> > > Issuer: CN=openmeetings.domain.org, OU=IT,
> > O=MyCompanyOrg, L=City,
> > > ST=State, C=COUNTRY
> > > Serial number: 5188f626
> > > Valid from: Tue May 07 14:40:06 CEST 2013 until: Mon
> > May 02 14:40:06 CEST
> > > 2033
> > > Certificate fingerprints:
> > >          MD5:
> > C1:DD:BD:F5:1E:99:C5:89:25:0F:42:E5:0D:E4:09:5F
> > >          SHA1:
> > D9:4D:AF:2D:C2:1E:99:52:A2:AD:CA:4A:D6:05:24:0E:C8:91:70:DC
> > >          Signature algorithm
> > name: SHA1withRSA
> > >          Version: 3
> > >
> > >
> > > When an LDAP user tries to log into OM, the log show
> > the following
> > > messages:
> > >
> > > DEBUG 05-08 09:58:06.944 LdapAuthBase.java 68748242
> > 117
> > > org.apache.openmeetings.ldap.LdapAuthBase
> > [NioProcessor-19] -
> > >
> > > Authentification to LDAP - Server start
> > > DEBUG 05-08 09:58:06.946 LdapAuthBase.java 68748244
> > 151
> > > org.apache.openmeetings.ldap.LdapAuthBase
> > [NioProcessor-19] -
> > > loginToLdapServer
> > > ERROR 05-08 09:58:11.980 LdapAuthBase.java 68753278
> > 123
> > > org.apache.openmeetings.ldap.LdapAuthBase
> > [NioProcessor-19] -
> > >
> > > Authentification on LDAP Server failed : simple bind
> > failed:
> > > ldapserver.domain.org:636
> > > ERROR 05-08 09:58:11.996 LdapAuthBase.java 68753294
> > 124
> > > org.apache.openmeetings.ldap.LdapAuthBase
> > [NioProcessor-19] -
> > > [Authentification on LDAP Server failed]
> > > javax.naming.CommunicationException: simple bind
> > failed:
> > > ldapserver.domain.org:636
> > >         at
> > com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
> > > ~[na:1.6.0_24]
> > >         at
> > com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
> > > ~[na:1.6.0_24]
> > >         at
> > com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
> > > ~[na:1.6.0_24]
> > >         at
> > javax.naming.InitialContext.init(InitialContext.java:240)
> > > ~[na:1.6.0_24]
> > >         at
> > javax.naming.InitialContext.<init>(InitialContext.java:214)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> org.apache.openmeetings.ldap.LdapAuthBase.loginToLdapServer(LdapAuthBase.java:161)
> > > ~[openmeetings-2.1.1-SNAPSHOT.jar:na]
> > >         at
> > >
> >
> org.apache.openmeetings.ldap.LdapAuthBase.authenticateUser(LdapAuthBase.java:119)
> > > ~[openmeetings-2.1.1-SNAPSHOT.jar:na]
> > >         at
> > >
> >
> org.apache.openmeetings.ldap.LdapLoginManagement.doLdapLogin(LdapLoginManagement.java:422)
> > > [openmeetings-2.1.1-SNAPSHOT.jar:na]
> > >         at
> > >
> >
> org.apache.openmeetings.remote.MainService.loginUser(MainService.java:333)
> > > [openmeetings-2.1.1-SNAPSHOT.jar:na]
> > >         at
> > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > ~[na:1.6.0_24]
> > >         at
> > java.lang.reflect.Method.invoke(Method.java:616)
> > ~[na:1.6.0_24]
> > >         at
> > >
> > org.red5.server.service.ServiceInvoker.invoke(ServiceInvoker.java:196)
> > > [red5.jar:na]
> > >         at
> > >
> > org.red5.server.service.ServiceInvoker.invoke(ServiceInvoker.java:115)
> > > [red5.jar:na]
> > >         at
> > >
> > org.red5.server.net.rtmp.RTMPHandler.invokeCall(RTMPHandler.java:157)
> > > [red5.jar:na]
> > >         at
> > >
> > org.red5.server.net.rtmp.RTMPHandler.onInvoke(RTMPHandler.java:399)
> > > [red5.jar:na]
> > >         at
> > >
> >
> org.red5.server.net.rtmp.BaseRTMPHandler.messageReceived(BaseRTMPHandler.java:130)
> > > [red5.jar:na]
> > >         at
> > >
> >
> org.red5.server.net.rtmp.RTMPMinaIoHandler.messageReceived(RTMPMinaIoHandler.java:164)
> > > [red5.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:427)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:245)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.red5.server.net.rtmpe.RTMPEIoFilter.messageReceived(RTMPEIoFilter.java:124)
> > > [red5.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.filter.ssl.SslHandler.flushScheduledEvents(SslHandler.java:320)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> > org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:506)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:715)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:668)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:657)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1141)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
> > > [na:1.6.0_24]
> > >         at
> > >
> >
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
> > > [na:1.6.0_24]
> > >         at
> > java.lang.Thread.run(Thread.java:679) [na:1.6.0_24]
> > > Caused by: javax.net.ssl.SSLHandshakeException:
> > > sun.security.validator.ValidatorException: PKIX path
> > building failed:
> > >
> > sun.security.provider.certpath.SunCertPathBuilderException:
> > unable to find
> > > valid certification path to requested target
> > >         at
> > sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> > > ~[na:1.6.0_24]
> > >         at
> > sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1697)
> > > ~[na:1.6.0_24]
> > >         at
> > sun.security.ssl.Handshaker.fatalSE(Handshaker.java:257)
> > > ~[na:1.6.0_24]
> > >         at
> > sun.security.ssl.Handshaker.fatalSE(Handshaker.java:251)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1165)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154)
> > > ~[na:1.6.0_24]
> > >         at
> > sun.security.ssl.Handshaker.processLoop(Handshaker.java:609)
> > > ~[na:1.6.0_24]
> > >         at
> > sun.security.ssl.Handshaker.process_record(Handshaker.java:545)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
> > > ~[na:1.6.0_24]
> > >         at
> > com.sun.jndi.ldap.Connection.writeRequest(Connection.java:409)
> > > ~[na:1.6.0_24]
> > >         at
> > com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:352)
> > > ~[na:1.6.0_24]
> > >         at
> > com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210)
> > > ~[na:1.6.0_24]
> > >         ... 55 common
> > frames omitted
> > > Caused by: sun.security.validator.ValidatorException:
> > PKIX path building
> > > failed:
> > sun.security.provider.certpath.SunCertPathBuilderException:
> > unable
> > > to find valid certification path to requested target
> > >         at
> > >
> > sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:324)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:224)
> > > ~[na:1.6.0_24]
> > >         at
> > sun.security.validator.Validator.validate(Validator.java:235)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1144)
> > > ~[na:1.6.0_24]
> > >         ... 67 common
> > frames omitted
> > > Caused by:
> > sun.security.provider.certpath.SunCertPathBuilderException:
> > > unable to find valid certification path to requested
> > target
> > >         at
> > >
> >
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:319)
> > > ~[na:1.6.0_24]
> > >         ... 73 common
> > frames omitted
> > >
> > > How can I solve the "unable to find valid certification
> > path" issue? What
> > > does it refer to exactly?
> > >
> > > I can correctly connect to
> https://openmeetings.domain.org/openmeetings/but the
> > LDAPS authentication/login is failing.
> > >
> > > My ldapsearch example at the beginning succeeded
> > probably because I have
> > > 'TLS_REQCERT never' in ldap.conf. Is there a way to
> > "loosen up" OM/java as
> > > far as self-signed certs are concerned?
> > >
> > > Thanks,
> > >
> > > Vieri
> > >
> > >
> >
> >
> > --
> > WBR
> > Maxim aka solomax
> >
>



-- 
WBR
Maxim aka solomax

Re: Cannot authenticate users via ldaps

Posted by Vieri <re...@yahoo.com>.
# java -version
java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.1) (Gentoo build 1.6.0_24-b24)
OpenJDK Client VM (build 20.0-b12, mixed mode)

I guess that would be:
/etc/java-config-2/current-system-vm/jre/lib/security/cacerts 

So I'd need to add the CA and only the CA cert to this file?
I'd run something like:

keytool -import -alias root -keystore /etc/java-config-2/current-system-vm/jre/lib/security/cacerts -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts -file ${OM_TMP_DIR}/root.crt

However, I have no experience whatsoever in this field and I currently don't know what to use as the keystore password (or maybe it should be left blank).

So if you suggest putting the CA in the global store, does it mean that
JAVA_OPTS="-Djavax.net.ssl.keyStore="
is not enough?

Vieri
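An added diagnostic for the question above (not code from OpenMeetings or from anyone in this thread): it loads a truststore and runs the same X509TrustManager check that JSSE performs during the LDAPS handshake, so the "PKIX path building failed" outcome can be reproduced offline against ${OM_J_TRUSTSTORE} or the JVM's cacerts before restarting OM. It assumes the exported server certificate file (the -x509.der produced earlier) is passed on the command line; the class name and the "default" shorthand are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical offline check (not part of OpenMeetings): would the given
 * truststore accept the LDAP server's certificate chain?
 *
 * Usage: java TrustStoreCheck <truststore|default> <storepass> <server-cert.der|.pem>
 *        java TrustStoreCheck default changeit ldapserver-x509.der
 */
public class TrustStoreCheck {

    /** Store JSSE consults when -Djavax.net.ssl.trustStore is not set. */
    static String defaultTrustStore() {
        return System.getProperty("java.home") + "/lib/security/cacerts";
    }

    /** Loads a store of the JVM's default type (JKS on Java 6, as keytool writes). */
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Reads one or more certificates (leaf first) from a DER or PEM file. */
    static X509Certificate[] loadChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(path);
        try {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        } finally {
            in.close();
        }
    }

    /**
     * Runs X509TrustManager.checkServerTrusted, the call that throws
     * "PKIX path building failed" in the trace above. Returns null when
     * the chain is trusted, otherwise the validator's message.
     * Only trustedCertEntry entries count: a PrivateKeyEntry (the OM https
     * key) identifies this server and does not make it trust anyone, so
     * -Djavax.net.ssl.keyStore on its own cannot change this result.
     */
    static String checkServerTrusted(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    ((X509TrustManager) tm).checkServerTrusted(chain, "RSA");
                    return null;
                } catch (CertificateException e) {
                    return e.getMessage();
                }
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustStoreCheck <truststore|default> <storepass> <server-cert>");
            System.exit(2);
        }
        String storePath = "default".equals(args[0]) ? defaultTrustStore() : args[0];
        KeyStore ts = loadStore(storePath, args[1].toCharArray());
        X509Certificate[] chain = loadChain(args[2]);

        System.out.println("truststore:  " + storePath);
        System.out.println("server cert: " + chain[0].getSubjectX500Principal()
                + " issued by " + chain[0].getIssuerX500Principal());
        String problem = checkServerTrusted(ts, chain);
        if (problem == null) {
            System.out.println("TRUSTED: this JVM would accept the chain");
        } else {
            System.out.println("REJECTED: " + problem);
            System.out.println("Import the issuing CA (for a self-signed server cert, the cert itself)"
                    + " into this store as a trustedCertEntry with keytool -import -trustcacerts.");
        }
        System.exit(problem == null ? 0 : 1);
    }
}
```

Run it with the same JVM that runs OM; the JDK ships cacerts with the password changeit, and whichever store the check passes against is the one OM must be pointed at (via -Djavax.net.ssl.trustStore, or the global cacerts when that property is absent).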

--- On Wed, 5/8/13, Maxim Solodovnik <so...@gmail.com> wrote:

> I guess you need to add your CA to
> java (global one)
> 
> 
> On Wed, May 8, 2013 at 2:39 PM, Vieri <re...@yahoo.com>
> wrote:
> > [mina-core-2.0.4.jar:na]
> >         at
> >
> org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:657)
> > [mina-core-2.0.4.jar:na]
> >         at
> >
> org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68)
> > [mina-core-2.0.4.jar:na]
> >         at
> >
> org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1141)
> > [mina-core-2.0.4.jar:na]
> >         at
> >
> org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
> > [mina-core-2.0.4.jar:na]
> >         at
> >
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
> > [na:1.6.0_24]
> >         at
> >
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
> > [na:1.6.0_24]
> >         at
> java.lang.Thread.run(Thread.java:679) [na:1.6.0_24]
> > Caused by: javax.net.ssl.SSLHandshakeException:
> > sun.security.validator.ValidatorException: PKIX path
> building failed:
> >
> sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find
> > valid certification path to requested target
> >         at
> sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> > ~[na:1.6.0_24]
> >         at
> sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1697)
> > ~[na:1.6.0_24]
> >         at
> sun.security.ssl.Handshaker.fatalSE(Handshaker.java:257)
> > ~[na:1.6.0_24]
> >         at
> sun.security.ssl.Handshaker.fatalSE(Handshaker.java:251)
> > ~[na:1.6.0_24]
> >         at
> >
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1165)
> > ~[na:1.6.0_24]
> >         at
> >
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154)
> > ~[na:1.6.0_24]
> >         at
> sun.security.ssl.Handshaker.processLoop(Handshaker.java:609)
> > ~[na:1.6.0_24]
> >         at
> sun.security.ssl.Handshaker.process_record(Handshaker.java:545)
> > ~[na:1.6.0_24]
> >         at
> >
> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945)
> > ~[na:1.6.0_24]
> >         at
> >
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)
> > ~[na:1.6.0_24]
> >         at
> >
> sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657)
> > ~[na:1.6.0_24]
> >         at
> >
> sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108)
> > ~[na:1.6.0_24]
> >         at
> >
> java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
> > ~[na:1.6.0_24]
> >         at
> >
> java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
> > ~[na:1.6.0_24]
> >         at
> com.sun.jndi.ldap.Connection.writeRequest(Connection.java:409)
> > ~[na:1.6.0_24]
> >         at
> com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:352)
> > ~[na:1.6.0_24]
> >         at
> com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210)
> > ~[na:1.6.0_24]
> >         ... 55 common
> frames omitted
> > Caused by: sun.security.validator.ValidatorException:
> PKIX path building
> > failed:
> sun.security.provider.certpath.SunCertPathBuilderException:
> unable
> > to find valid certification path to requested target
> >         at
> >
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:324)
> > ~[na:1.6.0_24]
> >         at
> >
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:224)
> > ~[na:1.6.0_24]
> >         at
> sun.security.validator.Validator.validate(Validator.java:235)
> > ~[na:1.6.0_24]
> >         at
> >
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
> > ~[na:1.6.0_24]
> >         at
> >
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230)
> > ~[na:1.6.0_24]
> >         at
> >
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
> > ~[na:1.6.0_24]
> >         at
> >
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1144)
> > ~[na:1.6.0_24]
> >         ... 67 common
> frames omitted
> > Caused by:
> sun.security.provider.certpath.SunCertPathBuilderException:
> > unable to find valid certification path to requested
> target
> >         at
> >
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197)
> > ~[na:1.6.0_24]
> >         at
> >
> java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
> > ~[na:1.6.0_24]
> >         at
> >
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:319)
> > ~[na:1.6.0_24]
> >         ... 73 common
> frames omitted
> >
> > How can I solve the "unable to find valid certification
> path" issue? What
> > does it refer to exactly?
> >
> > I can correctly connect to https://openmeetings.domain.org/openmeetings/but the
> LDAPS authentication/login is failing.
> >
> > My ldapsearch example at the beginning succeeded
> probably because I have
> > 'TLS_REQCERT never' in ldap.conf. Is there a way to
> "loosen up" OM/java as
> > far as self-signed certs are concerned?
> >
> > Thanks,
> >
> > Vieri
> >
> >
> 
> 
> -- 
> WBR
> Maxim aka solomax
> 

Re: Cannot authenticate users via ldaps

Posted by Maxim Solodovnik <so...@gmail.com>.
I guess you need to add your CA to java (global one)


On Wed, May 8, 2013 at 2:39 PM, Vieri <re...@yahoo.com> wrote:

> Hi,
>
> From the same machine where OM is installed I can run the following
> command:
>
> # ldapsearch -x -D "aduser@domain.org" -b "cn=Users,dc=domain,dc=org" -H
> ldaps://ldapserver.domain.org -W sAMAccountName=aduser
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> -----------------
>
> However, if I setup OM to authenticate users via LDAP/SSL I'm getting the
> error reported at the end of this e-mail (LDAP without SSL works fine).
>
> My om_ldap.cfg is as follows:
>
> ldap_server_type=OpenLDAP
> ldap_conn_url=ldaps://ldapserver.domain.org:636
> ldap_admin_dn=CN:aduser,CN:Users,DC:domain,DC:org
> ldap_passwd=secret
> ldap_search_base=CN:Users,DC:domain,DC:org
> field_user_principal=sAMAccountName
> ldap_auth_type=SIMPLE
> ldap_sync_password_to_om=no
> ldap_user_attr_lastname=sn
> ldap_user_attr_firstname=givenName
> ldap_user_attr_mail=mail
> ldap_user_attr_street=streetAddress
> ldap_user_attr_additionalname=description
> ldap_user_attr_fax=facsimileTelephoneNumber
> ldap_user_attr_zip=postalCode
> ldap_user_attr_country=co
> ldap_user_attr_town=l
> ldap_user_attr_phone=telephoneNumber
> ldap_user_picture_uri=wWWHomePage
> ldap_use_lower_case=false
> ldap_user_groups=memberOf
>
> Before running OM I export:
> OPENMEETINGS_JAVA_KEYSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/keystore
>
> OPENMEETINGS_JAVA_TRUSTSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/truststore
> JAVA_OPTS="-Djavax.net.ssl.keyStore=${OPENMEETINGS_JAVA_KEYSTORE}
> -Djavax.net.ssl.keyStorePassword=${OPENMEETINGS_JAVA_STORE_PASS}
> -Djavax.net.ssl.trustStore=${OPENMEETINGS_JAVA_TRUSTSTORE}
> -Djavax.net.ssl.trustStorePassword=${OPENMEETINGS_JAVA_STORE_PASS}"
>
> I'm using a self-signed certificate in my LDAP server (Active Directory).
> Here's how I generated it:
>   selfssl.exe /N:CN=LDAPSERVER.DOMAIN.ORG /K:1024 /V:1825"
>   run mmc and open the LOCAL COMPUTER Personal certificate store. The cert
> should already be there.
>   Copy it within mmc to the "Trusted root authorities"
>   Export the certificate from the trusted root store within mmc as pfx
> file and name it ldapserver.pfx (${OPENMEETINGS_LDAP_SERVER_CERTIFICATE})
>
> Finally, on the OM machine I configured the truststore this way:
>
> OM_J_TRUSTSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/truststore
> rm -f $OM_J_TRUSTSTORE
> keytool -validity 7300 -keysize 2048 -genkey -alias
> ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keyalg RSA -keystore
> ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
> -keypass ${OPENMEETINGS_JAVA_KEY_PASSWORD} -dname "${OPENMEETINGS_JAVA_DN}"
> openssl pkcs12 -passin pass:"" -passout pass:"" -in
> ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE} -out
> ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}.pem -nodes
> openssl x509 -in ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}.pem -inform pem
> -out ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}-x509.der -outform der
> keytool -import -alias root -keystore ${OM_J_TRUSTSTORE} -storepass
> ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts -file
> ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}-x509.der
>
> and the keystore (used for https):
>
> OM_J_KEYSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/keystore
> rm -f ${OM_J_KEYSTORE}
> keytool -validity 7300 -keysize 2048 -genkey -alias
> ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keyalg RSA -keystore ${OM_J_KEYSTORE}
> -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -keypass
> ${OPENMEETINGS_JAVA_KEY_PASSWORD} -dname "${OPENMEETINGS_JAVA_DN}"
> keytool -certreq -keyalg RSA -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
> -file ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.csr -keystore
> ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
> # > Now submit ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.csr to
> custom CA and self-sign the certificate:"
> # - the signed certificate is copied to
> ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.crt"
> # - the CA root certificate is copied to ${OM_TMP_DIR}/root.crt"
> keytool -import -alias root -keystore ${OM_J_KEYSTORE} -storepass
> ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts -file
> ${OM_TMP_DIR}/root.crt
> keytool -import -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore
> ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
> -trustcacerts -file ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.crt
> cp ${OM_J_KEYSTORE} ${OM_J_KEYSTORE}.screen
>
> If I list the keystores:
>
> # keytool -list -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore
> ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
>
> Alias name: ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
> Creation date: Feb 21, 2013
> Entry type: PrivateKeyEntry
> Certificate chain length: 2
> Certificate[1]:
> Owner: CN=openmeetings.domain.org, OU=IT, O=domain, L=City, ST=State,
> C=COUNTRY
> Issuer: EMAILADDRCOUNTRYS=IT@domain.org, CN=MYORG1 Signing Authority,
> OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> Serial number: 1
> Valid from: Thu Feb 21 09:57:44 CET 2013 until: Tue Feb 20 09:57:44 CET
> 2018
> Certificate fingerprints:
>          MD5:  49:08:9E:CC:AD:19:C8:49:8F:67:5C:3E:64:1C:34:AF
>          SHA1: FD:DD:A9:A9:76:16:77:4A:67:96:34:0B:CE:10:93:68:F7:1D:DC:56
>          Signature algorithm name: SHA1withRSA
>          Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: E5 C3 EE 6C 85 80 D7 C1   49 7F 98 D2 2F C4 88 1D  ...l....I.../...
> 0010: 1F 45 73 78
> ]
> ]
>
> #2: ObjectId: 2.5.29.19 Criticality=false
> BasicConstraints:[
>   CA:false
>   PathLen: undefined
> ]
>
> #3: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: 9B 1E 67 7D 0E CE FB 0B   02 5D AE A9 E2 33 AE 70  ..g......]...3.p
> 0010: 56 EF AB 51                                        V..Q
> ]
>
> ]
>
> #4: ObjectId: 2.5.29.18 Criticality=false
> IssuerAlternativeName [
>   RFC822Name: IT@domain.org
> ]
>
> #5: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
>
> #6: ObjectId: 2.5.29.17 Criticality=false
> SubjectAlternativeName [
>   DNSName: openmeetings
>   DNSName: openmeetings.domain.org
> ]
>
> Certificate[2]:
> Owner: EMAILADDRCOUNTRYS=IT@domain.org, CN=MYORG1 Signing Authority,
> OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> Issuer: EMAILADDRCOUNTRYS=IT@domain.org, CN=MYORG1 Signing Authority,
> OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> Serial number: 0
> Valid from: Thu Feb 21 09:48:02 CET 2013 until: Thu Feb 13 09:48:02 CET
> 2048
> Certificate fingerprints:
>          MD5:  95:60:3A:CA:B0:4E:EE:18:59:3A:EB:DB:17:9C:D8:0F
>          SHA1: 4B:A9:E0:50:EA:D5:E1:8F:4E:01:AC:11:B9:85:A5:E3:D7:3E:25:85
>          Signature algorithm name: SHA1withRSA
>          Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.15 Criticality=false
> KeyUsage [
>   Key_CertSign
>   Crl_Sign
> ]
>
> #2: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: 9B 1E 67 7D 0E CE FB 0B   02 5D AE A9 E2 33 AE 70  ..g......]...3.p
> 0010: 56 EF AB 51                                        V..Q
> ]
> ]
>
> #3: ObjectId: 2.5.29.31 Criticality=false
> CRLDistributionPoints [
>   [DistributionPoint:
>      [URIName: http://domain.org/cert/crl.crl]
> ]]
>
> #4: ObjectId: 2.5.29.19 Criticality=false
> BasicConstraints:[
>   CA:true
>   PathLen:2147483647
> ]
>
> #5: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
> NetscapeCertType [
>    SSL CA
>    S/MIME CA
> ]
>
> #6: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: 9B 1E 67 7D 0E CE FB 0B   02 5D AE A9 E2 33 AE 70  ..g......]...3.p
> 0010: 56 EF AB 51                                        V..Q
> ]
>
> [EMAILADDRCOUNTRYS=IT@domain.org, CN=MYORG1 Signing Authority, OU=ORG IT,
> O=MYORG, ST=State, C=COUNTRY]
> SerialNumber: [    00]
> ]
>
> #7: ObjectId: 2.5.29.18 Criticality=false
> IssuerAlternativeName [
>   RFC822Name: IT@domain.org
> ]
>
> #8: ObjectId: 2.5.29.17 Criticality=false
> SubjectAlternativeName [
>   RFC822Name: IT@domain.org
> ]
>
>
> # keytool -list -alias root -keystore ${OM_J_KEYSTORE} -storepass
> ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
>
> root, Feb 21, 2013, trustedCertEntry,
> Certificate fingerprint (MD5):
> 95:60:3A:CA:B0:4E:EE:18:59:3A:EB:DB:17:9C:D8:0F
>
>
>
> And now for the trust store:
>
> # keytool -list -alias root -keystore ${OM_J_TRUSTSTORE} -storepass
> ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
> Alias name: root
> Creation date: May 7, 2013
> Entry type: trustedCertEntry
>
> Owner: CN=LDAPSERVER.DOMAIN.ORG
> Issuer: CN=LDAPSERVER.DOMAIN.ORG
> Serial number: -76629fd860703546b57165ba54276ec2
> Valid from: Tue May 15 19:07:45 CEST 2012 until: Sun May 14 19:07:45 CEST
> 2017
> Certificate fingerprints:
>          MD5:  ED:D1:BA:21:27:67:9F:33:26:E7:9E:DC:FB:B8:5B:EE
>          SHA1: 08:6F:5F:A6:D1:81:E0:43:1A:82:9C:F4:CD:42:A6:88:6E:4E:81:29
>          Signature algorithm name: SHA1withRSA
>          Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.15 Criticality=false
> KeyUsage [
>   DigitalSignature
>   Key_Encipherment
>   Data_Encipherment
> ]
>
> #2: ObjectId: 2.5.29.37 Criticality=false
> ExtendedKeyUsages [
>   serverAuth
> ]
>
> # keytool -list -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore
> ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
>
> Alias name: ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
> Creation date: May 7, 2013
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: CN=openmeetings.domain.org, OU=IT, O=MyCompanyOrg, L=City,
> ST=State, C=COUNTRY
> Issuer: CN=openmeetings.domain.org, OU=IT, O=MyCompanyOrg, L=City,
> ST=State, C=COUNTRY
> Serial number: 5188f626
> Valid from: Tue May 07 14:40:06 CEST 2013 until: Mon May 02 14:40:06 CEST
> 2033
> Certificate fingerprints:
>          MD5:  C1:DD:BD:F5:1E:99:C5:89:25:0F:42:E5:0D:E4:09:5F
>          SHA1: D9:4D:AF:2D:C2:1E:99:52:A2:AD:CA:4A:D6:05:24:0E:C8:91:70:DC
>          Signature algorithm name: SHA1withRSA
>          Version: 3
>
>
> When an LDAP user tries to log into OM, the log show the following
> messages:
>
> DEBUG 05-08 09:58:06.944 LdapAuthBase.java 68748242 117
> org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] -
>
> Authentification to LDAP - Server start
> DEBUG 05-08 09:58:06.946 LdapAuthBase.java 68748244 151
> org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] -
> loginToLdapServer
> ERROR 05-08 09:58:11.980 LdapAuthBase.java 68753278 123
> org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] -
>
> Authentification on LDAP Server failed : simple bind failed:
> ldapserver.domain.org:636
> ERROR 05-08 09:58:11.996 LdapAuthBase.java 68753294 124
> org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] -
> [Authentification on LDAP Server failed]
> javax.naming.CommunicationException: simple bind failed:
> ldapserver.domain.org:636
>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
> ~[na:1.6.0_24]
>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
> ~[na:1.6.0_24]
>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
> ~[na:1.6.0_24]
>         at
> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
> ~[na:1.6.0_24]
>         at
> com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
> ~[na:1.6.0_24]
>         at
> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
> ~[na:1.6.0_24]
>         at
> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
> ~[na:1.6.0_24]
>         at
> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
> ~[na:1.6.0_24]
>         at
> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
> ~[na:1.6.0_24]
>         at javax.naming.InitialContext.init(InitialContext.java:240)
> ~[na:1.6.0_24]
>         at javax.naming.InitialContext.<init>(InitialContext.java:214)
> ~[na:1.6.0_24]
>         at
> javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
> ~[na:1.6.0_24]
>         at
> org.apache.openmeetings.ldap.LdapAuthBase.loginToLdapServer(LdapAuthBase.java:161)
> ~[openmeetings-2.1.1-SNAPSHOT.jar:na]
>         at
> org.apache.openmeetings.ldap.LdapAuthBase.authenticateUser(LdapAuthBase.java:119)
> ~[openmeetings-2.1.1-SNAPSHOT.jar:na]
>         at
> org.apache.openmeetings.ldap.LdapLoginManagement.doLdapLogin(LdapLoginManagement.java:422)
> [openmeetings-2.1.1-SNAPSHOT.jar:na]
>         at
> org.apache.openmeetings.remote.MainService.loginUser(MainService.java:333)
> [openmeetings-2.1.1-SNAPSHOT.jar:na]
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> ~[na:1.6.0_24]
>         at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> ~[na:1.6.0_24]
>         at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[na:1.6.0_24]
>         at java.lang.reflect.Method.invoke(Method.java:616) ~[na:1.6.0_24]
>         at
> org.red5.server.service.ServiceInvoker.invoke(ServiceInvoker.java:196)
> [red5.jar:na]
>         at
> org.red5.server.service.ServiceInvoker.invoke(ServiceInvoker.java:115)
> [red5.jar:na]
>         at
> org.red5.server.net.rtmp.RTMPHandler.invokeCall(RTMPHandler.java:157)
> [red5.jar:na]
>         at
> org.red5.server.net.rtmp.RTMPHandler.onInvoke(RTMPHandler.java:399)
> [red5.jar:na]
>         at
> org.red5.server.net.rtmp.BaseRTMPHandler.messageReceived(BaseRTMPHandler.java:130)
> [red5.jar:na]
>         at
> org.red5.server.net.rtmp.RTMPMinaIoHandler.messageReceived(RTMPMinaIoHandler.java:164)
> [red5.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:427)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:245)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
> [mina-core-2.0.4.jar:na]
>         at
> org.red5.server.net.rtmpe.RTMPEIoFilter.messageReceived(RTMPEIoFilter.java:124)
> [red5.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.filter.ssl.SslHandler.flushScheduledEvents(SslHandler.java:320)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:506)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:715)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:668)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:657)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1141)
> [mina-core-2.0.4.jar:na]
>         at
> org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
> [mina-core-2.0.4.jar:na]
>         at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
> [na:1.6.0_24]
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
> [na:1.6.0_24]
>         at java.lang.Thread.run(Thread.java:679) [na:1.6.0_24]
> Caused by: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> ~[na:1.6.0_24]
>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1697)
> ~[na:1.6.0_24]
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:257)
> ~[na:1.6.0_24]
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:251)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1165)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154)
> ~[na:1.6.0_24]
>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609)
> ~[na:1.6.0_24]
>         at sun.security.ssl.Handshaker.process_record(Handshaker.java:545)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108)
> ~[na:1.6.0_24]
>         at
> java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
> ~[na:1.6.0_24]
>         at
> java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
> ~[na:1.6.0_24]
>         at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:409)
> ~[na:1.6.0_24]
>         at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:352)
> ~[na:1.6.0_24]
>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210)
> ~[na:1.6.0_24]
>         ... 55 common frames omitted
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
>         at
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:324)
> ~[na:1.6.0_24]
>         at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:224)
> ~[na:1.6.0_24]
>         at sun.security.validator.Validator.validate(Validator.java:235)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
> ~[na:1.6.0_24]
>         at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1144)
> ~[na:1.6.0_24]
>         ... 67 common frames omitted
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>         at
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197)
> ~[na:1.6.0_24]
>         at
> java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
> ~[na:1.6.0_24]
>         at
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:319)
> ~[na:1.6.0_24]
>         ... 73 common frames omitted
>
> How can I solve the "unable to find valid certification path" issue? What
> does it refer to exactly?
>
> I can correctly connect to https://openmeetings.domain.org/openmeetings/ but the LDAPS authentication/login is failing.
>
> My ldapsearch example at the beginning succeeded probably because I have
> 'TLS_REQCERT never' in ldap.conf. Is there a way to "loosen up" OM/java as
> far as self-signed certs are concerned?
>
> Thanks,
>
> Vieri
>
>


-- 
WBR
Maxim aka solomax
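To confirm which trust store the JVM is really consulting and to reproduce the "unable to find valid certification path" failure outside OpenMeetings, here is a small diagnostic added to this archive page; it is not code from the thread or from the OpenMeetings project. The class and method names (LdapsTrustCheck, trustManagerFor, RecordingTrustManager) are my own, and the host and port are the ones from the om_ldap.cfg above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.*;

/*
 * Added diagnostic (hypothetical class, not part of OpenMeetings): runs the same PKIX
 * validation the JNDI LDAP client performs for an ldaps:// URL, but standalone.
 *   java LdapsTrustCheck ldapserver.domain.org 636 [truststore storepass]
 * With only host and port the JVM default applies: -Djavax.net.ssl.trustStore if the JVM
 * actually received it, otherwise $JAVA_HOME/lib/security/cacerts (the "global" store).
 */
public class LdapsTrustCheck {

    /* Records the chain the server presented, then delegates the real PKIX check. */
    static class RecordingTrustManager implements X509TrustManager {
        final X509TrustManager delegate;
        X509Certificate[] presented = new X509Certificate[0];
        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            presented = chain;                      // kept even if validation throws below
            delegate.checkServerTrusted(chain, authType);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /* Trust manager backed by an explicit store file, or by the JVM default when path is null. */
    static X509TrustManager trustManagerFor(String path, char[] password) throws Exception {
        KeyStore ks = null;
        if (path == null) {
            System.out.println("javax.net.ssl.trustStore = "
                    + System.getProperty("javax.net.ssl.trustStore"));
        } else {
            ks = KeyStore.getInstance(KeyStore.getDefaultType());
            FileInputStream in = new FileInputStream(path);
            try { ks.load(in, password); } finally { in.close(); }
            // Only trustedCertEntry entries count for validation; a PrivateKeyEntry in a
            // trust store is harmless but usually means keystore and truststore got mixed up.
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                String alias = e.nextElement();
                System.out.println("store entry: " + alias
                        + (ks.isCertificateEntry(alias) ? " (trustedCertEntry)" : " (key entry)"));
            }
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                               // null selects the JVM default store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /* Colon-separated SHA1 fingerprint, the format keytool -list -v prints. */
    static String sha1(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            sb.append(i > 0 ? ":" : "").append(String.format("%02X", d[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String storePath = args.length >= 4 ? args[2] : null;
        char[] storePass = args.length >= 4 ? args[3].toCharArray() : null;
        RecordingTrustManager tm = new RecordingTrustManager(trustManagerFor(storePath, storePass));
        System.out.println("trusted issuers in effect: " + tm.getAcceptedIssuers().length);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            sock.startHandshake();
            System.out.println("handshake OK: " + host + ":" + port + " is trusted by this store");
        } catch (SSLHandshakeException e) {
            // The same failure the OpenMeetings log shows, without the JNDI wrapping.
            System.out.println("handshake FAILED: " + e.getMessage());
        } finally {
            sock.close();
        }
        // Match these against the fingerprints keytool -list -v printed for the trust store.
        for (int i = 0; i < tm.presented.length; i++) {
            X509Certificate c = tm.presented[i];
            System.out.println("presented[" + i + "] subject=" + c.getSubjectX500Principal()
                    + " issuer=" + c.getIssuerX500Principal() + " sha1=" + sha1(c));
        }
    }
}
```

Run it once with the truststore path and password from the script above and once without: if the first handshake succeeds and the second fails, the store is fine but the red5 JVM is not receiving the -Djavax.net.ssl.trustStore setting, which is exactly the case where importing the certificate into the global cacerts helps.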