I just finished writing an article detailing setting up LDAPS on Active
Directory:
https://dev.to/bondr007/active-directory-ldaps-the-easy-way-1bnc

For cas I just specified the CA cert I created using the config line below:
cas.authn.ldap[0].trustCertificates=file:/etc/cas/ldaps_cert.crt

On Fri, Feb 21, 2020 at 8:25 AM Robert Bond <bo...@nsuok.edu> wrote:

> iirc it can be the root ca or the client public cert.
>
> Are you using a public ca, and if so which one?
> To be safe you could just put the fullchain.
>
> On Thu, Feb 20, 2020 at 8:06 PM Jason Everling <jason.everl...@gmail.com>
> wrote:
>
>> Does that work if you specify the root or only the end entity certificate?
>>
>> On Thu, Feb 20, 2020 at 8:33 AM 'Robert Bond' via CAS Community <
>> cas-user@apereo.org> wrote:
>>
>>> You can also just pass it just the (CA or client) cert file. Like so:
>>> cas.authn.ldap[0].trustCertificates=file:/etc/cas/ldaps_cert.crt
>>>
>>> On Wed, Feb 19, 2020 at 7:34 PM Jason Everling <jason.everl...@gmail.com>
>>> wrote:
>>>
>>>> Grab your LDAPS certificates, create a new JKS keystore type and add
>>>> your certificates to it. The default java password is changeit so we will
>>>> just use that as well. The AD ldap settings would be,
>>>>
>>>> cas.authn.ldap[0].keystore=file:/etc/cas/your_keystore_name
>>>> cas.authn.ldap[0].keystorePassword=changeit
>>>>
>>>> On Wednesday, February 19, 2020 at 6:40:54 PM UTC-6, Tom Healey wrote:
>>>>>
>>>>>
>>>>> Daniel,
>>>>> Thank you for your response. Is there a difference between the
>>>>> keystore
>>>>>
>>>>> cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
>>>>> cas.authn.ldap[0].keystorePassword=keystorepassword
>>>>>
>>>>>
>>>>> and the trust store parameters?
>>>>>
>>>>> cas.authn.ldap[0].trustStore=file:/etc/cas/thetruststore
>>>>> cas.authn.ldap[0].trustStorePassword=truststorepassword
>>>>>
>>>>> In any event
>>>>> I did this:
>>>>>
>>>>> keytool -alias myalias -importcert -keystore theLdapKeystore -storetype PKCS12 -file myalias.cer # root
>>>>> keytool -alias myalias2 -importcert -keystore theLdapKeystore -storetype PKCS12 -file myalias.cer # server
>>>>> and still have the problem of
>>>>>
>>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>>> valid certification path to requested target
>>>>>
>>>>> Thanks all.
>>>>> Tom
>>>>>
>>>>>
>>>>>
>>>>> I did add the certs to the keystore(/etc/cas/thekeystore), which is
>>>>> the same one that tomcat uses for SSL server keys.
>>>>> Thanks.
>>>>>
>>>>> On Wednesday, February 19, 2020 at 4:58:24 PM UTC-5, dfisher wrote:
>>>>>>
>>>>>> On Wed, Feb 19, 2020 at 1:21 PM Tom Healey <thomas...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> LDAPS issue
>>>>>>>
>>>>>>> Hi all!
>>>>>>> I get the following error when trying to communicate to MS AD server
>>>>>>> over LDAPS.
>>>>>>> (PKIX path building failed:
>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>>>>> valid certification path to requested target)
>>>>>>>
>>>>>>> here is my relevant LDAP config in cas.properties
>>>>>>>
>>>>>>> cas.authn.ldap[0].name=Active Directory
>>>>>>> cas.authn.ldap[0].type=AUTHENTICATED
>>>>>>> cas.authn.ldap[0].ldapUrl=ldaps://XXX.XXX.XXX.XXX:636
>>>>>>> cas.authn.ldap[0].useSsl=true
>>>>>>> cas.authn.ldap[0].baseDn="set to sane value"
>>>>>>> cas.authn.ldap[0].searchFilter="set to sane value"
>>>>>>> cas.authn.ldap[0].bindDn="set to sane value"
>>>>>>> cas.authn.ldap[0].bindCredential="set to sane value"
>>>>>>> cas.authn.ldap[0].dnFormat="set to sane value"
>>>>>>> cas.authn.ldap[0].connectTimeout=1000
>>>>>>>
>>>>>>> cas.authn.ldap[0].principalAttributeList=memberOf,cn,givenName,mail,givenName,mail,sn
>>>>>>> cas.authn.ldap[0].followReferrals=false
>>>>>>> cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
>>>>>>> cas.authn.ldap[0].keystorePassword=keystorepassword
>>>>>>>
>>>>>>>
>>>>>> Try adding new properties:
>>>>>> cas.authn.ldap[0].trustStore=file:/etc/cas/thetruststore
>>>>>> cas.authn.ldap[0].trustStorePassword=truststorepassword
>>>>>>
>>>>>> Then import your CA into that truststore file. I'm not certain about
>>>>>> the camel casing of those properties, but it should be something close to
>>>>>> that.
>>>>>>
>>>>>> --Daniel Fisher
>>>>>>
>>>>> --
>>>> - Website: https://apereo.github.io/cas
>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>> - Contributions: https://goo.gl/mh7qDG
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to cas-user+unsubscr...@apereo.org.
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/f60ee9d3-6154-4adc-ba38-f2cfd52643af%40apereo.org
>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/f60ee9d3-6154-4adc-ba38-f2cfd52643af%40apereo.org?utm_medium=email&utm_source=footer>
>>>> .
>>>>
>>>
>>>
>>> --
>>> Robert Bond
>>> Network Administrator
>>> (918) 444-5886
>>> Northeastern State University
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cas-user+unsubscr...@apereo.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOA9z6ru4wYRvpPLtL_KWw1MxNvnmTPeR_9rOnzjoKq5zzseLQ%40mail.gmail.com
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOA9z6ru4wYRvpPLtL_KWw1MxNvnmTPeR_9rOnzjoKq5zzseLQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CALdoKi%2BqronSah%2BdRF8b9ris9mEbW-7dOBKNaoyuOC9bpWFDdg%40mail.gmail.com
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CALdoKi%2BqronSah%2BdRF8b9ris9mEbW-7dOBKNaoyuOC9bpWFDdg%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .
>>
>
>
> --
> Robert Bond
> Network Administrator
> (918) 444-5886
> Northeastern State University
>


-- 
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University
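The thread above turns on one distinction: `cas.authn.ldap[0].keystore`/`keystorePassword` carry the CAS client's own key material, while `trustStore`/`trustStorePassword` (or `trustCertificates`) carry the CA that signed the AD server certificate, and an ldaps:// entry that names only a keystore is the configuration that produced the "PKIX path building failed" error. As an added example, not code from CAS or from anyone in this thread, here is a small Python linter that parses the `cas.authn.ldap[N].*` keys out of a properties file and flags that shape, plus a missing password and an IP-literal `ldapUrl` (a general TLS hostname-verification point that goes beyond what the thread discusses). The two sample configurations, the documentation-range address 192.0.2.10 and the host name dc01.example.test are constructed.

```python
"""Lint the TLS settings of cas.authn.ldap[N].* entries in a CAS properties file.

Added example, not part of CAS or of any message in this thread. `keystore`
supplies the client's own key; `trustStore` or `trustCertificates` supplies the
CA that signed the AD server certificate. An ldaps:// entry with only a keystore
yields "PKIX path building failed" unless the CA is already in the JVM cacerts.
"""
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# Matches e.g. cas.authn.ldap[0].trustStore; captures the index and the property.
LDAP_KEY = re.compile(r"^cas\.authn\.ldap\[(\d+)\]\.([A-Za-z]+)$")

MESSAGES = {
    "plaintext": "ldap:// without useSsl=true: bind credentials travel in clear text",
    "keystore-without-trust": "keystore set but no trustStore/trustCertificates: the keystore "
        "holds the client's own key, not the CA that signed the server certificate; "
        "expect 'PKIX path building failed' unless the CA is in the JVM cacerts",
    "jvm-default-trust": "no trustStore/trustCertificates: the server certificate is checked "
        "only against the JVM default cacerts, which will not contain a private AD CA",
    "truststore-no-password": "trustStore set without trustStorePassword",
    "keystore-no-password": "keystore set without keystorePassword",
    "ip-literal-url": "ldapUrl uses an IP literal: hostname verification needs that address "
        "in the certificate's IP SAN list, so prefer the DC's DNS name",
}


def parse_ldap_properties(text):
    """Parse the key=value subset of Java .properties (comments and blanks ignored).

    Returns {index: {property: value}} for cas.authn.ldap[N].* keys only; other keys
    are skipped and ':'-separated keys are not handled.
    """
    entries = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = LDAP_KEY.match(key.strip())
        if m:
            entries[int(m.group(1))][m.group(2)] = value.strip()
    return dict(entries)


def _is_ip_literal(url):
    """True when the URL host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        host = urlsplit(url).hostname
        return bool(host) and ip_address(host) is not None
    except ValueError:
        return False


def lint_ldap_tls(entries):
    """Return [(index, finding_code), ...] in check order; an empty list means clean."""
    findings = []
    for idx, props in sorted(entries.items()):
        url = props.get("ldapUrl", "")
        ldaps = url.lower().startswith("ldaps://")
        use_ssl = props.get("useSsl", "false").lower() == "true"
        if not (ldaps or use_ssl):
            findings.append((idx, "plaintext"))
            continue
        trust_store = props.get("trustStore")
        trust_certs = props.get("trustCertificates")
        keystore = props.get("keystore")
        if not (trust_store or trust_certs):
            findings.append((idx, "keystore-without-trust" if keystore else "jvm-default-trust"))
        if trust_store and not props.get("trustStorePassword"):
            findings.append((idx, "truststore-no-password"))
        if keystore and not props.get("keystorePassword"):
            findings.append((idx, "keystore-no-password"))
        if _is_ip_literal(url):
            findings.append((idx, "ip-literal-url"))
    return findings


def report(findings):
    """Human-readable lines for the findings of lint_ldap_tls()."""
    return [f"ldap[{idx}]: {MESSAGES[code]}" for idx, code in findings]


# Constructed sample: the shape of the config at the start of the thread, with a
# documentation-range address (192.0.2.10) standing in for the real DC.
BROKEN_CONFIG = """\
cas.authn.ldap[0].name=Active Directory
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://192.0.2.10:636
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
cas.authn.ldap[0].keystorePassword=keystorepassword
"""

# Constructed sample: the same entry with a trust store holding the AD CA and the
# DC addressed by a (hypothetical) DNS name.
FIXED_CONFIG = """\
cas.authn.ldap[0].name=Active Directory
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://dc01.example.test:636
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].trustStore=file:/etc/cas/thetruststore
cas.authn.ldap[0].trustStorePassword=truststorepassword
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}]")
        for line in report(lint_ldap_tls(parse_ldap_properties(cfg))) or ["clean"]:
            print("  " + line)
```

Run it against a real `cas.properties` by reading the file into `parse_ldap_properties`; the `keystore-without-trust` finding is the one that corresponds to the error in this thread, and the `ip-literal-url` finding is advisory.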
