Hi,

From the same machine where OM is installed I can run the following command:

    # ldapsearch -x -D "[email protected]" -b "cn=Users,dc=domain,dc=org" -H ldaps://ldapserver.domain.org -W sAMAccountName=aduser
    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

-----------------

However, if I set up OM to authenticate users via LDAP/SSL I'm getting the error reported at the end of this e-mail (LDAP without SSL works fine).

My om_ldap.cfg is as follows:

    ldap_server_type=OpenLDAP
    ldap_conn_url=ldaps://ldapserver.domain.org:636
    ldap_admin_dn=CN:aduser,CN:Users,DC:domain,DC:org
    ldap_passwd=secret
    ldap_search_base=CN:Users,DC:domain,DC:org
    field_user_principal=sAMAccountName
    ldap_auth_type=SIMPLE
    ldap_sync_password_to_om=no
    ldap_user_attr_lastname=sn
    ldap_user_attr_firstname=givenName
    ldap_user_attr_mail=mail
    ldap_user_attr_street=streetAddress
    ldap_user_attr_additionalname=description
    ldap_user_attr_fax=facsimileTelephoneNumber
    ldap_user_attr_zip=postalCode
    ldap_user_attr_country=co
    ldap_user_attr_town=l
    ldap_user_attr_phone=telephoneNumber
    ldap_user_picture_uri=wWWHomePage
    ldap_use_lower_case=false
    ldap_user_groups=memberOf

Before running OM I export:

    OPENMEETINGS_JAVA_KEYSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/keystore
    OPENMEETINGS_JAVA_TRUSTSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/truststore
    JAVA_OPTS="-Djavax.net.ssl.keyStore=${OPENMEETINGS_JAVA_KEYSTORE} -Djavax.net.ssl.keyStorePassword=${OPENMEETINGS_JAVA_STORE_PASS} -Djavax.net.ssl.trustStore=${OPENMEETINGS_JAVA_TRUSTSTORE} -Djavax.net.ssl.trustStorePassword=${OPENMEETINGS_JAVA_STORE_PASS}"

I'm using a self-signed certificate in my LDAP server (Active Directory). Here's how I generated it:

    selfssl.exe /N:CN=LDAPSERVER.DOMAIN.ORG /K:1024 /V:1825

Run mmc and open the LOCAL COMPUTER Personal certificate store. The cert should already be there.
Copy it within mmc to the "Trusted root authorities".
Export the certificate from the trusted root store within mmc as pfx file and name it ldapserver.pfx (${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}).

Finally, on the OM machine I configured the truststore this way:

    OM_J_TRUSTSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/truststore
    rm -f $OM_J_TRUSTSTORE
    keytool -validity 7300 -keysize 2048 -genkey -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keyalg RSA -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -keypass ${OPENMEETINGS_JAVA_KEY_PASSWORD} -dname "${OPENMEETINGS_JAVA_DN}"
    openssl pkcs12 -passin pass:"" -passout pass:"" -in ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE} -out ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}.pem -nodes
    openssl x509 -in ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}.pem -inform pem -out ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}-x509.der -outform der
    keytool -import -alias root -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts -file ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}-x509.der

and the keystore (used for https):

    OM_J_KEYSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/keystore
    rm -f ${OM_J_KEYSTORE}
    keytool -validity 7300 -keysize 2048 -genkey -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keyalg RSA -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -keypass ${OPENMEETINGS_JAVA_KEY_PASSWORD} -dname "${OPENMEETINGS_JAVA_DN}"
    keytool -certreq -keyalg RSA -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -file ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.csr -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
    # > Now submit ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.csr to custom CA and self-sign the certificate:
    # - the signed certificate is copied to ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.crt
    # - the CA root certificate is copied to ${OM_TMP_DIR}/root.crt
    keytool -import -alias root -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts -file ${OM_TMP_DIR}/root.crt
    keytool -import -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts -file ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.crt
    cp ${OM_J_KEYSTORE} ${OM_J_KEYSTORE}.screen

If I list the keystores:

    # keytool -list -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
    Alias name: ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
    Creation date: Feb 21, 2013
    Entry type: PrivateKeyEntry
    Certificate chain length: 2
    Certificate[1]:
    Owner: CN=openmeetings.domain.org, OU=IT, O=domain, L=City, ST=State, C=COUNTRY
    Issuer: [email protected], CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
    Serial number: 1
    Valid from: Thu Feb 21 09:57:44 CET 2013 until: Tue Feb 20 09:57:44 CET 2018
    Certificate fingerprints:
         MD5: 49:08:9E:CC:AD:19:C8:49:8F:67:5C:3E:64:1C:34:AF
         SHA1: FD:DD:A9:A9:76:16:77:4A:67:96:34:0B:CE:10:93:68:F7:1D:DC:56
         Signature algorithm name: SHA1withRSA
         Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: E5 C3 EE 6C 85 80 D7 C1 49 7F 98 D2 2F C4 88 1D ...l....I.../...
    0010: 1F 45 73 78
    ]
    ]
    #2: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:false
      PathLen: undefined
    ]
    #3: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 9B 1E 67 7D 0E CE FB 0B 02 5D AE A9 E2 33 AE 70 ..g......]...3.p
    0010: 56 EF AB 51 V..Q
    ]
    ]
    #4: ObjectId: 2.5.29.18 Criticality=false
    IssuerAlternativeName [
      RFC822Name: [email protected]
    ]
    #5: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
    #6: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
      DNSName: openmeetings
      DNSName: openmeetings.domain.org
    ]
    Certificate[2]:
    Owner: [email protected], CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
    Issuer: [email protected], CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
    Serial number: 0
    Valid from: Thu Feb 21 09:48:02 CET 2013 until: Thu Feb 13 09:48:02 CET 2048
    Certificate fingerprints:
         MD5: 95:60:3A:CA:B0:4E:EE:18:59:3A:EB:DB:17:9C:D8:0F
         SHA1: 4B:A9:E0:50:EA:D5:E1:8F:4E:01:AC:11:B9:85:A5:E3:D7:3E:25:85
         Signature algorithm name: SHA1withRSA
         Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      Key_CertSign
      Crl_Sign
    ]
    #2: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 9B 1E 67 7D 0E CE FB 0B 02 5D AE A9 E2 33 AE 70 ..g......]...3.p
    0010: 56 EF AB 51 V..Q
    ]
    ]
    #3: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
      [DistributionPoint:
         [URIName: http://domain.org/cert/crl.crl]
    ]]
    #4: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]
    #5: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
    NetscapeCertType [
      SSL CA
      S/MIME CA
    ]
    #6: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 9B 1E 67 7D 0E CE FB 0B 02 5D AE A9 E2 33 AE 70 ..g......]...3.p
    0010: 56 EF AB 51 V..Q
    ]
    [[email protected], CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY]
    SerialNumber: [ 00]
    ]
    #7: ObjectId: 2.5.29.18 Criticality=false
    IssuerAlternativeName [
      RFC822Name: [email protected]
    ]
    #8: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
      RFC822Name: [email protected]
    ]

    # keytool -list -alias root -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
    root, Feb 21, 2013, trustedCertEntry,
    Certificate fingerprint (MD5): 95:60:3A:CA:B0:4E:EE:18:59:3A:EB:DB:17:9C:D8:0F

And now for the trust store:

    # keytool -list -alias root -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
    Alias name: root
    Creation date: May 7, 2013
    Entry type: trustedCertEntry
    Owner: CN=LDAPSERVER.DOMAIN.ORG
    Issuer: CN=LDAPSERVER.DOMAIN.ORG
    Serial number: -76629fd860703546b57165ba54276ec2
    Valid from: Tue May 15 19:07:45 CEST 2012 until: Sun May 14 19:07:45 CEST 2017
    Certificate fingerprints:
         MD5: ED:D1:BA:21:27:67:9F:33:26:E7:9E:DC:FB:B8:5B:EE
         SHA1: 08:6F:5F:A6:D1:81:E0:43:1A:82:9C:F4:CD:42:A6:88:6E:4E:81:29
         Signature algorithm name: SHA1withRSA
         Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      DigitalSignature
      Key_Encipherment
      Data_Encipherment
    ]
    #2: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      serverAuth
    ]

    # keytool -list -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
    Alias name: ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
    Creation date: May 7, 2013
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=openmeetings.domain.org, OU=IT, O=MyCompanyOrg, L=City, ST=State, C=COUNTRY
    Issuer: CN=openmeetings.domain.org, OU=IT, O=MyCompanyOrg, L=City, ST=State, C=COUNTRY
    Serial number: 5188f626
    Valid from: Tue May 07 14:40:06 CEST 2013 until: Mon May 02 14:40:06 CEST 2033
    Certificate fingerprints:
         MD5: C1:DD:BD:F5:1E:99:C5:89:25:0F:42:E5:0D:E4:09:5F
         SHA1: D9:4D:AF:2D:C2:1E:99:52:A2:AD:CA:4A:D6:05:24:0E:C8:91:70:DC
         Signature algorithm name: SHA1withRSA
         Version: 3

When an LDAP user tries to log into OM, the log shows the following
messages:

    DEBUG 05-08 09:58:06.944 LdapAuthBase.java 68748242 117 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] - Authentification to LDAP - Server start
    DEBUG 05-08 09:58:06.946 LdapAuthBase.java 68748244 151 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] - loginToLdapServer
    ERROR 05-08 09:58:11.980 LdapAuthBase.java 68753278 123 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] - Authentification on LDAP Server failed : simple bind failed: ldapserver.domain.org:636
    ERROR 05-08 09:58:11.996 LdapAuthBase.java 68753294 124 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] - [Authentification on LDAP Server failed]
    javax.naming.CommunicationException: simple bind failed: ldapserver.domain.org:636
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215) ~[na:1.6.0_24]
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685) ~[na:1.6.0_24]
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306) ~[na:1.6.0_24]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) ~[na:1.6.0_24]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) ~[na:1.6.0_24]
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) ~[na:1.6.0_24]
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) ~[na:1.6.0_24]
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[na:1.6.0_24]
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) ~[na:1.6.0_24]
        at javax.naming.InitialContext.init(InitialContext.java:240) ~[na:1.6.0_24]
        at javax.naming.InitialContext.<init>(InitialContext.java:214) ~[na:1.6.0_24]
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99) ~[na:1.6.0_24]
        at org.apache.openmeetings.ldap.LdapAuthBase.loginToLdapServer(LdapAuthBase.java:161) ~[openmeetings-2.1.1-SNAPSHOT.jar:na]
        at org.apache.openmeetings.ldap.LdapAuthBase.authenticateUser(LdapAuthBase.java:119) ~[openmeetings-2.1.1-SNAPSHOT.jar:na]
        at org.apache.openmeetings.ldap.LdapLoginManagement.doLdapLogin(LdapLoginManagement.java:422) [openmeetings-2.1.1-SNAPSHOT.jar:na]
        at org.apache.openmeetings.remote.MainService.loginUser(MainService.java:333) [openmeetings-2.1.1-SNAPSHOT.jar:na]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.6.0_24]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.6.0_24]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.6.0_24]
        at java.lang.reflect.Method.invoke(Method.java:616) ~[na:1.6.0_24]
        at org.red5.server.service.ServiceInvoker.invoke(ServiceInvoker.java:196) [red5.jar:na]
        at org.red5.server.service.ServiceInvoker.invoke(ServiceInvoker.java:115) [red5.jar:na]
        at org.red5.server.net.rtmp.RTMPHandler.invokeCall(RTMPHandler.java:157) [red5.jar:na]
        at org.red5.server.net.rtmp.RTMPHandler.onInvoke(RTMPHandler.java:399) [red5.jar:na]
        at org.red5.server.net.rtmp.BaseRTMPHandler.messageReceived(BaseRTMPHandler.java:130) [red5.jar:na]
        at org.red5.server.net.rtmp.RTMPMinaIoHandler.messageReceived(RTMPMinaIoHandler.java:164) [red5.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
        at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:427) [mina-core-2.0.4.jar:na]
        at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:245) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
        at org.red5.server.net.rtmpe.RTMPEIoFilter.messageReceived(RTMPEIoFilter.java:124) [red5.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
        at org.apache.mina.filter.ssl.SslHandler.flushScheduledEvents(SslHandler.java:320) [mina-core-2.0.4.jar:na]
        at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:506) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:715) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:668) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:657) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68) [mina-core-2.0.4.jar:na]
        at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1141) [mina-core-2.0.4.jar:na]
        at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64) [mina-core-2.0.4.jar:na]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [na:1.6.0_24]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [na:1.6.0_24]
        at java.lang.Thread.run(Thread.java:679) [na:1.6.0_24]
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.6.0_24]
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1697) ~[na:1.6.0_24]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:257) ~[na:1.6.0_24]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:251) ~[na:1.6.0_24]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1165) ~[na:1.6.0_24]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154) ~[na:1.6.0_24]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609) ~[na:1.6.0_24]
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:545) ~[na:1.6.0_24]
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945) ~[na:1.6.0_24]
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190) ~[na:1.6.0_24]
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657) ~[na:1.6.0_24]
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108) ~[na:1.6.0_24]
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) ~[na:1.6.0_24]
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) ~[na:1.6.0_24]
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:409) ~[na:1.6.0_24]
        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:352) ~[na:1.6.0_24]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210) ~[na:1.6.0_24]
        ... 55 common frames omitted
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:324) ~[na:1.6.0_24]
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:224) ~[na:1.6.0_24]
        at sun.security.validator.Validator.validate(Validator.java:235) ~[na:1.6.0_24]
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147) ~[na:1.6.0_24]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230) ~[na:1.6.0_24]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270) ~[na:1.6.0_24]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1144) ~[na:1.6.0_24]
        ... 67 common frames omitted
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197) ~[na:1.6.0_24]
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255) ~[na:1.6.0_24]
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:319) ~[na:1.6.0_24]
        ... 73 common frames omitted

How can I solve the "unable to find valid certification path" issue? What does it refer to exactly?

I can correctly connect to https://openmeetings.domain.org/openmeetings/ but the LDAPS authentication/login is failing.

My ldapsearch example at the beginning succeeded probably because I have 'TLS_REQCERT never' in ldap.conf.

Is there a way to "loosen up" OM/java as far as self-signed certs are concerned?

Thanks,

Vieri
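
Added example (not part of the original message, and not OpenMeetings code): a shell check that compares the SHA1 fingerprint of the certificate the LDAPS server actually presents with the certificates stored in the Java truststore, one fact worth establishing when the handshake ends in "PKIX path building failed". It assumes openssl and keytool are on the PATH; the function names are illustrative, and the sample listing is constructed from the fingerprints quoted in the message with a made-up alias "omkey".

```shell
#!/bin/sh
# Added example, not from the original message: is the certificate the LDAPS
# server presents one of the certificates stored in the Java truststore?

# stdin: `keytool -list -v` output. stdout: "SHA1 alias entry-type" per cert.
store_fingerprints() {
    awk '
        /^Alias name:/ { name = $3 }
        /^Entry type:/ { type = $3 }
        $1 == "SHA1:"  { print toupper($2), name, type }
    '
}

# stdin: store_fingerprints output. Prints the alias whose SHA1 equals $1;
# exit status 1 when nothing matches.
match_fingerprint() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -v want="$want" '$1 == want { print $2; hit = 1 } END { exit !hit }'
}

# SHA1 fingerprint of the leaf certificate served at host:port.
server_fingerprint() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha1 2>/dev/null | sed 's/^.*=//'
}

# Live check: check_truststore host:port truststore-file store-password
check_truststore() {
    fp=$(server_fingerprint "$1")
    [ -n "$fp" ] || { echo "no certificate received from $1" >&2; return 2; }
    if found=$(keytool -list -v -keystore "$2" -storepass "$3" |
               store_fingerprints | match_fingerprint "$fp"); then
        echo "server certificate $fp is in the truststore (alias $found)"
    else
        echo "server certificate $fp is NOT in the truststore"
        return 1
    fi
}

# Constructed sample listing; fingerprints copied from the message, alias
# "omkey" is a placeholder for ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.
sample_listing() {
    cat <<'EOF'
Alias name: root
Entry type: trustedCertEntry
Certificate fingerprints:
     MD5:  ED:D1:BA:21:27:67:9F:33:26:E7:9E:DC:FB:B8:5B:EE
     SHA1: 08:6F:5F:A6:D1:81:E0:43:1A:82:9C:F4:CD:42:A6:88:6E:4E:81:29
Alias name: omkey
Entry type: PrivateKeyEntry
Certificate[1]:
Certificate fingerprints:
     MD5:  C1:DD:BD:F5:1E:99:C5:89:25:0F:42:E5:0D:E4:09:5F
     SHA1: D9:4D:AF:2D:C2:1E:99:52:A2:AD:CA:4A:D6:05:24:0E:C8:91:70:DC
EOF
}

if [ "$#" -eq 3 ]; then check_truststore "$@"; fi
```

If the fingerprint is in the store and the handshake still fails, check that the JVM running OM was really started with the JAVA_OPTS shown in the message, and that ${OPENMEETINGS_JAVA_STORE_PASS} holds the same password the keytool commands used (${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}).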
