I guess you need to add your CA to java (global one)
On Wed, May 8, 2013 at 2:39 PM, Vieri <[email protected]> wrote:
> Hi,
>
> From the same machine where OM is installed I can run the following
> command:
>
> # ldapsearch -x -D "[email protected]" -b "cn=Users,dc=domain,dc=org" -H ldaps://ldapserver.domain.org -W sAMAccountName=aduser
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> -----------------
>
> However, if I set up OM to authenticate users via LDAP/SSL I'm getting the
> error reported at the end of this e-mail (LDAP without SSL works fine).
>
> My om_ldap.cfg is as follows:
>
> ldap_server_type=OpenLDAP
> ldap_conn_url=ldaps://ldapserver.domain.org:636
> ldap_admin_dn=CN:aduser,CN:Users,DC:domain,DC:org
> ldap_passwd=secret
> ldap_search_base=CN:Users,DC:domain,DC:org
> field_user_principal=sAMAccountName
> ldap_auth_type=SIMPLE
> ldap_sync_password_to_om=no
> ldap_user_attr_lastname=sn
> ldap_user_attr_firstname=givenName
> ldap_user_attr_mail=mail
> ldap_user_attr_street=streetAddress
> ldap_user_attr_additionalname=description
> ldap_user_attr_fax=facsimileTelephoneNumber
> ldap_user_attr_zip=postalCode
> ldap_user_attr_country=co
> ldap_user_attr_town=l
> ldap_user_attr_phone=telephoneNumber
> ldap_user_picture_uri=wWWHomePage
> ldap_use_lower_case=false
> ldap_user_groups=memberOf
>
> Before running OM I export:
> OPENMEETINGS_JAVA_KEYSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/keystore
> OPENMEETINGS_JAVA_TRUSTSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/truststore
> JAVA_OPTS="-Djavax.net.ssl.keyStore=${OPENMEETINGS_JAVA_KEYSTORE}
> -Djavax.net.ssl.keyStorePassword=${OPENMEETINGS_JAVA_STORE_PASS}
> -Djavax.net.ssl.trustStore=${OPENMEETINGS_JAVA_TRUSTSTORE}
> -Djavax.net.ssl.trustStorePassword=${OPENMEETINGS_JAVA_STORE_PASS}"
>
> I'm using a self-signed certificate in my LDAP server (Active Directory).
> Here's how I generated it:
> selfssl.exe /N:CN=LDAPSERVER.DOMAIN.ORG /K:1024 /V:1825"
> run mmc and open the LOCAL COMPUTER Personal certificate store. The cert
> should already be there.
> Copy it within mmc to the "Trusted root authorities"
> Export the certificate from the trusted root store within mmc as pfx
> file and name it ldapserver.pfx (${OPENMEETINGS_LDAP_SERVER_CERTIFICATE})
>
> Finally, on the OM machine I configured the truststore this way:
>
> OM_J_TRUSTSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/truststore
> rm -f $OM_J_TRUSTSTORE
> keytool -validity 7300 -keysize 2048 -genkey -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keyalg RSA -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -keypass ${OPENMEETINGS_JAVA_KEY_PASSWORD} -dname "${OPENMEETINGS_JAVA_DN}"
> openssl pkcs12 -passin pass:"" -passout pass:"" -in ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE} -out ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}.pem -nodes
> openssl x509 -in ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}.pem -inform pem -out ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}-x509.der -outform der
> keytool -import -alias root -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts -file ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}-x509.der
>
> and the keystore (used for https):
>
> OM_J_KEYSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/keystore
> rm -f ${OM_J_KEYSTORE}
> keytool -validity 7300 -keysize 2048 -genkey -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keyalg RSA -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -keypass ${OPENMEETINGS_JAVA_KEY_PASSWORD} -dname "${OPENMEETINGS_JAVA_DN}"
> keytool -certreq -keyalg RSA -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -file ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.csr -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
> # Now submit ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.csr to custom CA and self-sign the certificate:"
> # - the signed certificate is copied to ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.crt"
> # - the CA root certificate is copied to ${OM_TMP_DIR}/root.crt"
> keytool -import -alias root -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts -file ${OM_TMP_DIR}/root.crt
> keytool -import -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts -file ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.crt
> cp ${OM_J_KEYSTORE} ${OM_J_KEYSTORE}.screen
>
> If I list the keystores:
>
> # keytool -list -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
>
> Alias name: ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
> Creation date: Feb 21, 2013
> Entry type: PrivateKeyEntry
> Certificate chain length: 2
> Certificate[1]:
> Owner: CN=openmeetings.domain.org, OU=IT, O=domain, L=City, ST=State, C=COUNTRY
> Issuer: [email protected], CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> Serial number: 1
> Valid from: Thu Feb 21 09:57:44 CET 2013 until: Tue Feb 20 09:57:44 CET 2018
> Certificate fingerprints:
> MD5: 49:08:9E:CC:AD:19:C8:49:8F:67:5C:3E:64:1C:34:AF
> SHA1: FD:DD:A9:A9:76:16:77:4A:67:96:34:0B:CE:10:93:68:F7:1D:DC:56
> Signature algorithm name: SHA1withRSA
> Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: E5 C3 EE 6C 85 80 D7 C1 49 7F 98 D2 2F C4 88 1D ...l....I.../...
> 0010: 1F 45 73 78
> ]
> ]
>
> #2: ObjectId: 2.5.29.19 Criticality=false
> BasicConstraints:[
> CA:false
> PathLen: undefined
> ]
>
> #3: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: 9B 1E 67 7D 0E CE FB 0B 02 5D AE A9 E2 33 AE 70 ..g......]...3.p
> 0010: 56 EF AB 51 V..Q
> ]
> ]
>
> #4: ObjectId: 2.5.29.18 Criticality=false
> IssuerAlternativeName [
> RFC822Name: [email protected]
> ]
>
> #5: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
>
> #6: ObjectId: 2.5.29.17 Criticality=false
> SubjectAlternativeName [
> DNSName: openmeetings
> DNSName: openmeetings.domain.org
> ]
>
> Certificate[2]:
> Owner: [email protected], CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> Issuer: [email protected], CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> Serial number: 0
> Valid from: Thu Feb 21 09:48:02 CET 2013 until: Thu Feb 13 09:48:02 CET 2048
> Certificate fingerprints:
> MD5: 95:60:3A:CA:B0:4E:EE:18:59:3A:EB:DB:17:9C:D8:0F
> SHA1: 4B:A9:E0:50:EA:D5:E1:8F:4E:01:AC:11:B9:85:A5:E3:D7:3E:25:85
> Signature algorithm name: SHA1withRSA
> Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.15 Criticality=false
> KeyUsage [
> Key_CertSign
> Crl_Sign
> ]
>
> #2: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: 9B 1E 67 7D 0E CE FB 0B 02 5D AE A9 E2 33 AE 70 ..g......]...3.p
> 0010: 56 EF AB 51 V..Q
> ]
> ]
>
> #3: ObjectId: 2.5.29.31 Criticality=false
> CRLDistributionPoints [
> [DistributionPoint:
> [URIName: http://domain.org/cert/crl.crl]
> ]]
>
> #4: ObjectId: 2.5.29.19 Criticality=false
> BasicConstraints:[
> CA:true
> PathLen:2147483647
> ]
>
> #5: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
> NetscapeCertType [
> SSL CA
> S/MIME CA
> ]
>
> #6: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: 9B 1E 67 7D 0E CE FB 0B 02 5D AE A9 E2 33 AE 70 ..g......]...3.p
> 0010: 56 EF AB 51 V..Q
> ]
> [[email protected], CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY]
> SerialNumber: [ 00]
> ]
>
> #7: ObjectId: 2.5.29.18 Criticality=false
> IssuerAlternativeName [
> RFC822Name: [email protected]
> ]
>
> #8: ObjectId: 2.5.29.17 Criticality=false
> SubjectAlternativeName [
> RFC822Name: [email protected]
> ]
>
>
> # keytool -list -alias root -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
>
> root, Feb 21, 2013, trustedCertEntry,
> Certificate fingerprint (MD5): 95:60:3A:CA:B0:4E:EE:18:59:3A:EB:DB:17:9C:D8:0F
>
>
> And now for the trust store:
>
> # keytool -list -alias root -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
> Alias name: root
> Creation date: May 7, 2013
> Entry type: trustedCertEntry
>
> Owner: CN=LDAPSERVER.DOMAIN.ORG
> Issuer: CN=LDAPSERVER.DOMAIN.ORG
> Serial number: -76629fd860703546b57165ba54276ec2
> Valid from: Tue May 15 19:07:45 CEST 2012 until: Sun May 14 19:07:45 CEST 2017
> Certificate fingerprints:
> MD5: ED:D1:BA:21:27:67:9F:33:26:E7:9E:DC:FB:B8:5B:EE
> SHA1: 08:6F:5F:A6:D1:81:E0:43:1A:82:9C:F4:CD:42:A6:88:6E:4E:81:29
> Signature algorithm name: SHA1withRSA
> Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.15 Criticality=false
> KeyUsage [
> DigitalSignature
> Key_Encipherment
> Data_Encipherment
> ]
>
> #2: ObjectId: 2.5.29.37 Criticality=false
> ExtendedKeyUsages [
> serverAuth
> ]
>
> # keytool -list -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
>
> Alias name: ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
> Creation date: May 7, 2013
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: CN=openmeetings.domain.org, OU=IT, O=MyCompanyOrg, L=City, ST=State, C=COUNTRY
> Issuer: CN=openmeetings.domain.org, OU=IT, O=MyCompanyOrg, L=City, ST=State, C=COUNTRY
> Serial number: 5188f626
> Valid from: Tue May 07 14:40:06 CEST 2013 until: Mon May 02 14:40:06 CEST 2033
> Certificate fingerprints:
> MD5: C1:DD:BD:F5:1E:99:C5:89:25:0F:42:E5:0D:E4:09:5F
> SHA1: D9:4D:AF:2D:C2:1E:99:52:A2:AD:CA:4A:D6:05:24:0E:C8:91:70:DC
> Signature algorithm name: SHA1withRSA
> Version: 3
>
>
> When an LDAP user tries to log into OM, the log shows the following
> messages:
>
> DEBUG 05-08 09:58:06.944 LdapAuthBase.java 68748242 117 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] -
> Authentification to LDAP - Server start
> DEBUG 05-08 09:58:06.946 LdapAuthBase.java 68748244 151 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] - loginToLdapServer
> ERROR 05-08 09:58:11.980 LdapAuthBase.java 68753278 123 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] -
> Authentification on LDAP Server failed : simple bind failed: ldapserver.domain.org:636
> ERROR 05-08 09:58:11.996 LdapAuthBase.java 68753294 124 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] - [Authentification on LDAP Server failed]
> javax.naming.CommunicationException: simple bind failed: ldapserver.domain.org:636
> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215) ~[na:1.6.0_24]
> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685) ~[na:1.6.0_24]
> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306) ~[na:1.6.0_24]
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) ~[na:1.6.0_24]
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) ~[na:1.6.0_24]
> at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) ~[na:1.6.0_24]
> at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) ~[na:1.6.0_24]
> at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[na:1.6.0_24]
> at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) ~[na:1.6.0_24]
> at javax.naming.InitialContext.init(InitialContext.java:240) ~[na:1.6.0_24]
> at javax.naming.InitialContext.<init>(InitialContext.java:214) ~[na:1.6.0_24]
> at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99) ~[na:1.6.0_24]
> at org.apache.openmeetings.ldap.LdapAuthBase.loginToLdapServer(LdapAuthBase.java:161) ~[openmeetings-2.1.1-SNAPSHOT.jar:na]
> at org.apache.openmeetings.ldap.LdapAuthBase.authenticateUser(LdapAuthBase.java:119) ~[openmeetings-2.1.1-SNAPSHOT.jar:na]
> at org.apache.openmeetings.ldap.LdapLoginManagement.doLdapLogin(LdapLoginManagement.java:422) [openmeetings-2.1.1-SNAPSHOT.jar:na]
> at org.apache.openmeetings.remote.MainService.loginUser(MainService.java:333) [openmeetings-2.1.1-SNAPSHOT.jar:na]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.6.0_24]
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.6.0_24]
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.6.0_24]
> at java.lang.reflect.Method.invoke(Method.java:616) ~[na:1.6.0_24]
> at org.red5.server.service.ServiceInvoker.invoke(ServiceInvoker.java:196) [red5.jar:na]
> at org.red5.server.service.ServiceInvoker.invoke(ServiceInvoker.java:115) [red5.jar:na]
> at org.red5.server.net.rtmp.RTMPHandler.invokeCall(RTMPHandler.java:157) [red5.jar:na]
> at org.red5.server.net.rtmp.RTMPHandler.onInvoke(RTMPHandler.java:399) [red5.jar:na]
> at org.red5.server.net.rtmp.BaseRTMPHandler.messageReceived(BaseRTMPHandler.java:130) [red5.jar:na]
> at org.red5.server.net.rtmp.RTMPMinaIoHandler.messageReceived(RTMPMinaIoHandler.java:164) [red5.jar:na]
> at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716) [mina-core-2.0.4.jar:na]
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
> at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
> at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:427) [mina-core-2.0.4.jar:na]
> at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:245) [mina-core-2.0.4.jar:na]
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
> at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
> at org.red5.server.net.rtmpe.RTMPEIoFilter.messageReceived(RTMPEIoFilter.java:124) [red5.jar:na]
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
> at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
> at org.apache.mina.filter.ssl.SslHandler.flushScheduledEvents(SslHandler.java:320) [mina-core-2.0.4.jar:na]
> at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:506) [mina-core-2.0.4.jar:na]
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
> at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
> at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119) [mina-core-2.0.4.jar:na]
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
> at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426) [mina-core-2.0.4.jar:na]
> at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:715) [mina-core-2.0.4.jar:na]
> at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:668) [mina-core-2.0.4.jar:na]
> at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:657) [mina-core-2.0.4.jar:na]
> at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68) [mina-core-2.0.4.jar:na]
> at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1141) [mina-core-2.0.4.jar:na]
> at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64) [mina-core-2.0.4.jar:na]
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [na:1.6.0_24]
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [na:1.6.0_24]
> at java.lang.Thread.run(Thread.java:679) [na:1.6.0_24]
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.6.0_24]
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1697) ~[na:1.6.0_24]
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:257) ~[na:1.6.0_24]
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:251) ~[na:1.6.0_24]
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1165) ~[na:1.6.0_24]
> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154) ~[na:1.6.0_24]
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609) ~[na:1.6.0_24]
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:545) ~[na:1.6.0_24]
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945) ~[na:1.6.0_24]
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190) ~[na:1.6.0_24]
> at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657) ~[na:1.6.0_24]
> at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108) ~[na:1.6.0_24]
> at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) ~[na:1.6.0_24]
> at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) ~[na:1.6.0_24]
> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:409) ~[na:1.6.0_24]
> at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:352) ~[na:1.6.0_24]
> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210) ~[na:1.6.0_24]
> ... 55 common frames omitted
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:324) ~[na:1.6.0_24]
> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:224) ~[na:1.6.0_24]
> at sun.security.validator.Validator.validate(Validator.java:235) ~[na:1.6.0_24]
> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147) ~[na:1.6.0_24]
> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230) ~[na:1.6.0_24]
> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270) ~[na:1.6.0_24]
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1144) ~[na:1.6.0_24]
> ... 67 common frames omitted
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197) ~[na:1.6.0_24]
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255) ~[na:1.6.0_24]
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:319) ~[na:1.6.0_24]
> ... 73 common frames omitted
>
> How can I solve the "unable to find valid certification path" issue? What
> does it refer to exactly?
>
> I can correctly connect to https://openmeetings.domain.org/openmeetings/ but
> the LDAPS authentication/login is failing.
>
> My ldapsearch example at the beginning succeeded probably because I have
> 'TLS_REQCERT never' in ldap.conf. Is there a way to "loosen up" OM/java as
> far as self-signed certs are concerned?
>
> Thanks,
>
> Vieri
>

-- 
WBR
Maxim aka solomax
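The "PKIX path building failed" in the trace means the JVM's default trust manager could not link the certificate the LDAP server presented to any trusted certificate in the truststore that JVM is actually reading. The reply above points at the usual cause: the certificate was imported into one store (here red5/conf/truststore, selected via JAVA_OPTS) while the running JVM consults another (the JRE-global cacerts). The program below is an added diagnostic, not part of this thread or of OpenMeetings: run it with the same JVM and the same -D options as red5 (or without them, to see what the global default gives) and it reports which store is in effect, whether a validating handshake to the LDAPS port succeeds, and if not, which certificates in the chain the server sent are absent from that store. The host, port and the default cacerts password "changeit" are assumptions; the chain-capturing trust manager accepts any certificate and exists only to read the chain for inspection.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Diagnoses a "PKIX path building failed" LDAPS handshake from inside the JVM:
 *  1. reports which truststore this JVM consults (-Djavax.net.ssl.trustStore
 *     if the JVM was really started with it, else the JRE-global cacerts),
 *  2. performs a normally validating handshake to host:port,
 *  3. on failure, captures the chain the server actually sent (inspection only)
 *     and checks each certificate in it against that truststore.
 *
 * Usage: java LdapsTrustCheck ldapserver.domain.org 636   (host/port assumed)
 */
public class LdapsTrustCheck {

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "ldapserver.domain.org";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;

        // The default trust manager reads the system property if set, otherwise
        // the JRE's own cacerts (java.home is the JRE directory, also for a JDK).
        String storePath = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        String storePass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        System.out.println("Truststore in effect: " + storePath);

        // Step 1: the real check, a validating handshake with the default context.
        try {
            SSLSocket s = (SSLSocket) SSLContext.getDefault().getSocketFactory().createSocket(host, port);
            s.startHandshake();
            X509Certificate peer = (X509Certificate) s.getSession().getPeerCertificates()[0];
            System.out.println("Validating handshake OK; peer: " + peer.getSubjectX500Principal());
            s.close();
            return;
        } catch (SSLHandshakeException e) {
            System.out.println("Validating handshake FAILED: " + e.getMessage());
        }

        // Step 2: capture the chain the server presented. This trust manager
        // accepts everything and must never be used for a real connection.
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { seen[0] = c; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        s.startHandshake();
        s.close();

        // Step 3: is any certificate of that chain (leaf or issuer) in the store?
        // A self-signed server certificate must itself be present; a CA-issued
        // one needs its issuing CA present.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(storePath);
        try { ks.load(in, storePass.toCharArray()); } finally { in.close(); }

        for (X509Certificate c : seen[0]) {
            String alias = ks.getCertificateAlias(c);
            System.out.println((alias != null ? "TRUSTED as '" + alias + "': " : "NOT in store: ")
                    + c.getSubjectX500Principal() + " [SHA1 " + sha1(c) + "]");
        }
    }

    /** Colon-separated SHA1 fingerprint, same format keytool -list prints. */
    static String sha1(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            sb.append(String.format("%s%02X", i == 0 ? "" : ":", d[i] & 0xff));
        }
        return sb.toString();
    }
}
```

Compare the SHA1 the program prints for the server's certificate with the one keytool -list shows for the entry in the store you think is in use; if they match but the program still reports the JRE-global cacerts as the store in effect, the -Djavax.net.ssl.trustStore options never reached the JVM that runs red5, and the fix is either to pass them in the way that JVM's start script honours or, as the reply suggests, to import the certificate into that global store with keytool -import -trustcacerts -keystore <java.home>/lib/security/cacerts. "Loosening up" Java the way TLS_REQCERT never loosens ldapsearch would remove server authentication entirely, so the bind password in om_ldap.cfg would be sent to whoever answers on port 636; importing the certificate is the correct fix.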
