To be fair I don't know :( I never set up LDAP integration myself
Maybe Sebastian can suggest anything?

On Wed, May 8, 2013 at 3:11 PM, Vieri <[email protected]> wrote:
> # java -version
> java version "1.6.0_24"
> OpenJDK Runtime Environment (IcedTea6 1.11.1) (Gentoo build 1.6.0_24-b24)
> OpenJDK Client VM (build 20.0-b12, mixed mode)
>
> I guess that would be:
> /etc/java-config-2/current-system-vm/jre/lib/security/cacerts
>
> So I'd need to add the CA and only the CA cert to this file?
> I'd run something like:
>
> keytool -import -alias root -keystore /etc/java-config-2/current-system-vm/jre/lib/security/cacerts -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts -file ${OM_TMP_DIR}/root.crt
>
> However, I have no experience whatsoever in this field and I currently don't know what to use as the keystore password (or maybe it should be left blank).
>
> So if you suggest to put the CA in the global store, does it mean that
> JAVA_OPTS="-Djavax.net.ssl.keyStore="
> is not enough?
>
> Vieri
>
> --- On Wed, 5/8/13, Maxim Solodovnik <[email protected]> wrote:
>
> > I guess you need to add your CA to java (global one)
> >
> >
> > On Wed, May 8, 2013 at 2:39 PM, Vieri <[email protected]> wrote:
> >
> > > Hi,
> > >
> > > From the same machine where OM is installed I can run the following command:
> > >
> > > # ldapsearch -x -D "[email protected]" -b "cn=Users,dc=domain,dc=org" -H ldaps://ldapserver.domain.org -W sAMAccountName=aduser
> > >
> > > # search result
> > > search: 2
> > > result: 0 Success
> > >
> > > # numResponses: 2
> > > # numEntries: 1
> > >
> > > -----------------
> > >
> > > However, if I set up OM to authenticate users via LDAP/SSL I'm getting the error reported at the end of this e-mail (LDAP without SSL works fine).
> > >
> > > My om_ldap.cfg is as follows:
> > >
> > > ldap_server_type=OpenLDAP
> > > ldap_conn_url=ldaps://ldapserver.domain.org:636
> > > ldap_admin_dn=CN:aduser,CN:Users,DC:domain,DC:org
> > > ldap_passwd=secret
> > > ldap_search_base=CN:Users,DC:domain,DC:org
> > > field_user_principal=sAMAccountName
> > > ldap_auth_type=SIMPLE
> > > ldap_sync_password_to_om=no
> > > ldap_user_attr_lastname=sn
> > > ldap_user_attr_firstname=givenName
> > > ldap_user_attr_mail=mail
> > > ldap_user_attr_street=streetAddress
> > > ldap_user_attr_additionalname=description
> > > ldap_user_attr_fax=facsimileTelephoneNumber
> > > ldap_user_attr_zip=postalCode
> > > ldap_user_attr_country=co
> > > ldap_user_attr_town=l
> > > ldap_user_attr_phone=telephoneNumber
> > > ldap_user_picture_uri=wWWHomePage
> > > ldap_use_lower_case=false
> > > ldap_user_groups=memberOf
> > >
> > > Before running OM I export:
> > >
> > > OPENMEETINGS_JAVA_KEYSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/keystore
> > > OPENMEETINGS_JAVA_TRUSTSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/truststore
> > > JAVA_OPTS="-Djavax.net.ssl.keyStore=${OPENMEETINGS_JAVA_KEYSTORE} -Djavax.net.ssl.keyStorePassword=${OPENMEETINGS_JAVA_STORE_PASS} -Djavax.net.ssl.trustStore=${OPENMEETINGS_JAVA_TRUSTSTORE} -Djavax.net.ssl.trustStorePassword=${OPENMEETINGS_JAVA_STORE_PASS}"
> > >
> > > I'm using a self-signed certificate in my LDAP server (Active Directory). Here's how I generated it:
> > > selfssl.exe /N:CN=LDAPSERVER.DOMAIN.ORG /K:1024 /V:1825"
> > > run mmc and open the LOCAL COMPUTER Personal certificate store. The cert should already be there.
> > > Copy it within mmc to the "Trusted root authorities"
> > > Export the certificate from the trusted root store within mmc as pfx file and name it ldapserver.pfx (${OPENMEETINGS_LDAP_SERVER_CERTIFICATE})
> > >
> > > Finally, on the OM machine I configured the truststore this way:
> > >
> > > OM_J_TRUSTSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/truststore
> > > rm -f $OM_J_TRUSTSTORE
> > > keytool -validity 7300 -keysize 2048 -genkey -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keyalg RSA -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -keypass ${OPENMEETINGS_JAVA_KEY_PASSWORD} -dname "${OPENMEETINGS_JAVA_DN}"
> > > openssl pkcs12 -passin pass:"" -passout pass:"" -in ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE} -out ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}.pem -nodes
> > > openssl x509 -in ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}.pem -inform pem -out ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}-x509.der -outform der
> > > keytool -import -alias root -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts -file ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}-x509.der
> > >
> > > and the keystore (used for https):
> > >
> > > OM_J_KEYSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/keystore
> > > rm -f ${OM_J_KEYSTORE}
> > > keytool -validity 7300 -keysize 2048 -genkey -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keyalg RSA -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -keypass ${OPENMEETINGS_JAVA_KEY_PASSWORD} -dname "${OPENMEETINGS_JAVA_DN}"
> > > keytool -certreq -keyalg RSA -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -file ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.csr -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
> > > # Now submit ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.csr to custom CA and self-sign the certificate:"
> > > # - the signed certificate is copied to ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.crt"
> > > # - the CA root certificate is copied to ${OM_TMP_DIR}/root.crt"
> > > keytool -import -alias root -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts -file ${OM_TMP_DIR}/root.crt
> > > keytool -import -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts -file ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.crt
> > > cp ${OM_J_KEYSTORE} ${OM_J_KEYSTORE}.screen
> > >
> > > If I list the keystores:
> > >
> > > # keytool -list -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
> > >
> > > Alias name: ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
> > > Creation date: Feb 21, 2013
> > > Entry type: PrivateKeyEntry
> > > Certificate chain length: 2
> > > Certificate[1]:
> > > Owner: CN=openmeetings.domain.org, OU=IT, O=domain, L=City, ST=State, C=COUNTRY
> > > Issuer: [email protected], CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> > > Serial number: 1
> > > Valid from: Thu Feb 21 09:57:44 CET 2013 until: Tue Feb 20 09:57:44 CET 2018
> > > Certificate fingerprints:
> > > MD5: 49:08:9E:CC:AD:19:C8:49:8F:67:5C:3E:64:1C:34:AF
> > > SHA1: FD:DD:A9:A9:76:16:77:4A:67:96:34:0B:CE:10:93:68:F7:1D:DC:56
> > > Signature algorithm name: SHA1withRSA
> > > Version: 3
> > >
> > > Extensions:
> > >
> > > #1: ObjectId: 2.5.29.14 Criticality=false
> > > SubjectKeyIdentifier [
> > > KeyIdentifier [
> > > 0000: E5 C3 EE 6C 85 80 D7 C1 49 7F 98 D2 2F C4 88 1D ...l....I.../...
> > > 0010: 1F 45 73 78
> > > ]
> > > ]
> > >
> > > #2: ObjectId: 2.5.29.19 Criticality=false
> > > BasicConstraints:[
> > > CA:false
> > > PathLen: undefined
> > > ]
> > >
> > > #3: ObjectId: 2.5.29.35 Criticality=false
> > > AuthorityKeyIdentifier [
> > > KeyIdentifier [
> > > 0000: 9B 1E 67 7D 0E CE FB 0B 02 5D AE A9 E2 33 AE 70 ..g......]...3.p
> > > 0010: 56 EF AB 51                                      V..Q
> > > ]
> > >
> > > ]
> > >
> > > #4: ObjectId: 2.5.29.18 Criticality=false
> > > IssuerAlternativeName [
> > > RFC822Name: [email protected]
> > > ]
> > >
> > > #5: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
> > >
> > > #6: ObjectId: 2.5.29.17 Criticality=false
> > > SubjectAlternativeName [
> > > DNSName: openmeetings
> > > DNSName: openmeetings.domain.org
> > > ]
> > >
> > > Certificate[2]:
> > > Owner: [email protected], CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> > > Issuer: [email protected], CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> > > Serial number: 0
> > > Valid from: Thu Feb 21 09:48:02 CET 2013 until: Thu Feb 13 09:48:02 CET 2048
> > > Certificate fingerprints:
> > > MD5: 95:60:3A:CA:B0:4E:EE:18:59:3A:EB:DB:17:9C:D8:0F
> > > SHA1: 4B:A9:E0:50:EA:D5:E1:8F:4E:01:AC:11:B9:85:A5:E3:D7:3E:25:85
> > > Signature algorithm name: SHA1withRSA
> > > Version: 3
> > >
> > > Extensions:
> > >
> > > #1: ObjectId: 2.5.29.15 Criticality=false
> > > KeyUsage [
> > > Key_CertSign
> > > Crl_Sign
> > > ]
> > >
> > > #2: ObjectId: 2.5.29.14 Criticality=false
> > > SubjectKeyIdentifier [
> > > KeyIdentifier [
> > > 0000: 9B 1E 67 7D 0E CE FB 0B 02 5D AE A9 E2 33 AE 70 ..g......]...3.p
> > > 0010: 56 EF AB 51                                      V..Q
> > > ]
> > > ]
> > >
> > > #3: ObjectId: 2.5.29.31 Criticality=false
> > > CRLDistributionPoints [
> > > [DistributionPoint:
> > > [URIName: http://domain.org/cert/crl.crl]
> > > ]]
> > >
> > > #4: ObjectId: 2.5.29.19 Criticality=false
> > > BasicConstraints:[
> > > CA:true
> > > PathLen:2147483647
> > > ]
> > >
> > > #5: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
> > > NetscapeCertType [
> > > SSL CA
> > > S/MIME CA
> > > ]
> > >
> > > #6: ObjectId: 2.5.29.35 Criticality=false
> > > AuthorityKeyIdentifier [
> > > KeyIdentifier [
> > > 0000: 9B 1E 67 7D 0E CE FB 0B 02 5D AE A9 E2 33 AE 70 ..g......]...3.p
> > > 0010: 56 EF AB 51                                      V..Q
> > > ]
> > >
> > > [[email protected], CN=MYORG1 Signing Authority, OU=ORG IT, O=MYORG, ST=State, C=COUNTRY]
> > > SerialNumber: [ 00]
> > > ]
> > >
> > > #7: ObjectId: 2.5.29.18 Criticality=false
> > > IssuerAlternativeName [
> > > RFC822Name: [email protected]
> > > ]
> > >
> > > #8: ObjectId: 2.5.29.17 Criticality=false
> > > SubjectAlternativeName [
> > > RFC822Name: [email protected]
> > > ]
> > >
> > >
> > > # keytool -list -alias root -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
> > >
> > > root, Feb 21, 2013, trustedCertEntry,
> > > Certificate fingerprint (MD5): 95:60:3A:CA:B0:4E:EE:18:59:3A:EB:DB:17:9C:D8:0F
> > >
> > >
> > > And now for the trust store:
> > >
> > > # keytool -list -alias root -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
> > > Alias name: root
> > > Creation date: May 7, 2013
> > > Entry type: trustedCertEntry
> > >
> > > Owner: CN=LDAPSERVER.DOMAIN.ORG
> > > Issuer: CN=LDAPSERVER.DOMAIN.ORG
> > > Serial number: -76629fd860703546b57165ba54276ec2
> > > Valid from: Tue May 15 19:07:45 CEST 2012 until: Sun May 14 19:07:45 CEST 2017
> > > Certificate fingerprints:
> > > MD5: ED:D1:BA:21:27:67:9F:33:26:E7:9E:DC:FB:B8:5B:EE
> > > SHA1: 08:6F:5F:A6:D1:81:E0:43:1A:82:9C:F4:CD:42:A6:88:6E:4E:81:29
> > > Signature algorithm name: SHA1withRSA
> > > Version: 3
> > >
> > > Extensions:
> > >
> > > #1: ObjectId: 2.5.29.15 Criticality=false
> > > KeyUsage [
> > > DigitalSignature
> > > Key_Encipherment
> > > Data_Encipherment
> > > ]
> > >
> > > #2: ObjectId: 2.5.29.37 Criticality=false
> > > ExtendedKeyUsages [
> > > serverAuth
> > > ]
> > >
> > > # keytool -list -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
> > >
> > > Alias name: ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
> > > Creation date: May 7, 2013
> > > Entry type: PrivateKeyEntry
> > > Certificate chain length: 1
> > > Certificate[1]:
> > > Owner: CN=openmeetings.domain.org, OU=IT, O=MyCompanyOrg, L=City, ST=State, C=COUNTRY
> > > Issuer: CN=openmeetings.domain.org, OU=IT, O=MyCompanyOrg, L=City, ST=State, C=COUNTRY
> > > Serial number: 5188f626
> > > Valid from: Tue May 07 14:40:06 CEST 2013 until: Mon May 02 14:40:06 CEST 2033
> > > Certificate fingerprints:
> > > MD5: C1:DD:BD:F5:1E:99:C5:89:25:0F:42:E5:0D:E4:09:5F
> > > SHA1: D9:4D:AF:2D:C2:1E:99:52:A2:AD:CA:4A:D6:05:24:0E:C8:91:70:DC
> > > Signature algorithm name: SHA1withRSA
> > > Version: 3
> > >
> > >
> > > When an LDAP user tries to log into OM, the log shows the following messages:
> > >
> > > DEBUG 05-08 09:58:06.944 LdapAuthBase.java 68748242 117 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] -
> > >
> > > Authentification to LDAP - Server start
> > > DEBUG 05-08 09:58:06.946 LdapAuthBase.java 68748244 151 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] - loginToLdapServer
> > > ERROR 05-08 09:58:11.980 LdapAuthBase.java 68753278 123 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] -
> > >
> > > Authentification on LDAP Server failed : simple bind failed: ldapserver.domain.org:636
> > > ERROR 05-08 09:58:11.996 LdapAuthBase.java 68753294 124 org.apache.openmeetings.ldap.LdapAuthBase [NioProcessor-19] - [Authentification on LDAP Server failed]
> > > javax.naming.CommunicationException: simple bind failed: ldapserver.domain.org:636
> > >         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215) ~[na:1.6.0_24]
> > >         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685) ~[na:1.6.0_24]
> > >         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306) ~[na:1.6.0_24]
> > >         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) ~[na:1.6.0_24]
> > >         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) ~[na:1.6.0_24]
> > >         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) ~[na:1.6.0_24]
> > >         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) ~[na:1.6.0_24]
> > >         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[na:1.6.0_24]
> > >         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) ~[na:1.6.0_24]
> > >         at javax.naming.InitialContext.init(InitialContext.java:240) ~[na:1.6.0_24]
> > >         at javax.naming.InitialContext.<init>(InitialContext.java:214) ~[na:1.6.0_24]
> > >         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99) ~[na:1.6.0_24]
> > >         at org.apache.openmeetings.ldap.LdapAuthBase.loginToLdapServer(LdapAuthBase.java:161) ~[openmeetings-2.1.1-SNAPSHOT.jar:na]
> > >         at org.apache.openmeetings.ldap.LdapAuthBase.authenticateUser(LdapAuthBase.java:119) ~[openmeetings-2.1.1-SNAPSHOT.jar:na]
> > >         at org.apache.openmeetings.ldap.LdapLoginManagement.doLdapLogin(LdapLoginManagement.java:422) [openmeetings-2.1.1-SNAPSHOT.jar:na]
> > >         at org.apache.openmeetings.remote.MainService.loginUser(MainService.java:333) [openmeetings-2.1.1-SNAPSHOT.jar:na]
> > >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.6.0_24]
> > >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.6.0_24]
> > >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.6.0_24]
> > >         at java.lang.reflect.Method.invoke(Method.java:616) ~[na:1.6.0_24]
> > >         at org.red5.server.service.ServiceInvoker.invoke(ServiceInvoker.java:196) [red5.jar:na]
> > >         at org.red5.server.service.ServiceInvoker.invoke(ServiceInvoker.java:115) [red5.jar:na]
> > >         at org.red5.server.net.rtmp.RTMPHandler.invokeCall(RTMPHandler.java:157) [red5.jar:na]
> > >         at org.red5.server.net.rtmp.RTMPHandler.onInvoke(RTMPHandler.java:399) [red5.jar:na]
> > >         at org.red5.server.net.rtmp.BaseRTMPHandler.messageReceived(BaseRTMPHandler.java:130) [red5.jar:na]
> > >         at org.red5.server.net.rtmp.RTMPMinaIoHandler.messageReceived(RTMPMinaIoHandler.java:164) [red5.jar:na]
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:427) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:245) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
> > >         at org.red5.server.net.rtmpe.RTMPEIoFilter.messageReceived(RTMPEIoFilter.java:124) [red5.jar:na]
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.filter.ssl.SslHandler.flushScheduledEvents(SslHandler.java:320) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:506) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:715) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:668) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:657) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1141) [mina-core-2.0.4.jar:na]
> > >         at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64) [mina-core-2.0.4.jar:na]
> > >         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [na:1.6.0_24]
> > >         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [na:1.6.0_24]
> > >         at java.lang.Thread.run(Thread.java:679) [na:1.6.0_24]
> > > Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.6.0_24]
> > >         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1697) ~[na:1.6.0_24]
> > >         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:257) ~[na:1.6.0_24]
> > >         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:251) ~[na:1.6.0_24]
> > >         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1165) ~[na:1.6.0_24]
> > >         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154) ~[na:1.6.0_24]
> > >         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609) ~[na:1.6.0_24]
> > >         at sun.security.ssl.Handshaker.process_record(Handshaker.java:545) ~[na:1.6.0_24]
> > >         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945) ~[na:1.6.0_24]
> > >         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190) ~[na:1.6.0_24]
> > >         at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657) ~[na:1.6.0_24]
> > >         at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108) ~[na:1.6.0_24]
> > >         at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) ~[na:1.6.0_24]
> > >         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) ~[na:1.6.0_24]
> > >         at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:409) ~[na:1.6.0_24]
> > >         at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:352) ~[na:1.6.0_24]
> > >         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210) ~[na:1.6.0_24]
> > >         ... 55 common frames omitted
> > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:324) ~[na:1.6.0_24]
> > >         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:224) ~[na:1.6.0_24]
> > >         at sun.security.validator.Validator.validate(Validator.java:235) ~[na:1.6.0_24]
> > >         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147) ~[na:1.6.0_24]
> > >         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230) ~[na:1.6.0_24]
> > >         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270) ~[na:1.6.0_24]
> > >         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1144) ~[na:1.6.0_24]
> > >         ... 67 common frames omitted
> > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197) ~[na:1.6.0_24]
> > >         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255) ~[na:1.6.0_24]
> > >         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:319) ~[na:1.6.0_24]
> > >         ... 73 common frames omitted
> > >
> > > How can I solve the "unable to find valid certification path" issue? What does it refer to exactly?
> > >
> > > I can correctly connect to https://openmeetings.domain.org/openmeetings/ but the LDAPS authentication/login is failing.
> > >
> > > My ldapsearch example at the beginning succeeded probably because I have 'TLS_REQCERT never' in ldap.conf. Is there a way to "loosen up" OM/java as far as self-signed certs are concerned?
> > >
> > > Thanks,
> > >
> > > Vieri
> > >
> > >
> >
> > --
> > WBR
> > Maxim aka solomax

--
WBR
Maxim aka solomax
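The "PKIX path building failed" error in the thread is the JVM's trust manager reporting that no certificate in the truststore it was handed anchors the chain the LDAPS server presented. The program below is an added diagnostic, not code from the thread, from OpenMeetings or from red5: it loads a JKS truststore exactly as -Djavax.net.ssl.trustStore would, lists which aliases count as trust anchors (only trustedCertEntry entries do; a PrivateKeyEntry in the same file is ignored for trust purposes), and then performs the same TLS handshake that JNDI's ldaps:// simple bind performs, with the real PKIX trust manager still making the decision. A thin wrapper only records the chain the server sent, so on failure the subject and issuer of each presented certificate can be compared with the anchors. The truststore path, password, host and port are command-line arguments and placeholders; the code uses Java 6 APIs to match the 1.6.0_24 runtime in the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* Added diagnostic (not OpenMeetings or red5 code): replays the JVM's trust decision for an
 * LDAPS endpoint against a given JKS truststore. Usage, with placeholder arguments:
 *   java LdapsTrustCheck /path/to/truststore changeit ldapserver.example.org 636 */
public class LdapsTrustCheck {

    /* Delegates every decision to the real PKIX trust manager; only records the chain. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] presented;
        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            presented = chain;                            // kept for the report only
            delegate.checkServerTrusted(chain, authType); // verification is unchanged
        }

        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /* Loads the file the way -Djavax.net.ssl.trustStore would (default type is JKS). */
    static KeyStore loadTrustStore(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }

    /* Only trustedCertEntry aliases act as trust anchors; a PrivateKeyEntry is ignored. */
    static void printAnchors(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("anchor  [" + alias + "] " + c.getSubjectX500Principal());
            } else {
                System.out.println("ignored [" + alias + "] not a trustedCertEntry");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadTrustStore(args[0], args[1]);
        printAnchors(ks);
        // The PKIX trust manager JSSE would build from the truststore system properties.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager real = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { real = (X509TrustManager) tm; }
        }
        if (real == null) { throw new IllegalStateException("no X509TrustManager available"); }
        RecordingTrustManager rec = new RecordingTrustManager(real);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { rec }, null);
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[2], Integer.parseInt(args[3]));
        try {
            socket.startHandshake(); // the step at which the ldaps:// simple bind failed
            System.out.println("OK: server chain validates against " + args[0]);
        } catch (SSLHandshakeException e) {
            // The "PKIX path building failed" case: show what the server actually sent so
            // its issuer can be compared with the anchors printed above.
            System.out.println("FAILED: " + e.getMessage());
            if (rec.presented != null) {
                for (X509Certificate c : rec.presented) {
                    System.out.println("  presented subject=" + c.getSubjectX500Principal()
                            + " issuer=" + c.getIssuerX500Principal());
                }
            }
        } finally {
            socket.close();
        }
    }
}
```

Read the two outcomes this way. If the handshake reports OK with the same truststore file and password the application is started with, the file is not the problem and the question becomes whether the -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword options are actually reaching the JVM that runs the LDAP bind (a JVM that does not receive them falls back to the global cacerts file, which is where the suggestion in the thread to import the CA there comes from). If it reports FAILED, the issuer printed for the server's certificate must match one of the listed anchors; for a self-signed server certificate, subject and issuer are identical and the anchor has to be that exact certificate, so a server that was re-issued since the export will show a different fingerprint. Either way the check keeps PKIX validation in force rather than relaxing it, which is the safer answer to the "loosen up" question: the ldapsearch success under TLS_REQCERT never proves only that the socket connects, not that the peer is the intended server.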
