Thanks for the response, Alan.

It seems the problem for me is that our ldap (AD) server is using a PKI
certificate, which appears to be self-signed. I really don't understand how
that works. But from what I've read, that's what's causing the problem.

On Thu, 12 Nov 2020 at 11:23, Alan Orth <[email protected]> wrote:

> Hi Sean,
>
> I'm using LDAPS on both DSpace 5.8 and 6.3. For DSpace 5 I have the
> following in my sitename.properties:
>
> ldap.provider_url = ldaps://blahblah.org:636/
>
> For DSpace 6 I have this in my local.cfg:
>
> authentication-ldap.provider_url = ldaps://blahblah.org:636/
>
> I have not configured any STARTTLS parameters in DSpace or the system's
> ldap.conf. We are using Ubuntu 18.04.
>
> Regards,
>
> On Thu, Nov 12, 2020 at 9:34 AM Sean Carte <[email protected]> wrote:
>
>> I'm trying to configure DSpace-CRIS 5.10 and DSpace 6.3 to use ldaps, but
>> get this error in the log:
>>
>> 2020-11-11 15:05:03,464 WARN  org.dspace.authenticate.LDAPAuthentication @
>> anonymous:session_id=F261C03287498D5AEE67FFE7F53CBCAF:ip_addr=10.0.36.134:ldap_authentication:type=failed_auth
>> javax.naming.CommunicationException: simple bind failed:
>> <server_url>:636 [Root exception is
>> javax.net.ssl.SSLHandshakeException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target]
>>
>> LDAP authentication is working without SSL. All I've changed in the
>> configuration is ldap -> ldaps in the provider_url property.
>>
>> On the DSpace 6.3 server I've also tried:
>> authentication-ldap.starttls=true
>> while leaving the scheme at ldap
>>
>> That results in the following error:
>>
>> 2020-11-12 09:06:32,112 WARN  org.dspace.authenticate.LDAPAuthentication @
>> anonymous:session_id=0BD2A90CE7458F21149D8505D76D7E78:ip_addr=10.0.36.134:ldap_authentication:type=failed_auth
>> javax.net.ssl.SSLHandshakeException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target
>>
>> I also tried using ldapsearch and found that that fails on ldaps with the
>> error 'TLS: peer cert untrusted or revoked (0x142)' unless I add the
>> following line to /etc/ldap/ldap.conf:
>>
>> TLS_REQCERT NEVER
>>
>> That setting in ldap.conf doesn't seem to have any effect on DSpace; is
>> there a way of telling DSpace to not expect a server certificate? Or is
>> there a better way to get secure LDAP working?
>>
>
>
> --
> Alan Orth
> [email protected]
> https://picturingjordan.com
> https://englishbulgaria.net
> https://mjanja.ch
>

-- 
All messages to this mailing list should adhere to the DuraSpace Code of 
Conduct: https://duraspace.org/about/policies/code-of-conduct/
--- 
You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/CA%2BxAuhPBrrL1tcJWJomE7xTgLRR_W0Fbsr3WkBywVe7-xOzP-Q%40mail.gmail.com.
