On 30/04/2019 16:06, Julien TEHERY wrote:
> Now I have:
>
> avr. 30 15:54:30 - ERROR - org.lsc.exception.LscConfigurationException:
> Configuration exception: javax.naming.CommunicationException: simple bind
> failed: myserver.mydomain.lan:636 [Root exception is
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
> No name matching myserver.mydomain.lan found]
>
>
> Certificates have been imported with:
>
> For Samba4 (destination)
>
> keytool -import -storepass changeit -noprompt -file /var/lib/samba/private/tls/ca.pem -keystore cacerts
>
> => This certificate is generated automatically with the samba4 installer and
> works perfectly
>
> For Remote LDAP (source)
>
> keytool -import -alias myserver.mydomain.lan -storepass changeit -noprompt -file /tmp/cacert.pem -keystore cacerts
>
> => This certificate is a self-signed certificate provided by a customer, it
> contains a CN which seems to be valid but doesn't contain a SAN, which I
> suppose is mandatory. ?
The CA root certificate needs to be added on the server that executes LSC, in the JVM that executes LSC (on my machine, it's in /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security), with the JVM's embedded keytool:

# cd $JAVA_HOME/jre/lib/security
# ../../bin/keytool -import -file /path/to/ca.crt -alias ldap -keystore jssecacerts

If you have several CA root certificates to add to your trust store (e.g. one for destination, one for source), change the alias.

For the error, I have used self-signed certificates with no SAN name, just the CN, and never got that error. Using this command:

keytool -printcert -sslserver $host[:$port]

you can check the CN of the server and compare it to the one in your URL; it should match exactly or it won't work.

-- 
Soisik Froger | Software Architect
[email protected]
Worteks | https://www.worteks.com

_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
https://lists.lsc-project.org/cgi-bin/mailman/listinfo/lsc-users
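To make the CN-versus-SAN rule in the reply above concrete, here is an added Python example (not part of the thread and not LSC or JDK code) that models the hostname check the JDK's default verifier applies after the TLS handshake, using the dictionary layout that Python's ssl getpeercert() returns. All sample certificates are constructed. It shows the two things worth knowing when reading that log line: a certificate with only a CN is accepted as long as the CN equals the host in the URL exactly (case aside), which matches Soisik's experience; and once any dNSName SAN is present the CN is no longer consulted, so adding a SAN for a different name breaks a CN that used to work. The "No name matching ... found" wording is the message the JDK raises when the CN fallback fails, so it points at a CN/URL mismatch rather than at a missing SAN.

```python
"""Model of the JVM-style hostname check (added example, not JDK code).

Rule in outline: if the certificate carries subjectAltName dNSName entries,
only those are compared to the URL host; the subject CN is consulted only
when there is no dNSName SAN at all. Comparison is case-insensitive and a
'*' is accepted only as the whole left-most label, standing for one label.
"""

# Constructed sample certificates in the layout ssl.SSLSocket.getpeercert()
# returns: subject is a tuple of RDNs, each a tuple of (attribute, value).
CERT_CN_ONLY = {
    "subject": ((("commonName", "myserver.mydomain.lan"),),),
}
CERT_SHORT_CN = {  # CN is the short host name, URL uses the FQDN
    "subject": ((("commonName", "myserver"),),),
}
CERT_SAN_OTHER = {  # CN would match, but a SAN exists and takes precedence
    "subject": ((("commonName", "myserver.mydomain.lan"),),),
    "subjectAltName": (("DNS", "ldap.mydomain.lan"),),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "*.mydomain.lan"),),
}


def _name_matches(pattern, host):
    """Case-insensitive DNS comparison; '*' only as the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[1:]:
        p_labels = pattern.split(".")
        h_labels = host.split(".")
        # The wildcard stands for exactly one label; every other label must be equal.
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def candidate_names(cert):
    """Return (source, names): the dNSName SANs if any exist, else the subject CN(s)."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return "SAN", sans
    cns = [value for rdn in cert.get("subject", ())
           for (attr, value) in rdn if attr == "commonName"]
    return "CN", cns


def name_matches(cert, host):
    """True when the JVM-style check would accept `host` for this certificate."""
    _, names = candidate_names(cert)
    return any(_name_matches(n, host) for n in names)


def explain(cert, host):
    """Produce the JDK's two distinct failure messages so a log line can be read back."""
    source, names = candidate_names(cert)
    if any(_name_matches(n, host) for n in names):
        return "ok: %s matched %s via %s" % (host, ", ".join(names), source)
    if source == "SAN":
        # Raised when dNSName SANs exist but none matched; the CN is not tried.
        return "No subject alternative DNS name matching %s found." % host
    # Raised when no dNSName SAN exists and the CN fallback also failed.
    return "No name matching %s found" % host


if __name__ == "__main__":
    url_host = "myserver.mydomain.lan"
    for label, cert in [("CN only", CERT_CN_ONLY), ("short CN", CERT_SHORT_CN),
                        ("SAN for other name", CERT_SAN_OTHER), ("wildcard SAN", CERT_WILDCARD)]:
        print("%-20s %s" % (label, explain(cert, url_host)))
```

The keytool -printcert -sslserver command from the reply prints both the subject CN and the SubjectAlternativeName extension of the live server certificate, which are the inputs this check consumes; compare them against the host part of the ldaps:// URL exactly as LSC is configured to use it.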

