[grouper-users] dealing with grouper, certificates, and connecting to sldap


  • From: Rob Gorrell <>
  • To:
  • Subject: [grouper-users] dealing with grouper, certificates, and connecting to sldap
  • Date: Fri, 12 Jul 2013 16:12:08 -0400

I'm trying to connect to my standard Active Directory domain via SSL/636 to import groups as part of a Grouper loader job. We have an internal CA that signs everything for the domain, but of course this is not a trusted third-party signer, and as such Grouper seems to be having trouble establishing an sldap connection to my AD source without being able to validate the certificate.

Trying to run a sample load job was giving me errors like the following in my grouper-error.log:
2013-07-12 14:07:25,653: [main] ERROR DefaultLdapFactory.create(109) -  - unabled to connect to the ldap
javax.naming.CommunicationException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Then I found a note about needing to use the Java keytool command to import the LDAP cert into the Java keystore, so I ran the following:
keytool -import -file /path/to/cacert/file.pem -keystore $JAVA_HOME/lib/security/cacerts
...giving it the CA from my AD domain. I reran the loader and received the same error as before. This time, I changed my loader configuration to target a specific domain controller, then went to that domain controller and used the MMC certificate snap-in to export that server's certificate. Using keytool, I added the server's specific cert to the keystore and reran. Now I'm getting a different error:

2013-07-12 14:43:56,817: [main] ERROR DefaultLdapFactory.create(109) -  - unabled to connect to the ldap
javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090DE6, comment: TLS or SSL already in effect, data 0, v1772^@]; remaining name ''

Any idea what this means? And for those of you who are using Grouper to connect to AD over SSL, how did you set up the certificates to be trusted by Grouper?

Thanks
-Rob

--
Robert W. Gorrell
Middleware Engineer, Identity and Access Management
University of NC at Greensboro
336-334-5954
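An added example, not Grouper's code and not part of the post above: the second error, LDAP result code 1 with the comment "TLS or SSL already in effect", is what Active Directory returns when a StartTLS request arrives on a connection that is already LDAPS (port 636), so the URL scheme and the StartTLS setting have to be checked together, along with the hostname the certificate must match. The property names (ldap.personLdap.url / .tls) and the sample values are assumptions constructed for this example.

```python
# Added example, not Grouper's code; property names and sample values are assumed.
import ipaddress
from urllib.parse import urlsplit

SAMPLE_CONFIG = """\
# constructed loader-properties fragment reproducing the second error
ldap.personLdap.url = ldaps://dc1.ad.example.edu:636
ldap.personLdap.tls = true
"""

def parse_properties(text):
    """Parse 'key = value' lines, skipping blank lines and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_ldap_tls(props, prefix="ldap.personLdap"):
    """Return the problems found in the URL / StartTLS / hostname combination."""
    findings = []
    url = urlsplit(props.get(f"{prefix}.url", ""))
    start_tls = props.get(f"{prefix}.tls", "false").lower() == "true"
    host = url.hostname or ""
    port = url.port or (636 if url.scheme == "ldaps" else 389)
    if url.scheme == "ldaps" and start_tls:
        # The socket is already encrypted by LDAPS; a StartTLS extended request
        # on top of it is what AD answers with error code 1, "TLS or SSL already in effect".
        findings.append("ldaps URL with StartTLS enabled: set tls=false, the socket is already encrypted")
    if url.scheme == "ldap" and not start_tls:
        findings.append("plain ldap URL without StartTLS: bind credentials and group data travel in cleartext")
    if (url.scheme == "ldaps" and port == 389) or (url.scheme == "ldap" and port == 636):
        findings.append(f"scheme {url.scheme} does not match port {port}")
    try:
        ipaddress.ip_address(host)
        findings.append("host is an IP literal: hostname verification needs the DNS name present in the certificate")
    except ValueError:
        pass  # a DNS name, as expected
    return findings

def lint(text):
    return check_ldap_tls(parse_properties(text))

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```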
