
grouper-users - [grouper-users] Re: dealing with grouper, certificates, and connecting to sldap

Subject: Grouper Users - Open Discussion List

  • From: Rob Gorrell <>
  • To:
  • Subject: [grouper-users] Re: dealing with grouper, certificates, and connecting to sldap
  • Date: Mon, 22 Jul 2013 11:02:02 -0400

I'm still not able to get the SSL LDAP connection working through Grouper loader. I've got both the domain's CA and the LDAP server's authentication certificate (consequently signed by the domain CA) in Java's keystore (/etc/pki/java/cacerts).

Since this is new ground for me, I wanted to make sure the certs and the keystore were working properly, so I borrowed a sample Java program from Oracle that connects to LDAP over SSL, thus requiring use of the same keystore. Running the program on the Grouper server, it works. To prove my point, I backed the two certificates I had added out of the keystore and ran it again; this time I received the expected "unable to find valid certification path to requested target" error (the same Java error Grouper gives me on the original Java keystore). So my confidence that I have the keystore set up correctly with the appropriate certs is there.

But when I put back in place the keystore with my added certs, the one that works on the same Java SSL program, Grouper is still returning:
[main] ERROR DefaultLdapFactory.create(109) -  - unabled to connect to the ldap
javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090DE6, comment: TLS or SSL already in effect, data 0, v1772]; remaining name ''

Any suggestions? Is there anyone out there using Grouper to connect over SSL to an Active Directory LDAP source that's had to deal with this before? What does "TLS or SSL already in effect" possibly mean?

-Rob

--
Robert W. Gorrell
Middleware Engineer, Identity and Access Management
University of NC at Greensboro
336-334-5954


