Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Re: dealing with grouper, certificates, and connecting to sldap

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Re: dealing with grouper, certificates, and connecting to sldap

Chronological Thread 
  • From: David Langenberg <>
  • To: Rob Gorrell <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] Re: dealing with grouper, certificates, and connecting to sldap
  • Date: Mon, 22 Jul 2013 09:19:12 -0600

From the looks of that error, it seems your problem isn't with the TLS part, but rather something like you're telling it to use STARTTLS while speaking to AD over SSL.  In other words, ensure if your ldapUrl is ldaps://  that later on you're not setting 



On Mon, Jul 22, 2013 at 9:02 AM, Rob Gorrell <> wrote:
i'm still not able to get the SSL ldap connection working through grouper loader. I've got both the domain's CA and the ldap server's authentication certificate (consequently signed by the domain CA) in Java's keystore (/etc/pki/java/cacerts).

since this is new ground for me, i wanted to make sure the certs and the keystore was working properly, so I borrowed a sample java program from oracle that connects to ldap over ssl thus requiring use of the same keystore. Running the program on the grouper server, it works. To prove my point, I backed the two certificates out of the keystore I had added and ran again, this time I received the expected "unable to find valid certification path to requested target" error (same java error grouper gives me on the original java keystore). so my confidence i have the keystore setup correctly with the appropriate certs is there.

but when I put back in place the keystore with my added certs, the one that works on the same java ssl program, grouper is still returning:
[main] ERROR DefaultLdapFactory.create(109) -  - unabled to connect to the ldap
javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090DE6, comment: TLS or SSL already in effect, data 0, v1772]; remaining name ''

any suggestions? is there anyone out there using grouper to connect over SSL to an Active Directory LDAP source thats had to deal with this before? what does "TLS or SSL already in effect" possibly mean?


Robert W. Gorrell
Middleware Engineer, Identity and Access Management
University of NC at Greensboro

David Langenberg
Identity & Access Management
The University of Chicago

Archive powered by MHonArc 2.6.16.

Top of Page