
Subject: Grouper Users - Open Discussion List


[grouper-users] LDAP over SSL error - CertificateException


  • From: Al Lilianstrom <>
  • To: " Mailing List" <>
  • Subject: [grouper-users] LDAP over SSL error - CertificateException
  • Date: Mon, 15 Feb 2021 14:21:06 +0000

New to grouper. Running 2.5.41 in one container. Postgres and Shibboleth in
separate containers. ADLDS over plain LDAP for the subject database.

All good.

Adding an AD domain over SSL to grouper. Trying to use the domain name for the
connection as we do with other apps.

From grouper-loader.properties

ldap.fsLdap.configFileFromClasspath = ldap.fsLdap.properties
ldap.fsLdap.user = CN=dirm,OU=FSA,DC=fs,DC=fnal,DC=gov
ldap.fsLdap.pass = NotIt

ldap.fsLdap.properties

org.ldaptive.ldapUrl=ldaps://fs.fnal.gov/
org.ldaptive.useStartTLS=false
org.ldaptive.useSSL=true
org.ldaptive.credentialConfig=org.ldaptive.ssl.KeyStoreCredentialConfig{{trustStore=file:/opt/grouper/grouperWebapp/WEB-INF/classes/fs.ks}{trustStorePassword=NotIt}}

Getting the following error in the web interface when testing the connection
(under Miscellaneous | External systems)

CertificateException: Hostname '[fs.fnal.gov]' does not match the hostname in
the server's certificate ''

The domain name is in the certificate as a Subject Alternative Name

DNS Name=DC1.fs.fnal.gov
DNS Name=fs.fnal.gov
DNS Name=FS

If I disable SSL the test is successful. Or if I switch to a single DC.

org.ldaptive.ldapUrl=ldaps://dc1.fs.fnal.gov/
org.ldaptive.useStartTLS=false
org.ldaptive.useSSL=true
org.ldaptive.credentialConfig=org.ldaptive.ssl.KeyStoreCredentialConfig{{trustStore=file:/opt/grouper/grouperWebapp/WEB-INF/classes/fs.ks}{trustStorePassword=NotIt}}

Any thoughts on getting this to work?


--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov
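The error in the post is a TLS hostname-verification failure: the verifier compares the host name from the ldaps:// URL against the dNSName entries in the server certificate's Subject Alternative Name. When one DNS name fronts several domain controllers, each connection can land on a different DC, and every DC's certificate must list the pool name for the check to pass. The following is an added example, not code from the post or from Grouper or ldaptive; it reimplements the SAN matching rules in Python and uses it to audit a pool. The certificate dictionaries are constructed in the shape returned by `ssl.SSLSocket.getpeercert()`: DC1 mirrors the SAN list quoted in the post, while DC2 is a hypothetical second controller whose certificate lacks the alias.

```python
"""Hostname-verification check for an LDAPS pool fronted by one DNS name.

Added example, not code from the original post or from Grouper/ldaptive.
It reproduces the dNSName Subject Alternative Name (SAN) matching that a
TLS hostname verifier applies, so an operator can confirm that every
domain controller behind a round-robin name presents a certificate that
covers that name before enabling LDAPS.
"""

# Constructed sample certificates in the shape returned by
# ssl.SSLSocket.getpeercert(). DC1 mirrors the SAN list from the post;
# DC2 is a hypothetical second controller whose certificate lacks the
# pool alias, which is one way a connection via the pool name can fail.
CERT_DC1 = {
    "subject": ((("commonName", "DC1.fs.fnal.gov"),),),
    "subjectAltName": (
        ("DNS", "DC1.fs.fnal.gov"),
        ("DNS", "fs.fnal.gov"),
        ("DNS", "FS"),
    ),
}
CERT_DC2 = {
    "subject": ((("commonName", "DC2.fs.fnal.gov"),),),
    "subjectAltName": (
        ("DNS", "DC2.fs.fnal.gov"),
        ("DNS", "FS"),
    ),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one SAN dNSName against the requested host name.

    Rules follow RFC 6125 section 6.4.3: comparison is case-insensitive,
    a trailing dot is ignored, and a wildcard is accepted only as the
    entire left-most label with at least two labels to its right.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # partial-label or over-broad wildcards are rejected
    if len(p_labels) != len(h_labels):
        return False  # '*' matches exactly one label, never several
    return p_labels[1:] == h_labels[1:]


def san_dns_names(cert: dict) -> list:
    """Return the dNSName entries of the certificate's SAN extension."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname: str, cert: dict) -> bool:
    """True if any SAN dNSName covers hostname.

    When a SAN extension is present the subject CN is not consulted; that
    is how current Java and OpenSSL verifiers behave, so a name that
    appears only in the CN does not count.
    """
    return any(dns_name_matches(name, hostname) for name in san_dns_names(cert))


def audit_pool(pool_name: str, certs_by_dc: dict) -> list:
    """Return the DCs whose certificate does not cover the pool name.

    certs_by_dc maps a DC label to the certificate it presented; an empty
    result means the pool name can be used in the ldaps:// URL against
    every member of the pool.
    """
    return sorted(dc for dc, cert in certs_by_dc.items() if not hostname_matches(pool_name, cert))


if __name__ == "__main__":
    pool = {"DC1": CERT_DC1, "DC2": CERT_DC2}
    print("DCs not covering fs.fnal.gov:", audit_pool("fs.fnal.gov", pool))
```

To collect the real SAN list from each controller rather than the constructed ones above, connect to each DC by its own address while sending the pool name as the SNI value, for example `openssl s_client -connect DC1.fs.fnal.gov:636 -servername fs.fnal.gov </dev/null | openssl x509 -noout -ext subjectAltName`, and feed the names into `audit_pool`. Any DC the audit reports needs a certificate that includes the alias (or the URL has to name the DCs individually); loosening or disabling verification in the ldaptive configuration leaves the directory bind exposed to interception.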
