Grouper Users - Open Discussion List

[Al Lilianstrom <>]

Hi Chris,

Thanks for the response. I'll ask to join slack channel.

Adding follow didn't change anything but I decided to look at the certs again 
(based on your last comment) as this particular domain is using certs from 
our internal CA rather than a commercial CA. Turns out that the certificate 
issued for to enable smartcard usage also had also had client and server 
authentication enabled on it and no SANs. Once I fixed the template and 
reissued the cert it worked as expected.

Thanks again for the assist.

  al

--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov



________________________________________
From: Hyzer, Chris <>
Sent: Monday, February 15, 2021 8:58 AM
To:  Mailing List; Al Lilianstrom
Subject: Re: LDAP over SSL error - CertificateException

Are you slack to discuss this?  🙂

(ask to join incommon-grouper slack): 
https://incommon.org/help/<https://urldefense.proofpoint.com/v2/url?u=https-3A__incommon.org_help_&d=DwMGaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rQ3TM3NpD_w5d1AUdjZVQrwQeaiqXxT1OGcEz5JhD1U&s=wj3w1Rav8a8hvkC7FwKK-kngPjTm4IAz_wOWSigr9h0&e=>


can you try in grouper-loader.properties (or database config):

ldap.fsLdap.referral = follow

or maybe we need to add all the certs into java as trusted... hmmm
________________________________
From:  
<> on behalf of Al Lilianstrom 
<>
Sent: Monday, February 15, 2021 9:21 AM
To:  Mailing List <>
Subject: [grouper-users] LDAP over SSL error - CertificateException

New to grouper. Running 2.5.41 in one container. Postgres and Shibboleth in 
separate containers. ADLDS over plain LDAP for the subject database.

All good.

Adding a AD domain over SSL to grouper. Trying to use the domain name for the 
connection as we do with other apps.

From grouper-loader.properties

ldap.fsLdap.configFileFromClasspath = ldap.fsLdap.properties
ldap.fsLdap.user = CN=dirm,OU=FSA,DC=fs,DC=fnal,DC=gov
ldap.fsLdap.pass = NotIt

ldap.fsLdap.properties

org.ldaptive.ldapUrl=ldaps://fs.fnal.gov/
org.ldaptive.useStartTLS=false
org.ldaptive.useSSL=true
org.ldaptive.credentialConfig=org.ldaptive.ssl.KeyStoreCredentialConfig{{trustStore=file:/opt/grouper/grouperWebapp/WEB-INF/classes/fs.ks}{trustStorePassword=NotIt}}

Getting the following error in the web interface when testing the connection 
(under Miscellaneous | External systems)

CertificateException: Hostname '[fs.fnal.gov]' does not match the hostname in 
the server's certificate ''

The domain name is in the certificate as a Subject Alternative Name

DNS Name=DC1.fs.fnal.gov
DNS Name=fs.fnal.gov
DNS Name=FS

If I disable SSL the test is successful. Or if I switch to a single DC.

org.ldaptive.ldapUrl=ldaps://dc1.fs.fnal.gov/
org.ldaptive.useStartTLS=false
org.ldaptive.useSSL=true
org.ldaptive.credentialConfig=org.ldaptive.ssl.KeyStoreCredentialConfig{{trustStore=file:/opt/grouper/grouperWebapp/WEB-INF/classes/fs.ks}{trustStorePassword=NotIt}}

Any thoughts on getting this to work?


--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov<http://www.fnal.gov>