
grouper-users - [grouper-users] Active Directory, LDAPS, and Grouper (docker based config)

[grouper-users] Active Directory, LDAPS, and Grouper (docker based config)

  • From: "David Mak" <>
  • To:
  • Subject: [grouper-users] Active Directory, LDAPS, and Grouper (docker based config)
  • Date: Mon, 11 Sep 2023 14:44:26 +0000


In need of some advice on configuring Grouper 4.1.6 running in a Docker
environment with an External systems configuration to connect to an Active
Directory server.

The server is configured with a self-signed SSL certificate/CA cert and is
extracted via the following command:
openssl s_client -connect -showcerts 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

Configured in our Dockerfile with something along the lines of:

RUN openssl s_client -connect -showcerts 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/
RUN keytool -importcert -trustcacerts -cacerts -noprompt -storepass changeit -file /tmp/AD_Server.crt -alias AD_Server

Connecting to the resultant container, with a bash shell, shows that the
certificate chain was successfully added as verified with "keytool list", but
attempts to test the connection from the Grouper UI result in:

Caused by:
matchedDn=null, responseControls=null, referralURLs=null, messageId=-1,
message=javax.naming.CommunicationException: simple bind failed: [Root exception is
Connection or outbound has closed],
providerException=javax.naming.CommunicationException: simple bind failed: [Root exception is
Connection or outbound has closed]]

And indeed, a TCPDump on the host running docker shows the connection is
closed due to an SSL handshake issue:
4 0.010043 MYHOSTIP ADHOSTIP TLSv1.2 560 Client
5 0.028978 ADHOSTIP MYHOSTIP TLSv1.2 4381 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
7 0.030552 MYHOSTIP ADHOSTIP TLSv1.2 73 Alert (Level: Fatal, Description: Certificate Unknown)
60236 → 636 [FIN, ACK] Seq=502 Ack=4316 Win=64128 Len=0 TSval=3083478926

1) Is it the cacerts file in the JDK that I should be installing the certs
into? I even tried manually separating the certs into two files (openssl
returns two) and using two separate Docker COPY commands to put them into
separate files, and importing them with unique aliases using two different RUN
keytool commands, but get the same tcpdump behavior.
2) Is there documentation on connecting Grouper external systems with "custom"
configurations such as self-signed certs, etc?

Thanks in advance for any advice.
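A set of checks for the steps described in the post above, added here as an example and not code from the original post or from the Grouper project: it splits the extracted chain into one file per certificate, shows which cacerts file "keytool -cacerts" actually targets, confirms the alias is present, and tests the LDAPS handshake against the extracted CA file with openssl alone. The host, port, file paths and alias are assumed placeholders, and the sample bundle at the end is constructed, not a real certificate.

```shell
#!/usr/bin/env bash
# Added diagnostic helpers, not from the original post. Assumes openssl, keytool,
# awk and java on PATH; host, port, file paths and the alias are placeholders.
set -u

# Split a PEM bundle (the output of the sed pipeline in the post) into one file
# per certificate, cert-1.pem, cert-2.pem, ... under $2, and print the count.
split_pem_chain() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-BEGIN CERTIFICATE-/ { n++; file = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > file }
        /-END CERTIFICATE-/  { inside = 0; close(file) }
        END { print n + 0 }
    ' "$bundle"
}

# Which cacerts file "keytool -cacerts" writes to: the one belonging to the
# java binary first on PATH. Compare this with the JVM that actually runs Grouper.
jvm_cacerts_path() {
    java_bin="$(command -v java)" || return 1
    java_home="$(dirname "$(dirname "$(readlink -f "$java_bin")")")"
    printf '%s/lib/security/cacerts\n' "$java_home"
}

# True if the given alias is present in that trust store (default store password).
cacerts_has_alias() {
    keytool -list -cacerts -storepass changeit -alias "$1" >/dev/null 2>&1
}

# Handshake against the LDAPS port using only the extracted CA file; prints the
# openssl verify result ("0 (ok)" means the chain is trusted as imported).
# If this fails, the JVM's "Certificate Unknown" alert is expected as well.
check_ldaps_trust() {
    host="$1"; port="${2:-636}"; cafile="$3"
    openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$cafile" \
        </dev/null 2>/dev/null | sed -ne 's/^ *Verify return code: //p'
}
# Constructed sample bundle: two placeholder blocks in PEM shape, not real certs.
SAMPLE_BUNDLE="$(mktemp)"
cat > "$SAMPLE_BUNDLE" <<'EOF'
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CAPLACEHOLDER
-----END CERTIFICATE-----
EOF
```

If check_ldaps_trust reports "0 (ok)" but the JVM still sends Certificate Unknown, the likely explanation is that the JVM running Grouper reads a different trust store than the one jvm_cacerts_path reports for the build-time keytool.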
