Active Directory ldaps authentication

Michael O Holstein michael.holstein at
Mon Aug 3 12:38:18 EDT 2015

Try this:

keytool -import -file /my/ad.crt -trustcacerts -alias myad -keystore $JAVA_HOME/jre/lib/security/cacerts

Michael Holstein
Cleveland State University

From: users <users-bounces at> on behalf of Mr. Christopher Bland <chris at>
Sent: Monday, August 3, 2015 12:11 PM
To: Shib Users
Cc: Mr. Danovan Delray Golding
Subject: Active Directory ldaps authentication

Hi All,

I am sure someone has figured this out but I seem to be missing something. We are in the process of converting to an AD server for authentication. I can do regular unencrypted auth no problem so I know my config is ok. I can also do ldapsearch using ldaps by ignoring the cert using "TLS_REQCERT never". I keep getting "PKIX path building failed". I know from a previous post it is a problem with tracing my cert back to a CA. I have tried sslSocketFactory="{trustCertificates=file:path_to_AD_CA_cert}" in my login.config file. I also tried adding the cert to my IDP keystore. Neither has worked for me. When I use openssl to get the AD ldap server cert I noticed that it is the CA cert. The subject is blank and the issuer is my AD CA server.

Do I need a different cert?  Am I missing something in my config?

Thank you in advance,
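The thread boils down to a trust-chain diagnosis: see which certificate the LDAPS server actually presents, check whether it is self-signed or whether the chain builds to your AD CA, and then make the JVM trust that CA. The script below is an added example written for this page, not code from either poster or from the Shibboleth project. It assumes openssl and keytool are on PATH and uses placeholder host names, paths and a placeholder truststore password; the only thing it changes on the system is a dedicated truststore file, which is preferable to editing the JVM-wide `cacerts` because that file is replaced on every JVM upgrade.

```shell
#!/bin/sh
# Added example for this thread (not the posters' code). Assumes openssl and
# keytool are installed; ad.example.com, file paths and the password are placeholders.

# Split a PEM bundle (e.g. the output of "openssl s_client -showcerts") into
# one file per certificate under $2. Prints the number of certificates written.
split_chain() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { close(f); inside = 0 }
        END { print n + 0 }
    ' "$bundle"
}

# Capture the chain the LDAPS server presents (certificate order as sent).
fetch_chain() {
    host="$1"; port="${2:-636}"; out="$3"
    openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null >"$out"
}

# True when subject == issuer, i.e. the server is handing out a self-signed
# (typically CA) certificate rather than a server certificate issued by the CA.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

# Does the presented leaf build a path to the CA we intend to trust? This is the
# same check the JVM performs when it reports "PKIX path building failed".
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# JVM properties that point Java at a dedicated truststore instead of cacerts.
jvm_trust_flags() {
    printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s\n' "$1" "$2"
}

# Import the CA certificate into a dedicated truststore (created if missing).
import_ca() {
    cacert="$1"; store="$2"; pass="$3"
    keytool -importcert -noprompt -trustcacerts -alias ad-ca \
        -file "$cacert" -keystore "$store" -storepass "$pass"
}

main() {
    host="${1:-ad.example.com}"          # placeholder AD domain controller
    cacert="${2:-/etc/pki/ad-root-ca.pem}" # placeholder path to the exported AD CA cert
    store="${3:-/opt/shibboleth-idp/credentials/ldaps-truststore.jks}"
    pass="${4:-changeit-placeholder}"
    work=$(mktemp -d)

    fetch_chain "$host" 636 "$work/chain.txt"
    count=$(split_chain "$work/chain.txt" "$work/certs")
    echo "server presented $count certificate(s)"

    leaf="$work/certs/cert01.pem"
    if is_self_signed "$leaf"; then
        echo "WARNING: presented certificate is self-signed; the DC may be serving its CA cert instead of a server cert"
    fi
    if verify_against_ca "$cacert" "$leaf"; then
        echo "chain verifies against $cacert; importing into $store"
        import_ca "$cacert" "$store" "$pass"
        echo "add to the IdP JVM options: $(jvm_trust_flags "$store" "$pass")"
    else
        echo "chain does NOT verify against $cacert: export the CA that actually issued the server cert before trusting anything"
    fi
    rm -rf "$work"
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh ldaps-trust.sh ad.example.com /path/to/ad-root-ca.pem /path/to/truststore.jks 'password'`. The `verify_against_ca` step is the important one: importing a certificate that does not actually issue the server's certificate, which is what the "subject is blank, issuer is the AD CA" observation suggests may be happening, will not make the PKIX error go away, so confirm the chain with openssl first and fix the server side if the domain controller is not presenting a proper server certificate.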
