Active Directory ldaps authentication

Cantor, Scott cantor.2 at osu.edu
Mon Aug 3 13:07:31 EDT 2015


On 8/3/15, 12:11 PM, "users on behalf of Mr. Christopher Bland" <users-bounces at shibboleth.net on behalf of chris at fdu.edu> wrote:
>
>I am sure someone has figured this out but I seem to be missing something.  We are in the process of converting to an AD server for authentication.  I can do regular unencrypted auth no problem so I know my config is ok.  I can also do ldapsearch using ldaps by ignoring the cert using "TLS_REQCERT never".  I keep getting "PKIX path building failed".  I know from a previous post it is a problem with tracing my cert back to a CA.  I have tried sslSocketFactory="{trustCertificates=file:path_to_AD_CA_cert}" in my login.config file.  I also tried adding the cert to my IdP keystore.  Neither has worked for me.  When I use openssl to get the AD ldap server cert I noticed that it is the CA cert.  The subject is blank and the issuer is my AD CA server.

Well, if it didn't work then you didn't provide the IdP with a valid trust root. The IdP keystore has nothing to do with this process and you should never, ever modify the Java root store (it should be emptied out actually, if you want a truly secure system that you actually control the behavior of).

openssl s_client -showcerts will dump the entire chain the LDAP port sends. Once you have that you can determine what the EE cert is and where it chains to.

As a test you can always install the EE cert as the trusted certificate for the IdP so it chains to itself. Once that works, you can try bumping it up to the CA being used.

-- Scott
