Active Directory ldaps authentication

Michael O Holstein michael.holstein at
Mon Aug 3 13:37:22 EDT 2015

>Well, if it didn't work then you didn't provide the IdP with a valid trust root. The IdP keystore has 
>nothing to do with this process and you should never, ever modify the Java root store (it should be >emptied out actually, if you want a truly secure system that you actually control the behavior of).

As I understood his question, he's not talking about the business of authenticating *peers* inside the IDP, he's getting the error from the ldaptive library because the self-signed cert that AD servers generate for their LDAPS isn't understood by the java crypto API. 

I suppose you could invoke Tomcat (or Jetty) with an explicit keystore that wasn't the generic system root (meaning it'd only use it for that process) and that keystore could be the same as the IDP .. but I've never seen such a think suggested outside manually declaring a keystore just to sort our this kind of problem (eg: is it the Oracle one I'm using? or the OpenJDK one?, or the Debian one? ...)

What you probably want to tack onto your $CATALINA_OPTS is something like this : (*)

IMHO there is a good way around this problem .. if you have multiple AD servers you can use something like ha-proxy with a 20year self-signed cert out the front and the -ignore option out the back .. so you don't have to fuss with it every year. Of course there are other ways, but that is the cheap one.


Michael Holstein
Cleveland State University

(*) :

More information about the users mailing list