Active Directory ldaps authentication

Cantor, Scott cantor.2 at
Mon Aug 3 13:40:22 EDT 2015

On 8/3/15, 1:37 PM, "users on behalf of Michael O Holstein" <users-bounces at on behalf of michael.holstein at> wrote:
>As I understood his question, he's not talking about the business of authenticating *peers* inside the IDP, he's getting the error from the ldaptive library because the self-signed cert that AD servers generate for their LDAPS isn't understood by the java crypto API. 

Yes, that was my understanding.

>I suppose you could invoke Tomcat (or Jetty) with an explicit keystore that wasn't the generic system root (meaning it'd only use it for that process) and that keystore could be the same as the IDP .. but I've never seen such a thing suggested outside manually declaring a keystore just to sort out this kind of problem (eg: is it the Oracle one I'm using? or the OpenJDK one?, or the Debian one? ...)

The IdP has no requirement for relying on the Java root store in any capacity.

>IMHO there is a good way around this problem .. if you have multiple AD servers you can use something like ha-proxy with a 20-year self-signed cert out the front and the -ignore option out the back .. so you don't have to fuss with it every year. Of course there are other ways, but that is the cheap one.

Indeed, any server (other than web) should use a long-lived, self-signed certificate.

-- Scott
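The proxy layout Michael sketches above (long-lived self-signed certificate facing the IdP, no verification toward the domain controllers), written out as a constructed HAProxy configuration. This is an added example, not configuration from the thread or from the Shibboleth project; the hostnames, file paths and the 20-year openssl command in the comment are assumptions.

```haproxy
# Constructed example: TLS-terminating LDAPS front for two AD domain controllers.
# The front-end certificate is generated once with a long validity (assumed paths):
#   openssl req -x509 -newkey rsa:2048 -nodes -days 7300 \
#     -subj "/CN=ldap.example.org" -keyout ldaps.key -out ldaps.crt
#   cat ldaps.crt ldaps.key > /etc/haproxy/ldaps.pem
# The IdP is then pointed at ldap.example.org:636 and given ldaps.crt as its
# explicit trust anchor, so the Java root store is never consulted.

global
    log /dev/log local0
    ssl-default-bind-options no-sslv3

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client 1m
    timeout server 1m

frontend ldaps_in
    # Clients (the IdP) see only this certificate; it is the one that gets pinned.
    bind *:636 ssl crt /etc/haproxy/ldaps.pem
    default_backend ad_ldaps

backend ad_ldaps
    balance roundrobin
    # "verify none" is the "-ignore option out the back": HAProxy encrypts to the
    # DCs but does not authenticate their auto-generated certificates.
    server dc1 dc1.ad.example.org:636 ssl verify none check
    server dc2 dc2.ad.example.org:636 ssl verify none check
```

The trade-off is that `verify none` leaves the proxy-to-DC hop unauthenticated, so this is only reasonable where the proxy and the domain controllers share a network segment you already trust; if that is not the case, export the DC certificates and replace `verify none` with `verify required ca-file <path>` so the proxy pins them instead.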
