I've got external authentication working against our Active Directory controllers. I would now like to use LDAPS for secure LDAP connections to the AD servers.
We're using Windows Server 2003 Enterprise Edition. We have a CA that automatically generates certificates for Windows machines that join the domain so that they may speak LDAPS. I have exported what I believe is the CA's root certificate, and I'm trying to find where to tell Zimbra to use it, so that external authentication can use LDAPS when interrogating the AD.
I've modified /etc/ldap.conf, /etc/openldap/ldap.conf, and /opt/zimbra/openldap/etc/openldap/ldap.conf to add the following:
I've also tried adding the full path to the CA certificate to each of the files above.
Finally, I've tried to add the certificate to the Java keystore:
Code:
/opt/zimbra/java/bin/keytool -import -alias OURCA -keystore /opt/zimbra/java/jre/lib/security/cacerts -import -trustcacerts -file /opt/zimbra/conf/CA.crt
When testing SSL LDAP from Zimbra, I get the following message:
Quote:
Authentication test failed
Server message:
SSL connect problem, most likely untrusted certificate
Quote:
javax.naming.CommunicationException: simple bind failed: ad2.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at com.zimbra.cs.account.ldap.LdapUtil.ldapAuthenticate(LdapUtil.java:256)
at com.zimbra.cs.account.ldap.Check.checkAuthConfig(Check.java:160)
at com.zimbra.cs.service.admin.CheckAuthConfig.handle(CheckAuthConfig.java:53)
at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:270)
at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:168)
at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:90)
at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:223)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:162)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:667)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:390)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192)
... 35 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
at sun.security.validator.Validator.validate(Validator.java:203)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
... 47 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
... 52 more
From a command line, I can initiate LDAPS connections using ldapsearch:
Code:
ldapsearch -x -v -H ldaps://ad1.example.com -b 'ou=Users,dc=example,dc=com' -D 'merrill@example.com' -W
What am I missing in order to get Zimbra to speak LDAPS to our Active Directory controllers for external authentication? None of the wiki pages seem to address this configuration.
Thanks in advance!
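The trace above fails inside the JVM's own PKIX validation, so the question is whether the keystore that keytool wrote to actually contains the issuer of the certificate ad2.example.com presents. The following diagnostic is an added example, not Zimbra code or anything from the original post: it repeats the TLS handshake with that same cacerts file, prints the chain the server sends beside the issuers the keystore trusts, and still rejects an untrusted chain (it wraps the default trust manager rather than replacing it). The cacerts password "changeit" and the requirement of Java 7 or later are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added diagnostic: shows why "PKIX path building failed" against the Zimbra JRE keystore. */
public class LdapsTrustCheck {
    // Keystore path from the post; "changeit" is the JRE's stock cacerts password (assumption).
    static final String TRUSTSTORE = "/opt/zimbra/java/jre/lib/security/cacerts";
    static final char[] PASSWORD = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "ad2.example.com"; // host from the stack trace
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(TRUSTSTORE)) { ks.load(in, PASSWORD); }
        System.out.println("alias OURCA present in keystore: " + ks.containsAlias("ourca"));

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        final X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];

        // Logging wrapper: prints the chain, then delegates, so untrusted servers are still refused.
        X509TrustManager logging = new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
                real.checkClientTrusted(c, a);
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                for (X509Certificate c : chain) {
                    System.out.println("server sent: " + c.getSubjectX500Principal()
                            + "\n   issued by: " + c.getIssuerX500Principal());
                }
                X509Certificate top = chain[chain.length - 1];
                boolean issuerKnown = false;
                for (X509Certificate ca : real.getAcceptedIssuers()) {
                    if (ca.getSubjectX500Principal().equals(top.getIssuerX500Principal())) issuerKnown = true;
                }
                System.out.println("issuer of top-most server cert is in keystore: " + issuerKnown);
                real.checkServerTrusted(chain, authType); // genuine PKIX validation, unchanged
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { logging }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 636)) {
            s.startHandshake();
            System.out.println("handshake OK: " + TRUSTSTORE + " trusts " + host);
        }
    }
}
```

If "issuer of top-most server cert is in keystore" prints false, the exported file is not the CA that signed the domain controller's certificate (an intermediate or the wrong root), and re-importing the same file will not help; run it with the JVM under /opt/zimbra/java so it reads the same cacerts Zimbra does.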