Thread: External Authentication with Active Directory via LDAPS

  1. #1

    External Authentication with Active Directory via LDAPS

    I've got external authentication working against our Active Directory controllers. I would now like to use LDAPS for secure LDAP connections to the AD servers.

    We're using Windows Server 2003 Enterprise Edition. We have a CA that automatically generates certificates for Windows machines that join the domain so that they may speak LDAPS. I have exported what I believe is the CA's root certificate, and I'm trying to find where to tell Zimbra to use it, so that external authentication can use LDAPS when interrogating the AD.

    I've modified /etc/ldap.conf, /etc/openldap/ldap.conf, and /opt/zimbra/openldap/etc/openldap/ldap.conf to add the following:
    Code:
    TLS_REQCERT never
    I've also tried adding the full path to the CA certificate to each of the files above.

    Finally, I've tried to add the certificate to the Java keystore:
    Code:
    /opt/zimbra/java/bin/keytool -import -alias OURCA -keystore /opt/zimbra/java/jre/lib/security/cacerts -trustcacerts -file /opt/zimbra/conf/CA.crt
    When testing SSL LDAP from Zimbra, I get the following message:

    Authentication test failed
    Server message:
    SSL connect problem, most likely untrusted certificate
    javax.naming.CommunicationException: simple bind failed: ad2.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
    at com.zimbra.cs.account.ldap.LdapUtil.ldapAuthenticate(LdapUtil.java:256)
    at com.zimbra.cs.account.ldap.Check.checkAuthConfig(Check.java:160)
    at com.zimbra.cs.service.admin.CheckAuthConfig.handle(CheckAuthConfig.java:53)
    at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:270)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:168)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:90)
    at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:223)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
    at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:162)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:667)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:390)
    at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192)
    ... 35 more
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
    at sun.security.validator.Validator.validate(Validator.java:203)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
    ... 47 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
    ... 52 more
    From a command line, I can initiate LDAPS connections using ldapsearch:
    Code:
     ldapsearch -x -v -H ldaps://ad1.example.com -b 'ou=Users,dc=example,dc=com' -D 'merrill@example.com' -W
    What am I missing, in order to get Zimbra to speak LDAPS to our Active Directory controllers for external authentication? None of the wiki pages seem to address this configuration.

    Thanks in advance!

  2. #2

    CA Validation

    It looks like you need to import the root CA of the server you are connecting to into your Java certificate store. If this is a self-signed certificate, you need to import that certificate; otherwise you need the certificate of the signing authority. I believe keytool will allow you to do this, but I don't know the command syntax off-hand.
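An added check that is not code from either post or from Zimbra. Two things in the first post point at where the problem sits: TLS_REQCERT in the OpenLDAP ldap.conf files only governs OpenLDAP clients such as ldapsearch, which is why that command succeeds, while the stack trace (javax.net.ssl, sun.security.validator.PKIXValidator) comes from the JVM's own trust store. So the file exported as /opt/zimbra/conf/CA.crt must really be the issuer of the controller's certificate, and the import must land in the cacerts file the Zimbra JVM reads. The script below builds a throwaway CA and server certificate with openssl so it runs offline (all paths, keys and names are constructed; ad2.example.com is reused from the post as a label only), shows what openssl verify reports with the right and the wrong CA file, and, when a keytool is on PATH, the import-and-list round trip to repeat against the real keystore.

```shell
#!/bin/sh
# Added example, not from the thread or from Zimbra. Builds a throwaway PKI
# with openssl (constructed names, scratch paths) and runs the two checks
# worth doing before touching the real keystore: does the CA file actually
# issue the server certificate, and does the Java-side import land.
set -eu

WORK="${TMPDIR:-/tmp}/ldaps-ca-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so req never depends on a system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_test_pki: "goodca" signs the server certificate; "wrongca" is an
# unrelated root standing in for an exported file that is not the issuer.
make_test_pki() {
    for ca in goodca wrongca; do
        openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca \
            -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca constructed" \
            -keyout "$WORK/$ca.key" -out "$WORK/$ca.crt" 2>/dev/null
    done
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=ad2.example.com" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/goodca.crt" -CAkey "$WORK/goodca.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
}

# verify_against_ca CAFILE CERT: prints "ok" when CAFILE builds a valid path
# to CERT, "untrusted" otherwise (the openssl counterpart of the PKIX
# "unable to find valid certification path" error in the stack trace).
verify_against_ca() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
    fi
}

# issuer_matches CAFILE CERT: compares CERT's issuer DN with CAFILE's subject
# DN; "mismatch" means the file exported from the CA is not the signer.
issuer_matches() {
    ca_subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    srv_iss=$(openssl x509 -noout -issuer -in "$2" | sed 's/^issuer= *//')
    [ "$ca_subj" = "$srv_iss" ] && echo match || echo mismatch
}

# keytool_roundtrip CAFILE: imports CAFILE into a scratch keystore and lists
# the alias back. Against Zimbra the -keystore argument would be the JRE's
# cacerts file; -importcert is the newer spelling of -import.
keytool_roundtrip() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH, skipped"; return 0; }
    keytool -importcert -noprompt -trustcacerts -alias testca \
        -keystore "$WORK/scratch.jks" -storepass changeit -file "$1" >/dev/null 2>&1
    keytool -list -keystore "$WORK/scratch.jks" -storepass changeit -alias testca
}

if command -v openssl >/dev/null 2>&1; then
    make_test_pki
    echo "right CA file : $(verify_against_ca "$WORK/goodca.crt" "$WORK/server.crt")"   # ok
    echo "wrong CA file : $(verify_against_ca "$WORK/wrongca.crt" "$WORK/server.crt")"  # untrusted
    echo "issuer check  : $(issuer_matches "$WORK/wrongca.crt" "$WORK/server.crt")"     # mismatch
    keytool_roundtrip "$WORK/goodca.crt"
fi
```

To run the same check against the real controller, save the certificate it presents (openssl s_client -connect ad2.example.com:636 -showcerts prints the chain) to a file and call verify_against_ca with CA.crt. If that reports untrusted and issuer_matches reports mismatch, the exported file is not the signing CA; a domain CA is often a subordinate, in which case the intermediate certificate has to be imported alongside the root. Once keytool reports the alias in /opt/zimbra/java/jre/lib/security/cacerts, the JVM only picks the new trust anchor up after Zimbra is restarted, so rerun the authentication test after that, not before.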
