Thread: External Authentication with Active Directory via LDAPS

  1. #1

    External Authentication with Active Directory via LDAPS

    I've got external authentication working against our Active Directory controllers. I would now like to use LDAPS for secure LDAP connections to the AD servers.

    We're using Windows Server 2003 Enterprise Edition. We have a CA that automatically generates certificates for Windows machines that join the domain so that they may speak LDAPS. I have exported what I believe is the CA's root certificate, and I'm trying to find where to tell Zimbra to use it, so that external authentication can use LDAPS when interrogating the AD.

    I've modified /etc/ldap.conf, /etc/openldap/ldap.conf, and /opt/zimbra/openldap/etc/openldap/ldap.conf to add the following:
    TLS_REQCERT never
    I've also tried adding the full path to the CA certificate to each of the files above.

    Finally, I've tried to add the certificate to the Java keystore:
    /opt/zimbra/java/bin/keytool -import -alias OURCA -keystore /opt/zimbra/java/jre/lib/security/cacerts -import -trustcacerts -file /opt/zimbra/conf/CA.crt
    When testing SSL LDAP from Zimbra, I get the following message:

    Authentication test failed
    Server message:
    SSL connect problem, most likely untrusted certificate
    javax.naming.CommunicationException: simple bind failed: [Root exception is PKIX path building failed: xception: unable to find valid certification path to requested target]
    From a command line, I can initiate LDAPS connections using ldapsearch:
     ldapsearch -x -v -H ldaps:// -b 'ou=Users,dc=example,dc=com' -D '' -W
    What am I missing, in order to get Zimbra to speak LDAPS to our Active Directory controllers for external authentication? None of the wiki pages seem to address this configuration.

    Thanks in advance!

  2. #2

    CA Validation

    It looks like you need to import the root CA of the server you are connecting to into your Java certificate store. If this is a self-signed certificate, you need to import that certificate; otherwise you need the certificate of the signing authority. I believe keytool will allow you to do this, but I don't know the command syntax off-hand.
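
The import the reply describes, as an added example that is not part of the original thread: it first checks that the exported CA file really verifies the certificate the AD controller serves on port 636, then imports it into the JVM trust store with keytool. The host name, the alias, the paths reused from the first post and the store password `changeit` (the JDK default for cacerts) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: host name, paths and alias are placeholders (assumptions).
# TLS_REQCERT in ldap.conf is read only by OpenLDAP client tools such as
# ldapsearch. Java's JNDI LDAP client validates the server certificate against
# the JVM trust store (cacerts), so the CA has to be present there.

# Save every certificate the LDAPS server presents (leaf first) to OUT.pem.
fetch_chain() {  # usage: fetch_chain HOST PORT OUT.pem
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$3"
  [ -s "$3" ]
}

# Succeed only if the first certificate in CHAIN.pem verifies against CA.crt.
# The same file is passed as -untrusted so that any intermediates the server
# sent can be used to build the path.
chains_to_ca() {  # usage: chains_to_ca CHAIN.pem CA.crt
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Import the CA into a Java trust store, then confirm the alias is listed.
import_ca() {  # usage: import_ca CA.crt KEYSTORE ALIAS [STOREPASS]
  pass="${4:-changeit}"   # "changeit" is the JDK default for cacerts
  keytool -import -noprompt -trustcacerts -alias "$3" -file "$1" \
    -keystore "$2" -storepass "$pass" &&
  keytool -list -alias "$3" -keystore "$2" -storepass "$pass"
}

# Runs only when called with arguments, e.g.:
#   ./trust-ad-ca.sh dc1.example.com /opt/zimbra/conf/CA.crt \
#       /opt/zimbra/java/jre/lib/security/cacerts OURCA
if [ "$#" -ge 4 ]; then
  chain=$(mktemp)
  fetch_chain "$1" 636 "$chain" || { echo "no certificate from $1:636" >&2; exit 1; }
  if chains_to_ca "$chain" "$2"; then
    import_ca "$2" "$3" "$4"
  else
    echo "$2 does not verify the certificate served by $1; export the issuing CA" >&2
    exit 1
  fi
fi
```

The running JVM does not pick up the new trust store entry until the Java service is restarted.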
