Toby,

The issue is that many TLS client libraries expect that the host name used for the connection should either match the subject on the certificate, or a subject alternative name (SAN) on the certificate. In your case, "dev-ldap7-1.usd.edu" does not match "dev-ldap7-1.636.Directory Server.Sun Microsystems". Some libraries let you disable host name verification, which might be OK if this is a development environment, though I'm not sure how you'd do that in this case.
Other options might include:

* Update the certificate on your LDAP service to include a subject or SAN that matches the DNS name used to connect. This is likely the only reasonable option in a production environment.
* If it is a DEV environment, you could try running without TLS and just using port 389, if your DEV LDAP service can be configured that way.

Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College

----- Original Message -----
From: "Toby Archer" <sandsl...@gmail.com>
To: "CAS Community" <cas-user@apereo.org>
Sent: Wednesday, June 28, 2017 3:06:23 PM
Subject: [cas-user] Attempting to connect CAS 5.1 to LDAP and running into cert issues

We are currently running CAS 3.5. It took me all of a few seconds to realize that upgrading, while I suppose it could be an option, is way more effort than just reimplementing it. So I've started work on reimplementing our arrangement with CAS 5.1. I cloned the gradle overlay template repo and got it up and running fairly easily on my local machine. Followed the instructions and made a self-signed keystore and got CAS running over https. So far so good. Then I figured LDAP was next. So far this is my authn configuration:

> cas.authn.accept.users=
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldapUrl=ldap://dev-ldap7-1.usd.edu
> cas.authn.ldap[0].baseDn=o=usd.edu
> cas.authn.ldap[0].userFilter=uid=%u
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].bindDn=cn=Directory Manager
> cas.authn.ldap[0].bindCredential=lols you no see password
>
> cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
> cas.authn.ldap[0].keyStorePassword=changeit
> cas.authn.ldap[0].name=dev-ldap7-1

The first line disables the demo auth service, and the rest is supposed to get LDAP up and running.
But when I do I get:

> Caused by: java.security.cert.CertificateException: Hostname
> '[dev-ldap7-1.usd.edu]' does not match the hostname in the server's
> certificate 'CN=dev-ldap7-1, CN=636, CN=Directory Server, O=Sun
> Microsystems'

This is why I added "cas.authn.ldap[0].name" at the end of the properties list there. I was hoping that that would make it decide the host name would be dev-ldap7-1. But no such luck. Looking over the available properties I can't find anything that helps me. Anyone got any clue on how to fix this?

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0feb6647-e139-43b1-adac-4c9aed32fb8e%40apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1920226957.31222800.1498681826840.JavaMail.zimbra%40lafayette.edu.
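The check Carl describes, worked through on the certificate from the exception above, as an added example that is not part of the thread and is not code from CAS, ldaptive or the JDK. It reduces TLS hostname verification to the RFC 6125 rules that decide this case: dNSName SAN entries are consulted first and, when any are present, the subject CN is ignored; only a certificate with no dNSName SAN falls back to the CN; a wildcard counts only as the whole leftmost label. The DN parser is a simplification (no escaped commas or multi-valued RDNs), the choice of the first CN when several exist is this example's own, and the SAN lists fed to it are constructed for the demonstration. Note what the exception already tells you: the certificate's CN is the short name "dev-ldap7-1", and the connection used the FQDN, so nothing short of a new certificate with a SAN for "dev-ldap7-1.usd.edu" (Carl's first option) makes a strict verifier pass.

```python
"""Hostname verification as a TLS client performs it, reduced to the
RFC 6125 rules that matter for the error in this thread. Added example
(pure Python, no network); not code from CAS, ldaptive or the JDK."""

# The subject DN and connection hostname quoted in the exception above.
THREAD_SUBJECT = "CN=dev-ldap7-1, CN=636, CN=Directory Server, O=Sun Microsystems"
THREAD_HOSTNAME = "dev-ldap7-1.usd.edu"


def parse_dn(dn):
    """Split a textual DN such as 'CN=a, CN=b, O=c' into (attr, value) pairs.
    Simplification for this example: no escaped commas, no multi-valued RDNs."""
    pairs = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def name_matches(pattern, hostname):
    """Case-insensitive comparison of one certificate name with the hostname.
    A wildcard is honoured only as the whole leftmost label and only when at
    least two labels follow it, so '*.usd.edu' is accepted but '*.edu' is not,
    and it never spans more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname, subject_dn, san_dns_names=()):
    """Return (ok, reason). dNSName SAN entries take precedence; the subject CN
    is consulted only when the certificate carries no dNSName SAN at all.
    With several CNs this example uses the first (most specific) one; real
    verifiers differ here, which is one more reason to rely on SANs."""
    if san_dns_names:
        for name in san_dns_names:
            if name_matches(name, hostname):
                return True, "matched SAN dNSName %r" % name
        return False, "no SAN dNSName matched (CN ignored because SANs are present)"
    cns = [v for a, v in parse_dn(subject_dn) if a == "CN"]
    if not cns:
        return False, "certificate has neither a dNSName SAN nor a CN"
    if name_matches(cns[0], hostname):
        return True, "matched subject CN %r" % cns[0]
    return False, "CN %r does not match %r and no SAN present" % (cns[0], hostname)


if __name__ == "__main__":
    # 1. The certificate from the thread: CN is the short name, no SAN -> fails.
    print(hostname_matches(THREAD_HOSTNAME, THREAD_SUBJECT))
    # 2. The same certificate reissued with a SAN for the FQDN (Carl's first option).
    print(hostname_matches(THREAD_HOSTNAME, THREAD_SUBJECT, ["dev-ldap7-1.usd.edu"]))
    # 3. A constructed certificate whose SAN names another host: a matching CN
    #    no longer rescues it, because SANs are present.
    print(hostname_matches(THREAD_HOSTNAME, "CN=dev-ldap7-1.usd.edu", ["ldap.usd.edu"]))
```

Running the script prints the three verdicts; the first reproduces the failure in the thread, the second is what the verifier would accept once the LDAP server presents a certificate with a SAN for the DNS name CAS connects to.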