To be fair I don't know :(
I never set up LDAP integration myself
Maybe Sebastian can suggest something?


On Wed, May 8, 2013 at 3:11 PM, Vieri <rentor...@yahoo.com> wrote:

> # java -version
> java version "1.6.0_24"
> OpenJDK Runtime Environment (IcedTea6 1.11.1) (Gentoo build 1.6.0_24-b24)
> OpenJDK Client VM (build 20.0-b12, mixed mode)
>
> I guess that would be:
> /etc/java-config-2/current-system-vm/jre/lib/security/cacerts
>
> So I'd need to add the CA and only the CA cert to this file?
> I'd run something like:
>
> keytool -import -alias root \
>   -keystore /etc/java-config-2/current-system-vm/jre/lib/security/cacerts \
>   -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts \
>   -file ${OM_TMP_DIR}/root.crt
>
> However, I have no experience whatsoever in this field and I currently
> don't know what to use as the keystore password (or maybe it should be left
> blank).
>
> So if you suggest to put the CA in the global store, does it mean that
> JAVA_OPTS="-Djavax.net.ssl.keyStore="
> is not enough?
>
> Vieri
>
> --- On Wed, 5/8/13, Maxim Solodovnik <solomax...@gmail.com> wrote:
>
> > I guess you need to add your CA to
> > java (global one)
> >
> >
> > On Wed, May 8, 2013 at 2:39 PM, Vieri <rentor...@yahoo.com>
> > wrote:
> >
> > > Hi,
> > >
> > > From the same machine where OM is installed I can run the following
> > > command:
> > >
> > > # ldapsearch -x -D "adu...@domain.org" -b "cn=Users,dc=domain,dc=org" \
> > >     -H ldaps://ldapserver.domain.org -W sAMAccountName=aduser
> > >
> > > # search result
> > > search: 2
> > > result: 0 Success
> > >
> > > # numResponses: 2
> > > # numEntries: 1
> > >
> > > -----------------
> > >
> > > However, if I set up OM to authenticate users via LDAP/SSL I'm getting the
> > > error reported at the end of this e-mail (LDAP without SSL works fine).
> > >
> > > My om_ldap.cfg is as follows:
> > >
> > > ldap_server_type=OpenLDAP
> > > ldap_conn_url=ldaps://ldapserver.domain.org:636
> > > ldap_admin_dn=CN:aduser,CN:Users,DC:domain,DC:org
> > > ldap_passwd=secret
> > > ldap_search_base=CN:Users,DC:domain,DC:org
> > > field_user_principal=sAMAccountName
> > > ldap_auth_type=SIMPLE
> > > ldap_sync_password_to_om=no
> > > ldap_user_attr_lastname=sn
> > > ldap_user_attr_firstname=givenName
> > > ldap_user_attr_mail=mail
> > > ldap_user_attr_street=streetAddress
> > > ldap_user_attr_additionalname=description
> > > ldap_user_attr_fax=facsimileTelephoneNumber
> > > ldap_user_attr_zip=postalCode
> > > ldap_user_attr_country=co
> > > ldap_user_attr_town=l
> > > ldap_user_attr_phone=telephoneNumber
> > > ldap_user_picture_uri=wWWHomePage
> > > ldap_use_lower_case=false
> > > ldap_user_groups=memberOf
> > >
> > > Before running OM I export:
> > >
> > > OPENMEETINGS_JAVA_KEYSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/keystore
> > > OPENMEETINGS_JAVA_TRUSTSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/truststore
> > > JAVA_OPTS="-Djavax.net.ssl.keyStore=${OPENMEETINGS_JAVA_KEYSTORE}
> > > -Djavax.net.ssl.keyStorePassword=${OPENMEETINGS_JAVA_STORE_PASS}
> > > -Djavax.net.ssl.trustStore=${OPENMEETINGS_JAVA_TRUSTSTORE}
> > > -Djavax.net.ssl.trustStorePassword=${OPENMEETINGS_JAVA_STORE_PASS}"
> > >
> > > I'm using a self-signed certificate in my LDAP server (Active Directory).
> > > Here's how I generated it:
> > >   selfssl.exe /N:CN=LDAPSERVER.DOMAIN.ORG /K:1024 /V:1825"
> > >   run mmc and open the LOCAL COMPUTER Personal certificate store. The cert
> > >   should already be there.
> > >   Copy it within mmc to the "Trusted root authorities"
> > >   Export the certificate from the trusted root store within mmc as pfx
> > >   file and name it ldapserver.pfx (${OPENMEETINGS_LDAP_SERVER_CERTIFICATE})
> > >
> > > Finally, on the OM machine I configured the truststore this way:
> > >
> > > OM_J_TRUSTSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/truststore
> > > rm -f $OM_J_TRUSTSTORE
> > > keytool -validity 7300 -keysize 2048 -genkey \
> > >   -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keyalg RSA \
> > >   -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} \
> > >   -keypass ${OPENMEETINGS_JAVA_KEY_PASSWORD} -dname "${OPENMEETINGS_JAVA_DN}"
> > > openssl pkcs12 -passin pass:"" -passout pass:"" \
> > >   -in ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE} \
> > >   -out ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}.pem -nodes
> > > openssl x509 -in ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}.pem -inform pem \
> > >   -out ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}-x509.der -outform der
> > > keytool -import -alias root -keystore ${OM_J_TRUSTSTORE} \
> > >   -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts \
> > >   -file ${OPENMEETINGS_LDAP_SERVER_CERTIFICATE}-x509.der
> > >
> > > and the keystore (used for https):
> > >
> > > OM_J_KEYSTORE=${OPENMEETINGS_INSTALL_ROOT}/red5/conf/keystore
> > > rm -f ${OM_J_KEYSTORE}
> > > keytool -validity 7300 -keysize 2048 -genkey \
> > >   -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} -keyalg RSA \
> > >   -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} \
> > >   -keypass ${OPENMEETINGS_JAVA_KEY_PASSWORD} -dname "${OPENMEETINGS_JAVA_DN}"
> > > keytool -certreq -keyalg RSA -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} \
> > >   -file ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.csr \
> > >   -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
> > > # > Now submit ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.csr to custom CA and self-sign the certificate:"
> > > # - the signed certificate is copied to ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.crt"
> > > # - the CA root certificate is copied to ${OM_TMP_DIR}/root.crt"
> > > keytool -import -alias root -keystore ${OM_J_KEYSTORE} \
> > >   -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -trustcacerts \
> > >   -file ${OM_TMP_DIR}/root.crt
> > > keytool -import -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} \
> > >   -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} \
> > >   -trustcacerts -file ${OM_TMP_DIR}/${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}.crt
> > > cp ${OM_J_KEYSTORE} ${OM_J_KEYSTORE}.screen
> > >
> > > If I list the keystores:
> > >
> > > # keytool -list -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} \
> > >     -keystore ${OM_J_KEYSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
> > >
> > > Alias name: ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
> > > Creation date: Feb 21, 2013
> > > Entry type: PrivateKeyEntry
> > > Certificate chain length: 2
> > > Certificate[1]:
> > > Owner: CN=openmeetings.domain.org, OU=IT, O=domain,
> > L=City, ST=State,
> > > C=COUNTRY
> > > Issuer: EMAILADDRCOUNTRYS=i...@domain.org,
> > CN=MYORG1 Signing Authority,
> > > OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> > > Serial number: 1
> > > Valid from: Thu Feb 21 09:57:44 CET 2013 until: Tue Feb
> > 20 09:57:44 CET
> > > 2018
> > > Certificate fingerprints:
> > >          MD5:
> > 49:08:9E:CC:AD:19:C8:49:8F:67:5C:3E:64:1C:34:AF
> > >          SHA1:
> > FD:DD:A9:A9:76:16:77:4A:67:96:34:0B:CE:10:93:68:F7:1D:DC:56
> > >          Signature algorithm
> > name: SHA1withRSA
> > >          Version: 3
> > >
> > > Extensions:
> > >
> > > #1: ObjectId: 2.5.29.14 Criticality=false
> > > SubjectKeyIdentifier [
> > > KeyIdentifier [
> > > 0000: E5 C3 EE 6C 85 80 D7 C1   49 7F 98
> > D2 2F C4 88 1D  ...l....I.../...
> > > 0010: 1F 45 73 78
> > > ]
> > > ]
> > >
> > > #2: ObjectId: 2.5.29.19 Criticality=false
> > > BasicConstraints:[
> > >   CA:false
> > >   PathLen: undefined
> > > ]
> > >
> > > #3: ObjectId: 2.5.29.35 Criticality=false
> > > AuthorityKeyIdentifier [
> > > KeyIdentifier [
> > > 0000: 9B 1E 67 7D 0E CE FB 0B   02 5D AE
> > A9 E2 33 AE 70  ..g......]...3.p
> > > 0010: 56 EF AB 51
> >
> >               V..Q
> > > ]
> > >
> > > ]
> > >
> > > #4: ObjectId: 2.5.29.18 Criticality=false
> > > IssuerAlternativeName [
> > >   RFC822Name: i...@domain.org
> > > ]
> > >
> > > #5: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
> > >
> > > #6: ObjectId: 2.5.29.17 Criticality=false
> > > SubjectAlternativeName [
> > >   DNSName: openmeetings
> > >   DNSName: openmeetings.domain.org
> > > ]
> > >
> > > Certificate[2]:
> > > Owner: EMAILADDRCOUNTRYS=i...@domain.org,
> > CN=MYORG1 Signing Authority,
> > > OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> > > Issuer: EMAILADDRCOUNTRYS=i...@domain.org,
> > CN=MYORG1 Signing Authority,
> > > OU=ORG IT, O=MYORG, ST=State, C=COUNTRY
> > > Serial number: 0
> > > Valid from: Thu Feb 21 09:48:02 CET 2013 until: Thu Feb
> > 13 09:48:02 CET
> > > 2048
> > > Certificate fingerprints:
> > >          MD5:
> > 95:60:3A:CA:B0:4E:EE:18:59:3A:EB:DB:17:9C:D8:0F
> > >          SHA1:
> > 4B:A9:E0:50:EA:D5:E1:8F:4E:01:AC:11:B9:85:A5:E3:D7:3E:25:85
> > >          Signature algorithm
> > name: SHA1withRSA
> > >          Version: 3
> > >
> > > Extensions:
> > >
> > > #1: ObjectId: 2.5.29.15 Criticality=false
> > > KeyUsage [
> > >   Key_CertSign
> > >   Crl_Sign
> > > ]
> > >
> > > #2: ObjectId: 2.5.29.14 Criticality=false
> > > SubjectKeyIdentifier [
> > > KeyIdentifier [
> > > 0000: 9B 1E 67 7D 0E CE FB 0B   02 5D AE
> > A9 E2 33 AE 70  ..g......]...3.p
> > > 0010: 56 EF AB 51
> >
> >               V..Q
> > > ]
> > > ]
> > >
> > > #3: ObjectId: 2.5.29.31 Criticality=false
> > > CRLDistributionPoints [
> > >   [DistributionPoint:
> > >      [URIName: http://domain.org/cert/crl.crl]
> > > ]]
> > >
> > > #4: ObjectId: 2.5.29.19 Criticality=false
> > > BasicConstraints:[
> > >   CA:true
> > >   PathLen:2147483647
> > > ]
> > >
> > > #5: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
> > > NetscapeCertType [
> > >    SSL CA
> > >    S/MIME CA
> > > ]
> > >
> > > #6: ObjectId: 2.5.29.35 Criticality=false
> > > AuthorityKeyIdentifier [
> > > KeyIdentifier [
> > > 0000: 9B 1E 67 7D 0E CE FB 0B   02 5D AE
> > A9 E2 33 AE 70  ..g......]...3.p
> > > 0010: 56 EF AB 51
> >
> >               V..Q
> > > ]
> > >
> > > [EMAILADDRCOUNTRYS=i...@domain.org,
> > CN=MYORG1 Signing Authority, OU=ORG IT,
> > > O=MYORG, ST=State, C=COUNTRY]
> > > SerialNumber: [    00]
> > > ]
> > >
> > > #7: ObjectId: 2.5.29.18 Criticality=false
> > > IssuerAlternativeName [
> > >   RFC822Name: i...@domain.org
> > > ]
> > >
> > > #8: ObjectId: 2.5.29.17 Criticality=false
> > > SubjectAlternativeName [
> > >   RFC822Name: i...@domain.org
> > > ]
> > >
> > >
> > > # keytool -list -alias root -keystore ${OM_J_KEYSTORE} \
> > >     -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD}
> > >
> > > root, Feb 21, 2013, trustedCertEntry,
> > > Certificate fingerprint (MD5):
> > > 95:60:3A:CA:B0:4E:EE:18:59:3A:EB:DB:17:9C:D8:0F
> > >
> > >
> > >
> > > And now for the trust store:
> > >
> > > # keytool -list -alias root -keystore ${OM_J_TRUSTSTORE} \
> > >     -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
> > > Alias name: root
> > > Creation date: May 7, 2013
> > > Entry type: trustedCertEntry
> > >
> > > Owner: CN=LDAPSERVER.DOMAIN.ORG
> > > Issuer: CN=LDAPSERVER.DOMAIN.ORG
> > > Serial number: -76629fd860703546b57165ba54276ec2
> > > Valid from: Tue May 15 19:07:45 CEST 2012 until: Sun
> > May 14 19:07:45 CEST
> > > 2017
> > > Certificate fingerprints:
> > >          MD5:
> > ED:D1:BA:21:27:67:9F:33:26:E7:9E:DC:FB:B8:5B:EE
> > >          SHA1:
> > 08:6F:5F:A6:D1:81:E0:43:1A:82:9C:F4:CD:42:A6:88:6E:4E:81:29
> > >          Signature algorithm
> > name: SHA1withRSA
> > >          Version: 3
> > >
> > > Extensions:
> > >
> > > #1: ObjectId: 2.5.29.15 Criticality=false
> > > KeyUsage [
> > >   DigitalSignature
> > >   Key_Encipherment
> > >   Data_Encipherment
> > > ]
> > >
> > > #2: ObjectId: 2.5.29.37 Criticality=false
> > > ExtendedKeyUsages [
> > >   serverAuth
> > > ]
> > >
> > > # keytool -list -alias ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS} \
> > >     -keystore ${OM_J_TRUSTSTORE} -storepass ${OPENMEETINGS_JAVA_KEYSTORE_PASSWORD} -v
> > >
> > > Alias name: ${OPENMEETINGS_JAVA_KEYSTORE_ALIAS}
> > > Creation date: May 7, 2013
> > > Entry type: PrivateKeyEntry
> > > Certificate chain length: 1
> > > Certificate[1]:
> > > Owner: CN=openmeetings.domain.org, OU=IT,
> > O=MyCompanyOrg, L=City,
> > > ST=State, C=COUNTRY
> > > Issuer: CN=openmeetings.domain.org, OU=IT,
> > O=MyCompanyOrg, L=City,
> > > ST=State, C=COUNTRY
> > > Serial number: 5188f626
> > > Valid from: Tue May 07 14:40:06 CEST 2013 until: Mon
> > May 02 14:40:06 CEST
> > > 2033
> > > Certificate fingerprints:
> > >          MD5:
> > C1:DD:BD:F5:1E:99:C5:89:25:0F:42:E5:0D:E4:09:5F
> > >          SHA1:
> > D9:4D:AF:2D:C2:1E:99:52:A2:AD:CA:4A:D6:05:24:0E:C8:91:70:DC
> > >          Signature algorithm
> > name: SHA1withRSA
> > >          Version: 3
> > >
> > >
> > > When an LDAP user tries to log into OM, the log shows the following
> > > messages:
> > >
> > > DEBUG 05-08 09:58:06.944 LdapAuthBase.java 68748242
> > 117
> > > org.apache.openmeetings.ldap.LdapAuthBase
> > [NioProcessor-19] -
> > >
> > > Authentification to LDAP - Server start
> > > DEBUG 05-08 09:58:06.946 LdapAuthBase.java 68748244
> > 151
> > > org.apache.openmeetings.ldap.LdapAuthBase
> > [NioProcessor-19] -
> > > loginToLdapServer
> > > ERROR 05-08 09:58:11.980 LdapAuthBase.java 68753278
> > 123
> > > org.apache.openmeetings.ldap.LdapAuthBase
> > [NioProcessor-19] -
> > >
> > > Authentification on LDAP Server failed : simple bind
> > failed:
> > > ldapserver.domain.org:636
> > > ERROR 05-08 09:58:11.996 LdapAuthBase.java 68753294
> > 124
> > > org.apache.openmeetings.ldap.LdapAuthBase
> > [NioProcessor-19] -
> > > [Authentification on LDAP Server failed]
> > > javax.naming.CommunicationException: simple bind
> > failed:
> > > ldapserver.domain.org:636
> > >         at
> > com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
> > > ~[na:1.6.0_24]
> > >         at
> > com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
> > > ~[na:1.6.0_24]
> > >         at
> > com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
> > > ~[na:1.6.0_24]
> > >         at
> > javax.naming.InitialContext.init(InitialContext.java:240)
> > > ~[na:1.6.0_24]
> > >         at
> > javax.naming.InitialContext.<init>(InitialContext.java:214)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> org.apache.openmeetings.ldap.LdapAuthBase.loginToLdapServer(LdapAuthBase.java:161)
> > > ~[openmeetings-2.1.1-SNAPSHOT.jar:na]
> > >         at
> > >
> >
> org.apache.openmeetings.ldap.LdapAuthBase.authenticateUser(LdapAuthBase.java:119)
> > > ~[openmeetings-2.1.1-SNAPSHOT.jar:na]
> > >         at
> > >
> >
> org.apache.openmeetings.ldap.LdapLoginManagement.doLdapLogin(LdapLoginManagement.java:422)
> > > [openmeetings-2.1.1-SNAPSHOT.jar:na]
> > >         at
> > >
> >
> org.apache.openmeetings.remote.MainService.loginUser(MainService.java:333)
> > > [openmeetings-2.1.1-SNAPSHOT.jar:na]
> > >         at
> > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > ~[na:1.6.0_24]
> > >         at
> > java.lang.reflect.Method.invoke(Method.java:616)
> > ~[na:1.6.0_24]
> > >         at
> > >
> > org.red5.server.service.ServiceInvoker.invoke(ServiceInvoker.java:196)
> > > [red5.jar:na]
> > >         at
> > >
> > org.red5.server.service.ServiceInvoker.invoke(ServiceInvoker.java:115)
> > > [red5.jar:na]
> > >         at
> > >
> > org.red5.server.net.rtmp.RTMPHandler.invokeCall(RTMPHandler.java:157)
> > > [red5.jar:na]
> > >         at
> > >
> > org.red5.server.net.rtmp.RTMPHandler.onInvoke(RTMPHandler.java:399)
> > > [red5.jar:na]
> > >         at
> > >
> >
> org.red5.server.net.rtmp.BaseRTMPHandler.messageReceived(BaseRTMPHandler.java:130)
> > > [red5.jar:na]
> > >         at
> > >
> >
> org.red5.server.net.rtmp.RTMPMinaIoHandler.messageReceived(RTMPMinaIoHandler.java:164)
> > > [red5.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:427)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:245)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.red5.server.net.rtmpe.RTMPEIoFilter.messageReceived(RTMPEIoFilter.java:124)
> > > [red5.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.filter.ssl.SslHandler.flushScheduledEvents(SslHandler.java:320)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> > org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:506)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:715)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:668)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:657)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1141)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
> > > [mina-core-2.0.4.jar:na]
> > >         at
> > >
> >
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
> > > [na:1.6.0_24]
> > >         at
> > >
> >
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
> > > [na:1.6.0_24]
> > >         at
> > java.lang.Thread.run(Thread.java:679) [na:1.6.0_24]
> > > Caused by: javax.net.ssl.SSLHandshakeException:
> > > sun.security.validator.ValidatorException: PKIX path
> > building failed:
> > >
> > sun.security.provider.certpath.SunCertPathBuilderException:
> > unable to find
> > > valid certification path to requested target
> > >         at
> > sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> > > ~[na:1.6.0_24]
> > >         at
> > sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1697)
> > > ~[na:1.6.0_24]
> > >         at
> > sun.security.ssl.Handshaker.fatalSE(Handshaker.java:257)
> > > ~[na:1.6.0_24]
> > >         at
> > sun.security.ssl.Handshaker.fatalSE(Handshaker.java:251)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1165)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154)
> > > ~[na:1.6.0_24]
> > >         at
> > sun.security.ssl.Handshaker.processLoop(Handshaker.java:609)
> > > ~[na:1.6.0_24]
> > >         at
> > sun.security.ssl.Handshaker.process_record(Handshaker.java:545)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
> > > ~[na:1.6.0_24]
> > >         at
> > com.sun.jndi.ldap.Connection.writeRequest(Connection.java:409)
> > > ~[na:1.6.0_24]
> > >         at
> > com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:352)
> > > ~[na:1.6.0_24]
> > >         at
> > com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210)
> > > ~[na:1.6.0_24]
> > >         ... 55 common
> > frames omitted
> > > Caused by: sun.security.validator.ValidatorException:
> > PKIX path building
> > > failed:
> > sun.security.provider.certpath.SunCertPathBuilderException:
> > unable
> > > to find valid certification path to requested target
> > >         at
> > >
> > sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:324)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:224)
> > > ~[na:1.6.0_24]
> > >         at
> > sun.security.validator.Validator.validate(Validator.java:235)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> >
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1144)
> > > ~[na:1.6.0_24]
> > >         ... 67 common
> > frames omitted
> > > Caused by:
> > sun.security.provider.certpath.SunCertPathBuilderException:
> > > unable to find valid certification path to requested
> > target
> > >         at
> > >
> >
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
> > > ~[na:1.6.0_24]
> > >         at
> > >
> > sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:319)
> > > ~[na:1.6.0_24]
> > >         ... 73 common
> > frames omitted
> > >
> > > How can I solve the "unable to find valid certification path" issue? What
> > > does it refer to exactly?
> > >
> > > I can correctly connect to https://openmeetings.domain.org/openmeetings/ but the
> > > LDAPS authentication/login is failing.
> > >
> > > My ldapsearch example at the beginning succeeded probably because I have
> > > 'TLS_REQCERT never' in ldap.conf. Is there a way to "loosen up" OM/java as
> > > far as self-signed certs are concerned?
> > >
> > > Thanks,
> > >
> > > Vieri
> > >
> > >
> >
> >
> > --
> > WBR
> > Maxim aka solomax
> >
>



-- 
WBR
Maxim aka solomax
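
An added example, not part of the original thread and not OpenMeetings code: a small Java diagnostic that resolves the trust store a JVM would use by default (the -Djavax.net.ssl.trustStore property, else jssecacerts, else cacerts), lists its trusted entries, and checks whether a given certificate file is accepted against them. The class name TrustStoreCheck is hypothetical; it assumes it is started with the same -Djavax.net.ssl.* options as the server and, optionally, given the exported LDAP server certificate (DER or PEM). It checks a single certificate file, not the chain a live server presents.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.Collections;

// Added diagnostic; TrustStoreCheck is a hypothetical name, not OpenMeetings code.
// Run: java <same -Djavax.net.ssl.* options as the server> TrustStoreCheck [cert-file]
public class TrustStoreCheck {
    // JSSE's default lookup order: -Djavax.net.ssl.trustStore, jssecacerts, cacerts.
    static File resolveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null && !prop.isEmpty()) return new File(prop);
        File dir = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(dir, "jssecacerts");
        return jsse.exists() ? jsse : new File(dir, "cacerts");
    }

    static KeyStore load(File f) throws Exception {
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore ks = KeyStore.getInstance(
                System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType()));
        InputStream in = new FileInputStream(f);
        try {
            // JKS: a null password skips the integrity check; certificates stay readable.
            ks.load(in, pw == null ? null : pw.toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }

    static String sha1(X509Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-1").digest(c.getEncoded()))
            sb.append(sb.length() > 0 ? ":" : "").append(String.format("%02X", b));
        return sb.toString();
    }

    // Is 'cert' itself a trusted entry, or issued by one? Returns a one-line verdict.
    static String check(KeyStore ts, X509Certificate cert) throws Exception {
        for (String a : Collections.list(ts.aliases())) {
            if (ts.isCertificateEntry(a) && cert.equals(ts.getCertificate(a)))
                return "TRUSTED: identical to trustedCertEntry '" + a + "'";
        }
        try {
            PKIXParameters params = new PKIXParameters(ts); // anchors: trustedCertEntry only
            params.setRevocationEnabled(false);             // no CRL/OCSP lookups here
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Collections.singletonList(cert));
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return "TRUSTED: issued by a CA in the store";
        } catch (GeneralSecurityException e) {
            return "NOT TRUSTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        File f = resolveTrustStore();
        KeyStore ts = load(f);
        System.out.println("Effective trust store: " + f.getAbsolutePath());
        for (String a : Collections.list(ts.aliases())) {
            if (!ts.isCertificateEntry(a)) continue; // skip PrivateKeyEntry entries
            X509Certificate c = (X509Certificate) ts.getCertificate(a);
            System.out.println("  anchor " + a + "  " + c.getSubjectX500Principal()
                    + "  SHA1=" + sha1(c));
        }
        if (args.length == 1) {
            InputStream in = new FileInputStream(args[0]);
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            in.close();
            System.out.println(cert.getSubjectX500Principal() + " -> " + check(ts, cert));
        }
    }
}
```

If the check reports TRUSTED for the store named in JAVA_OPTS while the login still fails, compare the "Effective trust store" path with the options the server process was actually started with, and the SHA1 value with the certificate the LDAP server presents.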
