/etc/ldap/ldap.conf is not involved in this, because the JVM has its own LDAP implementation and does not use OpenLDAP.
Whenever you see errors pointing to something like "PKIX path building," it means that SSL/TLS is validating a certificate but cannot find a sequence of signer certificates that ends at a self-signed certificate that it has been told to trust. In Java, "told to trust" means that that certificate is in $JRE_HOME/jre/lib/security/cacerts, or some other suitable certificate database identified by the system property 'javax.net.ssl.trustStore'. Here's some documentation as a starting point: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CustomizingStores Also this article might help: https://stackoverflow.com/questions/6908948/java-sun-security-provider-certpath-suncertpathbuilderexception-unable-to-find Here are my own notes on how to install my own CA certificate in the default trust store: 'cd' to $JRE_HOME/jre/lib/security Make a copy of 'cacerts' for error recovery. keytool -import \ -alias my-root \ -file /some/path/to/my-root.pem \ -keystore cacerts On Thu, Nov 12, 2020 at 01:09:35PM +0200, Sean Carte wrote: > Thanks for the response, Alan. > > It seems the problem for me is that our ldap (AD) server is using a PKI > certificate, which appears to be self-signed. I really don't understand how > that works. But from what I've read, that's what's causing the problem. Yes, that certificate won't be in your JVM's trust store unless you add it. > On Thu, 12 Nov 2020 at 11:23, Alan Orth <alan.o...@gmail.com> wrote: > > > Hi Sean, > > > > I'm using LDAPS on both DSpace 5.8 and 6.3. For DSpace 5 I have the > > following in my sitename.properties: > > > > ldap.provider_url = ldaps://blahblah.org:636/ > > > > For DSpace 6 I have this in my local.cfg: > > > > authentication-ldap.provider_url = ldaps://blahblah.org:636/ > > > > I have not configured any STARTTLS parameters in DSpace or the system's > > ldap.conf. We are using Ubuntu 18.04. > > > > Regards, > > > > On Thu, Nov 12, 2020 at 9:34 AM Sean Carte <sean.ca...@gmail.com> wrote: > > > >> I'm trying to configure DSpace-CRIS 5.10 and DSpace 6.3 to use ldaps, but > >> get this error in the log: > >> > >> 2020-11-11 15:05:03,464 WARN org.dspace.authenticate.LDAPAuthentication > >> @ > >> anonymous:session_id=F261C03287498D5AEE67FFE7F53CBCAF:ip_addr=10.0.36.134:ldap_authentication:type=failed_auth > >> javax.naming.CommunicationException\colon; simple bind failed\colon; > >> <server_url>\colon;636 [Root exception is > >> javax.net.ssl.SSLHandshakeException\colon; PKIX path building failed\colon; > >> sun.security.provider.certpath.SunCertPathBuilderException\colon; unable to > >> find valid certification path to requested target] > >> > >> LDAP authentication is working without SSL. All I've changed in the > >> configuration is ldap -> ldaps in the provider_url property. > >> > >> On the DSpace 6.3 server I've also tried: > >> authentication-ldap.starttls=true > >> while leaving the scheme at ldap > >> > >> That results in the following error: > >> > >> 2020-11-12 09:06:32,112 WARN org.dspace.authenticate.LDAPAuthentication > >> @ > >> anonymous:session_id=0BD2A90CE7458F21149D8505D76D7E78:ip_addr=10.0.36.134:ldap_authentication:type=failed_auth > >> javax.net.ssl.SSLHandshakeException\colon; PKIX path building failed\colon; > >> sun.security.provider.certpath.SunCertPathBuilderException\colon; unable to > >> find valid certification path to requested target > >> > >> I also tried using ldapsearch and found that that fails on ldaps with the > >> error 'TLS: peer cert untrusted or revoked (0x142)' unless I add the > >> following line to /etc/ldap/ldap.conf: > >> > >> TLS_REQCERT NEVER > >> > >> That setting in ldap.conf doesn't seem to have any effect on DSpace; is > >> there a way of telling DSpace to not expect a server certificate? Or is > >> there a better way to get secure LDAP working? > >> > >> -- > >> All messages to this mailing list should adhere to the DuraSpace Code of > >> Conduct: https://duraspace.org/about/policies/code-of-conduct/ > >> --- > >> You received this message because you are subscribed to the Google Groups > >> "DSpace Technical Support" group. > >> To unsubscribe from this group and stop receiving emails from it, send an > >> email to dspace-tech+unsubscr...@googlegroups.com. > >> To view this discussion on the web visit > >> https://groups.google.com/d/msgid/dspace-tech/CA%2BxAuhNZ4oB76KB57%2B4xrWybbOYqDyiytVUjvNTq%2B8%2BoWJWENg%40mail.gmail.com > >> <https://groups.google.com/d/msgid/dspace-tech/CA%2BxAuhNZ4oB76KB57%2B4xrWybbOYqDyiytVUjvNTq%2B8%2BoWJWENg%40mail.gmail.com?utm_medium=email&utm_source=footer> > >> . > >> > > > > > > -- > > Alan Orth > > alan.o...@gmail.com > > https://picturingjordan.com > > https://englishbulgaria.net > > https://mjanja.ch > > > > -- > All messages to this mailing list should adhere to the DuraSpace Code of > Conduct: https://duraspace.org/about/policies/code-of-conduct/ > --- > You received this message because you are subscribed to the Google Groups > "DSpace Technical Support" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to dspace-tech+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/dspace-tech/CA%2BxAuhPBrrL1tcJWJomE7xTgLRR_W0Fbsr3WkBywVe7-xOzP-Q%40mail.gmail.com. -- Mark H. Wood Lead Technology Analyst University Library Indiana University - Purdue University Indianapolis 755 W. Michigan Street Indianapolis, IN 46202 317-274-0749 www.ulib.iupui.edu -- All messages to this mailing list should adhere to the DuraSpace Code of Conduct: https://duraspace.org/about/policies/code-of-conduct/ --- You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group. To unsubscribe from this group and stop receiving emails from it, send an email to dspace-tech+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/20201112152916.GA12603%40IUPUI.Edu.
signature.asc
Description: PGP signature