2013/11/13 André Coelho <[email protected]>:
> Hello
>
> My ldap server requires TLS certificate and I can consult it using TLS from
> the server (ldapsearch -x -ZZ -LLL -b dc=ind,dc=edu 'uid=test' cn).
>
> I have followed these instructions on:
> http://lsc-project.org/wiki/documentation/2.0/howtos/ssltls
>
> To enable TLS on the LDAP connection, set the following node in lsc.xml:
>
> <connection>
> <.../>
> <tlsActivated>false</tlsActivated>
> </connection>
> Replace “dst” with “src” above if necessary.
>
> But these instructions look wrong. Where are the dst and src to change? And
> it is supposed to be true instead of false.


Yes, there were mistakes in the documentation, thanks for reporting
them, they are fixed now.


>
> Even so I have changed my lsc.xml to: <tlsActivated>true</tlsActivated>
>
> And imported the cacert.pem
> keytool -import -file cacert.pem -keystore
> /root/scripts/lsc-2.0.2/etc/ldapcert
>
> Updated the lsc script to this:
>
> "${JAVA_COMMAND}" -cp $CLASSPATH \
> -Djavax.net.ssl.trustStore=/root/scripts/lsc-2.0.2/etc/ldapcert \
> -Djavax.net.ssl.trustStorePassword=xxxxx \
> org.lsc.Launcher $PARAMETERS
>
> And the following error keeps showing up:
>
> Error opening the LDAP connection to the destination!
> (javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 -
> TLS confidentiality required])
>
> I have done these same steps importing the certificate on
> "/etc/ssl/certs/java/cacerts" and
> "/usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/cacerts" without
> modifying the lsc script, but the same error appears.
>
> Interestingly, if you change the parameter on Djavax.net.ssl.trustStore
> to any invalid file path no error is reported, looks like it is being
> ignored.
>
> What am I missing?


I don't see. Could you have a tcpdump to check if the startTLS
operation is sent by LSC?


Clément.
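Clément's suggestion above is to capture the traffic and see whether LSC ever sends the StartTLS extended operation before binding. As an added example that is not part of this thread and not LSC code, the following Python script decodes the two LDAP messages that matter for that check (the StartTLS ExtendedRequest, OID 1.3.6.1.4.1.1466.20037, and a BindResponse carrying resultCode 13, "confidentialityRequired") from raw bytes, and reports which of the two situations a capture shows. The messages it inspects are constructed inline with its own small BER encoder rather than taken from a real capture; the helper names (`classify`, `diagnose`) are mine and assume nothing about LSC internals.

```python
# Added example (not LSC project code): a minimal LDAP/BER decoder to check, from
# captured bytes, whether the client ever sent a StartTLS ExtendedRequest and what
# resultCode the server returned. The sample bytes below are constructed, not a capture.

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"     # RFC 4511 StartTLS extended operation
CONFIDENTIALITY_REQUIRED = 13               # LDAP resultCode "confidentialityRequired"


def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """Wrap a value in a BER tag-length-value triple."""
    return bytes([tag]) + ber_len(len(value)) + value


def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    # message IDs below 128 fit in one INTEGER byte; larger ones would need sign handling
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID.encode()))
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext)


def bind_response(result_code, diagnostic, message_id=1):
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage } }."""
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x61, body))


def classify(msg):
    """Decode one LDAPMessage into a small dict describing its protocolOp."""
    tag, seq, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(seq, 0)
    op_tag, op, _ = read_tlv(seq, pos)
    info = {"message_id": int.from_bytes(mid, "big"), "kind": "other"}
    if op_tag == 0x77:                        # ExtendedRequest
        _, name, _ = read_tlv(op, 0)          # requestName [0] LDAPOID
        info.update(kind="ExtendedRequest", oid=name.decode(),
                    starttls=(name.decode() == STARTTLS_OID))
    elif op_tag == 0x61:                      # BindResponse
        _, code, pos = read_tlv(op, 0)        # resultCode ENUMERATED
        _, _matched, pos = read_tlv(op, pos)  # matchedDN
        _, diag, _ = read_tlv(op, pos)        # diagnosticMessage
        info.update(kind="BindResponse", result_code=int.from_bytes(code, "big"),
                    diagnostic=diag.decode())
    return info


def iter_messages(stream):
    """Split a byte stream of back-to-back LDAPMessages (as reassembled from a capture)."""
    pos = 0
    while pos < len(stream):
        _, _, end = read_tlv(stream, pos)
        yield stream[pos:end]
        pos = end


def diagnose(stream):
    """Report whether StartTLS was ever requested and the last bind resultCode seen."""
    starttls_sent = False
    bind_result = None
    for raw in iter_messages(stream):
        info = classify(raw)
        if info["kind"] == "ExtendedRequest" and info["starttls"]:
            starttls_sent = True
        elif info["kind"] == "BindResponse":
            bind_result = info["result_code"]
    if not starttls_sent and bind_result == CONFIDENTIALITY_REQUIRED:
        verdict = "client never sent StartTLS; server refused the plaintext bind"
    elif starttls_sent:
        verdict = "StartTLS was requested; look at the TLS handshake and trust store next"
    else:
        verdict = "no StartTLS seen and no confidentiality error"
    return {"starttls_sent": starttls_sent, "bind_result": bind_result, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample: the client binds without StartTLS and the server answers code 13
    failing = bind_response(CONFIDENTIALITY_REQUIRED, "TLS confidentiality required")
    print(diagnose(failing))
    # Constructed sample: StartTLS request followed by a successful bind (resultCode 0)
    working = starttls_request(1) + bind_response(0, "", message_id=2)
    print(diagnose(working))
```

The two outcomes map onto the two halves of the problem: if no ExtendedRequest with the StartTLS OID appears before the bind, the `tlsActivated` setting is not taking effect and the trust store is never consulted, which would also explain why an invalid `-Djavax.net.ssl.trustStore` path goes unnoticed; if the request does appear, the failure lies in the TLS handshake and the imported CA certificate is the next thing to verify.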
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users