On Thu, Feb 25, 2021 at 2:31 AM wrote:
> We are having a problem with our Single Sign-On config.
>
> When using ldap, all works well.
>
> When switching to ldaps, the user loses the connection altogether
> (Server not reachable).
>
> server.xml
>
> Good:
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>        connectionURL="ldap://xxxxx.xxxx.com:3268"
>        userBase="DC=XXXINTRA,DC=CH"
>        userSubtree="true"
>        userSearch="(sAMAccountName={0})"
>        userRoleName="memberOf"
>        roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
>        roleName="CN"
>        roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
>        roleSubtree="true"
>        roleNested="true" />
>
> Bad:
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>        connectionURL="ldaps://xxxxx.xxxx.com:3269"
>        userBase="DC=XXXINTRA,DC=CH"
>        userSubtree="true"
>        userSearch="(sAMAccountName={0})"
>        userRoleName="memberOf"
>        roleBase="OU=PF00_App-Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINTRA,DC=ch"
>        roleName="CN"
>        roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
>        roleSubtree="true"
>        roleNested="true" />
If you are running Tomcat on Windows, my question is whether the Java running your Tomcat server trusts the Windows certificate store for the secure LDAP.

If you are running Tomcat on Windows, try adding the following parameter to the Java command line for your application:

-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT

(If you are using procrun, which is likely on Windows, this means to go to the "Java" tab for the Tomcat service configuration and add the above line to the "Java Options" text box.)

Bill
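A way to confirm whether the trust store is the cause before touching server.xml, as an added example that is not from the thread or from Tomcat itself: the hypothetical class LdapsTrustCheck below performs only the TLS handshake to the LDAPS port using the JVM's default trust settings, which is what JNDIRealm relies on for an ldaps:// connectionURL; the host and port default to the placeholders from the "bad" Realm above, and it is meant to be run with the same JVM and the same -Djavax.net.ssl.trustStore* options you intend to give Tomcat.

```java
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Hypothetical diagnostic (not Tomcat code): performs the TLS handshake to the
// LDAPS port with the JVM's default trust store, which is what JNDIRealm relies
// on for an ldaps:// connectionURL. Launch it with the same JVM and the same
// -Djavax.net.ssl.trustStore* options you plan to give Tomcat.
public class LdapsTrustCheck {
    public static void main(String[] args) throws Exception {
        // Defaults are the placeholders from the "bad" Realm in the thread.
        String host = args.length > 0 ? args[0] : "xxxxx.xxxx.com";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 3269;

        System.out.println("javax.net.ssl.trustStoreType = "
                + System.getProperty("javax.net.ssl.trustStoreType", "(JVM default cacerts)"));

        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // Since JDK 8u181 the JNDI LDAP provider also verifies the host name
            // against the certificate for ldaps://, so do the same here.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("LDAPS");
            socket.setSSLParameters(params);
            socket.startHandshake();

            System.out.println("Handshake OK: the JVM trusts the server's chain");
            for (Certificate c : socket.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject=" + x.getSubjectX500Principal()
                        + " issuer=" + x.getIssuerX500Principal());
            }
        } catch (SSLHandshakeException e) {
            // "unable to find valid certification path" here means the issuing CA
            // is missing from the trust store the JVM is using, which is the usual
            // reason ldap:// works while ldaps:// reports the server as unreachable.
            System.out.println("Handshake FAILED: " + e.getMessage());
        }
    }
}
```

Running it once with no extra options and once with -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT shows directly whether Bill's suggestion changes the outcome on that host.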