8 Replies Latest reply on Nov 26, 2007 7:03 AM by 807573

    Can't authenticate against LDAP running on port 636

    807573
      Hi,

      I have a login page on my website that authenticates users against an active directory. I have been successful in connecting to and authenticating my users against the active directory when I use the following:

      import netscape.ldap.LDAPConnection;   // Mozilla/Netscape LDAP Java SDK

      int port = 389;                     // plain LDAP, no TLS on this port
      String host = "hostA";
      LDAPConnection ld = new LDAPConnection();   // default factory: ordinary TCP socket
      ld.connect(host, port);
      ld.authenticate(dname, password);   // simple bind: the password crosses the network in the clear

      But I am unsuccessful when I do the following:

      int port = 636;                     // LDAPS: the server expects a TLS handshake before any LDAP message
      String host = "hostB";
      LDAPConnection ld = new LDAPConnection();   // default factory still makes a plain socket, no TLS
      ld.connect(host, port);             // TCP connect succeeds, so isConnected() reports true
      ld.authenticate(dname, password);   // first bytes sent are an unencrypted LDAP bind, not a TLS ClientHello;
                                          // the server drops the connection and the SDK reports error 81

      The "ld.connect(host, port)" will be successful but the "ld.authenticate(dname, password)" will return the following error:

      netscape.ldap.LDAPException: Server or network error (81)
      at netscape.ldap.LDAPConnThread.networkError(LDAPConnThread.java:687)
      at netscape.ldap.LDAPConnThread.run(LDAPConnThread.java:479)

      It seems that hostB uses LDAP over SSL, which is why the port is 636. When I output "ld.isConnected()" after "ld.connect(host, port)", it states that it is connected, so I'm not sure what the error message means. Is there anything I need to change in my code so that I can authenticate my users against the active directory in hostB? Please help. Thanks!
        • 1. Re: Can't authenticate against LDAP running on port 636
          807573
          You want to use LDAPConnection(LDAPSocketFactory factory) to connect with SSL.

          From the documentation:

          Constructs a new LDAPConnection object that will use the specified socket factory class to create socket connections. The socket factory class must implement the LDAPSocketFactory interface.
          (For example, the LDAPSSLSocketFactory class implements this interface.)

          Regards,

          Ludovic.
          • 2. Re: Can't authenticate against LDAP running on port 636
            807573
            Hi,

            I found some code elsewhere which passed in a JSSESocketFactory into the LDAPConnection, like the following:

             import netscape.ldap.LDAPConnection;
             import netscape.ldap.factory.JSSESocketFactory;

             JSSESocketFactory fact = new JSSESocketFactory(null);   // null = JSSE default cipher suites;
                                                                     // server cert is checked against the JVM's default truststore
             LDAPConnection ld = new LDAPConnection(fact);           // connect() now performs a TLS handshake

            I've implemented that into my code but now I have a new error:

            netscape.ldap.LDAPException: SSL connection to <hostname>:636, sun.security.validator.ValidatorException: No trusted certificate found (91)
            at netscape.ldap.factory.JSSESocketFactory.makeSocket(JSSESocketFactory.java:105)
            at netscape.ldap.LDAPConnSetupMgr.connectServer(LDAPConnSetupMgr.java:418)
            at netscape.ldap.LDAPConnSetupMgr.openSerial(LDAPConnSetupMgr.java:350)
            at netscape.ldap.LDAPConnSetupMgr.connect(LDAPConnSetupMgr.java:244)
            at netscape.ldap.LDAPConnSetupMgr.openConnection(LDAPConnSetupMgr.java:170)
            at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:1042)
            at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:924)
            at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:768)

            Where is it looking for this certificate?
            Is it looking for it at the LDAP server or the server running my application?
            What is this certificate?

            Anyone?

            Thanks.
            • 3. Re: Can't authenticate against LDAP running on port 636
              807573
              Hi guys,

              Ok, I've just received a certificate from the LDAP admin. It's called "BMSICA_Cert.cer".

              What am I supposed to do with this cert?

              My application is running on Linux.

              I will continue to do my research, but if you know the answer, please reply. Thanks.

              Edited by: killdurst on Nov 23, 2007 12:08 PM
              • 4. Re: Can't authenticate against LDAP running on port 636
                EJP
                Import it into your truststore, e.g. $JAVA_HOME/lib/security/cacerts, with 'keytool'.
                • 5. Re: Can't authenticate against LDAP running on port 636
                  807573
                  Hi,

                  I typed the following:

                  keytool -import -file BMSICA_Cert.cer -keystore /usr/java/j2sdk1.4.2_06/jre/lib/security/cacerts

                  When it asked for the password, i typed, "changeit".

                  After adding, I re-started my Tomcat and tried to login.

                  I still get the following error:

                  netscape.ldap.LDAPException: SSL connection to BMSIAD01.bmsi.a-star.edu.sg:636, sun.security.validator.ValidatorException: No trusted certificate found (91)

                  Is there something else I need to do?

                  Thanks.
                  • 6. Re: Can't authenticate against LDAP running on port 636
                    EJP
                    Sounds like Tomcat is using a different truststore.
                    • 7. Re: Can't authenticate against LDAP running on port 636
                      807573
                      Oh dear, then what should I do?

                      Below is my code:

                       JSSESocketFactory fact = new JSSESocketFactory(null);   // trust comes from the truststore of the JVM running Tomcat
                       LDAPConnection ld = new LDAPConnection(fact);
                       ld.connect("BMSIAD01.bmsi.a-star.edu.sg", 636);          // TLS handshake and certificate validation happen here

                      The third line is the one giving the error:

                      netscape.ldap.LDAPException: SSL connection to BMSIAD01.bmsi.a-star.edu.sg:636, sun.security.validator.ValidatorException: No trusted certificate found (91)
                      at netscape.ldap.factory.JSSESocketFactory.makeSocket(JSSESocketFactory.java:105)
                      at netscape.ldap.LDAPConnSetupMgr.connectServer(LDAPConnSetupMgr.java:418)
                      at netscape.ldap.LDAPConnSetupMgr.openSerial(LDAPConnSetupMgr.java:350)
                      at netscape.ldap.LDAPConnSetupMgr.connect(LDAPConnSetupMgr.java:244)
                      at netscape.ldap.LDAPConnSetupMgr.openConnection(LDAPConnSetupMgr.java:170)
                      at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:1042)
                      at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:924)
                      at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:768)

                       If anyone has encountered a similar error and has successfully solved it, please help me... it's driving me nuts. Thanks.

                      Edited by: killdurst on Nov 26, 2007 10:34 AM
                      • 8. Re: Can't authenticate against LDAP running on port 636
                        807573
                        I've solved it!

                        I created a keystore.

                        Imported the certificate into the keystore.

                        Told Tomcat where the keystore is.

                        And now I can login successfully!

                        Thanks all for your help....
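The three steps in the solved post (create a truststore, import the admin's certificate, point the JVM at it) as one runnable program. This is an added example, not code from the thread: it assumes the Mozilla/Netscape LDAP Java SDK (netscape.ldap.*) on the classpath, a JKS truststore already built with keytool -import from a file such as BMSICA_Cert.cer, and Java 7 or newer for SSLParameters.setEndpointIdentificationAlgorithm. The class name LdapsBind, the PinnedTrustSocketFactory helper and the authenticate method are my own. Loading the truststore explicitly in code removes the ambiguity that stalled the thread, namely which cacerts file the JVM running Tomcat actually reads.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPException;
import netscape.ldap.LDAPSocketFactory;

/*
 * Added example (not from the thread): LDAPS simple bind against Active
 * Directory using an explicit truststore. Assumes the Mozilla/Netscape
 * LDAP Java SDK on the classpath and Java 7+ for endpoint identification.
 */
public final class LdapsBind {

    /** Socket factory that trusts only the certificates in one truststore file. */
    static final class PinnedTrustSocketFactory implements LDAPSocketFactory {
        private final SSLSocketFactory sslFactory;

        PinnedTrustSocketFactory(String trustStorePath, char[] trustStorePassword)
                throws IOException, GeneralSecurityException {
            // The JKS file produced by "keytool -import -file BMSICA_Cert.cer
            // -keystore <trustStorePath>". The JDK's own cacerts is not consulted,
            // so it no longer matters which JDK Tomcat happens to run under.
            KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(trustStorePath)) {
                trustStore.load(in, trustStorePassword);
            }
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trustStore);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            sslFactory = ctx.getSocketFactory();
        }

        public Socket makeSocket(String host, int port) throws LDAPException {
            try {
                SSLSocket s = (SSLSocket) sslFactory.createSocket(host, port);
                // Chain validation alone does not prove the certificate was issued
                // for this host name; ask JSSE to match the name as well.
                SSLParameters p = s.getSSLParameters();
                p.setEndpointIdentificationAlgorithm("LDAPS");
                s.setSSLParameters(p);
                s.startHandshake();   // validate now, before any LDAP PDU is sent
                return s;
            } catch (IOException e) {
                throw new LDAPException("SSL connection to " + host + ":" + port
                        + " failed: " + e, LDAPException.CONNECT_ERROR);
            }
        }
    }

    /**
     * Returns true when userDn/userPassword bind successfully, false on wrong
     * credentials; an untrusted certificate or network failure is thrown.
     */
    static boolean authenticate(String host, String trustStorePath, char[] trustStorePassword,
                                String userDn, String userPassword)
            throws IOException, GeneralSecurityException {
        // Active Directory treats a simple bind with an empty password as an
        // anonymous bind and answers "success"; a login page must refuse it.
        if (userPassword == null || userPassword.isEmpty()) {
            return false;
        }
        LDAPConnection ld = new LDAPConnection(
            new PinnedTrustSocketFactory(trustStorePath, trustStorePassword));
        try {
            ld.connect(host, 636);                   // TLS handshake runs inside makeSocket
            ld.authenticate(userDn, userPassword);   // simple bind, now protected by TLS
            return true;
        } catch (LDAPException e) {
            if (e.getLDAPResultCode() == LDAPException.INVALID_CREDENTIALS) {
                return false;
            }
            throw new IOException("LDAPS bind to " + host + " failed: " + e, e);
        } finally {
            try {
                if (ld.isConnected()) ld.disconnect();
            } catch (LDAPException ignored) {
                // connection already gone; nothing left to release
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 4 || console == null) {
            System.err.println("usage (interactive): LdapsBind <host> <truststore.jks> <truststore-password> <userDn>");
            System.exit(2);
        }
        char[] pw = console.readPassword("Password for %s: ", args[3]);
        boolean ok = authenticate(args[0], args[1], args[2].toCharArray(), args[3], new String(pw));
        System.out.println(ok ? "bind succeeded" : "invalid credentials");
    }
}
```

Run it as java LdapsBind BMSIAD01.bmsi.a-star.edu.sg /path/to/truststore.jks changeit "CN=someone,..." and type the user's password at the prompt. If you would rather keep the thread's JSSESocketFactory(null), the equivalent is to start Tomcat with -Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit in JAVA_OPTS; either way the trust anchor has to be the CA (or the server certificate itself) that signed what the server presents on port 636, and the empty-password check above is needed regardless of how trust is configured.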