swri-robotics / bag-database

A server that catalogs bag files and provides a web-based UI for accessing them.

external ldaps #116

Open ptulpen opened 3 years ago

ptulpen commented 3 years ago

Hello, I really like the new feature using LDAP, but I currently have 2 issues with an external DC as the LDAP server:

Is there maybe something special to keep in mind when the LDAP server is an AD?

Best regards, Peter

pjreed commented 3 years ago

If the server's certificate is signed by a trusted authority, I would expect it to work without any issues; the URL for that would look something like ldaps://ldap.company.com:636.

Right now there's not a way in the config to easily add a custom certificate authority, although I can see how that would be useful. At the moment, the easiest way to add one would probably be to build a custom Docker image that adds your certificates. I think the Tomcat instance in the container uses the default Java certificate store, which should be at /usr/local/openjdk-11/lib/security/cacerts, and you could modify the default Dockerfile to use keytool to import your certificate. I haven't tested it, but I think that should work.

I haven't actually used Active Directory, only slapd, so I'm not sure if it has any special requirements, but if you have other programs that can bind to it successfully, I would expect it to work. Just to make sure you've got the bind DN, password, and search base all right, you might try using ldapsearch from the command line to see if it can connect and get results.
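
The custom-image approach suggested in the comment above could look like the following. This is an added example, not part of the thread and not the project's own Dockerfile; it derives from an existing image instead of editing the default Dockerfile, and `BASE_IMAGE`, `company-ca.crt` and the alias `company-internal-ca` are placeholder names assumed for illustration.

```dockerfile
# Added example: layer an internal CA into the JVM trust store of an existing
# bag-database image. Build with:
#   docker build --build-arg BASE_IMAGE=<the image you deploy> -t bag-database-ldaps .
ARG BASE_IMAGE
FROM ${BASE_IMAGE}

# Trust store path as quoted in the comment above (untested there; assumed to
# be the store the Tomcat JVM actually reads).
ARG CACERTS=/usr/local/openjdk-11/lib/security/cacerts
# "changeit" is the stock password of the JDK's bundled cacerts file.
ARG STOREPASS=changeit
# Hypothetical alias for the CA that signed the domain controller's certificate.
ARG CA_ALIAS=company-internal-ca

# Copy the CA certificate (PEM or DER), not the server's own leaf certificate:
# trusting the CA keeps working when the DC certificate is renewed.
COPY company-ca.crt /tmp/company-ca.crt

# Assumes keytool is on PATH and the build user may write to $CACERTS.
# Note the scope: every TLS connection this JVM makes will now trust this CA,
# not only the LDAPS bind.
RUN set -eu; \
    keytool -importcert -noprompt -trustcacerts \
        -alias "$CA_ALIAS" \
        -file /tmp/company-ca.crt \
        -keystore "$CACERTS" \
        -storepass "$STOREPASS"; \
    keytool -list \
        -alias "$CA_ALIAS" \
        -keystore "$CACERTS" \
        -storepass "$STOREPASS"; \
    rm -f /tmp/company-ca.crt
```

The second `keytool` call fails the build if the alias did not land in the store. The same CA file can be checked against the server first with `LDAPTLS_CACERT=company-ca.crt ldapsearch -x -H ldaps://ldap.company.com:636 -D "<bind DN>" -W -b "<search base>"`, which exercises the bind DN, password and search base over a validated TLS connection.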