I am using JNDI to connect to a remote OpenLDAP server via ldaps by the following code:
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, connectionType);
env.put(Context.PROVIDER_URL, ldapUrl);
env.put(Context.SECURITY_PRINCIPAL, userDn);
env.put(Context.SECURITY_CREDENTIALS, password);
String truststorePath = "C:\\Software\\OpenSSL-Win64\\CertificateEntityMatching\\truststore.ks";
String keystorePath = "C:\\Software\\OpenSSL-Win64\\CertificateEntityMatching\\keystore.ks";
String keyStorePassword = "123456789";
System.setProperty("javax.net.ssl.trustStore", truststorePath);
System.setProperty("javax.net.ssl.keyStore", keystorePath);
System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
try {
InitialLdapContext ldap = new InitialLdapContext(env, null);
System.out.println("Connect to LDAP successfully.");
return ldap;
} catch (AuthenticationException e) {
e.printStackTrace();
return null;
} catch (NamingException e) {
e.printStackTrace();
return null;
}
Here is how I enable TLS in my slapd.conf file on the OpenLDAP server:
# Enable TLS
TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3
TLSVerifyClient demand
TLSCertificateFile /usr/local/etc/openldap/tls/certificate.pem
TLSCertificateKeyFile /usr/local/etc/openldap/tls/key.pem
The server's certificate.pem has alreay been added to the truststore of my application, so if TLSVerifyClient was set to never, my applicaiton can connect to LDAP server successfully. The problem is when I set TLSVerifyClient to demand, LDAP server rejects the connection because my applicaton uses a self-signed certificate:
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_accept:error in error
TLS: can't accept: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed (self signed certificate).
5bd922de connection_read(16): TLS accept failure error=-1 id=1001, closing
Could anyone guide me how to make OpenLDAP server trust the self-signed certificate of my application? Is there something similar to "truststore" for OpenLDAP server? Thanks in advance.