
CrushLDAPGroup - Connect to LDAP over SSL

dcstalls @ Wed Mar 05 14:31:32 EET 2014
I am trying to configure Crush to authenticate users from my LDAP over an encrypted session. I can authenticate users successfully using:

ldap://domain.org:389/

However if I try to use port 636 it fails. I have tried the following:

ldap://domain.org:636/
ldap://server.domain.org:636/
ldaps://domain.org:636/
ldaps://server.domain.org:636/

but I get the following error:

ERROR:javax.naming.NamingException: simple bind failed (URL)

I know LDAPS on my domain controllers work as I have other devices that use them to authenticate as well. I am using a wildcard SSL from GoDaddy on the DC.

spinkb @ Wed Mar 05 15:33:10 EET 2014
If the certificate that the server presents with LDAPS on port 636 is not a publicly trusted cert for the DNS name used...(yours isn't) then you need to first import your CA certificate into the Java install's cacerts file so that it can be trusted.

Then ldaps://yourdomain.com:636/ will work fine.

Thanks,
Ben
dcstalls @ Wed Mar 05 15:50:46 EET 2014
But it is a publicly trusted certificate. It is a wildcard ssl cert from GoDaddy.
spinkb @ Wed Mar 05 16:08:43 EET 2014
You're certain connectivity is in place? You can reach port 636?

Connect with a web browser and verify that https://domain.com:636/ reports a valid certificate (ignore the rest of the errors)...but the browser will validate the SSL certificates.

Thanks,
Ben
dcstalls @ Wed Mar 05 16:38:49 EET 2014
I am certain about the connectivity, however your test does not work (and I don't know why it would). My DCs do not have IIS installed so I am not sure how an HTTP/HTTPS request would be answered.

I do have other appliances (firewalls/VPN/etc.) that use 636 in order to authenticate users that are working fine. I am able to telnet to the server without any error - but that is not going to tell me about the cert, just that 636 is listening. However on Windows 2012 port 636 will only start listening if there is a single, valid certificate in the local store (which there is).
dcstalls @ Wed Mar 05 20:15:22 EET 2014
Just for giggles... how would I import the cert into the "Java install's cacerts file" on the Windows Server that CrushFTP is running on? I know in the past I have heard things about Java not trusting GoDaddy's G2 CA certificates as GoDaddy has not submitted them to Java. All wildcard certs are issued from GoDaddy G2, instead of the normal GoDaddy CA.
spinkb @ Thu Mar 06 02:00:34 EET 2014
cacerts is in the Java install location, lib, security folder I believe. You can open this with the graphical tool "portecle" easily, and add in the G2 CA cert there.

You can do it on the command line with a keytool import as well. Googled, and here is a simple guide.

http://www.windowsazure.com/en-us/documentation/articles/java-add-certificate-ca-store/
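To make the two steps Ben describes concrete (check the chain the DC actually serves on 636, then import the issuing CA into the Java truststore), here is an added example script. It is not from this thread or from CrushFTP; it assumes `openssl` and `keytool` are on PATH, that `JAVA_HOME` points at the JRE CrushFTP actually runs under (CrushFTP may bundle its own, so check which `cacerts` is in play), and that `CA_PEM` is the GoDaddy G2 CA certificate file you obtained from GoDaddy. The transcript samples embedded below are constructed, not captured from the poster's DCs. The `keytool` arguments are identical when typed into cmd or PowerShell on the Windows server; only the shell plumbing around them is POSIX sh.

```shell
#!/bin/sh
# Added example (not from the thread or CrushFTP): verify the LDAPS chain a DC
# serves on 636, then import the issuing CA into the Java cacerts CrushFTP uses.
# Assumptions: openssl and keytool on PATH; JAVA_HOME = JRE running CrushFTP;
# the CA file passed in is the GoDaddy G2 CA certificate obtained from GoDaddy.

# Return 0 when an `openssl s_client` transcript reports a verified chain.
# Pure text check, so it can be exercised on a saved transcript with no network.
ldaps_chain_ok() {
    printf '%s\n' "$1" | grep -q '^ *Verify return code: 0 (ok)'
}

# Extract the verify result text, e.g. "20 (unable to get local issuer certificate)".
ldaps_verify_reason() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: *//p' | head -n 1
}

# Fetch the chain from a DC (needs network). -servername sends SNI; -CAfile makes
# openssl trust the same CA that Java will trust once it is in cacerts, so this
# mirrors what CrushFTP's bind sees. Use the DC's FQDN: *.domain.org covers
# server.domain.org but not the bare domain.org.
ldaps_probe() {                 # usage: ldaps_probe server.domain.org /path/to/ca.pem
    openssl s_client -connect "$1:636" -servername "$1" -showcerts \
        -CAfile "$2" </dev/null 2>/dev/null
}

# Import the CA into cacerts and confirm the alias is present. Restart CrushFTP
# afterwards; the truststore is read when the JVM starts.
import_ca_into_cacerts() {      # usage: import_ca_into_cacerts /path/to/ca.pem godaddy-g2
    store="${JAVA_HOME:?set JAVA_HOME to the JRE running CrushFTP}/lib/security/cacerts"
    keytool -importcert -trustcacerts -noprompt -alias "$2" -file "$1" \
        -keystore "$store" -storepass changeit &&   # "changeit" is the JDK default password
    keytool -list -keystore "$store" -storepass changeit -alias "$2"
}

# Constructed transcripts (not captured from the poster's DCs) showing both outcomes.
SAMPLE_BAD='CONNECTED(00000003)
depth=0 CN = *.domain.org
verify error:num=20:unable to get local issuer certificate
    Verify return code: 20 (unable to get local issuer certificate)'
SAMPLE_GOOD='CONNECTED(00000003)
depth=2 C = US, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
    Verify return code: 0 (ok)'

ldaps_chain_ok "$SAMPLE_BAD"  || echo "chain NOT trusted: $(ldaps_verify_reason "$SAMPLE_BAD")"
ldaps_chain_ok "$SAMPLE_GOOD" && echo "chain trusted: $(ldaps_verify_reason "$SAMPLE_GOOD")"

# Real run (commented out because it needs the DC and the CA file):
#   out=$(ldaps_probe server.domain.org /path/to/gd_g2.pem)
#   ldaps_chain_ok "$out" || { echo "$(ldaps_verify_reason "$out")"; }
#   import_ca_into_cacerts /path/to/gd_g2.pem godaddy-g2
```

Probe each DC separately rather than the bare domain name: DNS round-robin for `domain.org` can land on any DC, and one DC with a bad certificate in its store will make the result look intermittent.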
spinkb @ Thu Mar 06 02:12:59 EET 2014
[quote=dcstalls]I am certain about the connectivity, however your test does not work (and I don't know why it would). My DCs do not have IIS installed so I am not sure how an HTTP/HTTPS request would be answered.

I do have other appliances (firewalls/VPN/etc.) that use 636 in order to authenticate users that are working fine. I am able to telnet to the server without any error - but that is not going to tell me about the cert, just that 636 is listening. However on Windows 2012 port 636 will only start listening if there is a single, valid certificate in the local store (which there is).[/quote]

Has nothing to do with IIS. You are simply using the web browser to connect to a SSL port so you can validate the SSL cert chain.

But since you mention the other things that are using it, you don't need to test that.
dcstalls @ Thu Mar 06 04:04:21 EET 2014
I am still getting the same error... I have loaded all of the GoDaddy root/CA/intermediate certs and even the wildcard cert itself and nothing works :(
spinkb @ Thu Mar 06 10:33:53 EET 2014
And CrushFTP was restarted too?

What is CrushFTP logging in its CrushFTP.log file when you test the connection?
dcstalls @ Thu Mar 06 11:18:26 EET 2014
Ok, I will admit that I was still playing with this at 3:00am... I retested so I could send the logs and BAM it worked!!??

However it only appears to work on a specific DC so let me do some more digging/testing with that DC as well as the cert requirements within Java.
dcstalls @ Thu Mar 06 13:20:07 EET 2014
Thanks for the patience and awesome support... it looks like when I started testing, my manual settings of server.domain.net and domain.net were both going to the same DC (that also had a corrupt certificate). After deleting and re-importing on that one DC, all LDAPS tests to all DCs are successful!
dcstalls @ Fri Mar 14 00:52:58 EET 2014
Just as an update, the GoDaddy G2 CA cert does need to be added to the Java certificate store. Once that is done, Java (and CrushFTP) will trust all certs signed using GoDaddy G2. By default all wildcard certs are signed using the G2 cert and GoDaddy has not provided this to Java, and Java will not simply go to GoDaddy's website, download it and include it with their other updates.