Updated LDAP cert not reflected in PWM


ryan....@gmail.com

Apr 29, 2015, 1:43:59 PM
to pwm-g...@googlegroups.com
Greetings,

Using the Java keytool commands, I deleted an older LDAP cert and imported a new one. However, the LDAP Certificate listed in PWM (Settings -> LDAP Directory) still shows the information for the cert that was removed from the Keystore. I cleared the imported LDAP server certificates in PWM and imported them again to see if that did anything, but the old cert information still shows up. Should the updated cert info appear here? PWM is able to successfully connect to our domain controller, so all seems to be working otherwise.

PWM Version: 1.7.1
Java JDK Version 1.8.0_45
Tomcat Version: 7
Host: Windows Server 2012 R2

Thanks,
Mark

Menno Pieters

Apr 30, 2015, 9:36:41 AM
to pwm-g...@googlegroups.com
Those keystores are completely different ones. The one shown in the settings is stored in the configuration file, not the Java keystore.


--
You received this message because you are subscribed to the Google Groups "pwm-general" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pwm-general...@googlegroups.com.
To post to this group, send email to pwm-g...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pwm-general/b4d48808-8637-433c-8da3-bcc28a82fc7c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

ryan....@gmail.com

Apr 30, 2015, 9:41:01 AM
to pwm-g...@googlegroups.com
Menno,

Is there something I need to do to update the cert information that is stored in the PWM configuration file? If so, how would I go about doing that?

Thanks for your time and help.

Regards,
Mark

Menno Pieters

May 3, 2015, 11:25:22 AM
to pwm-g...@googlegroups.com
Via the configuration menu -> import LDAP Certificates.

ryan....@gmail.com

May 4, 2015, 8:15:31 AM
to pwm-g...@googlegroups.com
Menno,

Alrighty, I have cleared and imported the certs a few times but the old one keeps showing up. This is what I did:
1. Configuration Menu -> Clear Imported LDAP Server Certificates
2. Reboot server
3. Configuration -> Import LDAP Certificates

The old cert is what appears in the LDAP Certificates section on the LDAP Directory page.

4. Ran the Java keytool -list and -list -v commands to check the Java keystore - confirmed the new certificate is in the keystore, not the old one.

The old cert had a validity date that expires Aug 20, 2015. The new cert expires April 19, 2016 - this is the one in the keystore.

So, I'm at a bit of a loss.

Thanks again for your time.

Mark

Menno Pieters

May 4, 2015, 5:13:56 PM
to pwm-g...@googlegroups.com
Could you run: openssl s_client -connect <ldap_host>:<ldap_ssl_port> -showcerts

This should show the certificate installed and active on the LDAP server.

- Menno

Mark Ryan

May 5, 2015, 9:47:59 AM
to pwm-g...@googlegroups.com
Okay, I ran that command on the PWM host server and it connected to our LDAP server. It "opened" up a cert that looks to be one I need to see and it looks like the characters in the cert between the "---Begin Certificate---" and "---End Certificate---" match up with what I see in the PwmConfiguration.xml file under the LDAP Certificates section.

Does this mean that PWM is reading the correct cert and I got myself confused when I saw a "newer" cert that our CA issued?

Thanks once again,
Mark


Menno Pieters

May 5, 2015, 3:47:57 PM
to pwm-g...@googlegroups.com
You're seeing the LDAP server cert, not the CA cert... that may be the issue. If you add the CA cert to the Java cacerts, you do not need to import the LDAP certs into the configuration at all.

- Menno
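The check Menno suggests (pull the chain the LDAP server actually presents with openssl s_client -showcerts) and the comparison Mark then did by eye against PwmConfiguration.xml can be scripted so that the leaf certificate and the issuing CA are told apart and matched by fingerprint rather than by visual inspection. The script below is an added example, not code from this thread or from the PWM project. It assumes openssl is on the PATH (only the live fetch and the human-readable summary need it; the fingerprint comparison uses the Python standard library), and it assumes PWM stores each imported certificate as base64 DER, either inside BEGIN/END CERTIFICATE markers or as a bare base64 blob; the element names it reads are not taken from PWM's real config format.

```python
"""Cross-check the certificate chain an LDAP server presents over TLS against
the certificate blobs stored in PwmConfiguration.xml.

Added example, not code from the thread or from PWM. Assumptions:
  * `openssl` is on PATH (needed only for the live fetch and the readable
    summary; the fingerprint comparison itself is standard library only)
  * the configuration file stores each imported certificate as base64 DER,
    either inside BEGIN/END CERTIFICATE markers or as a bare base64 blob
"""
import base64
import hashlib
import re
import subprocess
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
# A DER certificate starts with a SEQUENCE tag, which base64-encodes as "MII".
BARE_B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])(MII[A-Za-z0-9+/\s]{200,}={0,2})")


def pem_bodies(text):
    """Return the base64 bodies of all BEGIN/END CERTIFICATE blocks in text."""
    return [m.group(1) for m in PEM_RE.finditer(text)]


def fingerprint(b64_body):
    """SHA-256 fingerprint of the DER certificate, in openssl's AA:BB:... form."""
    der = base64.b64decode("".join(b64_body.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def config_cert_bodies(config_text):
    """Certificate blobs found in the PWM configuration file (assumed layout)."""
    bodies = pem_bodies(config_text)
    if bodies:
        return bodies
    return [m.group(1) for m in BARE_B64_RE.finditer(config_text)]


def live_chain(host, port, timeout=15):
    """Fetch the chain the server presents, via `openssl s_client -showcerts`."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-showcerts"],
        input=b"", capture_output=True, timeout=timeout)
    return pem_bodies(proc.stdout.decode("utf-8", "replace"))


def describe(b64_body):
    """Subject/issuer/expiry via `openssl x509`; degrades gracefully without it."""
    pem = "-----BEGIN CERTIFICATE-----\n" + b64_body + "\n-----END CERTIFICATE-----\n"
    try:
        out = subprocess.run(
            ["openssl", "x509", "-noout", "-subject", "-issuer", "-enddate"],
            input=pem.encode(), capture_output=True, check=True).stdout.decode()
        return out.strip().replace("\n", " | ")
    except (OSError, subprocess.CalledProcessError):
        return "(openssl unavailable or input is not a certificate)"


def compare(live_bodies, config_bodies):
    """One dict per certificate the server sent: its position in the chain,
    fingerprint, and whether PWM's configuration holds the same certificate.
    Position 0 is the server (leaf) certificate; later entries are issuers,
    which is the distinction that matters when deciding what belongs in the
    Java cacerts store."""
    stored = {fingerprint(b) for b in config_bodies}
    report = []
    for pos, body in enumerate(live_bodies):
        fp = fingerprint(body)
        report.append({
            "position": pos,
            "role": "server (leaf)" if pos == 0 else "issuer/CA",
            "fingerprint": fp,
            "in_config": fp in stored,
        })
    return report


def main(argv):
    if len(argv) != 4:
        print(f"usage: {argv[0]} <ldap_host> <ldap_ssl_port> <PwmConfiguration.xml>")
        return 2
    host, port, config_path = argv[1], argv[2], argv[3]
    with open(config_path, encoding="utf-8") as fh:
        config_bodies = config_cert_bodies(fh.read())
    live = live_chain(host, port)
    if not live:
        print("no certificates received; check host/port and that TLS is enabled")
        return 1
    for entry in compare(live, config_bodies):
        flag = "MATCHES config" if entry["in_config"] else "NOT in config"
        print(f"[{entry['position']}] {entry['role']}: {flag}")
        print(f"    {entry['fingerprint']}")
        print(f"    {describe(live[entry['position']])}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python ldap_cert_check.py ldap.example.internal 636 PwmConfiguration.xml` (hostname and path are placeholders). A leaf that matches the config while the issuer does not is exactly the situation described above: PWM pinned the server certificate it imported, and a "newer" certificate seen elsewhere (for example the CA's own certificate, or a renewed leaf the server is not yet serving) will never show up in the settings page until the server presents it and the import is repeated, or until the CA certificate is trusted through the Java cacerts store instead.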
