LDAP Certificate change,


ianven...@gmail.com

Feb 10, 2014, 12:31:38 PM
to pwm-g...@googlegroups.com
Hi Everyone,

Is there a way we can change the LDAP certificates that PWM is using? We made some changes with our infra and decommissioned the primary Domain Controller where the PWM server is pointing.

I made some changes on the LDAP URLs setting and changed the server name to point to the new server, but no dice.

Here's the error that I'm seeing:

Directory unavailable. If this error occurs repeatedly please contact your helpdesk. { 5017 ERROR_DIRECTORY_UNAVAILABLE ( error connecting as proxy user: unable to create connection: unable to connect to any configured ldap url, last error: unable to bind to ldaps://servername.domainname.com:636 as cn=Password Reset Service Account,cn=Managed Service Accounts,dc=domainname,dc=com reason: CommunicationException (servername.domainame.com:636; servername.domainname.com)) }


Thanks in Advance.

Best
Ian

Jared Jennings

Feb 10, 2014, 1:02:14 PM
to pwm-g...@googlegroups.com, ianven...@gmail.com
Maybe it's only on a certain version, but it appears to me that you can re-import the certificate. I was able to on a test I ran here.

ianven...@gmail.com

Feb 10, 2014, 1:43:03 PM
to pwm-g...@googlegroups.com, ianven...@gmail.com

Thanks for the response Jared. It seems that it's only available on a certain version, but I have found a similar option under "Action". Let me try that one and I will post an update here on how it goes.

Thanks,
Ian

ianven...@gmail.com

Feb 10, 2014, 4:13:14 PM
to pwm-g...@googlegroups.com, ianven...@gmail.com

I just tried to clear the LDAP certificate and import a new one, but it seems that it can't connect to the new AD server. I have all the entries changed to point to the new server.

Am I missing something here?

Thanks,
Ian

Jared Jennings

Feb 10, 2014, 4:23:27 PM
to pwm-g...@googlegroups.com, ianven...@gmail.com, ianven...@gmail.com
Can you try using an LDAP browser?
-- 
Jared

From: ianven...@gmail.com
Reply: pwm-g...@googlegroups.com
Date: February 10, 2014 at 3:13:16 PM
To: pwm-g...@googlegroups.com
Cc: ianven...@gmail.com
Subject: [pwm-general] Re: LDAP Certificate change,

paul.b...@gmail.com

Feb 10, 2014, 6:13:36 PM
to pwm-g...@googlegroups.com, ianven...@gmail.com
Assuming the LDAP server has moved off the PDC onto a new host? If this is the case, the new server is presenting a certificate, but who has signed the cert? Is it a self-signed cert or signed by an internal CA?

In either case, you'll want to import the CA certificate into the java keystore with something like this - change the location for the cacerts file relevant for the JVM running tomcat:

% keytool -import -keystore ....java/jre/lib/security/cacerts -file /var/tmp/ca.pem

Also, it's worth going back to basics - can you query using ldapsearch from the command line?

Haven't got PWM in front of me at the moment, but I think there's also an option in the config manager to disable strict SSL certificates - it's somewhere in the LDAP section. This will tell PWM to accept the LDAPS connection even if it can't validate the certificate chain of trust. Doing that will probably get you off the ground if it's a certificate trust issue, but you will want to revisit this, import the CA cert and then re-enable strong use of SSL.

Regards

Paul
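As an added example (not code from this thread or from PWM), the script below does what Paul describes in a checkable way: it pulls the chain the new server presents on 636, shows the subject, issuer and Basic Constraints of the topmost certificate so you can confirm it is your internal CA and not the DC's own leaf cert, and only then imports it into the JVM's cacerts under a named alias. The host name in `LDAP_HOST`, the `CACERTS` path, the `CA_ALIAS` and the default `changeit` store password are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or PWM. Assumed: LDAP_HOST (new DC),
# CACERTS (cacerts of the JVM running Tomcat), CA_ALIAS, store password "changeit".
set -eu
# Split a PEM bundle (e.g. `openssl s_client -showcerts` output) into
# $2/cert-N.pem, one file per certificate, and print how many were written.
split_pem_chain() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1; out = dir "/cert-" n ".pem" }
        inside { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}
# Fetch every certificate the server sends in the TLS handshake on the given port.
# The server's own (leaf) cert comes first; the last one is the highest CA it sent.
fetch_chain() {
    host=$1; port=$2; bundle=$3
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null > "$bundle"
}
# Show subject, issuer and Basic Constraints: trust the file only if it is the
# internal CA (CA:TRUE), not the DC's leaf certificate.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' || true
}
# Import the CA into the JVM trust store and list the entry to confirm it landed.
import_ca() {
    cafile=$1; cacerts=$2; alias=$3
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
        -file "$cafile" -keystore "$cacerts" -storepass changeit
    keytool -list -keystore "$cacerts" -storepass changeit -alias "$alias"
}
main() {
    work=$(mktemp -d)
    fetch_chain "$LDAP_HOST" 636 "$work/chain.pem"
    n=$(split_pem_chain "$work/chain.pem" "$work/certs")
    [ "$n" -gt 0 ] || { echo "no certificates received from $LDAP_HOST:636" >&2; exit 1; }
    describe_cert "$work/certs/cert-$n.pem"
    import_ca "$work/certs/cert-$n.pem" "$CACERTS" "$CA_ALIAS"
}
# Run the network and keystore steps only when asked (RUN_IMPORT=1), so the
# helper functions can be sourced and exercised on their own.
if [ "${RUN_IMPORT:-0}" = 1 ]; then main; fi
```

If the topmost certificate prints CA:FALSE, the DC sent only its leaf cert and you need to export the CA certificate from the issuing CA itself rather than import what the handshake showed. Restart Tomcat after the import, since the JVM reads cacerts at startup.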