Last modified by Pascal Bastien on 2017/07/17 10:26

From version 36.1
edited by Thomas Mortagne
on 2016/08/03 17:12
To version 37.1
edited by Pascal Bastien
on 2016/11/03 18:05
Change comment: Add Use LDAP over SSL (ldaps authentication) section



Page properties
... ... @@ -1,1 +1,1 @@
1 -xwiki:XWiki.ThomasMortagne
1 +xwiki:XWiki.pbas
... ... @@ -186,3 +186,36 @@
186 186  {{code}}
187 187  xwiki.authentication.ldap.user_group=(&(accountstatus=active)(allowedservice=xwiki))
188 188  {{/code}}
189 +
190 +== Use LDAP over SSL (ldaps authentication) ==
191 +To adds support for SSL connections to the ldap server you need:
192 +* to set (xwiki.authentication.ldap.ssl) parameter in xwiki.cfg(((
193 +{{code language="properties"}}
194 +#-# SSL connection to LDAP server
195 +#-# - 0: normal
196 +#-# - 1: SSL
197 +#-# The default is 0
198 +xwiki.authentication.ldap.ssl=1
199 +{{/code}})))
200 +* and add to the trust store of the JSSE extension the CA certificate which delivered the SSL certificate of the ldap server.(((
201 +From the Sun JSSE documentation: The search order for the locating the trust store is:
202 +1. <java-home>/lib/security/jssecacerts, then
203 +1. <java-home>/lib/security/cacerts
204 +If the file jssecacerts exists, then cacerts is not consulted. So in order to make it work you have to create a trust store named jssecacerts with the following command and place it in the suitable directory of the JRE or JDK used by your container:
205 +{{code}}
206 +keytool -import -trustcacerts -alias ca -file cacert.crt -keystore jssecacerts
207 +{{/code}}
208 +(answer yes when asked if you want to trust the certificate). I read on the web the default password for cacerts is 'changeit' so I used that, I didn't try yet with another password for the trust store.
209 +Since xwiki 8.3, the default extension repositories use httpS and if the file jssecacerts exists (here fore ldapS) then cacerts is not consulted and extension update (and probably install too) display an error: //unable to find valid certification path to requested target//.
210 +The problem is:
211 +* cacerts containing all certificate/keys (and the one for httpS extension repositories)
212 +* jssecacerts containing only ldapS certificate
213 +Then, to use ldapS and extension update, you must import ldapS certicate in existent cacerts file instead to create a new one (and rename it in jssecacerts to not forget it)
214 +{{code}}
215 +cp <java-home>/lib/security/cacerts <java-home>/jre/lib/security/cacerts.ori
216 +<java-home>/bin/keytool -import -trustcacerts -alias ca -file /my/path/ToLdapS/cert/MyLdapCertificate.pem -keystore <java-home>/lib/security/cacerts
217 +mv <java-home>/lib/security/cacerts <java-home>/lib/security/jssecacerts
218 +mv <java-home>/lib/security/cacerts.ori <java-home>/jre/lib/security/cacerts
219 +{{/code}}
220 +)))
221 +(Source:

Get Connected