Active Directory over SSL

Question asked by mjt99 on May 31, 2018
Latest reply on Jun 1, 2018 by mjt99

Good day,
I'm in the middle of my first Alfresco installation and configuration and need some assistance configuring Alfresco to work with Active Directory over SSL.
Here's a summary of what I've done so far:

- Exported the certificate from my AD server

- Imported the cert into the default keystore: C:\alfresco-current\alf_data\keystore\ssl.keystore via the command:

keytool -importcert -alias myad.mydomain -file cert.crt -keystore C:\alfresco-current\alf_data\keystore\ssl.keystore -storetype JCEKS (was I supposed to import this cert into the default keystore?)
alfresco-global.properties

### LDAP Configuration ###

authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
ntlm.authentication.sso.enabled=false
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
# Disable guest logins
ldap.authentication.userNameFormat=%s@domain.com
ldap.authentication.java.naming.provider.url=ldaps://myserver.mydomain:636
ldap.authentication.defaultAdministratorUserNames=svc-alfresco
ldap.synchronization.java.naming.security.principal=svc-alfresco
ldap.synchronization.java.naming.security.credentials=<redacted>
ldap.synchronization.groupSearchBase=OU=SecurityGroups,OU=Groups,OU=Accounts,DC=mydomain
ldap.synchronization.userSearchBase=OU=Users,OU=Groups,OU=Accounts,DC=mydomain
Here's the error I'm seeing in the alfresco.log:
2018-05-31 13:37:46,122 ERROR [org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] [localhost-startStop-1] Unable to connect to LDAP Server; check LDAP configuration
javax.naming.CommunicationException: simple bind failed: myad.mydomain:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)

I've been trying to piece all the documentation together to try to troubleshoot this issue, but I'm not getting very far and could use some help from some experienced users on where to go from here.

Any help would be appreciated.
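The logged error ("PKIX path building failed ... unable to find valid certification path to requested target") is raised by the JVM's own certificate validator, not by Alfresco: the JNDI LDAP provider checks the AD server's certificate chain against the JVM trust store (`lib/security/cacerts`, or whatever `javax.net.ssl.trustStore` points at), and never looks at Alfresco's `alf_data/keystore/ssl.keystore`, which serves the repository-to-Solr TLS link. The diagnostic below is an added example, not code from the original post or from Alfresco. It loads a trust store the same way the JVM does, performs a TLS handshake with the LDAPS port, and reports the chain the server presented with subject, issuer and SHA-256 fingerprint, so you can see exactly which issuer is missing from the trust store. The host `myad.mydomain` and port 636 are taken from the post; the `cacerts` path and the `changeit` password are the JDK defaults; the class name `LdapsTrustCheck` is my choice.

```java
// LdapsTrustCheck.java (added example; assumes the post's host and the JDK's default trust store)
// Usage: java LdapsTrustCheck myad.mydomain 636 [path-to-truststore] [truststore-password]
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class LdapsTrustCheck {

    /** Wraps the JVM's real PKIX trust manager so the presented chain is kept even when validation fails. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] lastChain;

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            lastChain = chain;                              // remember what the server sent
            delegate.checkServerTrusted(chain, authType);   // the real PKIX check; throws on an untrusted issuer
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** Colon-separated SHA-256 fingerprint of the DER encoding, the form keytool -list -v prints. */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "myad.mydomain";       // placeholder host from the post
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;
        // Default: the JVM-wide trust store that JNDI consults unless -Djavax.net.ssl.trustStore overrides it
        String trustStore = args.length > 2 ? args[2]
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString();
        char[] password = (args.length > 3 ? args[3] : "changeit").toCharArray();   // JDK default password

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStore)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager pkix = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { pkix = (X509TrustManager) tm; break; }
        }
        if (pkix == null) throw new IllegalStateException("no X509TrustManager available");
        RecordingTrustManager recorder = new RecordingTrustManager(pkix);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);

        System.out.println("Trust store: " + trustStore + " (" + ks.size() + " entries)");
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.startHandshake();
            System.out.println("OK: " + host + ":" + port + " presented a chain this trust store accepts.");
        } catch (SSLHandshakeException e) {
            // This is the same failure Alfresco logs as "PKIX path building failed"
            System.out.println("FAILED: " + e.getMessage());
        }
        if (recorder.lastChain != null) {
            System.out.println("Chain presented by the server (leaf first):");
            for (X509Certificate c : recorder.lastChain) {
                System.out.println("  subject = " + c.getSubjectX500Principal());
                System.out.println("  issuer  = " + c.getIssuerX500Principal());
                System.out.println("  sha256  = " + sha256Fingerprint(c));
            }
        }
    }
}
```

Run it with the same JVM that runs Alfresco. If the handshake fails, the last certificate printed names the issuer the trust store does not contain; obtain that CA's certificate from whoever operates the AD certificate authority and compare its SHA-256 fingerprint with the one printed here before importing it, since a fingerprint read off the network is only as trustworthy as the network. Import the CA certificate (rather than the server's leaf certificate, which stops matching as soon as AD renews it) with `keytool -importcert -alias myad-ca -file ca.crt -keystore "<java.home>\lib\security\cacerts" -storepass changeit`, then restart Alfresco so the JVM reloads the trust store. The check above covers chain trust only, which is what the logged exception is about; it does not perform hostname verification.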