Openfire over LDAPS

I am trying to get a secure connection to Active Directory. I can connect just fine over LDAP on port 389, but when I switch to LDAPS over port 636 I get an error message.

I have found little information on implementing LDAPS, so I am hoping I can get some help here. I am currently testing this on a Windows 10 x64 box before production. I also want to mention that my DC is set up for LDAPS; I am using other applications for that purpose without issue.

There are two places this has to be set. One is the “use SSL” setting, which needs to be set to true; on another screen, you’ll have to change the port from 389 to 636.

Speedy,

Thanks for the reply. Do I need to import a CA so it is trusted? If so, how and where would I do that? Also, are these the 2 fields that need to be updated?

Yes, that is correct. You do not have to import your CA as of right now; Openfire will accept any certificate.

I changed those 2 settings; now I am not able to log in, but I am able to connect to LDAPS over 636 using ldap.exe from the same PC. In doing some research I found some posts that seem to be related to this, where you indicated the Root CA does need to be imported into the Java truststore. Has that changed?

https://discourse.igniterealtime.org/t/ldap-ssl-issues-in-openfire-3-10-2/60768/8

What version are you running? In some of the 3.10 builds, that was the case. We reverted back in 3.10.3 and newer so that a user no longer needed to import their CA.

4.2.3, just downloaded it yesterday. So since this does not seem to work for me, is it likely I have an issue with my LDAP certificate? Any debug output I can look at?

Try using ldp.exe to connect via SSL. Since you said other apps are using LDAPS without issue, I doubt it's your cert.

Did you restart Openfire after you made the system config changes?

Think I might have found the issue: LDAPS is working on connections to the server over SSL, but I do not have Active Directory Lightweight Services installed as a role on my DC. Can you speak to this as a requirement?

Yes, I did bounce Openfire after the changes were made.

I set up a virtual lab, duplicating my environment. I was able to successfully connect via LDAPS on port 636 from Openfire, so I must have something wrong with my certificate.

Hope this helps someone else. After fighting this all day I have determined the only difference between the certificates issued in my production environment and my lab is that production issues an MD5 signature, while the lab issued a SHA256 one. Once I switched to MD5 in my lab it did not work, so I’m guessing this is my issue.


Thanks for coming back and reporting your findings!

This makes a lot of sense; support for RC4-MD5 was dropped in Java 8 Update 51 - http://www.oracle.com/technetwork/java/javase/8u51-relnotes-2587590.html

Greg

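The lab comparison above (MD5-signed vs SHA256-signed DC certificate) and the follow-up about Java dropping MD5 support suggest the first thing to check when Openfire fails over 636 while ldp.exe succeeds: what hash the DC's certificate is actually signed with. The script below is an added example, not code from this thread or from the Openfire project. It fetches the LDAPS server's leaf certificate and reads the outer signatureAlgorithm OID with a minimal DER walker, so it needs only the Python standard library. The hostname `dc.example.internal` is a placeholder, and `constructed_cert()` builds a structurally minimal, non-verifiable certificate purely so the parser can be exercised offline. Modern Java 8 releases reject MD5-signed certificates through the `jdk.certpath.disabledAlgorithms` list in `java.security`, which is why a DC certificate that other (non-Java) clients accept can still fail inside Openfire; the fix is to reissue the DC certificate with SHA256, not to relax that list.

```python
import ssl
import sys

# Standard signature-algorithm OIDs (assumed mapping; values are the well-known ones).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
# Hashes a current Java truststore path validator refuses for certificate signatures.
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value):
    """Yield the (tag, value) TLVs contained in a DER SEQUENCE body."""
    pos = 0
    while pos < len(seq_value):
        tag, value, pos = _read_tlv(seq_value, pos)
        yield tag, value


def _decode_oid(value):
    """Turn the DER content octets of an OBJECT IDENTIFIER into dotted form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def signature_algorithm(cert_der):
    """Return the dotted OID of the outer signatureAlgorithm of an X.509 DER certificate."""
    _, cert_body, _ = _read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE { ... }
    fields = list(_children(cert_body))              # tbsCertificate, signatureAlgorithm, signatureValue
    _, alg_id = fields[1]                            # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid_tag, oid_value = next(_children(alg_id))
    if oid_tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(oid_value)


def assess(cert_der):
    """Return (algorithm name, is_weak) for the certificate's signature algorithm."""
    name = SIG_ALG_NAMES.get(signature_algorithm(cert_der), signature_algorithm(cert_der))
    return name, name in WEAK_SIG_ALGS


def fetch_server_cert_der(host, port=636):
    """Fetch the LDAPS server's leaf certificate without verification (diagnosis only)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# ---- constructed sample for offline use: not a real certificate ----
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(chunk)
    return out


def constructed_cert(sig_oid):
    """Build a minimal Certificate-shaped DER (constructed test data, not signed, not verifiable)."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                          # stand-in tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # AlgorithmIdentifier + NULL params
    sig = _tlv(0x03, b"\x00" + b"\x00" * 16)                        # dummy BIT STRING signatureValue
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "dc.example.internal"  # placeholder hostname
    name, weak = assess(fetch_server_cert_der(host))
    print(f"{host}:636 certificate signature: {name}{' (rejected by Java truststore)' if weak else ''}")
```

Run it as `python ldaps_sigcheck.py dc.example.internal`; a result of `md5WithRSAEncryption` or `sha1WithRSAEncryption` explains an Openfire LDAPS failure that ldp.exe does not reproduce, since the Windows client and the JVM apply different certificate-path rules.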