Make Dspace talk to LDAP

Option 1, which should work, near as I can tell from several hours googling, is to build a "Trusted Keystore" — put a copy of the LDAP servers cert into a different keystore:

    keytool -import -file my_ldap_cert.cer -alias my_ldap_cert -keystore trusted.keystore

Now add that to your Tomcat (version 5.0.27 or better) container. For example,

    <Connector port="443"
        maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" debug="0" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS"
        keystoreFile="/usr/share/ssl/certs/tomcat.p12" keystorePass="xxxxxx"
        truststoreFile="/usr/share/ssl/certs/trusted.keystore" truststorePass="xxxx"

Note that in this example, my Tomcat SSL cert is saved in PKCS12 (I generated my key and CSR with openssl), while my truststoreFile (created with keytool) is in JKS format.

Looks good, on paper, and I found a number of web references that suggest this should work — but it didn’t

Option 2, which did work (but I found a reference that said it didn’t, try option 1) was to put a copy of the LDAP servers cert into the default JAVA keystore:

    keytool -import -file my_ldap_cert.cer -alias my_ldap_cert -keystore $JAVA_HOME/jre/lib/security/cacerts

This did work, thus ending 5 or 6 hours of head banging.

Here’s one of my references

About Wesley Wright

Born on a mountain top near New York City, Craziest state in the land of the pretty. Raised in the woods so's he knew every tree, Killed him a bear when he was only three.
This entry was posted in Projects, Systems and Servers. Bookmark the permalink.

Leave a Reply