Enable OpenLDAP Server to Trust Self-Signed Certificate from Client

ldapopenldapslapdssl

I am using JNDI to connect to a remote OpenLDAP server via ldaps by the following code:

         Hashtable env = new Hashtable();
         env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
         env.put(Context.SECURITY_AUTHENTICATION, connectionType);
         env.put(Context.PROVIDER_URL, ldapUrl);
         env.put(Context.SECURITY_PRINCIPAL, userDn);
         env.put(Context.SECURITY_CREDENTIALS, password);
         String truststorePath = "C:\\Software\\OpenSSL-Win64\\CertificateEntityMatching\\truststore.ks";
         String keystorePath = "C:\\Software\\OpenSSL-Win64\\CertificateEntityMatching\\keystore.ks";
         String keyStorePassword = "123456789";
         System.setProperty("javax.net.ssl.trustStore", truststorePath);
         System.setProperty("javax.net.ssl.keyStore", keystorePath);
         System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
         try {
             InitialLdapContext ldap = new InitialLdapContext(env, null);
             System.out.println("Connect to LDAP successfully.");
             return ldap;
         } catch (AuthenticationException e) {
             e.printStackTrace();
             return null;
         } catch (NamingException e) {
             e.printStackTrace();
             return null;
         }

Here is how I enable TLS in my slapd.conf file on the OpenLDAP server:

# Enable TLS
TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3
TLSVerifyClient demand
TLSCertificateFile /usr/local/etc/openldap/tls/certificate.pem
TLSCertificateKeyFile /usr/local/etc/openldap/tls/key.pem

The server's certificate.pem has alreay been added to the truststore of my application, so if TLSVerifyClient was set to never, my applicaiton can connect to LDAP server successfully. The problem is when I set TLSVerifyClient to demand, LDAP server rejects the connection because my applicaton uses a self-signed certificate:

TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_accept:error in error
TLS: can't accept: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed (self signed certificate).
5bd922de connection_read(16): TLS accept failure error=-1 id=1001, closing

Could anyone guide me how to make OpenLDAP server trust the self-signed certificate of my application? Is there something similar to "truststore" for OpenLDAP server? Thanks in advance.

Best Answer

slapd.conf(5)

TLSCACertificateFile Specifies the file that contains certificates for all of the Certificate Authorities that slapd will recognize. The certificate for the CA that signed the server certificate must be included among these certificates.
If the signing CA was not a top-level (root) CA, certificates for the entire sequence of CA's from the signing CA to the top-level CA should be present. Multiple certificates are simply appended to the file; the order is not significant.

TLSCACertificatePath Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. Usually only one of this or the TLSCACertificateFile is used. This directive is not supported when using GnuTLS.
When using Mozilla NSS, may contain a Mozilla NSS cert/key database. If contains a Mozilla NSS cert/key database and CA cert files, OpenLDAP will use the cert/key database and will ignore the CA cert files.

Related Topic