Hi,
I'm attempting to configure LDAP to Windows AD for an additional untrusted domain we need to authenticate against. Running WebSphere on Windows. BOXI 3.1.
I've been issued a certificate from an untrusted domain. Firewall ports have been opened and a user has been created with matching credentials in the untrusted domain. I am able to authenticate using ldp.exe.
I was able to configure LDAP without SSL successfully.
Now I'm running into the somewhat vague error you see in the subject.
Here is my configuration, attempting Server Authentication.
LDAP Host: DC02.remotedomain.root:636
LDAP Server Type: MSFT AD Application Server
Base LDAP DN: DC=remotedomain,DC=root
Credentials: CN=User,OU=MyOU,OU=Users,OU=Other,DC=remotedomain,DC=root
Maximum referral hops: 0
Type of SSL: Server Authentication
SSL Strength: Accept server certificate if it comes from a trusted CA.
SSL Settings: [default], D:\path\to\nssdb, mypassword
Authentication: Basic (No SSO)
The secLdap plugin failed to connect to the specified hosts.
The hosts may be down, the server certificate may have been rejected, or the
hosts may be configured for mutual authentication.
I know the host is not down. And the host is not configured with mutual authentication, since I connected without SSL before (just a guess on my part really).
So I'm guessing it's my certificate perhaps?
So here is how I created the keystore:
C:\Users\sam\Documents\Powershell\BOXI\nss-3.6\bin>.\certutil.exe -A -n "DC02.remotedomain.root" -t "CT" -d C:\path\to\nssdb -i C:\path\to\cert\PDCD02.cer
That seemed to work fine. I can see the resulting cert listing when I use -L. One issue though is that if I add another cert, for an alternate DC, they both end up with the name of the first cert. I tried a few things from this page: How to troubleshoot LDAP over SSL connection problems. I verified the certificate using certutil.exe, and that didn't return any issues, although Windows is not able to verify the certificate when I open it with the GUI, maybe because I cannot see the remote CA.
Anything I should check for? Thanks, you have my appreciation in advance.
Sam
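The secLdap error lists three possible causes (host down, server certificate rejected, mutual authentication required), and the post configuration gives no way to tell them apart. The PowerShell below is an added diagnostic, not code from the original post or from the BOXI/WebSphere product: it opens a TLS session to the LDAPS port, records the .NET chain-validation result instead of failing on it, records whether the server sent a CertificateRequest (which is what "mutual authentication" means on the wire), prints the subject, issuer and SAN of the certificate actually served, and saves that certificate as DER so it can be compared with the file that was imported into the NSS database. The host name, port and output path are assumptions taken from the post; adjust them to your environment.

```powershell
# Added example: LDAPS handshake diagnostic. Not part of the original post.
# Assumed values (from the post); change to match your environment.
param(
    [string]$LdapHost = "DC02.remotedomain.root",
    [int]$Port = 636,
    [string]$OutFile = "C:\path\to\cert\DC02-as-served.cer"
)

$script:policyErrors        = $null
$script:chainStatus         = @()
$script:clientCertRequested = $false
$script:acceptableIssuers   = @()

# Always return $true so the handshake completes; we want to SEE why validation
# would fail (untrusted root, name mismatch, expired), not abort on it.
$validate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:policyErrors = $errors            # SslPolicyErrors flags
    if ($chain) {
        $script:chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
    return $true
}

# Invoked when the server asks the client for a certificate (mutual auth). The CA
# names it will accept arrive as $acceptableIssuers. Returning $null sends none.
$select = [System.Net.Security.LocalCertificateSelectionCallback]{
    param($sender, $targetHost, $localCerts, $remoteCert, $acceptableIssuers)
    $script:clientCertRequested = $true
    $script:acceptableIssuers   = @($acceptableIssuers)
    return $null
}

$tcp = New-Object System.Net.Sockets.TcpClient($LdapHost, $Port)   # fails fast if the port is closed
$ssl = $null
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate, $select)
    $ssl.AuthenticateAsClient($LdapHost)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    "Protocol            : $($ssl.SslProtocol)"
    "Subject             : $($cert.Subject)"
    "Issuer              : $($cert.Issuer)"        # this CA is what the NSS db must trust for server auth
    "Valid               : $($cert.NotBefore) .. $($cert.NotAfter)"
    "SAN                 : $(if ($san) { $san.Format($true) } else { '(none)' })"
    "Policy errors       : $script:policyErrors"   # None / RemoteCertificateChainErrors / RemoteCertificateNameMismatch
    "Chain status        : $(if ($script:chainStatus) { $script:chainStatus -join ', ' } else { 'NoError' })"
    "Client cert requested (mutual auth): $script:clientCertRequested"
    if ($script:acceptableIssuers.Count) {
        "Acceptable issuers  : $($script:acceptableIssuers -join '; ')"
    }

    # Save the certificate exactly as served, for comparison with the imported .cer
    # (e.g. certutil.exe -L -d <nssdb> -n <nickname> -a) and for import if it differs.
    [IO.File]::WriteAllBytes($OutFile,
        $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    "Saved server certificate to $OutFile"
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

Reading the output: a TcpClient exception means the port, not TLS, is the problem; `RemoteCertificateChainErrors` with a chain status of `UntrustedRoot` or `PartialChain` means the issuing CA is not trusted on the machine running the check, and the NSS database needs that issuer (not only the DC's own certificate) marked trusted for server authentication; `RemoteCertificateNameMismatch` means the name you connect to is not in the subject or SAN; and `Client cert requested: True` is the mutual-authentication case the error message mentions. The script assumes the check is run from the same host as the LDAP plugin so that the name it connects to matches the "LDAP Host" value.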