The secLdap plugin failed to connect to the specified hosts

Former Member

Hi,

I'm attempting to configure LDAP to Windows AD for an additional untrusted domain we need to authenticate against. Running WebSphere on Windows. BOXI 3.1.

I've been issued a certificate from an untrusted domain. Firewall ports have been opened and a user has been created with matching credentials in the untrusted domain. I am able to authenticate using ldp.exe.

I was able to configure LDAP without SSL successfully.

Now I'm running into the somewhat vague error you see in the subject.

Here is my configuration, attempting Server Authentication.

LDAP Host:  DC02.remotedomain.root:636

LDAP Server Type:  MSFT AD Application Server

Base LDAP DN:  DC=remotedomain,DC=root

Credentials:  CN=User,OU=MyOU,OU=Users,OU=Other,DC=remotedomain,DC=root

Maximum referral hops:  0

Type of SSL:  Server Authentication

SSL Strength:  Accept server certificate if it comes from a trusted CA.

SSL Settings:  [default], D:\path\to\nssdb, mypassword

Authentication:  Basic (No SSO)

The secLdap plugin failed to connect to the specified hosts.
The hosts may be down, the server certificate may have been rejected, or the
hosts may be configured for mutual authentication.

I know the host is not down.  And the host is not configured with mutual authentication, since I connected without SSL before (just a guess on my part really).

So I'm guessing it's my certificate perhaps?

So here is how I created the keystore:

C:\Users\sam\Documents\Powershell\BOXI\nss-3.6\bin>.\certutil.exe -A -n "DC02.remotedomain.root" -t "CT" -d C:\path\to\nssdb -i C:\path\to\cert\PDCD02.cer

That seemed to work fine. I can see the resulting cert listing when I use -L. One issue, though, is that if I add another cert, for an alternate DC, they both end up with the name of the first cert. I tried a few things from this page: "How to troubleshoot LDAP over SSL connection problems". I verified the certificate using certutil.exe, and that didn't return any issues, although Windows is not able to verify the certificate when I open it with the GUI, maybe because I cannot see the remote CA.

Anything I should check for? Thanks, you have my appreciation in advance.

Sam


Answers (1)


Former Member

I managed to get a certificate from another team that does similar authentication and compared it to the certificate I was given.

My cert:

Key Usage:  Digital Signature, Key Encipherment

New cert:

Key Usage:  Non-Repudiation, Certificate Signing, Off-line CRL Signing, CRL Signing (46)

Cert Template Name:  CA

Using the new cert, this began to work. I was able to pull users and will be able to proceed to test login.
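The check below is an added example, not code from either post or from SAP. It ties the two halves of the thread together: the certutil import in the question, and the Key Usage comparison in the answer that showed the file handed over was an end-entity (server) certificate rather than the issuing CA. The script loads the .cer you were given, classifies it by its Basic Constraints and Key Usage extensions, then opens a TLS session to the DC on 636 and compares the issuer of the certificate the DC actually presents against the subject of the file. If they differ, you were given the wrong certificate. The host name, port, file path and NSS database path are placeholders copied from the question; the trust flags `CT,,` and the `-u L` (SSL CA) verification usage are standard NSS certutil arguments. The TLS validation callback accepts any certificate on purpose, because the point is to look at what the DC sends, not to trust it; it must not be reused anywhere that talks to the directory for real.

```powershell
# Added example (not from the thread). Placeholders below are taken from the post.
param(
    [string]$Server  = "DC02.remotedomain.root",     # LDAP Host from the question
    [int]   $Port    = 636,
    [string]$CerPath = "C:\path\to\cert\PDCD02.cer", # the .cer you were issued
    [string]$NssDb   = "D:\path\to\nssdb"            # NSS DB passed to secLdap
)

function Get-CertRole {
    # Classify a certificate: is it marked as a CA, and may its key sign certificates?
    # A CA cert for the NSS "CT,," trust entry needs both; a server cert has neither.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $isCa = $false; $canSign = $false
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
            $isCa = $ext.CertificateAuthority
        }
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]) {
            $keyCertSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign
            $canSign = (($ext.KeyUsages -band $keyCertSign) -ne 0)
        }
    }
    New-Object PSObject -Property @{
        Subject     = $Cert.Subject
        Issuer      = $Cert.Issuer
        SelfSigned  = ($Cert.Subject -eq $Cert.Issuer)
        IsCA        = $isCa
        KeyCertSign = $canSign
        NotAfter    = $Cert.NotAfter
        Thumbprint  = $Cert.Thumbprint
    }
}

function Get-LdapsServerCert {
    # Open a TLS session to the DC and return the leaf certificate it presents.
    # The callback accepts everything ON PURPOSE: this is a diagnostic fetch, not a
    # trust decision. Never reuse it in code that performs real LDAP binds.
    param([string]$Server, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors) $true
        }
        $tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $tls.AuthenticateAsClient($Server)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

$given = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
$leaf  = Get-LdapsServerCert -Server $Server -Port $Port

"Certificate in ${CerPath}:";         Get-CertRole $given | Format-List
"Certificate presented by ${Server}:${Port}:"; Get-CertRole $leaf | Format-List

$role = Get-CertRole $given
if (-not ($role.IsCA -and $role.KeyCertSign)) {
    Write-Warning "$CerPath has no CA basic constraint / keyCertSign: it is an end-entity certificate and cannot act as the trusted CA for secLdap."
}
if ($leaf.Thumbprint -eq $given.Thumbprint) {
    Write-Warning "The file IS the DC's own server certificate, not its issuing CA."
} elseif ($leaf.Issuer -ne $given.Subject) {
    Write-Warning "The DC's certificate was issued by '$($leaf.Issuer)', not by the subject of the file; request that issuer's certificate instead."
}

# Use the CA's own CN as the NSS nickname so a second CA does not collide with the first entry.
$nick = $given.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
"Import and verify with NSS certutil (the one shipped with BOXI):"
"certutil.exe -A -n `"$nick`" -t `"CT,,`" -d `"$NssDb`" -i `"$CerPath`""
"certutil.exe -L -d `"$NssDb`"              # entry should list with CT trust flags"
"certutil.exe -V -n `"$nick`" -u L -d `"$NssDb`"   # validate it as an SSL CA"
```

Run it from the BOXI server itself so the TLS probe goes through the same firewall path the secLdap plugin uses. A warning from the issuer comparison is the same condition the answer above hit: the `Key Usage: Digital Signature, Key Encipherment` certificate was the DC's server certificate, while the working one carried `Certificate Signing`, which is exactly what the `IsCA` / `KeyCertSign` test looks for.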