Hi, I am trying to connect to LDAP in a secure way. This is what I have done to do the same.
1. Enabled the checkbox to "secure" in Control Center.
2. Provided secured ldap port number 636 in configuration.
Please suggest whether the above configuration is sufficient or whether any further configuration needs to be done.
Also suggest what LDAP error 91 means and how to resolve it.
Thanks and regards,
Monday 16 July, 2012
I did a search on LDAPS and found that you never received any response to this post. You have probably solved this by now, but during my tests I found a few things to consider to get this to work.
1. Verify that the complete certificate chain above your LDAPS server is available in your certificatestore\trusted\authorities.
2. Verify that these certificates are stored in base64 format.
3. Verify that the top certificate in the chain really is CA root certificate (self signed).
You can use a tool such as openssl s_client to connect to your LDAPS server and see which certificates are returned in the SSL handshake.
openssl s_client -connect host:636 -showcerts
Wednesday 05 December, 2012
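The three checks listed in the reply above, run offline against a throwaway chain. This is an added example, not part of the original thread; the CA and host names, file names and helper functions are constructed for the demo, and it assumes OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example. Everything below is constructed for the demo: a throwaway
# root -> issuing CA -> server chain standing in for an LDAPS server's chain.
# Assumes OpenSSL 1.1.1 or later on PATH.

make_demo_chain() {  # $1 = work dir; writes root.pem, inter.pem, server.pem
  d=$1
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=Demo Root CA" \
    -days 2 -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  for n in inter server; do  # key + CSR for the issuing CA and the server
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=demo-$n.example.test" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.cnf" -extensions ca -days 2 -out "$d/inter.pem" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
    -days 2 -out "$d/server.pem" 2>/dev/null
}

# Check 1: the trust store ($1, a PEM bundle) holds the whole chain above the server cert ($2).
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Check 2: the file is base64 (PEM) encoded rather than binary DER.
is_pem() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && openssl x509 -in "$1" -noout 2>/dev/null
}

# Check 3: subject and issuer match and the signature verifies under the cert's own key.
is_self_signed_root() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

work=$(mktemp -d) && make_demo_chain "$work"
cat "$work/root.pem" "$work/inter.pem" > "$work/trusted.pem"          # complete store
openssl x509 -in "$work/root.pem" -outform DER -out "$work/root.der"   # wrong encoding
chain_verifies "$work/trusted.pem" "$work/server.pem" && echo "complete store: chain verifies"
chain_verifies "$work/inter.pem" "$work/server.pem" || echo "root missing: verification fails"
is_pem "$work/root.der" || echo "root.der: not base64/PEM"
is_self_signed_root "$work/inter.pem" || echo "inter.pem: not a self-signed root"
is_self_signed_root "$work/root.pem" && echo "root.pem: self-signed root"
```

Against a real server, save each PEM block printed by -showcerts to its own file and run the same functions on those files.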
Tuesday 14 January, 2014
We are facing the same problem wherein we are unable to connect using port 636/3269.
We started facing this problem after a hostname change activity at the AD end. The AD team has updated the OS from Windows 2003 to Windows 2012, which complies with its settings and does not support Anonymous with port 636/3269, so now we are unable to connect with & without certificate.
On trying "openssl s_client -connect host:636 -showcerts", we are getting the following error (PFA for your reference):
depth=1 /C=SG/O=CLIENT/OU=Technology And Operation/CN=W01GSGCA01
verify error:num=20:unable to get local issuer certificate
In the defaulttrustedcertificateauthorityprofiles.xml file, the Authentication & Verification tags have been tested with ‘Anonymous’ & ‘Disabled’ and ‘Mandatory’ & ‘Enabled’ respectively:
• /opt/strs/bin/streamserve-5.5.0.GA.1450/applications/managementgateway/etc/config/5.5.0/common/securityprofiles
Please suggest if any other change is required at our end?