我正在使用JNDI通过ldaps通过以下代码连接到远程OpenLDAP服务器:
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, connectionType);
env.put(Context.PROVIDER_URL, ldapUrl);
env.put(Context.SECURITY_PRINCIPAL, userDn);
env.put(Context.SECURITY_CREDENTIALS, password);
String truststorePath = "C:\\Software\\OpenSSL-Win64\\CertificateEntityMatching\\truststore.ks";
String keystorePath = "C:\\Software\\OpenSSL-Win64\\CertificateEntityMatching\\keystore.ks";
String keyStorePassword = "123456789";
System.setProperty("javax.net.ssl.trustStore", truststorePath);
System.setProperty("javax.net.ssl.keyStore", keystorePath);
System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
try {
InitialLdapContext ldap = new InitialLdapContext(env, null);
System.out.println("Connect to LDAP successfully.");
return ldap;
} catch (AuthenticationException e) {
e.printStackTrace();
return null;
} catch (NamingException e) {
e.printStackTrace();
return null;
}
这是在OpenLDAP服务器上的slapd.conf文件中启用TLS的方式:
# Enable TLS
TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3
TLSVerifyClient demand
TLSCertificateFile /usr/local/etc/openldap/tls/certificate.pem
TLSCertificateKeyFile /usr/local/etc/openldap/tls/key.pem
已将服务器的certificate.pem添加到我的应用程序的信任库中,因此,如果TLSVerifyClient设置为never,则我的应用程序可以成功连接到LDAP服务器。问题是当我将TLSVerifyClient设置为需求时,LDAP服务器拒绝连接,因为我的应用程序使用了自签名证书:
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_accept:error in error
TLS: can't accept: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed (self signed certificate).
5bd922de connection_read(16): TLS accept failure error=-1 id=1001, closing
有人可以指导我如何使OpenLDAP服务器信任我的应用程序的自签名证书吗? OpenLDAP服务器是否有类似于“ truststore”的内容?预先感谢。