
AD with TLS? #18

Closed
RAFd3v opened this issue Sep 5, 2023 · 3 comments

Comments

@RAFd3v

RAFd3v commented Sep 5, 2023

What would be the best practice to troubleshoot AD Login issues with the LDAP Plugin?

Is there a log file?
Are the options to allow self-signed certificates?

Great Project by the way!

@RAFd3v
Author

RAFd3v commented Sep 5, 2023

If someone should face the same problems, here's what worked for me:

I imported the self-signed cert.

```shell
openssl s_client -connect XXX:389 \
  -starttls ldap \
  -showcerts < /dev/null | \
  openssl x509 -text | \
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
```

Copy the certificate from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and place it in a file:

```shell
sudo nano /etc/ssl/certs/XXX.pem
```

```shell
sudo keytool -importcert -alias XXX \
  -file /etc/ssl/certs/XXX.pem \
  -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts \
  -storepass changeit \
  -noprompt
```

Restart Apache Tomcat:

```shell
systemctl restart tomcat9
```

@RAFd3v RAFd3v closed this as completed Sep 5, 2023
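The steps in the comment above, wrapped into a small POSIX shell script as an added example (this is not code from the issue or from the project's own documentation). It goes beyond the comment in three ways: it can pick the CA certificate at the top of the chain instead of only the leaf that `openssl x509` keeps, it refuses to import until the SHA-256 fingerprint matches a value you obtained from the AD server itself, and it will not silently re-import over an existing alias. `LDAP_HOST`, `LDAP_PORT`, `CERT_ALIAS`, `JAVA_CACERTS`, `STOREPASS`, `EXPECTED_FINGERPRINT` and `SAMPLE_CHAIN` are all assumptions introduced here; the sample chain is constructed text, not a real certificate.

```shell
#!/bin/sh
# Added example; not from the issue or the project. Placeholders throughout.

# Constructed stand-in for what `openssl s_client -showcerts` prints:
# a two-certificate chain, server leaf first, issuing CA last. Fake bodies.
SAMPLE_CHAIN='-----BEGIN CERTIFICATE-----
MIIBfakeLEAFcertificateBODYforDEMOpurposesONLY0000000000000000000000
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBfakeISSUINGcaBODYforDEMOpurposesONLY00000000000000000000000000
-----END CERTIFICATE-----'

# Number of PEM certificate blocks on stdin (0 if the handshake failed).
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Print only the Nth PEM block from stdin: 1 is the server's leaf cert,
# the last one is the top of the chain (the CA you normally want to trust).
pem_block() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    '
}

# Print the last PEM block from stdin (stdin is buffered in a temp file).
pem_last() {
    tmp=$(mktemp)
    cat > "$tmp"
    n=$(pem_count < "$tmp")
    if [ "$n" -gt 0 ]; then pem_block "$n" < "$tmp"; fi
    rm -f "$tmp"
}

# Fetch the server's chain. 389 uses STARTTLS as in the thread;
# 636 (LDAPS) is TLS from the first byte, so -starttls must be omitted.
ldap_fetch_chain() {
    host=$1; port=$2
    if [ "$port" = 636 ]; then
        openssl s_client -connect "$host:$port" -showcerts < /dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" -starttls ldap -showcerts < /dev/null 2>/dev/null
    fi
}

# SHA-256 fingerprint (AB:CD:...) of the PEM file in $1; compare it with the
# value shown in the AD server's own certificate view before trusting it.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Import PEM file $2 under alias $1 into keystore $3 (password $4),
# refusing to overwrite an alias that is already present.
truststore_import() {
    alias=$1; pem=$2; keystore=$3; storepass=$4
    if keytool -list -keystore "$keystore" -storepass "$storepass" -alias "$alias" >/dev/null 2>&1; then
        echo "alias '$alias' already in $keystore; delete it first if the cert was rotated" >&2
        return 1
    fi
    keytool -importcert -alias "$alias" -file "$pem" \
        -keystore "$keystore" -storepass "$storepass" -noprompt
}

# Driver: with LDAP_HOST set (run as root), fetch, verify and import the CA;
# without it, only demonstrate the parsing on the constructed sample.
if [ -n "${LDAP_HOST:-}" ]; then
    alias=${CERT_ALIAS:-ad-ca}
    pem=/etc/ssl/certs/$alias.pem
    ldap_fetch_chain "$LDAP_HOST" "${LDAP_PORT:-389}" | pem_last > "$pem"
    fp=$(cert_fingerprint "$pem")
    if [ "$fp" != "${EXPECTED_FINGERPRINT:-}" ]; then
        echo "fingerprint $fp does not match EXPECTED_FINGERPRINT; not importing" >&2
        exit 1
    fi
    truststore_import "$alias" "$pem" \
        "${JAVA_CACERTS:-/usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts}" \
        "${STOREPASS:-changeit}"
else
    echo "sample chain has $(printf '%s\n' "$SAMPLE_CHAIN" | pem_count) certificates; last one:"
    printf '%s\n' "$SAMPLE_CHAIN" | pem_last
fi
```

Usage: `LDAP_HOST=dc.example.internal EXPECTED_FINGERPRINT=AB:CD:... sh import-ad-ca.sh`, then restart Tomcat as in the comment. For a truly self-signed server certificate the chain has one block, so `pem_last` and the leaf are the same thing; for an AD server with an internal CA, importing the CA rather than the leaf means the trust survives the next certificate renewal. On Debian-based systems also check whether the JVM's `cacerts` is a symlink into `/etc/ssl/certs/java/`, which the `ca-certificates-java` package can regenerate; if so, dropping the PEM under `/usr/local/share/ca-certificates/` and running `update-ca-certificates` is the more durable route.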
@itiligent
Owner

Hey, thanks for the excellent input... so I can include your learnings in the AD instructions and enhance them, would you mind providing a little more info and context about your specific environment and issue? I've not tested with AD and TLS, but this is a common scenario I should address.
I think I'm reading that your AD was already using TLS, so you extracted the existing AD TLS cert with the first command and then imported the resultant command output (the cert file) into the java keystore?

@itiligent itiligent reopened this Sep 6, 2023
@RAFd3v
Author

RAFd3v commented Sep 14, 2023

Sorry for the delayed answer. A little busy at the moment.

But yes, that's correct. First I read the self-signed certificate (in this case a Synology AD server), put it into a file and imported the certificate into the trust store.

I had been struggling with the Guacamole LDAP integration for a couple of weeks. That's the reason why I added the comment. I think I'm not the only person with this problem. So it's great to hear you will make your already great documentation better.

@itiligent itiligent reopened this Sep 14, 2023
@itiligent itiligent changed the title from "Best practice to troubleshot LDAP problems?" to "AD with TLS?" Oct 4, 2023