Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.
Frequent Contributor.. George D. Frequent Contributor..
Frequent Contributor..

LDAP Authentication, and LDAPCertDir parameter - not working


We are trying to get our LDAP authentication w/ Asset Manager (5.20) working using SSL - we have multiple CA's based on tier. If we use the LDAPCertFile config parameter, it works just fine. What we want to do is stick all our CA certs in one folder - which the LDAPCertDir parameter is supposed to allow.

The docs say we need to run the c_rehash function (which on Unix machines creates symbolic links with hashed filenames based on the subject) but considering windows does not have symbolic links, we renamed the cert files instead to the hash names.

For example:

prod.pem -> ff783690.0
uat.pem -> 3c58f906.0
dev.pem -> 46396010.0

The problem is that when LDAPCertDir is used, LDAP connections via SSL doesn't work and errors out.

The cert files are in PEM format and work just fine if used with the LDAPCertFile property.

Tags (3)
3 Replies
Absent Member.. MTWalsh Absent Member..
Absent Member..

Re: LDAP Authentication, and LDAPCertDir parameter - not working

I don't think I have an answer to your issue, but I saw your post and wanted to ask a question, and also mention something I found that might be relevent for you.  We haven't even been able to get LDAP over SSL in CIT to work at all.


If I am understanding correctly, you were able to use the SSL certificates if you specified your cert (.pem files) in the options parameter for LDAPCertFile (which I'm guessing cooresponds to the Certificate File option under edit--> options in the CIT gui).  But the issue is that you have multiple certs for multiple environments (DEV/PROD/UAT). 


I noticed that you are using a .pem file, which is not the extension of the cert file I was given.  So I looked that up and if i'm understanding correctly, a .pem file is something that contains multiple entries.  There was some info at http://www.digicert.com/ssl-support/pem-ssl-creation.htm that seemed like it may be relevant for you.  Perhaps you could paste all 3 of your certs in one file and include that file via the LDAPCertFile param. 


In my case, I wasn't given anything with a .pem file extension.  We are trying to connect to an AD 2008 server and getting in fine if we don't use SSL (i.e if we use port 389 and no SSL).  I included the certificate file I was given in the LDAPCertFile param, but when I try to switch to port 636 and check the use SSL checkbox, it fails to connect with a very non-helpful "could not connect" type error message.  I'm not altogether sure we are using the right certificate file though, as I am not an expert on SSL.  How did you obtain your .pem file...the one that works?  We requested one from Verisign for the CIT server.  But both I and the AD SME don't really think that this was correct.  I read some instructions somewhere saying that we should connect via https to the AD server to download the cert from there, but their AD server doesn't allow for that.  Is the cert used in the LDAPCertFile param a cert for the CIT server, or is it supposed to be something from teh AD (LDAP) server that we copy over to the CIT server somehow.  If so, how can we do that without going to https://<ldap_server_name?


Frequent Contributor.. George D. Frequent Contributor..
Frequent Contributor..

Re: LDAP Authentication, and LDAPCertDir parameter - not working

Sorry for the really late reply.   You can convert other certificate forms (eq. der) into PEM using openssl.   The AM docs state that the cerificates need to be in the PEM format. 


We are running into a weird issue when using LDAP-SSL (sometimes it works, sometimes it doesn't), and i'll create a writeup once we figure out what's going on (and maybe some helpful commands to convert certificates)

Absent Member.. stxhp Absent Member..
Absent Member..

Re: LDAP Authentication, and LDAPCertDir parameter - not working

It works here if I use the following command to create the hash:

    openssl x509 -subject_hash_old -noout -in cert.crt


Then renaming the file to the hash value and add a .0 extension will do the trick.


The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.