
Spring security, ssl ldap and no certificate

I use Spring Security to manage login. I've configured Spring Security to connect to an LDAP server which is secured with SSL (ldaps).

This server is a test server and has no valid certificate. When I try to test the login, Spring Security complains that the certificate cannot be verified (of course!):

sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
 valid certification path to requested target

My question is simple: I don't want to manage any kind of certificate, I would like to deactivate the certificate check and keep using an SSL LDAP. How can I do that?

It sounds like the certificate of the LDAP server is just self-cert rather than invalid.

To me the simplest solution would be to get that certificate and add it to the cacerts trust store in java. Once that's done the code will run without any modifications.

To get the certificate from the server:

$ openssl s_client -showcerts -connect ldapserver:636

The output will contain a number of entries delimited with

-----BEGIN CERTIFICATE-----
aklfhskfadljasdl1340234234ASDSDFSDFSDFSDFSD
....
-----END CERTIFICATE-----

Copy the last certificate entry into a file (ldapca.crt).

Then, add it to the Java keystore in $JRE_HOME/lib/security:

$ cd $JRE_HOME/lib/security
$ keytool -import -alias ldapca_self_sign -keystore cacerts -storepass changeit -file ldapca.crt

That means, you'll trust the certificate on the LDAP server and are using SSL correctly in your test environment (rather than having some custom code to switch off part of SSL checking).

Once you've done that (once) your code should run without any modifications.
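The "copy the last certificate entry" step from the answer above, as an added shell example that is not part of the original answer. The function names and the sample output are constructed for illustration. Because `openssl s_client` completes the handshake even when verification fails, the helper also prints the certificate's SHA-256 fingerprint so it can be compared with the value from the server's administrator before the `keytool -import` step.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the answer.

# Print the last complete PEM certificate block read from stdin.
# A truncated trailing block (BEGIN without END) is ignored.
last_cert() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { buf = ""; in_cert = 1 }
    in_cert                       { buf = buf $0 "\n" }
    /-----END CERTIFICATE-----/   { if (in_cert) last = buf; in_cert = 0 }
    END { if (last == "") exit 1; printf "%s", last }
  '
}

# Save the last chain entry from host:port to a file, then print its subject,
# issuer and SHA-256 fingerprint for out-of-band comparison before import.
# Usage: fetch_ldap_ca ldapserver:636 ldapca.crt   (needs network; not run here)
fetch_ldap_ca() {
  openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null \
    | last_cert > "$2" || return 1
  openssl x509 -in "$2" -noout -subject -issuer -fingerprint -sha256
}

# Constructed sample of s_client output; the bodies are placeholders,
# not real certificates.
sample_output() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ldapserver
   i:CN = Test LDAP CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAFCERTBODY
-----END CERTIFICATE-----
 1 s:CN = Test LDAP CA
   i:CN = Test LDAP CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERCACERTBODY
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldapserver
EOF
}

# Demo on the constructed sample: prints only the second (CA) block.
sample_output | last_cert
```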
