Enable LDAPS on Jenkins

Hello,
I have a Jenkins instance on Windows Server 2022, on which I want to switch from LDAP to LDAPS. LDAP is working just fine.
I have also enabled HTTPS; for that I'm using a Java keystore in which my SSL certificate is located. For LDAPS I have to import another certificate, so that I have 2 in total in the keystore. If I do that and change the LDAP URL to ldaps://server.ip:636, my service won't come up anymore.

Does anyone have an idea how to handle this properly? Is it a problem that I have 2 certificates in my keystore? Where can I tell the application "use this for HTTPS" and "this for LDAPS"?

Does anyone have any idea?

Having multiple certificates in a Java keystore is not a problem. The Java keystore can handle multiple certificates without any issues. The problem you're experiencing might be due to the configuration of your LDAP server or the way Jenkins is set up to use LDAPS.

When you switch from LDAP to LDAPS, you need to make sure that your LDAP server is correctly configured to support LDAPS. This usually involves installing a certificate on the LDAP server and configuring the server to listen for LDAPS connections.

In Jenkins, you can specify the LDAP server URL in the LDAP security realm configuration. If you’re switching from LDAP to LDAPS, you need to change the LDAP server URL from ldap:// to ldaps://. You also need to specify the correct port for LDAPS, which is usually 636.

If your LDAP server’s certificate is not trusted by the Java runtime that Jenkins is using, you might also need to add the LDAP server’s certificate to the Java keystore (I guess that’s what you have already done).
You can do this using the keytool command that comes with Java:
keytool -import -alias your-ldap-server -keystore path/to/your/keystore.jks -file path/to/your/ldap-server-certificate.crt

After adding the certificate to the keystore, you might need to restart Jenkins for the changes to take effect.

My LDAPS server is definitely correctly configured to support LDAPS, because I also have other applications which work with LDAPS just fine. The LDAPS server has the certificate installed, and what I've learned in the meantime is that I don't need to install the certificate on the "client" as long as the client is a member of the Active Directory domain.

> In Jenkins, you can specify the LDAP server URL in the LDAP security realm configuration. If you're switching from LDAP to LDAPS, you need to change the LDAP server URL from ldap:// to ldaps://. You also need to specify the correct port for LDAPS, which is usually 636.

That's what I already tried, but then my service won't come up anymore.
In the Jenkins log I found the following error message:

“WARNING h.security.LDAPSecurityRealm#throwUnlessConfigIsIgnorable: Failed communication with ldap server dvHIOo07oOFpDKLlfwxo7g== (ldaps://server.ip:636), will not try the next configuration
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target”
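The SunCertPathBuilderException above means the LDAP plugin's outbound TLS connection to the domain controller found no trust anchor in the truststore the Jenkins JVM consults (lib/security/cacerts, or the store named by -Djavax.net.ssl.trustStore), which is a different store from the --httpsKeyStore that serves Jenkins over HTTPS, and which Java does not populate from the Windows certificate store that domain membership fills. The script below is an added example, not code from this thread or from Jenkins; it assumes a DC named dc.example.internal, $JAVA_HOME pointing at the JDK that runs the Jenkins service, the alias ad-root-ca and the default cacerts password changeit.

```shell
#!/bin/sh
# Added example (not from the thread). Puts the LDAPS server's issuing CA into the
# truststore the Jenkins JVM uses for outbound TLS, which is what the certpath
# error is about. Assumed values: dc.example.internal, $JAVA_HOME, ad-root-ca, changeit.
set -eu

# Save every certificate the LDAPS endpoint presents (PEM) so the issuer can be picked.
fetch_ldaps_chain() { # host port outfile
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
    | sed -n '/BEGIN CERT/,/END CERT/p' > "$3"
}

# Print the last certificate of a PEM bundle (the highest CA the server sent).
last_cert_in_chain() { # chainfile
  awk '/BEGIN CERT/{buf=""} {buf=buf $0 "\n"} /END CERT/{last=buf} END{printf "%s", last}' "$1"
}

# Import a CA certificate as a trusted entry; a no-op when the alias already exists.
import_trust_anchor() { # truststore storepass alias certfile
  if keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1; then
    echo "alias $3 already present in $1"
    return 0
  fi
  keytool -importcert -noprompt -trustcacerts \
    -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# Check that an alias is a trustedCertEntry, which is what certpath validation needs.
trust_anchor_present() { # truststore storepass alias
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | grep -q trustedCertEntry
}

# Usage, run only when LDAPS_HOST is set so that sourcing this file executes nothing.
# Trust the enterprise CA, never the DC's leaf certificate: the leaf is rotated by
# auto-enrollment. If the DC sends only its leaf, export the CA from AD CS instead.
if [ -n "${LDAPS_HOST:-}" ]; then
  fetch_ldaps_chain "$LDAPS_HOST" 636 dc-chain.pem
  last_cert_in_chain dc-chain.pem > ad-root-ca.pem
  import_trust_anchor "$JAVA_HOME/lib/security/cacerts" changeit ad-root-ca ad-root-ca.pem
  trust_anchor_present "$JAVA_HOME/lib/security/cacerts" changeit ad-root-ca
fi
```

Restart the Jenkins service afterwards; alternatively keep cacerts untouched and point the service JVM at a dedicated store with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword in the jenkins.xml arguments.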
