This walks through the steps required to securely access the Emory LDAP services running on our Active Directory infrastructure. It uses the ancient but still excellent LDAP Browser/Editor written by Jarek Gawor. Although the program is 10 years old, it works perfectly well with modern versions of Java. Also, as a Java application, it can be used on Windows, Linux, and Mac OSX.
The information presented is not new – most of it is based on this blog post: http://eldapo.lembobrothers.com/2009/03/26/ldap-browser-and-ssl/ . However, I’ve tailored it to more closely fit the Emory environment.
Installing the LDAP Browser/Editor on OSX
Follow the instructions here: http://www.novell.com/communities/node/8652/gawors-excellent-ldap-browsereditor-v282 to get a copy of the program to download. Once the zip file has been downloaded, uncompress it if not already done by your browser. I usually just copy the folder into my home directory.
From the finder, you can double-click on the lbe.jar file to launch the program.
Launching the program and attempting to connect to Emory LDAP
When the program is launched, it will bring up a Connect dialog.
Click on “New” to create a new connection profile.
As you can see above, I’ve named it “Emory AD”.
Next, click the “Connection” tab.
Adding connection parameters
1. Enter the name of an Emory domain controller. In this case, we’re using addcacvm1.eu.emory.edu.
2. Enter the port. Because we will be using SSL to communicate with the server, we use port 636.
3. For the base DN, we use dc=Eu,dc=Emory,dc=Edu. This is because we need to search a top-level OU. You may wish to use dc=People,dc=Eu,dc=Emory,dc=Edu, if you want to limit your search to the Emory people container.
4. Tick the SSL checkbox.
5. Enter the netid for a user with permissions to connect to the LDAP service. Generally, any valid NetID should work.
6. Enter the password for the bind user.
7. Click Save.
Errors when attempting to connect securely
Once you click “Save”, you’ll be returned to the Connect screen with a new connection. Select that connection and click “Connect”.
This will generate the above error. The Emory domain controllers use a Certificate Authority that is not recognized by this Java application.
This means that you will also have this issue with other Java applications, such as Tomcat.
In the next step, we’ll start to fix this error, mostly based on the instructions from this blog post: http://eldapo.lembobrothers.com/2009/03/26/ldap-browser-and-ssl/
Adding the missing CA certificate
As the error message above indicates, we are missing a certificate authority certificate. We need to get this certificate, install it, and tell LDAP Browser where to find the certificate.
The first step is to get the certificate. We do that from the terminal in OSX. Open a terminal window and type in the following command:
openssl s_client -connect addcacvm1.eu.emory.edu:636 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >mycert.pem
Hit return twice – this will create the file mycert.pem, which contains the encoded certificate from the Emory server. It’s this file that we’ll need for the next step.
Create a new certificate store and add the certificate to the store
Now that you have the certificate file, you need to create a new certificate store and you need to add the certificate to it. The command is:
keytool -import -alias addcacvm1 -file mycert.pem -keystore lbe.keystore
You’re using the Java tool “keytool” to add the file to a keystore, which is a special encrypted file that holds certificate and key information. Here’s the breakdown of the arguments to the command:
“-import” means that we’re going to import the key into the keystore
“-alias” aliasname – gives you a way to refer to the certificate. Aliases must be unique within the keystore. They do not have to match the name of the server. In this case, I chose “addcacvm1” as the alias.
“-file” filename – the file containing the certificate you downloaded in the last step.
“-keystore” filename – the name of the keystore file. In the above example, we’re creating a keystore named “lbe.keystore”.
Once you hit enter, you are prompted to enter a keystore password. Feel free to set any password you would like. In the Sun world, the password is often “changeit”.
Now that you have a keystore, you’re almost there.
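As an added example (not code from the original post, and not part of LDAP Browser/Editor), here is a small POSIX shell script that generalizes the openssl/sed capture and the keytool import above. Note that without -showcerts, s_client prints only the server's own certificate, so the one-line command saves and the keytool step trusts that leaf certificate rather than the CA; with -showcerts every certificate the server sends is printed, and the script splits them into one PEM file each so you can see which one you are about to trust and check its fingerprint against what the directory team publishes. The function names, the directory layout and the sample s_client output are constructed for this example; the openssl and keytool flags are real ones, and the keytool wrapper simply parameterises the command from the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from LDAP Browser/Editor.
# Splits `openssl s_client -showcerts` output into one PEM file per certificate
# so you can tell whether you captured only the server's own (leaf) certificate
# or its issuer as well. Function names, directory names and the sample output
# below are constructed for this example.

# split_pem_chain OUTDIR PREFIX
# Reads s_client output on stdin; writes OUTDIR/PREFIX-0.pem, PREFIX-1.pem, ...
# in the order the server sent them (0 = the server's own certificate, higher
# numbers = issuers, as far as the server sends them). Prints the count found.
split_pem_chain() {
    outdir=$1
    prefix=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" -v pfx="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; file = sprintf("%s/%s-%d.pem", dir, pfx, n) }
        inside                        { print > file }
        /-----END CERTIFICATE-----/   { inside = 0; close(file); n++ }
        END                           { print n + 0 }
    '
}

# describe_pem FILE
# Shows who a captured certificate is for, who issued it, and its SHA-256
# fingerprint, so it can be compared with a fingerprint obtained out of band
# before it is trusted. Needs the openssl binary (not exercised by the test).
describe_pem() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# import_pem ALIAS FILE KEYSTORE
# The post's keytool command with its three arguments parameterised.
# keytool still prompts for the keystore password and for confirmation.
import_pem() {
    keytool -import -alias "$1" -file "$2" -keystore "$3"
}

# Constructed stand-in for `openssl s_client -showcerts` output: two
# certificates, the leaf followed by its issuer. The bodies are placeholder
# lines, not real base64 certificates, so describe_pem would reject them.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = Constructed Example CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = ldap.example.test
   i:CN = Constructed Example CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDLEAFCERTIFICATEBODYLINE1
CONSTRUCTEDLEAFCERTIFICATEBODYLINE2
-----END CERTIFICATE-----
 1 s:CN = Constructed Example CA
   i:CN = Constructed Example CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDCACERTIFICATEBODYLINE1
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.test
issuer=CN = Constructed Example CA
---
EOF
}

# Live use (network, openssl and keytool required; same host and port as the post):
#   openssl s_client -showcerts -connect addcacvm1.eu.emory.edu:636 </dev/null 2>/dev/null \
#       | split_pem_chain captured addcacvm1
#   describe_pem captured/addcacvm1-1.pem      # the issuer, if the server sent one
#   import_pem addcacvm1 captured/addcacvm1-1.pem lbe.keystore
```

Importing the issuer's certificate (the highest-numbered file) rather than the leaf means the keystore keeps working when the domain controller's own certificate is renewed, as long as the same CA issues the replacement; importing the leaf, as the one-line command does, works until that renewal.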
Telling the application about the new keystore file
You need to create a properties file to tell LDAP Browser/Editor the location of the keystore.
1. Create a new directory in your home directory named “.lbe”. Here’s how:
2. Create a new file in .lbe called lbe.properties.
3. This file only needs two lines:
Close the file and now you’re ready to launch LDAP Browser/Editor.
Example of Successful Connection
Cross your fingers and launch lbe.jar.
You should see something like the above, and you can verify the ldaps URL, showing that you have a secure connection.
That’s it. You can use these instructions to manage keystores for any Java application that needs to retrieve LDAP information from the directory over SSL, notably adding the proper CA to the cacerts certificate store for Tomcat. If you would like more detail on that, just let me know.