Java code cannot connect to secure OpenLDAP?

Tags: java ssl openssl openldap keytool

I created the certificate for OpenLDAP with the following command:

openssl req -new -x509 -nodes -out /etc/openldap/certs/ldap.crt -keyout /etc/openldap/certs/ldap.key -days 1460

After finishing the rest of the setup, I can connect to OpenLDAP through Apache Directory Studio on port 636.

The challenge now is that I wrote a simple Java program that connects to OpenLDAP and performs some basic operations, such as creating a user, creating a group, deleting, and so on. Before that I imported the certificate into the local machine's Java keystore with the keytool command:

keytool -import -noprompt -trustcacerts -alias "ldap1" -file ldap.crt -keystore "C:\Program Files\Java\jdk1.8.0_221\jre\lib\security\cacerts"

The import succeeded.

I then added <IP-ADDRESS> HOSTNAME to the C:\Windows\System32\drivers\etc\hosts file, but the Java program throws this error:

javax.naming.CommunicationException: simple bind failed: surerest2:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
        at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
        at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
        at javax.naming.InitialContext.init(Unknown Source)
        at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
        at com.asiainfo.bdx.ocdp.LdapClient.initLDAPContext(LdapClient.java:148)
        at com.asiainfo.bdx.ocdp.LdapClient.createLDAPUser(LdapClient.java:30)
        at com.asiainfo.bdx.ocdp.LdapClientTest.main(LdapClientTest.java:14)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
        at sun.security.ssl.AppInputStream.read(Unknown Source)
        at java.io.BufferedInputStream.fill(Unknown Source)
        at java.io.BufferedInputStream.read1(Unknown Source)
        at java.io.BufferedInputStream.read(Unknown Source)
        at com.sun.jndi.ldap.Connection.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        ... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 19 more
Exception in thread "main" java.lang.NullPointerException
        at com.asiainfo.bdx.ocdp.LdapClient.closeLdapContext(LdapClient.java:157)
        at com.asiainfo.bdx.ocdp.LdapClient.createLDAPUser(LdapClient.java:49)
        at com.asiainfo.bdx.ocdp.LdapClientTest.main(LdapClientTest.java:14)

Best answer

After several days of effort the problem was solved with the help of InstallCert, and it works fine. What did I do?

  1. Download the InstallCert project.

  2. Compile the Java file: javac InstallCert.java

  3. Access the server and try to fetch the certificate: java InstallCert <IP ADDRESS>:<PORT>, supplying the IP address/port of the server you want to download from; in my case the OpenLDAP server details.

  4. Extract the certificate from the jssecacerts keystore that was created: keytool -importcert -alias "1xx.2xx.1xx.97-1" -keystore "C:\Program Files\Java\jre1.8.0_221\lib\security\cacerts" -storepass changeit -file surerest2. Here 1xx.2xx.1xx.97-1 is the IP address and port number and surerest2 is the hostname.

  5. Import the certificate into the system keystore: keytool -importcert -alias "1xx.2xx.1xx.97-1" -keystore /workspace/tools/jdk/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/lib/security/cacerts -storepass changeit -file surerest2

    This change works well.
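Editor's note, added example (not the poster's code and not part of the accepted answer): the PKIX error above means the JVM that ran the program found no trust anchor for the self-signed ldap.crt. Two details from this page are worth checking before reaching for InstallCert. First, the JVM reads its default trust anchors from java.home/lib/security/cacerts (for a JDK 8 launcher, java.home is <jdk>/jre); the question imports into the JDK under C:\Program Files\Java\jdk1.8.0_221, while the command that finally worked targets a separate JRE under C:\Program Files\Java\jre1.8.0_221, so it pays to print java.home from the program itself. Second, JDK 8u181 and later perform endpoint identification on ldaps:// URLs, so the hostname in the URL (the one mapped in the hosts file) must match the certificate's CN or a SAN; connecting by IP address instead requires an iPAddress SAN. The example below avoids editing any shared cacerts at all: it loads a dedicated truststore containing only ldap.crt through a custom SSLSocketFactory that JNDI picks up via java.naming.ldap.factory.socket, and it guards the close() so the NullPointerException at the end of the trace cannot recur. The truststore path, bind DN and base DN are hypothetical; the hostname surerest2 and port 636 come from the question.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/*
 * Hypothetical example, not the poster's code: connect over LDAPS trusting only a
 * dedicated truststore that holds the server's self-signed ldap.crt, instead of
 * editing whichever cacerts file the running JVM happens to read. JNDI obtains
 * the class named in java.naming.ldap.factory.socket by calling its static
 * getDefault(), so the truststore settings are static fields.
 */
public class LdapsTrustStoreFactory extends SSLSocketFactory {

    // Hypothetical truststore location and password.
    static String trustStorePath = "C:\\ldap\\ldap-truststore.jks";
    static char[] trustStorePassword = "changeit".toCharArray();

    private final SSLSocketFactory delegate;

    private LdapsTrustStoreFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

    /* Called reflectively by com.sun.jndi.ldap.Connection for every new connection. */
    public static SocketFactory getDefault() {
        try {
            KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(trustStorePath)) {
                ts.load(in, trustStorePassword);
            }
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);                                   // trust anchors: only this file
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);   // no client cert, default RNG
            return new LdapsTrustStoreFactory(ctx.getSocketFactory());
        } catch (Exception e) {
            throw new IllegalStateException("cannot load truststore " + trustStorePath, e);
        }
    }

    // The remaining methods simply forward to the SSLSocketFactory built above.
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose)
            throws IOException { return delegate.createSocket(s, host, port, autoClose); }
    @Override public Socket createSocket(String host, int port)
            throws IOException { return delegate.createSocket(host, port); }
    @Override public Socket createSocket(String host, int port, InetAddress lh, int lp)
            throws IOException { return delegate.createSocket(host, port, lh, lp); }
    @Override public Socket createSocket(InetAddress host, int port)
            throws IOException { return delegate.createSocket(host, port); }
    @Override public Socket createSocket(InetAddress host, int port, InetAddress lh, int lp)
            throws IOException { return delegate.createSocket(host, port, lh, lp); }

    public static void main(String[] args) throws NamingException {
        // Default trust anchors come from java.home/lib/security/cacerts. With a JDK 8
        // launcher java.home is <jdk>/jre, so a certificate imported into some other
        // JRE's cacerts is never consulted. Print it so a wrong keytool target is obvious.
        System.out.println("java.home = " + System.getProperty("java.home"));

        String bindPassword = System.getenv("LDAP_BIND_PW");   // Hashtable rejects null values
        if (bindPassword == null) throw new IllegalStateException("set LDAP_BIND_PW");

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // The host must match the certificate's CN or a SAN: JDK 8u181 and later perform
        // endpoint identification on ldaps:// URLs. "surerest2" is the hostname from the
        // question; the base DN and bind DN are hypothetical.
        env.put(Context.PROVIDER_URL, "ldaps://surerest2:636/dc=example,dc=com");
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket", LdapsTrustStoreFactory.class.getName());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=admin,dc=example,dc=com");
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);

        LdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null);    // TLS handshake and simple bind happen here
            System.out.println(ctx.getAttributes(""));  // attributes of the base entry
        } finally {
            // Guard the close: the NullPointerException at the end of the question's trace
            // came from closing a context that was never created.
            if (ctx != null) ctx.close();
        }
    }
}
```

Build the truststore from the certificate file copied off the server, not from whatever the network delivered: keytool -importcert -noprompt -alias ldap1 -file ldap.crt -keystore ldap-truststore.jks -storepass changeit. If you do use an InstallCert-style fetch, compare the fingerprint it shows with keytool -printcert -file /etc/openldap/certs/ldap.crt run on the OpenLDAP host before importing, since a trust-on-first-use download cannot distinguish the real server from a man-in-the-middle. Because a certificate made with openssl req -new -x509 as shown in the question is self-signed, importing it as a trust anchor is the correct thing to do; what should never be done is disabling validation to make the handshake error go away.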

Regarding "Java code cannot connect to secure OpenLDAP?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/60853580/
