I'm trying to set up our TRC server, using AD authentication via LDAP/SSL. I've verified that the LDAP account can bind without SSL, and am now trying to establish a proper SSL setup. Our vendor CA is InCommon; they chain off the AddTrust External CA. The domain controllers have InCommon certificates on their LDAP service; I have verified with openssl s_client that the certs are installed.
With ldap.security_protocol=ssl, however, the connection fails due to certificate chaining, and I'm thoroughly lost on how to configure the LDAP client with the right intermediates/roots.
Does the LDAP client take advantage of the java/jre/lib/security/cacerts store?
- AddTrust is in this file.
- Should I add the intermediate there?

What file should ldap.ssl_keyStore refer to?
- The cacerts store?
- A new keystore that I haven't created yet?
- Is that where the intermediate should go?
All of this is _before_ I even tackle a proper cert for the incoming HTTPS connections. Should these be the same keystore as above?
Thanks for any insight.