ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Schemus LDAP Synchronization Tool and Secure LDAP

book

Article ID: 161530

calendar_today

Updated On:

Products

Email Security.cloud

Issue/Introduction

You are using the Schemus LDAP Synchronization Tool and you have enforced strong authentication on your Active Directory which is preventing Schemus from being able to connect. 

Resolution

For Schemus to work with the default configuration it needs to connect using simple authentication. If you can change your Active Directory to allow simple authentication this will immediately resolve the issue.

If you cannot make this change you should be able to connect using simple/SSL. This protects the connection using SSL before initiating the simple authentication. Simple/SSL is the most flexible option - it should work across subdomains. If the Active Directory's certificate is signed by a well-known CA, you should be able to connect using SSL with no further changes.

If, as is more common, the Active Directory's CA uses its own self-signed root CA certificate, you will see an error about an invalid certification path. You will need to add Active Directory's root CA certificate to the Java certificate store. Typically this is saved on the Active Directory server in C:\server-name.crt. Copy this to the Schemus machine then import it into the java key store:

 

cd c:\Program Files\Schemus\jre\bin
keytool.exe -import -trustcacerts -alias ad-server-ca -file Z:\Certificates\CA\ad-server.crt -keystore ..\lib\security\cacerts

 

Assuming:

  • the certificate has been copied to Z:\Certificates\CA\ad-server.crt
  • you are using the version of Schemus which included a JRE
  • you want to add the certificate to the JRE's cacerts file

The default keystore password is changeit

If you don't want to modify the JRE's copy of the certificate store, you can copy the cacerts file to C:\Program Files\Schemus\application\lib\security directory and rename it to 'schemus-cacerts'. Then give this file as the keystore in the above command.