Schemus LDAP Synchronization Tool and Secure LDAP


Article ID: 161530


You are using the Schemus LDAP Synchronization Tool and have enforced strong authentication on your Active Directory (for example, by setting the domain controllers' LDAP server signing requirement to "Require signing", which rejects simple binds over unencrypted LDAP). This prevents Schemus from connecting.


With its default configuration Schemus connects using simple authentication (a plain LDAP bind). If you can change your Active Directory to allow simple authentication again, this immediately resolves the issue. Note, however, that a simple bind over unencrypted LDAP sends the bind account's password in cleartext, which is exactly what the stronger setting was protecting against, so treat this as a quick workaround rather than the fix.

If you cannot make this change, you should be able to connect using simple/SSL, that is, LDAPS (TCP port 636 by default). This protects the connection with SSL/TLS before the simple bind is sent, so the password is never exposed on the wire. Simple/SSL is the most flexible option and should work across subdomains. If the Active Directory's certificate is signed by a well-known CA that is already in the Java trust store, you should be able to connect using SSL with no further changes.

If, as is more common, the Active Directory's certificate chains to the organisation's own self-signed root CA, you will see an error about an invalid certification path. You will need to add that root CA certificate to the Java certificate store. Import the root CA certificate rather than the domain controller's own certificate, so that trust survives the domain controller's certificate being renewed. Typically the root CA certificate is saved on the Active Directory server in C:\server-name.crt. Copy this to the Schemus machine, then import it into the Java key store:


cd c:\Program Files\Schemus\jre\bin
keytool.exe -import -trustcacerts -alias ad-server-ca -file Z:\Certificates\CA\ad-server.crt -keystore ..\lib\security\cacerts



This assumes that:

  • the certificate has been copied to Z:\Certificates\CA\ad-server.crt
  • you are using the version of Schemus which includes a JRE
  • you want to add the certificate to the JRE's cacerts file

The default keystore password is changeit. keytool prompts for it, prints the certificate's subject, issuer and fingerprints, and then asks whether to trust the certificate; compare the fingerprint with the one shown on the CA certificate on the Active Directory server before answering yes.

If you don't want to modify the JRE's own copy of the certificate store, copy the cacerts file to the C:\Program Files\Schemus\application\lib\security directory and rename it 'schemus-cacerts'. Then give this file as the -keystore in the above command.
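As an added example (not from this article and not part of Schemus), the following PowerShell script carries out the steps above end to end with the checks a practitioner would want around them: it inspects the certificate file before trusting it (self-signed, and actually a CA certificate), imports it into either a private schemus-cacerts copy or the JRE's cacerts, lists the resulting entry, and finally fetches the certificate the domain controller presents on port 636 and confirms it chains to the CA just imported. The install path, the file Z:\Certificates\CA\ad-server.crt, the alias ad-server-ca and the host name dc01.corp.example.com are assumptions taken from, or made up to match, the article; adjust them for your environment.

```powershell
# Added example (not from the KB article): trust the AD root CA in a Schemus
# keystore and confirm the domain controller's LDAPS certificate chains to it.
# Paths, host name and alias below are assumptions for illustration.

$SchemusHome = 'C:\Program Files\Schemus'           # assumed install path (as in the article)
$Keytool     = Join-Path $SchemusHome 'jre\bin\keytool.exe'
$JreCaCerts  = Join-Path $SchemusHome 'jre\lib\security\cacerts'
$AppCaCerts  = Join-Path $SchemusHome 'application\lib\security\schemus-cacerts'
$CaFile      = 'Z:\Certificates\CA\ad-server.crt'   # root CA cert copied from the AD server
$Alias       = 'ad-server-ca'
$StorePass   = 'changeit'                           # default cacerts password
$LdapHost    = 'dc01.corp.example.com'              # assumed domain controller host name
$LdapsPort   = 636
$UseAppStore = $true                                # $false to modify the JRE's own cacerts instead

# 1. Inspect the file before trusting it. A root CA certificate is self-signed
#    (issuer equals subject) and carries the CA basic constraint.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaFile
if ($ca.Subject -ne $ca.Issuer) {
    Write-Warning "$CaFile is not self-signed; it may be an intermediate, not the root CA."
}
$isCa = $ca.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
    ForEach-Object { $_.CertificateAuthority }
if (-not $isCa) { throw "$CaFile is not a CA certificate; do not import a server certificate as a trust anchor." }
Write-Host "Importing $($ca.Subject) (thumbprint $($ca.Thumbprint), valid until $($ca.NotAfter))"

# 2. Pick the keystore: a private copy under application\lib\security, or the JRE's cacerts.
$KeyStore = if ($UseAppStore) { $AppCaCerts } else { $JreCaCerts }
if ($UseAppStore -and -not (Test-Path $AppCaCerts)) {
    New-Item -ItemType Directory -Force (Split-Path $AppCaCerts) | Out-Null
    Copy-Item $JreCaCerts $AppCaCerts
}

# 3. Import non-interactively. -noprompt answers keytool's "Trust this certificate?"
#    question, which is acceptable only because step 1 checked what is being trusted.
& $Keytool -importcert -trustcacerts -noprompt -alias $Alias -file $CaFile `
           -keystore $KeyStore -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed (exit code $LASTEXITCODE)" }

# 4. Confirm the entry exists; the fingerprint printed should match $ca.Thumbprint.
& $Keytool -list -keystore $KeyStore -storepass $StorePass -alias $Alias

# 5. Check that the certificate the DC presents on 636 actually chains to this root.
#    The callback returns $true only so the certificate can be fetched; the real
#    check is the chain build below against the CA just imported.
$tcp = New-Object System.Net.Sockets.TcpClient($LdapHost, $LdapsPort)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { param($sender, $cert, $chain, $errors) $true })
$ssl.AuthenticateAsClient($LdapHost)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
$ssl.Dispose(); $tcp.Close()

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'  # root need not be in the Windows store
$built = $chain.Build($serverCert)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($built -and $root.Thumbprint -eq $ca.Thumbprint) {
    Write-Host "OK: $LdapHost presents $($serverCert.Subject), chaining to $($root.Subject)"
} else {
    Write-Warning "$LdapHost does not chain to $($ca.Subject); Schemus will still report an invalid certification path."
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}
```

Run it in an elevated PowerShell session if the keystore lives under C:\Program Files, since writing there requires administrator rights. If step 5 reports that the server certificate chains to a different root, the file you copied is not the CA that issued the domain controller's certificate; Schemus will keep failing until the correct root (or the full chain) is imported.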