I seem to be having the same issue as @zibeug, setting up LDAP auth to a Synology Directory Server (Samba AD) that is utilizing a LetsEncrypt certificate.
Assumed it was protocol to start my own thread here.
These are my settings (with domain and other info redacted):

```
#-# LDAP Settings
xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap.server=ldaps://auth.redacteddomain.com
xwiki.authentication.ldap.port=636
xwiki.authentication.ldap.ssl=1
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn
xwiki.authentication.ldap.update_user=1
xwiki.authentication.ldap.bind_DN=firstname.lastname@example.org
xwiki.authentication.ldap.bind_pass=#########
xwiki.authentication.ldap.base_DN=OU=Users,dc=auth,dc=redacteddomain,dc=com
```
In the original thread, @Beat_Burgener requested two commands be run:
The first command returned:
```
CONNECTED(00000005)
depth=0 CN = *.redacteddomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.redacteddomain.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = *.redacteddomain.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=*.redacteddomain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
### Redacted ###
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.redacteddomain.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 1985 bytes and written 524 bytes
---
New, TLSv1/SSLv3, Cipher is ####
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : #####
    Session-ID: ####
    Session-ID-ctx:
    Master-Key: #####
    Start Time: 1576014785
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
```
The second command kept giving me errors about bad arguments; somehow I thought this would be a relevant replacement (I could be totally wrong).

```
curl: (58) LDAP local: ERROR setting PEM CA cert: Can't contact LDAP server
```
So, based on all I've read… the Synology Directory Server is not passing along the full cert chain. I'm separately reaching out on Synology support forums trying to figure out how to make it serve the certs properly. But, in the meantime… is there something I can do on the XWiki end to force things to work? XWiki is running in a Docker container on a Mac mini.
And… if anyone knows how to fix the Synology, I'll take that feedback as well!
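As an added example (not from the original post, XWiki or the LDAP authenticator), a small Python check that parses the `openssl s_client -showcerts` output shown above, lists which certificates the server actually sent, and names the issuer the client never received when the chain stops short, i.e. the certificate that would either have to be served by the directory server or be present in the JVM truststore XWiki uses. The sample output and domain are constructed from the redacted output above.

```python
import re

def parse_chain(output):
    # Collect (subject, issuer) pairs from the "Certificate chain" block of openssl s_client output.
    chain, in_chain, subject = [], False, None
    for line in output.splitlines():
        s = line.strip()
        if s == "Certificate chain":
            in_chain = True
        elif in_chain and s.startswith("Server certificate"):
            break
        elif in_chain and re.match(r"\d+\s+s:", s):
            subject = s.split("s:", 1)[1].strip()
        elif in_chain and s.startswith("i:") and subject is not None:
            chain.append((subject, s[2:].strip()))
            subject = None
    return chain

def diagnose(output):
    # Decide whether the served chain is complete and, if not, which issuer the client never received.
    chain = parse_chain(output)
    m = re.search(r"Verify return code:\s*(\d+)", output)
    code = int(m.group(1)) if m else None
    if not chain:
        return {"served": 0, "verify_code": code, "missing_issuer": None, "status": "no chain parsed"}
    subject, issuer = chain[-1]
    if subject == issuer:  # last cert is self-signed: the server sent everything up to a root
        status, missing = "full chain served; a failure means the root is not in the client truststore", None
    elif len(chain) == 1:
        status, missing = "only the leaf is served; the issuing intermediate is missing", issuer
    else:
        status, missing = "partial chain; the issuer of the last served certificate is missing", issuer
    return {"served": len(chain), "verify_code": code, "missing_issuer": missing, "status": status}

# Constructed sample modelled on the redacted s_client output above (not a real certificate).
SAMPLE_OUTPUT = """\
CONNECTED(00000005)
Certificate chain
 0 s:/CN=*.redacteddomain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
### Redacted ###
-----END CERTIFICATE-----
---
Server certificate
---
    Verify return code: 21 (unable to verify the first certificate)
"""
```

Against a live server, feed `diagnose()` the text of `openssl s_client -showcerts -connect <host>:636 </dev/null`; a result with `missing_issuer` set and `verify_code` 21 is the "server sends only its leaf" case the post describes.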