geronimo-dev mailing list archives

From David Jencks <>
Subject Re: Error: "unable to find valid certification path to requested target"
Date Thu, 16 Jul 2009 22:34:55 GMT

On Jul 16, 2009, at 2:08 PM, alehx wrote:

> I have searched google and the geronimo knowledge base far and wide and have not been able to come up with a solution to my issue.
> We are developing a web application that requires LDAP authentication to 1) Determine if the user exists and his/her credentials are correct 2) to serve the correct pages and privileges to authenticated users.
> However, we have reached a roadblock. After implementing the security realms, keystores, and web-specific deployment plans, we have been unable to get past the authentication prompt for user credentials.
> No matter what I have tried, the error message is always
> ERROR [LDAPLoginModule] javax.naming.CommunicationException: simple bind failed: my.ldap.server:636 [Root exception is PKIX path building failed: unable to find valid certification path to requested target]
> WARN  [log] AUTH FAILURE: user UserName
> I followed the keytool directives for obtaining a valid certificate and created a new certificate via the Geronimo console. I have also tried importing a valid certificate manually by copy/paste and changes to the config.xml file, all to no avail.
> If the issue is the security realm, we have contacted the LDAP server administrators and obtained the correct settings for our use. I have tried creating a server via the console and via the geronimo-application.xml.
> I'm not sure if the issue is the server believes the certificate is invalid or it cannot find a matching certificate after the LDAP server is contacted.
> The keystore I am using is in the geronimo var/security/keystore directory and also registered in the system wide java keystore (cacerts).
> If anyone could suggest some things to get geronimo to accept the certificates in my keystore or to somehow link them so they will be of use, that would be great.

I think this is a user list question.  I think the absolute minimum information anyone would need to start guessing at what is wrong would be:
- the entire stack trace from the exception
- details of how you are trying to connect to the ldap server.

In particular... is this an ssl connection? tls?  does the ldap server expect the client to authenticate with a client-side certificate or

Despite the lack of this information I'd guess that you are connecting over ssl and the geronimo truststore does not have a certificate to enable it to trust the certificate from the ldap server.

david jencks

> Thanks
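A way to reproduce the failure outside Geronimo, as an added example that is not part of this thread or of Geronimo's own code: the program below runs the same PKIX path building that JSSE performs during the TLS handshake, but against a truststore file and the LDAP server's exported certificate chain (PEM), and reports whether any trust anchor in the store matches the chain's issuer. The class name, file paths and password are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

// Added diagnostic, not Geronimo code. Paths and password are hypothetical:
//   java PkixCheck var/security/keystores/my-truststore.jks changeit ldap-server-chain.pem
public class PkixCheck {
    public static void main(String[] args) throws Exception {
        String storePath = args[0], storePass = args[1], chainPem = args[2];
        // Load the truststore the way JSSE does (JKS, the format of cacerts and of
        // Geronimo's var/security keystores).
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(storePath)) {
            ts.load(in, storePass.toCharArray());
        }

        // Parse the server's PEM chain (leaf first, as the LDAP server presents it).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(chainPem)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        X509Certificate top = chain.get(chain.size() - 1);
        System.out.println("top of chain issued by: " + top.getIssuerX500Principal());
        // PKIXParameters(KeyStore) takes only trusted-certificate entries as anchors;
        // a key pair generated in the console is a private-key entry and is ignored.
        PKIXParameters params = new PKIXParameters(ts);
        params.setRevocationEnabled(false); // JSSE default unless CRL/OCSP checking is enabled
        // Same PKIX path building the TrustManager performs inside the TLS handshake.
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult)
                validator.validate(cf.generateCertPath(chain), params);
            System.out.println("OK: anchored at "
                + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("FAILED: " + e.getMessage() + " (reason: " + e.getReason() + ")");
            boolean anchorPresent = false;
            for (TrustAnchor a : params.getTrustAnchors()) {
                anchorPresent |= a.getTrustedCert().getSubjectX500Principal()
                    .equals(top.getIssuerX500Principal());
            }
            if (!anchorPresent) System.out.println("No trusted entry in " + storePath
                + " has that subject; import the LDAP server's issuing CA as a trusted entry.");
        }
    }
}
```

A "FAILED" result with no matching anchor is the offline equivalent of the "unable to find valid certification path to requested target" message in the log above; pointing the program at cacerts and at the Geronimo keystore in turn shows which store the realm is actually missing the CA in.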
