This article describes how to connect to an LDAP data source using a secure connection.
To connect to an LDAP data source using SSL, follow these steps:
"<DENODO_HOME>/jre/bin/keytool" -import -alias ldapSSL -file "C:/certs/server.cer" -keystore "../lib/security/cacerts"
"<DENODO_HOME>/jre/bin/keytool" -import -alias ldapSSL -file "C:/certs/server.cer" -keystore "<DENODO_HOME>/certs/truststore.jks"
Uncomment and modify the property: com.denodo.security.ssl.trustStore=<DENODO_HOME>/certs/truststore.jks
Note: if you get an error during the connection handshake when the port number is specified in the URI, you can also try ldaps://hostname without specifying the port.
Troubleshooting: No subject alternative DNS name matching <HOSTNAME> found.
Due to changes in recent Java versions (1.8.181 and newer), endpoint verification is enabled by default for LDAPS connections. This can produce the following error message when trying to connect to your source via LDAPS:
Unable to connect to the database:
javax.naming.CommunicationException: simple bind failed: <HOSTNAME>:<PORT> [Root exception is javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching <HOSTNAME> found.]
The error message indicates that the hostname used to connect to the LDAP Server (i.e. the hostname in the Server URI ldaps://hostname) does not match the CN or any subject alternative name (SAN) specified in the certificate.
There are different solutions to address that issue.
Example: If the CN inside your LDAP SSL certificate is host1, but the LDAP Server hostname you are connecting to is host2, you need to add an entry to the hosts file, similar to the following, that maps the IP address of host2 to the name host1:
Now, if you change the Server URI in your LDAP data source to host1, you should be able to access the LDAP Server via SSL, as the CN of the certificate and the hostname match.
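As an added illustration (not Denodo's code, and not Java's own implementation), the following Python function reproduces the matching rule that produces the error above: when the certificate carries DNS subject alternative names, only those are consulted, and the subject CN is used only as a fallback when the certificate has no DNS SAN at all. The two certificate descriptions are constructed in the dictionary shape Python's ssl module returns from getpeercert().

```python
# Constructed certificate descriptions (only the fields hostname checking
# needs), in the shape returned by ssl.SSLSocket.getpeercert().
CERT_WITH_SAN = {
    "subject": ((("commonName", "host1"),),),
    "subjectAltName": (("DNS", "host1"), ("DNS", "*.corp.example")),
}
CERT_CN_ONLY = {
    "subject": ((("commonName", "host1"),),),
}


def _dns_match(pattern, hostname):
    """Match one dNSName pattern against a hostname, case-insensitively.
    A wildcard is honoured only as the entire leftmost label (RFC 6125),
    and only when at least two labels follow it."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_hostname(cert, hostname):
    """Return (ok, reason) following the endpoint-identification rule:
    DNS SAN entries take precedence; the CN is consulted only when the
    certificate has no DNS SAN entries."""
    dns_names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if dns_names:
        if any(_dns_match(n, hostname) for n in dns_names):
            return True, "matched SAN"
        # Same wording as the Java exception quoted in this article.
        return False, f"No subject alternative DNS name matching {hostname} found."
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_match(cn, hostname) for cn in cns):
        return True, "matched CN"
    return False, f"No name matching {hostname} found."


if __name__ == "__main__":
    # host2 fails against a certificate issued for host1; host1 succeeds.
    for name in ("host2", "host1", "ldap.corp.example"):
        print(name, check_hostname(CERT_WITH_SAN, name))
```

The hosts-file workaround in the article works because it changes the name the client presents for matching, not the certificate; adding host2 as a DNS SAN on the server certificate removes the mismatch at its source.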