Problem statement
When the LDAP server uses a self-signed certificate, the Auth0 AD/LDAP Connector may fail to connect to it and log the following error:
self signed certificate in certificate chain
This document describes how to configure the Auth0 AD/LDAP Connector to allow the use of a self-signed certificate on the LDAP server.
Solution
The Auth0 AD/LDAP Connector reads the TLS CA certificates it trusts from one of the following locations. In either case the LDAP server's self-signed certificate must be present in the folder the connector reads, because a self-signed certificate can only be trusted by being in the trust store itself.
- The system default certificates folder. Get the system default folder from which the AD/LDAP Connector reads the certificates from the AD/LDAP Connector logs. For example, the following log line shows the AD/LDAP Connector reading the certificates from the /etc/pki/tls/certs folder:
Reading CA certificates from /etc/pki/tls/certs Adding 3 certificates
Note: The system default certificates folder may vary depending on the OS type (Windows, Linux) and release version, so always use the AD/LDAP Connector log to determine the folder location. Once you have located the system default certificates folder, copy your own LDAP server certificate (self-signed) into it.
- The folder specified by the SSL_CA_PATH option. If you have no access to the system default certificates folder, or cannot add certificates to it, use the SSL_CA_PATH option in the config.json file of the Auth0 AD/LDAP Connector to specify your own certificates folder. See AD/LDAP Connector Configuration File Schema for more information.
Note: If the SSL_CA_PATH option is set, the AD/LDAP Connector reads the certificates only from SSL_CA_PATH and bypasses the system default certificates folder. It is therefore mandatory to add both your own LDAP server certificate (self-signed) AND the system default CA certificates (from the system default certificates folder) to the SSL_CA_PATH folder. Otherwise, the AD/LDAP Connector will throw a certificate error when connecting to the Auth0 tenant, because the certificate presented by the Auth0 tenant is validated against those CA certificates.
Before adding the self-signed certificate to either folder, confirm its fingerprint out of band with the LDAP administrator, and keep the file in sync with renewals of the LDAP server's certificate, since the connector trusts only what is in the folder.
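The procedure above, as an added example that is not part of the Auth0 documentation or the connector's own code: a POSIX shell script that assembles a folder to use as SSL_CA_PATH (the system CA certificates plus the LDAP server's self-signed certificate), prints the certificate's SHA-256 fingerprint for out-of-band comparison, and uses openssl to confirm that the folder trusts the certificate while an empty folder rejects it. It assumes openssl is installed and that the connector accepts PEM files in the folder; the host name ldap.example.internal, the folder names, and the throwaway self-signed certificate it generates in place of the real server certificate are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not Auth0's code): build a folder for SSL_CA_PATH that holds
# the LDAP server's self-signed certificate plus the system CA certificates,
# and check with openssl that the folder actually trusts the LDAP certificate.
# Assumptions: openssl is installed; the connector reads PEM files from the
# folder; every path and host name below is a placeholder.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/auth0-ldap-ca"                          # value for SSL_CA_PATH
SYSTEM_CA_DIR="${SYSTEM_CA_DIR:-/etc/pki/tls/certs}"  # folder named in the connector log
LDAP_CERT="$WORK/ldap-server.pem"

# Stand-in for the real server certificate (constructed here). In practice you
# would export it from the live server instead, for example:
#   openssl s_client -connect ldap.example.internal:636 -showcerts </dev/null
# and save the last certificate of the chain (the self-signed one) as PEM.
make_fake_ldap_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=ldap.example.internal" \
    -keyout "$WORK/ldap-server.key" -out "$LDAP_CERT" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate, for out-of-band comparison with the
# LDAP administrator before the certificate is placed in the trust store.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Assemble the SSL_CA_PATH folder: the system CA certificates first (the
# connector still needs them to reach the Auth0 tenant), then the LDAP cert.
build_ca_dir() {
  mkdir -p "$CA_DIR"
  if [ -d "$SYSTEM_CA_DIR" ]; then
    cp "$SYSTEM_CA_DIR"/*.pem "$CA_DIR"/ 2>/dev/null || true
    cp "$SYSTEM_CA_DIR"/*.crt "$CA_DIR"/ 2>/dev/null || true
  fi
  cp "$1" "$CA_DIR/ldap-server.pem"
}

# Exit 0 if the certificates in folder $1, and nothing else, trust certificate
# $2. The folder's PEM files are concatenated into a temporary bundle and the
# default CA locations are disabled, so the check uses exactly the folder.
verify_with_store() {
  bundle=$(mktemp)
  cat "$1"/*.pem "$1"/*.crt >"$bundle" 2>/dev/null || true
  status=0
  if [ -s "$bundle" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$bundle" "$2" >/dev/null 2>&1 || status=$?
  else
    openssl verify -no-CAfile -no-CApath "$2" >/dev/null 2>&1 || status=$?
  fi
  rm -f "$bundle"
  return "$status"
}

make_fake_ldap_cert
build_ca_dir "$LDAP_CERT"
mkdir -p "$WORK/empty-ca"   # a folder with no certificates, for comparison

echo "LDAP certificate SHA-256: $(fingerprint "$LDAP_CERT")"
if verify_with_store "$CA_DIR" "$LDAP_CERT"; then
  echo "trusted with SSL_CA_PATH=$CA_DIR"
fi
if ! verify_with_store "$WORK/empty-ca" "$LDAP_CERT"; then
  echo "rejected when the certificate is missing from the folder (the connector's error case)"
fi
```

Point SSL_CA_PATH in config.json at the folder the script builds, restart the connector, and check that the "Reading CA certificates from ..." log line now names that folder and reports the expected number of certificates. The openssl check stands in for the connector's own TLS validation: it trusts only the files in the folder, which is exactly why the connector fails when the self-signed certificate is absent.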