When the LDAP server uses a self-signed certificate, the Auth0 AD/LDAP Connector may throw the following error when connecting to the LDAP server:
self signed certificate in certificate chain
This document describes how to configure the Auth0 AD/LDAP Connector to allow the use of a self-signed certificate on the LDAP server.
The Auth0 AD/LDAP Connector reads the TLS certificates from the following locations:
- The system default certificates folder.
  - Find the system default folder from which the AD/LDAP Connector reads the certificates in the AD/LDAP Connector logs. For example, the following log lines show the AD/LDAP Connector reading the certificates from /etc/pki/tls/certs:
    Reading CA certificates from /etc/pki/tls/certs
    Adding 3 certificates
  - Note: The system default certificates folder may vary depending on the OS type (Windows, Linux) and release version, so always use the AD/LDAP Connector log to determine the folder location.
  - Once you have located the system default certificates folder, upload your own LDAP server certificate (self-signed) to that folder.
- Use the SSL_CA_PATH option to specify the certificates folder.
If you do not have access to the system default certificates folder, or if it is not possible to upload certificates to it, use the SSL_CA_PATH option in the config.json file of the Auth0 AD/LDAP Connector to specify your own certificates folder.
See AD/LDAP Connector Configuration File Schema for more information.
Note: If the SSL_CA_PATH option is set, the AD/LDAP Connector will read the certificates from SSL_CA_PATH and bypass the system default certificates folder. It is therefore mandatory to add both your own LDAP server certificate (self-signed) AND the system default CA certificates (from the system default certificates folder) to the SSL_CA_PATH folder. Otherwise, the AD/LDAP Connector will throw a certificate error when connecting to the Auth0 tenant, because the public CA that signed the Auth0 tenant's certificate is no longer trusted.
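The rule in the note above, as an added shell example that is not part of the Auth0 documentation or the connector's own code: it assembles the folder that SSL_CA_PATH will point to from the system default CA folder plus the self-signed LDAP certificate, then checks that both kinds of certificate are present before the folder is referenced in config.json. The folder paths, the file name ldap-server-selfsigned.pem and the demo PEM contents are assumptions or constructed placeholders.

```shell
#!/bin/sh
# Build the SSL_CA_PATH folder: copy every .pem/.crt from the system default
# folder (as reported by the connector log, e.g. /etc/pki/tls/certs) and the
# self-signed LDAP server certificate into one folder. Paths are assumptions.
build_ca_path() {
  sys_dir="$1"; ldap_cert="$2"; out_dir="$3"
  mkdir -p "$out_dir" || return 1
  n=0
  for f in "$sys_dir"/*.pem "$sys_dir"/*.crt; do
    [ -f "$f" ] || continue          # unmatched glob stays literal; skip it
    cp "$f" "$out_dir/" && n=$((n + 1))
  done
  # Without the system CAs the connector can no longer verify the Auth0 tenant
  [ "$n" -gt 0 ] || { echo "no system CA certificates found in $sys_dir" >&2; return 1; }
  grep -q 'BEGIN CERTIFICATE' "$ldap_cert" || { echo "$ldap_cert is not PEM" >&2; return 1; }
  cp "$ldap_cert" "$out_dir/ldap-server-selfsigned.pem" || return 1
  # Fragment to merge into config.json (assumed file name for the LDAP cert)
  printf '"SSL_CA_PATH": "%s"\n' "$out_dir"
}

# Sanity check: the folder must hold the self-signed LDAP certificate AND at
# least one other (system CA) certificate file.
check_ca_path() {
  dir="$1"
  [ -f "$dir/ldap-server-selfsigned.pem" ] || return 1
  others=$(ls "$dir" | grep -v '^ldap-server-selfsigned.pem$' | wc -l)
  [ "$others" -gt 0 ]
}

# Demo on constructed input: dummy PEM files, not real certificates.
demo() {
  tmp=$(mktemp -d) || return 1
  mkdir -p "$tmp/sys" || return 1
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed...' '-----END CERTIFICATE-----' > "$tmp/sys/ca-bundle.crt"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed...' '-----END CERTIFICATE-----' > "$tmp/ldap.pem"
  build_ca_path "$tmp/sys" "$tmp/ldap.pem" "$tmp/ca" && check_ca_path "$tmp/ca"
}
```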