How to Use a Self-Signed Certificate on LDAP Server

Problem statement

When using a self-signed certificate on the LDAP server, the Auth0 AD/LDAP Connector may throw the following error when connecting to the LDAP server:

self signed certificate in certificate chain

This document describes how to configure the Auth0 AD/LDAP Connector to allow the use of a self-signed certificate on the LDAP server.

Solution

The Auth0 AD/LDAP Connector reads the TLS certificates from the following locations:

  1. The system default certificates folder.
  • Get the system default folder from which the AD/LDAP Connector reads the certificates from the AD/LDAP Connector logs. For example, the following log shows the AD/LDAP Connector reading the certificates from the /etc/pki/tls/certs folder:

    Reading CA certificates from /etc/pki/tls/certs
    Adding 3 certificates

Note: The system default certificates folder may vary depending on the OS type (Windows, Linux) and release version, so please always use the AD/LDAP Connector log to determine folder location.

  • Once located in the system default certificates folder, upload your own LDAP server certificate (self-signed) to the folder.
  2. Use the SSL_CA_PATH option to specify the certificates folder.
  • If there is no access to the system default certificates folder or if it is not possible to upload certificates to the system default certificates folder, use the SSL_CA_PATH option in the config.json file of the Auth0 AD/LDAP Connector to specify your own certificates folder.

  • See AD/LDAP Connector Configuration File Schema for more information.

Note: If the SSL_CA_PATH option is set, the AD/LDAP Connector reads the certificates from SSL_CA_PATH and bypasses the system default certificates folder. It is therefore mandatory to add both your own LDAP server certificate (self-signed) AND the system default CA certificates (from the system default certificates folder) to the SSL_CA_PATH folder. Otherwise, the AD/LDAP Connector will throw a certificate error when connecting to the Auth0 tenant.
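The following script is an added example, not part of this article or of the AD/LDAP Connector itself. It shows the second option end to end: build a custom SSL_CA_PATH folder that contains both the system default CA certificates and the self-signed LDAP server certificate (so the connector can still reach the Auth0 tenant), then point config.json at it. The directory names, file names and the placeholder certificate contents in the demo are constructed for illustration; SSL_CA_PATH is the only config.json key the example writes, and a real config.json carries the other connector settings as well.

```shell
#!/bin/sh
# Added example (not Auth0's code): assemble a certificate folder for the
# AD/LDAP Connector's SSL_CA_PATH option and write that path into config.json.
# Assumption: the system default folder, the self-signed server certificate and
# the destination folder are passed in as arguments (constructed in demo below).

# build_ca_path SYSTEM_CA_DIR SELF_SIGNED_CERT DEST_DIR
# Copies every .pem/.crt file from the system default folder plus the LDAP
# server's self-signed certificate into DEST_DIR. Both sets are needed because
# SSL_CA_PATH bypasses the system default folder entirely.
build_ca_path() {
    sys_dir="$1"; server_cert="$2"; dest="$3"
    mkdir -p "$dest" || return 1
    # copy the system default CA certificates (unmatched globs are skipped)
    for f in "$sys_dir"/*.pem "$sys_dir"/*.crt; do
        [ -f "$f" ] && cp "$f" "$dest/"
    done
    # add the self-signed LDAP server certificate
    cp "$server_cert" "$dest/" || return 1
    # report how many certificate files DEST_DIR now holds
    count_certs "$dest"
}

# count_certs DIR: number of files in DIR (one certificate per file)
count_certs() {
    ls "$1" | wc -l | tr -d ' '
}

# write_config CONFIG_JSON DEST_DIR
# Writes a minimal config.json that sets SSL_CA_PATH to DEST_DIR.
write_config() {
    cfg="$1"; dest="$2"
    printf '{\n  "SSL_CA_PATH": "%s"\n}\n' "$dest" > "$cfg"
}

# demo: constructed input, mirroring the "Adding 3 certificates" log line above.
# A fake system folder with 3 CA files and one self-signed server certificate
# (placeholder text, not real certificates). Prints the working directory.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/sys"
    for n in 1 2 3; do
        printf 'placeholder system CA %s\n' "$n" > "$work/sys/ca$n.pem"
    done
    printf 'placeholder self-signed LDAP server certificate\n' > "$work/ldap-server.crt"
    build_ca_path "$work/sys" "$work/ldap-server.crt" "$work/custom-certs" >/dev/null
    write_config "$work/config.json" "$work/custom-certs"
    echo "$work"
}
```

After running build_ca_path against the real system default folder reported in the connector log, restart the connector and confirm that the log now reports reading from the SSL_CA_PATH folder with a certificate count equal to the system certificates plus one. Independently of the connector, `openssl s_client -connect ldap.example.com:636 -CAfile /path/to/ldap-server.crt` (hostname and path are placeholders) should end with `Verify return code: 0 (ok)` if the copied certificate really is the one the LDAP server presents.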