LDAP External Authentication using Client Certificates

Graylog v3.0.0

Hi, I’ve been attempting unsuccessfully to get Graylog server to connect to Google’s Secure LDAP service, which requires authentication via a client cert + key. I’ve added these files to a PKCS12-formatted file and then into a keystore:

openssl pkcs12 -export -out java-application-ldap.pkcs12 -in test.crt -inkey test.key
keytool -v -importkeystore -srckeystore java-application-ldap.pkcs12 -srcstoretype PKCS12 -destkeystore java-application-ldap.jks -deststoretype JKS

And then added a path to the keystore by editing the JAVA_OPTS in /etc/default/graylog-server:

GRAYLOG_SERVER_JAVA_OPTS="-Djavax.net.ssl.keyStore=/home/test/java-application-ldap.jks -Djavax.net.ssl.keyStorePassword=XXXXXXX … "

When restarting the server, I can see the Java arguments have successfully been added, and also verified that the password is correct.

When I attempt to connect to Google LDAP (ldap.google.com:636) from Graylog (with SSL checked), the connection fails as if the client certificate is not being used. I’ve verified the certificate using ldapsearch.

Wondering if any of you have experience with the above, also wondering if the v3.3.3 LDAP changes for hostname validation could be related to this. Have not had a chance to take a deeper dive yet.

Thanks,
S. Tang
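An added check, not from the original post or from Graylog itself: a small POSIX shell script that reads `keytool -list -v` output and reports whether the JKS actually holds a PrivateKeyEntry (certificate plus private key), which is what the JVM needs in order to present a client certificate, rather than only a trustedCertEntry. The two sample listings and the `JKS_PASS` environment variable name are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original post). Sanity-check a JKS built with
# openssl pkcs12 + keytool importkeystore before pointing the JVM at it.
# A store that holds only a trustedCertEntry (cert imported without its key)
# gives the JVM nothing to present when the LDAP server asks for a client cert,
# so the handshake looks exactly as if no client certificate were configured.

# check_keystore_listing: read `keytool -list -v` output on stdin.
#   returns 0 -> at least one PrivateKeyEntry (cert + key) is present
#   returns 1 -> entries exist but none of them carries a private key
#   returns 2 -> no entries at all (wrong file, wrong -storetype, empty store)
check_keystore_listing() {
  listing=$(cat)
  case "$listing" in
    *"Entry type: PrivateKeyEntry"*) return 0 ;;
    *"Entry type: "*)                return 1 ;;
    *)                               return 2 ;;
  esac
}

# private_key_owner: print the subject of the first certificate that belongs
# to a PrivateKeyEntry, so it can be compared with the cert you meant to load.
private_key_owner() {
  awk '/Entry type: PrivateKeyEntry/ { f = 1 }
       f && /^Owner: / { sub(/^Owner: /, ""); print; exit }'
}

# inspect_jks <path>: run keytool on a real keystore. The store password is
# read from the JKS_PASS environment variable (constructed name) via
# -storepass:env so it does not show up in the process list.
inspect_jks() {
  keytool -list -v -keystore "$1" -storetype JKS -storepass:env JKS_PASS 2>/dev/null \
    | check_keystore_listing
}

# Constructed sample listings in the shape keytool -list -v prints.
SAMPLE_OK='Keystore type: JKS
Your keystore contains 1 entry
Alias name: 1
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=test, O=Example
Issuer: CN=Example Issuing CA'

SAMPLE_CERT_ONLY='Keystore type: JKS
Your keystore contains 1 entry
Alias name: test
Entry type: trustedCertEntry
Owner: CN=test, O=Example
Issuer: CN=Example Issuing CA'
```

Run `JKS_PASS=... ; export JKS_PASS; inspect_jks /home/test/java-application-ldap.jks; echo $?` against the real file; anything other than 0 means the JVM has no client identity to offer.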
