Internet Express for Tru64 UNIX Version 6.10 Administration Guide (5900-1418, March 2011)

and server. For an SSL connection to be established successfully, the following conditions must be
satisfied:
The LDAP server must be configured by its administrator to accept SSL connections. The default
port for LDAP over SSL is port 636. Many servers are not configured by default to accept SSL
connections, so check with the server administrator if there is any doubt.
The authentication certificate presented to the LDAP Browser by the server must be signed by
a trusted certificate authority.
The LDAP Browser will automatically recognize and trust server certificates that are signed by any
one of a group of well-known certificate authorities. However, if an LDAP server presents a certificate
that is not signed by one of these well-known certificate authorities, the connection attempt will
fail. This is typically the case when attempting to connect to LDAP servers that have been configured
with self-signed certificates or certificates issued by a certificate authority internal to a company
or organization. In cases such as this, the server's certificate must be manually added to a certificate
store file that the LDAP Browser will use as a source of trusted certificates.
To add an LDAP server certificate to a trusted certificate store file, perform the following steps:
1. Obtain the LDAP server's digital certificate from the server's administrator.
Some administrators provide access to this certificate by posting a link to it on an associated
Web site or by storing it in a publicly accessible entry in the LDAP directory. Either the binary
form of the certificate or the printable Base64-encoded form defined by the Internet RFC 1421
standard is acceptable.
2. Import the certificate into a trusted certificate store file called .keystore in the user's home
directory.
To accomplish this, use the keytool utility that ships as part of the Java installation. For
example:
# keytool -import -alias someserver -file \
someserver.cer -keystore ~/.keystore -storepass mypassword
Where someserver is an alias that will be used to refer to this certificate, someserver.cer
is a file containing the certificate, and mypassword is a password used to access the keystore.
3. Restart the LDAP Browser to load the new keystore.
4. Connect to the LDAP server.
If the previous steps have been performed and the connection still cannot be made, verify that the
host name, port, base distinguished name, and bind authentication information are all configured
correctly. If the problem still remains, the LDAP Browser can be run from the command line with a
special qualifier that turns on SSL debugging; this can sometimes reveal the problem. To use the
qualifier, run the LDAP Browser from the directory where the ldapbrowser.jar file resides. For
example:
# java -Djavax.net.debug=all -jar ldapbrowser.jar
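The following script is an added example; it is not part of the Internet Express guide or of the LDAP Browser. It wraps steps 1 through 4 above and the SSL debugging launch in shell functions and adds the checks an administrator wants before trusting a certificate: it tells the printable RFC 1421 form from the binary form, prints the fingerprint so it can be compared with the value the server administrator supplied out of band, lets keytool prompt for the keystore password instead of placing it on a command line that other users of the system can read with ps, and verifies the alias after the import. The names someserver and someserver.cer, the KEYSTORE and LDAPBROWSER_DIR variables, and the function names are assumptions chosen for the example; keytool and java are assumed to be on the PATH.

```sh
#!/bin/sh
# Added example, not code from the Internet Express guide or the LDAP Browser.
# Assumes keytool and java are on PATH. KEYSTORE and LDAPBROWSER_DIR are
# example variables, defaulting to ~/.keystore and the current directory.
set -u

# Classify a certificate file: "pem" for the printable RFC 1421 form,
# "der" for the binary form, "unknown" for anything else (for instance an
# HTML error page saved by mistake when the certificate was downloaded).
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ -s "$1" ] && [ "$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        # A DER certificate is an ASN.1 SEQUENCE, whose first tag byte is 0x30.
        echo der
    else
        echo unknown
    fi
}

# Show the SHA1 fingerprint keytool computes for the file, to be compared
# with the fingerprint the server administrator supplied out of band before
# the certificate is trusted.
cert_fingerprint() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA1: //p'
}

# Step 2: import into the keystore the LDAP Browser reads. The store password
# is deliberately not passed with -storepass; keytool prompts for it, which
# keeps it out of the process list and the shell history. Without -noprompt,
# keytool also displays the certificate and asks for confirmation.
import_server_cert() {
    alias_name=$1
    cert_file=$2
    store=${KEYSTORE:-$HOME/.keystore}
    case $(cert_format "$cert_file") in
        pem|der) ;;
        *) echo "$cert_file is neither a PEM nor a DER certificate" >&2; return 1 ;;
    esac
    echo "Fingerprint of $cert_file: $(cert_fingerprint "$cert_file")"
    keytool -import -alias "$alias_name" -file "$cert_file" -keystore "$store"
}

# Confirm the alias is present in the store (keytool prompts for the
# password). Returns 0 when the entry exists, non-zero otherwise.
verify_import() {
    keytool -list -keystore "${KEYSTORE:-$HOME/.keystore}" -alias "$1"
}

# Troubleshooting step: launch with JSSE debugging. The -D option must come
# before -jar; after the jar name it becomes a program argument that the JVM
# never sees. "all" is what the guide uses; "ssl,handshake,trustmanager" is a
# narrower setting that still shows which certificate failed validation.
ldapbrowser_ssl_debug() {
    level=${1:-all}
    cd "${LDAPBROWSER_DIR:-.}" && java -Djavax.net.debug="$level" -jar ldapbrowser.jar
}

# Usage (example values):
#   import_server_cert someserver someserver.cer && verify_import someserver
#   ldapbrowser_ssl_debug     # then restart the LDAP Browser (step 3)
```

The functions that call keytool are interactive by design: keytool asks for the store password and, on import, shows the certificate's subject, issuer and fingerprints and waits for confirmation, which is the moment to compare them with what the administrator sent. cert_format is the only function that works without a Java installation and is what catches the common failure of importing a file that is not a certificate at all.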
Disconnecting from an LDAP Server
To terminate the currently established LDAP connection, choose Disconnect from the File menu.
Reconnecting to an LDAP Server
To disconnect from an established connection and then reconnect to it, or to reestablish a
connection that was terminated, choose Reconnect from the File menu.
Using the Main Browsing Window
Once a connection is established, the main browsing window allows you to view and manage
the information in the directory. The directory is graphically represented in tree form, with each
Using the LDAP Browser 199