Internet Express for Tru64 UNIX Version 6.8 Administration Guide (14233)
the browser and server. For an SSL connection to be established successfully, the following
conditions must be satisfied:
• The LDAP server must be configured by its administrator to accept SSL connections. The
default port for LDAP over SSL is port 636. Many servers are not configured by default to
accept SSL connections, so check with the server administrator if there is any doubt.
• The authentication certificate presented to the LDAP Browser by the server must be signed
by a trusted certificate authority.
The LDAP Browser will automatically recognize and trust server certificates that are signed by
any one of a group of well-known certificate authorities. However, if an LDAP server presents
a certificate that is not signed by one of these well-known certificate authorities, the connection
attempt will fail. This is typically the case when attempting to connect to LDAP servers that have
been configured with self-signed certificates or certificates issued by a certificate authority internal
to a company or organization. In cases such as this, the server's certificate (or, for a certificate
issued by an internal certificate authority, that authority's certificate) must be manually added
to a certificate store file that the LDAP Browser will use as a source of trusted certificates.
To add an LDAP server certificate to a trusted certificate store file, perform the following steps:
1. Obtain the LDAP server's digital certificate from the server's administrator.
Some administrators provide access to this certificate by posting a link to it on an associated
Web site or by storing it in a publicly accessible entry in the LDAP directory. Either the
binary (DER) form of the certificate or the printable Base64-encoded form defined by the Internet
RFC 1421 standard (text delimited by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
lines) is acceptable.
2. Import the certificate into a trusted certificate store file called .keystore in the user's home
directory.
To accomplish this, use the keytool utility that ships as part of the Java installation. For
example:
# keytool -import -alias someserver -file \
someserver.cer -keystore ~/.keystore -storepass mypassword
Where someserver is an alias that will be used to refer to this certificate, someserver.cer
is a file containing the certificate, and mypassword is a password used to access the keystore
(if the .keystore file does not exist yet, keytool creates it with that password). Before adding
the certificate, keytool displays its owner, issuer, and fingerprint and asks whether to trust it.
Compare the fingerprint with the value obtained from the server's administrator and answer no if
they differ: a certificate accepted into this file is trusted for every later connection.
3. Restart the LDAP Browser to load the new keystore.
4. Connect to the LDAP server.
If the previous steps have been performed and the connection still cannot be made, verify that
the host name, port, base distinguished name, and bind authentication information are all
configured correctly. If the problem still remains, the LDAP Browser can be run from the command
line with a Java system property that turns on SSL debugging; the resulting handshake trace, which
includes the certificate chain presented by the server, can often reveal the problem.
To use the property, run the LDAP Browser from the directory where the ldapbrowser.jar
file resides and place the -D option before -jar (anything after the jar file name is passed to
the application rather than to the Java runtime). For example:
# java -Djavax.net.debug=all -jar ldapbrowser.jar
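The import in step 2 depends on the certificate file being intact and on the fingerprint keytool shows matching what the administrator states. The following Python script is an added example and is not part of this guide or of the LDAP Browser: it accepts a certificate in either of the two forms step 1 allows (binary DER or RFC 1421 Base64 text), normalizes it to DER, checks that the outer ASN.1 length accounts for the whole file (a truncated or HTML-wrapped download is a common reason an import fails), and computes SHA-1 and SHA-256 fingerprints in the colon-separated form keytool displays at its "Trust this certificate?" prompt. The bytes in SAMPLE_DER are a constructed ASN.1 SEQUENCE used only to exercise the code; they are not a real certificate, and the script name certfp.py in the usage comment is assumed.

```python
import base64
import hashlib
import re
import sys

# RFC 1421 (PEM) armour: a Base64 body between BEGIN/END CERTIFICATE lines.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def _der_total_length(der: bytes) -> int:
    """Total size implied by the outer DER tag and length (short or long form)."""
    if len(der) < 2:
        raise ValueError("too short to be DER")
    first = der[1]
    if first < 0x80:                      # short form: length fits in 7 bits
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def to_der(data: bytes) -> bytes:
    """Return DER bytes for a certificate supplied either as DER or as PEM text."""
    if data.lstrip().startswith(b"-----BEGIN"):
        m = PEM_RE.search(data)
        if m is None:
            raise ValueError("PEM armour present but no CERTIFICATE block found")
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    else:
        der = data
    # An X.509 certificate is an ASN.1 SEQUENCE (tag 0x30) whose encoded
    # length must account for the whole file; anything else is not a
    # certificate, or was truncated or wrapped (e.g. in HTML) on download.
    if not der or der[0] != 0x30:
        raise ValueError("not a DER-encoded certificate (missing SEQUENCE tag)")
    if _der_total_length(der) != len(der):
        raise ValueError("DER length mismatch: file truncated or has trailing data")
    return der


def to_pem(der: bytes) -> str:
    """Re-armour DER as RFC 1421 text with 64-character Base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Digest of the DER bytes in the AA:BB:CC... form that keytool prints."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def describe(data: bytes) -> dict:
    """Normalise a certificate file and report its form, size and fingerprints."""
    form = "PEM" if data.lstrip().startswith(b"-----BEGIN") else "DER"
    der = to_der(data)
    return {
        "form": form,
        "der_length": len(der),
        "sha1": fingerprint(der, "sha1"),
        "sha256": fingerprint(der, "sha256"),
    }


# Constructed sample: a minimal ASN.1 SEQUENCE, *not* a real certificate.
SAMPLE_DER = b"\x30\x0c\x30\x0a\x02\x01\x01\x04\x05hello"

if __name__ == "__main__":
    # Usage: python certfp.py someserver.cer   (falls back to the sample bytes)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DER
    for key, value in describe(raw).items():
        print(f"{key:>10}: {value}")
```

Run it against the someserver.cer file from step 1 and compare the SHA-1 or SHA-256 line with the fingerprint keytool shows before asking for confirmation and with the value the administrator gave you; a mismatch means you are looking at a different certificate than the one you intended to trust. The length check deliberately rejects trailing bytes, so a DER file that has been appended to (for example by a text editor adding a newline) is reported rather than silently imported.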
11.2.2.4 Disconnecting from an LDAP Server
To terminate the currently established LDAP connection, choose Disconnect from the File menu.
11.2.2.5 Reconnecting to an LDAP Server
To disconnect and then reconnect from an established connection, or to reestablish a connection
that was terminated, choose Reconnect from the File menu.
11.2.3 Using the Main Browsing Window
Once a connection is established, the main browsing window allows you to view and manage
the information in the directory. The directory is graphically represented in tree form, with each
11.2 Using the LDAP Browser 205