I'm using MWG 7.8.2.2.0 (26805).

I'm attempting to use my organization's Red Hat IPA server to handle user credentials for the admin accounts of the MWG.

I have successfully made this work for regular LDAP queries, but the MWG sends passwords in cleartext when operating in this mode. I would like to use LDAPS instead.

My organization has its own root CA, and the IPA server sends four certificates when making a secure connection. >openssl s_client -showcerts -connect [ipa server]:636 shows four certificates, each pointing to the next one up the chain all the way to the self-signed root certificate.

I extracted these four certificates to four .crt files, each containing the base64 encoded certificate block. I went to the Policy->Lists section of the MWG GUI, and added an entry under Custom Lists-> Certificate Authority. I then added the four certificates using the green + button and selecting import. Each certificate appears to have been imported correctly; the CN/O/OU, valid dates and fingerprints look correct. Each has 'true' in the trusted column.

I then saved the settings, went to the accounts tab, and updated the LDAP Specific Parameters to use LDAPS and 636, and selected my newly created CA from the drop down list. When I attempt to test authentication, I get an authentication failed, and a tcpdump shows that the MWG sent an 'TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unknown CA)' message.

I've been working on this for a few days, trying different settings for the CA and LDAPS sections, but can't get past this issue.