SSL for LDAP connector

Slava Bendersky
Added over 5 years ago

Hello Everyone,

I have a question about the SSL connection for the LDAP connector. I can't find any info about it.

--auth-db-uri = ldaps://myldap:636

Replies (6)

Added by Wojciech Kapcia TigaseTeam over 5 years ago

Given that you have followed the LDAP authentication connector guide and also configured user-dn-pattern, using an ldaps URI should work. Is it not working in your case? Do you have any exceptions in the logs?

Added by Slava Bendersky over 5 years ago

Here are some logs. I imported the root LDAP cert into the key store.

[volga629@cadevsrv01 ~]$ sudo keytool -list -keystore /etc/pki/tigase/rsa-keystore
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entries

root, Nov 27, 2013, trustedCertEntry, 
Certificate fingerprint (SHA1): 
ldap-root, Nov 28, 2013, trustedCertEntry, 

2013-11-28 20:14:58.787 [urn:ietf:params:xml:ns:xmpp-sasl Queue Worker 0]  LdapAuthProvider.doBindAuthentication()  WARNING: Can't authenticate user
javax.naming.CommunicationException: simple bind failed: myldap:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
        at javax.naming.InitialContext.init(InitialContext.java:242)
        at javax.naming.InitialContext.<init>(InitialContext.java:216)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
        at tigase.db.ldap.LdapAuthProvider.doBindAuthentication(LdapAuthProvider.java:163)
        at tigase.db.ldap.LdapAuthProvider.otherAuth(LdapAuthProvider.java:220)
        at tigase.db.AuthRepositoryMDImpl.otherAuth(AuthRepositoryMDImpl.java:249)
        at tigase.auth.impl.AuthRepoPlainCallbackHandler.handle(AuthRepoPlainCallbackHandler.java:118)
        at tigase.auth.mechanisms.AbstractSasl.handleCallbacks(AbstractSasl.java:49)

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)

Added by Wojciech Kapcia TigaseTeam over 5 years ago

Can you connect to your LDAP over SSL using any other Java-based tools, e.g. JXplorer or Apache Directory Studio?
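The stack trace above ends in `SunCertPathBuilderException: unable to find valid certification path to requested target`, which is the JDK's PKIX validator refusing a server chain that does not terminate in any trust anchor it was given. Note that, unless the application installs its own trust manager, JSSE reads anchors from the store named by `javax.net.ssl.trustStore` (or the JDK's `cacerts`), not from an arbitrary JKS file on disk, so having `ldap-root` in `/etc/pki/tigase/rsa-keystore` does not by itself make the Tigase JVM trust it. The following stand-alone Java program is an added diagnostic in the spirit of the "try another Java-based tool" suggestion; it is not Tigase code. It performs the same PKIX check against exactly the trust store you hand it, so the outcome separates "wrong store in use" from "wrong or incomplete anchor in the store". The host, port, store path and password are command-line arguments; the class name `LdapsTrustCheck` is my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not Tigase code): open a TLS connection to an LDAPS server
 * using only the trust anchors in the given JKS file and report whether the
 * JDK's PKIX validator accepts the server's certificate chain.
 *
 * Usage: java LdapsTrustCheck <host> <port> <truststore.jks> <password>
 */
public class LdapsTrustCheck {

    /** Build an SSLContext whose only trust anchors are the trustedCertEntry items of the given JKS file. */
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        // Default algorithm is PKIX: the same validator that produced the exception in the log.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: LdapsTrustCheck <host> <port> <truststore.jks> <password>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        SSLContext ctx = contextFromTrustStore(args[2], args[3].toCharArray());

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // Also check that the certificate name matches the host we dialled
            // (LDAPS endpoint identification), not just that the chain is trusted.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("LDAPS");
            socket.setSSLParameters(params);

            socket.startHandshake(); // PKIX path building happens here

            System.out.println("Handshake OK: " + socket.getSession().getProtocol()
                    + " / " + socket.getSession().getCipherSuite());
            for (Certificate c : socket.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject: " + x.getSubjectX500Principal());
                System.out.println("  issuer:  " + x.getIssuerX500Principal());
                System.out.println("  expires: " + x.getNotAfter());
            }
        } catch (SSLHandshakeException e) {
            // Same failure class as in the Tigase log: no anchor in this store
            // signs the presented chain, or the name does not match the host.
            System.out.println("Handshake FAILED: " + e.getMessage());
            Throwable root = e;
            while (root.getCause() != null) {
                root = root.getCause();
            }
            System.out.println("  root cause: " + root);
            System.exit(1);
        }
    }
}
```

Run it with the host and port from the `ldaps://` URI and the path and password of the store that received the `ldap-root` import. If the handshake passes here but Tigase still logs the PKIX error, the Tigase JVM is consulting a different trust store, and pointing `javax.net.ssl.trustStore` and `javax.net.ssl.trustStorePassword` at this file (or importing the CA into the JDK's `cacerts`) is the fix. If it fails here too, the chain the server presents does not end at the imported certificate: the printed issuer of the last certificate shows which CA (often an intermediate) still needs to be added as a trust anchor. Either way the remedy is to make the right CA trusted, not to replace the trust manager with one that accepts any certificate, which would turn the LDAP bind into an unauthenticated channel.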

Added by Slava Bendersky over 5 years ago

No, I haven't tried.

Added by Wojciech Kapcia TigaseTeam over 5 years ago

Please verify that such connection works and if it does and Tigase still can't connect, please submit an issue.

Added by Slava Bendersky over 5 years ago

I opened a ticket because I can't make it work.
