IDP 3.1.2 LDAP without SSL
Jing Xiao
jing at springshare.com
Thu Aug 13 01:25:01 EDT 2015
I am having a similar issue with LDAP without SSL. My LDAP does not even
support TLS/SSL, and I keep getting related errors. Here is the
idp.properties:
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://localhost:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
idp.authn.LDAP.returnAttributes = cn,givenName,mail,sn
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=com
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = uid=james,ou=people,dc=example,dc=com
idp.authn.LDAP.bindDNCredential = springy
idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=example,dc=com
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN}
idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN}
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential}
idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates}
idp.attribute.resolver.LDAP.searchFilter = (uid=$requestContext.principalName)
If I comment out
idp.authn.LDAP.trustCertificates
which I don't need, I get
2015-08-13 05:13:09,596 - WARN
[net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:487]
- Exception encountered during context initialization - cancelling
refresh attempt
org.springframework.beans.factory.BeanDefinitionStoreException: Invalid
bean definition with name 'LDAPtoIdPCredential' defined in null: Could
not resolve placeholder 'idp.authn.LDAP.trustCertificates' in string
value "%{idp.authn.LDAP.trustCertificates}"; nested exception is
java.lang.IllegalArgumentException: Could not resolve placeholder
'idp.authn.LDAP.trustCertificates' in string value
"%{idp.authn.LDAP.trustCertificates}"
at
org.springframework.beans.factory.config.PlaceholderConfigurerSupport.doProcessProperties(PlaceholderConfigurerSupport.java:211)
Caused by: java.lang.IllegalArgumentException: Could not resolve
placeholder 'idp.authn.LDAP.trustCertificates' in string value
"%{idp.authn.LDAP.trustCertificates}"
at
org.springframework.util.PropertyPlaceholderHelper.parseStringValue(PropertyPlaceholderHelper.java:174)
2015-08-13 05:13:09,605 - ERROR
[net.shibboleth.utilities.java.support.service.AbstractReloadableService:181]
- Service 'shibboleth.AttributeResolverService': Initial load failed
net.shibboleth.utilities.java.support.service.ServiceException:
org.springframework.beans.factory.BeanDefinitionStoreException: Invalid
bean definition with name 'LDAPtoIdPCredential' defined in null: Could
not resolve placeholder 'idp.authn.LDAP.trustCertificates' in string
value "%{idp.authn.LDAP.trustCertificates}"; nested exception is
java.lang.IllegalArgumentException: Could not resolve placeholder
'idp.authn.LDAP.trustCertificates' in string value
"%{idp.authn.LDAP.trustCertificates}"
at
net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:334)
Caused by:
org.springframework.beans.factory.BeanDefinitionStoreException: Invalid
bean definition with name 'LDAPtoIdPCredential' defined in null: Could
not resolve placeholder 'idp.authn.LDAP.trustCertificates' in string
value "%{idp.authn.LDAP.trustCertificates}"; nested exception is
java.lang.IllegalArgumentException: Could not resolve placeholder
'idp.authn.LDAP.trustCertificates' in string value
"%{idp.authn.LDAP.trustCertificates}"
at
org.springframework.beans.factory.config.PlaceholderConfigurerSupport.doProcessProperties(PlaceholderConfigurerSupport.java:211)
Caused by: java.lang.IllegalArgumentException: Could not resolve
placeholder 'idp.authn.LDAP.trustCertificates' in string value
"%{idp.authn.LDAP.trustCertificates}"
at
org.springframework.util.PropertyPlaceholderHelper.parseStringValue(PropertyPlaceholderHelper.java:174)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
If I generate ldap-server.crt with openssl, I get
2015-08-13 04:57:51,528 - ERROR
[net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector:123]
- Data Connector 'myLDAP': Invalid connector configuration
net.shibboleth.idp.attribute.resolver.dc.impl.ValidationException:
[org.ldaptive.provider.ConnectionException at 1505424616::resultCode=null,
matchedDn=null, responseControls=null, referralURLs=null, messageId=-1,
providerException=javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target]
at
net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector$DefaultValidator.validate(LDAPDataConnector.java:165)
Caused by: org.ldaptive.provider.ConnectionException:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at
org.ldaptive.provider.jndi.JndiStartTLSConnectionFactory.createInternal(JndiStartTLSConnectionFactory.java:100)
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
2015-08-13 04:57:51,538 - WARN
[net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:487]
- Exception encountered during context initialization - cancelling
refresh attempt
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name 'myLDAP': Invocation of init method failed; nested
exception is net.shibboleth.utilities.java.support.component.ComponentInitializationException: Data Connector 'myLDAP': Invalid connector
configuration
at
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1566)
Caused by:
net.shibboleth.utilities.java.support.component.ComponentInitializationException:
Data Connector 'myLDAP': Invalid connector configuration
at
net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector.doInitialize(LDAPDataConnector.java:124)
Caused by:
net.shibboleth.idp.attribute.resolver.dc.impl.ValidationException:
[org.ldaptive.provider.ConnectionException at 1505424616::resultCode=null,
matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, providerException=javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at
net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector$DefaultValidator.validate(LDAPDataConnector.java:165)
Caused by: org.ldaptive.provider.ConnectionException:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at
org.ldaptive.provider.jndi.JndiStartTLSConnectionFactory.createInternal(JndiStartTLSConnectionFactory.java:100)
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
2015-08-13 04:57:51,545 - ERROR
[net.shibboleth.utilities.java.support.service.AbstractReloadableService:181]
- Service 'shibboleth.AttributeResolverService': Initial load failed
net.shibboleth.utilities.java.support.service.ServiceException:
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name 'myLDAP': Invocation of init method failed; nested exception is
net.shibboleth.utilities.java.support.component.ComponentInitializationException:
Data Connector 'myLDAP': Invalid connector configuration
at
net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:334)
Caused by: org.springframework.beans.factory.BeanCreationException:
Error creating bean with name 'myLDAP': Invocation of init method
failed; nested exception is net.shibboleth.utilities.java.support.component.ComponentInitializationException: Data Connector 'myLDAP': Invalid
connector configuration
at
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1566)
Caused by:
net.shibboleth.utilities.java.support.component.ComponentInitializationException:
Data Connector 'myLDAP': Invalid connector configuration
at
net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector.doInitialize(LDAPDataConnector.java:124)
Caused by:
net.shibboleth.idp.attribute.resolver.dc.impl.ValidationException:
[org.ldaptive.provider.ConnectionException at 1505424616::resultCode=null,
matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, providerException=javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at
net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector$DefaultValidator.validate(LDAPDataConnector.java:165)
Caused by: org.ldaptive.provider.ConnectionException:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at
org.ldaptive.provider.jndi.JndiStartTLSConnectionFactory.createInternal(JndiStartTLSConnectionFactory.java:100)
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
*********************
I have already set SSL and TLS to false, and now need help on how to
set it up with plain LDAP only.
--
Jing
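An added example, not from the original post or from the Shibboleth project: a small Python lint that expands the `%{...}` placeholders of an idp.properties fragment the way the "Could not resolve placeholder" error above describes, reports which resolver keys dangle once idp.authn.LDAP.trustCertificates is commented out, and flags connectors that would bind over cleartext ldap://. The sample fragment is constructed, and an absent useStartTLS key is treated as true, which assumes the `%{key:true}` default in the IdP's shipped configuration.

```python
import re

# Spring/Shibboleth placeholder syntax: %{key} or %{key:default}
PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")

# Constructed sample mirroring the post's idp.properties, with the
# idp.authn.LDAP.trustCertificates line commented out as the poster did.
SAMPLE = """
idp.authn.LDAP.ldapURL = ldap://localhost:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
#idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.bindDNCredential = constructed-secret
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates}
"""

def parse_properties(text):
    """Parse 'key = value' lines, skipping blanks and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def resolve(props):
    """Return (resolved, unresolved); unresolved maps key -> missing placeholder name."""
    def expand(value, depth):
        def sub(m):
            name, default = m.group(1), m.group(2)
            if name in props and depth < 10:      # depth guard against cycles
                return expand(props[name], depth + 1)
            if default is not None:
                return default
            raise KeyError(name)                  # what Spring reports as unresolved
        return PLACEHOLDER.sub(sub, value)
    resolved, unresolved = {}, {}
    for key, value in props.items():
        try:
            resolved[key] = expand(value, 0)
        except KeyError as err:
            unresolved[key] = err.args[0]
    return resolved, unresolved

def plaintext_ldap(resolved, prefix):
    """True when the connector under `prefix` binds over cleartext ldap:// with no StartTLS/LDAPS."""
    url = resolved.get(prefix + "ldapURL", "")
    starttls = resolved.get(prefix + "useStartTLS", "true").lower() == "true"  # absent -> true (assumed default)
    ssl = resolved.get(prefix + "useSSL", "false").lower() == "true"
    return url.startswith("ldap://") and not starttls and not ssl
```

Run against the sample, the resolver's trustCertificates key is the one dangling reference, and the authn connector is flagged as cleartext while the resolver connector is not, because its useStartTLS is unset and therefore defaults to true.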