Active Directory traffic not encrypted

Steven Teixeira steixeira at csustan.edu
Wed Sep 12 16:34:19 EDT 2018


Try dropping the port off the URL leaving only "ldaps://DC.starkstate.net".  useStartTLS = false, useSSL = true

See if that does it.

Steven Teixeira

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Rochford, Mike
Sent: Wednesday, September 12, 2018 13:03
To: users at shibboleth.net
Subject: Active Directory traffic not encrypted

I am trying to set up a new installation of Shibboleth v3.3.3.1.

I have the Shibboleth IdP set up and working to authenticate users to our Active Directory using the TestShib site. However, after doing a packet capture on the network I can see that the user name and password are being sent in clear text between the Shibboleth server and the domain controller. This is happening with both the bind user and the user authenticating via Shibboleth.

I have enabled StartTLS; I can see that TLS is being used for most of the traffic between the servers, but when user account information is being passed it's in clear text. I have attempted to use useSSL but receive an error any time I restart the Shibboleth service, and Shibboleth will not start.

Here is the current code I'm using in the ldap.properties file for useStartTLS (usernames and passwords are in clear text):
idp.authn.LDAP.authenticator= bindSearchAuthenticator

## Connection properties ##
idp.authn.LDAP.ldapURL= ldap://DC.starkstate.net
idp.authn.LDAP.useStartTLS                     = true
idp.authn.LDAP.useSSL                          = false
# Time in milliseconds that connects will block
#idp.authn.LDAP.connectTimeout                  = PT3S
# Time in milliseconds to wait for responses
#idp.authn.LDAP.responseTimeout                 = PT3S

## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
idp.authn.LDAP.sslConfig                       = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
idp.authn.LDAP.trustCertificates= %{idp.home}/credentials/ldap-server.crt
## If using keyStoreTrust above, set to the truststore path
#idp.authn.LDAP.trustStore= %{idp.home}/credentials/ldap-server.truststore


Here is the code I've used in the ldap.properties file for useSSL (Shibboleth will not start with these settings):
idp.authn.LDAP.authenticator= bindSearchAuthenticator

## Connection properties ##
idp.authn.LDAP.ldapURL= ldaps://DC.starkstate.net:636
idp.authn.LDAP.useStartTLS                     = false
idp.authn.LDAP.useSSL                          = true
# Time in milliseconds that connects will block
#idp.authn.LDAP.connectTimeout                  = PT3S
# Time in milliseconds to wait for responses
#idp.authn.LDAP.responseTimeout                 = PT3S

## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
idp.authn.LDAP.sslConfig                       = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
idp.authn.LDAP.trustCertificates= %{idp.home}/credentials/ldap-server.crt
## If using keyStoreTrust above, set to the truststore path
#idp.authn.LDAP.trustStore= %{idp.home}/credentials/ldap-server.truststore

Error when starting Shibboleth with these settings; the error repeats 5-6 times:
2018-09-12 15:59:21,055 - ERROR [org.ldaptive.pool.BlockingConnectionPool:509] - [org.ldaptive.pool.BlockingConnectionPool at 503319063::name=resolver-pool, poolConfig=[org.ldaptive.pool.PoolConfig at 2010733041::minPoolSize=3, maxPoolSize=10, validateOnCheckIn=false, validateOnCheckOut=false, validatePeriodically=true, validatePeriod=300, validateTimeout=5000], activator=null, passivator=null, validator=[org.ldaptive.pool.SearchValidator at 298424794::searchRequest=[org.ldaptive.SearchRequest at 1951037998::baseDn=, searchFilter=[org.ldaptive.SearchFilter at 1642584434::filter=(objectClass=*), parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=0, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, followReferrals=false, intermediateResponseHandlers=null]] pruneStrategy=[org.ldaptive.pool.IdlePruneStrategy at 2006168925::prunePeriod=300, idleTime=600], connectOnCreate=true, connectionFactory=[org.ldaptive.DefaultConnectionFactory at 717874492::provider=org.ldaptive.provider.jndi.JndiProvider at 4ac7856f, config=[org.ldaptive.ConnectionConfig at 1911725457::ldapUrl=ldaps://dc.starkstate.net:636, connectTimeout=3000, responseTimeout=3000, sslConfig=[org.ldaptive.ssl.SslConfig at 1631826609::credentialConfig=org.ldaptive.ssl.CredentialConfigFactory$2 at a63643e, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=true, connectionInitializer=[org.ldaptive.BindConnectionInitializer at 1126780571::bindDn=CN=shibboleth,OU=Specific purpose logon accounts,DC=starkstate,DC=net, bindSaslConfig=null, bindControls=null]]], initialized=false, availableCount=0, activeCount=0] unable to connect to the ldap
org.ldaptive.provider.ConnectionException: javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090E44, comment: TLS or SSL already in effect, data 0, v1772 ]; remaining name ''
                at org.ldaptive.provider.jndi.JndiStartTLSConnectionFactory.createInternal(JndiStartTLSConnectionFactory.java:95)
Caused by: javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090E44, comment: TLS or SSL already in effect, data 0, v1772 ]
                at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)



Thanks,
Mike Rochford
IT Manager
Stark State College
mrochford at starkstate.edu
330-494-6170 x 4244
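As an added illustration (not code from this thread or from the Shibboleth project), a small Python linter that applies the StartTLS/LDAPS consistency rules to an ldap.properties fragment. The sample input is constructed from the combination the error log above reports for the resolver pool (an ldaps://...:636 URL with useStartTLS=true and useSSL=false), which is exactly the case that produces "TLS or SSL already in effect".

```python
# Added example: consistency linter for the TLS-related keys in a Shibboleth
# IdP v3 ldap.properties fragment (not code from the thread or the project).
from urllib.parse import urlsplit

def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' comments skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_ldap_tls(props):
    """Return a list of findings; an empty list means the settings are consistent."""
    flag = lambda k: props.get(k, "false").strip().lower() == "true"
    url = urlsplit(props.get("idp.authn.LDAP.ldapURL", ""))
    scheme = url.scheme.lower()
    start_tls = flag("idp.authn.LDAP.useStartTLS")
    use_ssl = flag("idp.authn.LDAP.useSSL")
    if scheme not in ("ldap", "ldaps"):
        return ["ldapURL must start with ldap:// or ldaps://"]
    findings = []
    if start_tls and use_ssl:
        findings.append("useStartTLS and useSSL are mutually exclusive")
    if scheme == "ldaps" and start_tls:
        # The socket is already TLS, so the StartTLS extended operation is
        # rejected by the DC ("TLS or SSL already in effect" in the log above).
        findings.append("StartTLS requested on an ldaps:// URL")
    if scheme == "ldaps" and not use_ssl:
        findings.append("ldaps:// URL with useSSL=false")
    if scheme == "ldap" and use_ssl:
        findings.append("useSSL=true but URL is ldap://; use ldaps://")
    if scheme == "ldap" and not start_tls and not use_ssl:
        findings.append("ldap:// without StartTLS or SSL: credentials cross the wire in clear text")
    if props.get("idp.authn.LDAP.sslConfig") == "certificateTrust" and not props.get("idp.authn.LDAP.trustCertificates"):
        findings.append("certificateTrust selected but trustCertificates is unset")
    return findings

# Constructed sample: the combination the error log above reports for the resolver pool.
FROM_LOG = """idp.authn.LDAP.ldapURL= ldaps://dc.starkstate.net:636
idp.authn.LDAP.useStartTLS = true
idp.authn.LDAP.useSSL = false"""

if __name__ == "__main__":
    for finding in check_ldap_tls(parse_properties(FROM_LOG)):
        print("FINDING:", finding)
```

Run it against each ldap.properties variant you intend to deploy; the attribute resolver's own LDAP settings deserve the same check, since the log shows the resolver pool rather than the authenticator failing.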
