JAAS ldap issue

IAM David Bantz dabantz at alaska.edu
Wed Jun 3 00:35:42 UTC 2020


I'm using JAAS to take advantage of the "sufficient" logic to fail over to
a proxy to allow expired accounts to authenticate.

Using this configuration in JAAS.config for the proxy connection

>   // UA Authenticator is proxy to AD allows some expired accounts to authenticate
>   org.ldaptive.jaas.LdapLoginModule sufficient
>     ldapUrl="ldap://cas-auth-t.alaska.edu:6361"
>     baseDn="dc=ur,dc=addev,dc=alaska,dc=edu"
>     bindDn="CN=•••••,ou=...,dc=ua,dc=adt,dc=alaska,dc=edu"
>     bindCredential="••••••••••"
>     subtreeSearch="true"
>     sslSocketFactory="{trustCertificates=file:/.../•••.pem}"
>     ssl="true"
>     tls="false"
>     userFilter="(|(sAMAccountName={user})(uaIdentifier={user}))"
>     connectTimeout="3000"
>     resultTimeout="3000"
>     ;

I see the following error when attempting to use this fail-over:

> DEBUG [10.25.250.26]
> org.ldaptive.provider.jndi.NamingExceptionUtils:358 >  naming exception
> class javax.naming.ServiceUnavailableException is ambiguous, maps to
> multiple result codes: [BUSY, UNAVAILABLE]

(Larger log snippet surrounding this error is below)

Folks here quickly say "that should be ldaps:// not ldap://" but the
examples in Shib wiki use ldap:// with ssl="true"; if I do use ldaps:// in
the configuration above, the connection is refused outright:

> DEBUG [137.229.6.124] org.ldaptive.provider.jndi.JndiConnectionFactory:105
> >  Error connecting to LDAP URL: ldaps://cas-auth-t.alaska.edu:6361
> org.ldaptive.provider.ConnectionException:
> javax.naming.CommunicationException: cas-auth-t.alaska.edu:6361 [Root
> exception is javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Any pointers, hints, interpretation appreciated!

David Bantz

----

Here's the larger snippet:
14:05:42:455  DEBUG [10.25.250.26] org.ldaptive.jaas.LdapLoginModule:104 >
 Retrieved authenticator from factory:
[org.ldaptive.auth.Authenticator at 1889354517
::dnResolver=[org.ldaptive.auth.SearchDnResolver at 849231888
::factory=[org.ldaptive.DefaultConnectionFactory at 1944062102
::provider=org.ldaptive.provider.jndi.JndiProvider at 2b1f07a,
config=[org.ldaptive.ConnectionConfig at 414093010::ldapUrl=ldap://
cas-auth-t.alaska.edu:6361, connectTimeout=3000, responseTimeout=-1,
sslConfig=null, useSSL=false, useStartTLS=false,
connectionInitializer=[org.ldaptive.BindConnectionInitializer at 1483789079::bindDn=CN=cas
c. casacct,ou=sw_service accts,ou=sw,dc=ua,dc=adt,dc=alaska,dc=edu,
bindSaslConfig=null, bindControls=null]]],
baseDn=dc=ur,dc=addev,dc=alaska,dc=edu,
userFilter=(|(sAMAccountName={user})(uaIdentifier={user})),
userFilterParameters=null, allowMultipleDns=false, subtreeSearch=true,
derefAliases=null, followReferrals=false],
authenticationHandler=[org.ldaptive.auth.BindAuthenticationHandler at 724026423
::factory=[org.ldaptive.DefaultConnectionFactory at 639157001
::provider=org.ldaptive.provider.jndi.JndiProvider at 4aac1106,
config=[org.ldaptive.ConnectionConfig at 345672495::ldapUrl=ldap://
cas-auth-t.alaska.edu:6361, connectTimeout=3000, responseTimeout=-1,
sslConfig=null, useSSL=false, useStartTLS=false,
connectionInitializer=[org.ldaptive.BindConnectionInitializer at 17429495::bindDn=CN=cas
c. casacct,ou=sw_service accts,ou=sw,dc=ua,dc=adt,dc=alaska,dc=edu,
bindSaslConfig=null, bindControls=null]]], saslConfig=null, controls=null],
entryResolver=null, authenticationResponseHandlers=null]

14:05:42:455  DEBUG [10.25.250.26] org.ldaptive.jaas.LdapLoginModule:108 >
 Retrieved authentication request from factory:
[org.ldaptive.auth.AuthenticationRequest at 1634297940::user=null,
retAttrs=[1.1], controls=null]

14:05:42:458  DEBUG [10.25.250.26] org.ldaptive.BindOperation:138 >
 execute request=[org.ldaptive.BindRequest at 1273459038::bindDn=CN=cas c.
casacct,ou=sw_service accts,ou=sw,dc=ua,dc=adt,dc=alaska,dc=edu,
saslConfig=null, controls=null] with
connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection at 199510270
::config=[org.ldaptive.ConnectionConfig at 414093010::ldapUrl=ldap://
cas-auth-t.alaska.edu:6361, connectTimeout=3000, responseTimeout=-1,
sslConfig=null, useSSL=false, useStartTLS=false,
connectionInitializer=[org.ldaptive.BindConnectionInitializer at 1483789079::bindDn=CN=cas
c. casacct,ou=sw_service accts,ou=sw,dc=ua,dc=adt,dc=alaska,dc=edu,
bindSaslConfig=null, bindControls=null]],
providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory at 1169982526
::metadata=[ldapUrl=ldap://cas-auth-t.alaska.edu:6361, count=1],
environment={com.sun.jndi.ldap.connect.timeout=3000,
java.naming.ldap.version=3,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory},
providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig at 1866297109::operationExceptionResultCodes=[PROTOCOL_ERROR,
SERVER_DOWN], properties={},
connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy at 2f383546,
controlProcessor=org.ldaptive.provider.ControlProcessor at 1f209e2d,
environment=null, tracePackets=null, removeDnUrls=true,
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]],
providerConnection=org.ldaptive.provider.jndi.JndiConnection at 362a968f]

14:05:42:462  DEBUG [10.25.250.26]
org.ldaptive.provider.jndi.NamingExceptionUtils:358 >  naming exception
class javax.naming.ServiceUnavailableException is ambiguous, maps to
multiple result codes: [BUSY, UNAVAILABLE]

14:05:42:462  DEBUG [10.25.250.26] org.ldaptive.jaas.LdapLoginModule:178 >
 Error occurred attempting authentication
org.ldaptive.OperationException: javax.naming.ServiceUnavailableException:
cas-auth-t.alaska.edu:6361; socket closed
        at
org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:67)
Caused by: javax.naming.ServiceUnavailableException:
cas-auth-t.alaska.edu:6361; socket closed
        at com.sun.jndi.ldap.Connection.readReply(Connection.java:454)
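Added diagnostic example (not from the original post and not part of ldaptive): a script that compares the options in a JAAS LdapLoginModule stanza with the effective ConnectionConfig that ldaptive prints at DEBUG, so that a stanza saying ssl="true" while the log shows useSSL=false and sslConfig=null is flagged before the server side is chased. The stanza and log line below are constructed samples with placeholder host, DN and path.

```python
import re
from urllib.parse import urlparse

# Constructed sample stanza, shaped like the one in the post; host, DN and path are placeholders.
JAAS_STANZA = '''
org.ldaptive.jaas.LdapLoginModule sufficient
    ldapUrl="ldap://ldap.example.test:6361"
    baseDn="dc=example,dc=test"
    bindDn="CN=svc-account,ou=accts,dc=example,dc=test"
    bindCredential="PLACEHOLDER"
    subtreeSearch="true"
    sslSocketFactory="{trustCertificates=file:/path/to/ca.pem}"
    ssl="true"
    tls="false"
    connectTimeout="3000"
    ;
'''

# Constructed sample of the ConnectionConfig dump ldaptive logs at DEBUG (mail clients render "@" as " at ").
LOG_LINE = ("config=[org.ldaptive.ConnectionConfig at 414093010::ldapUrl=ldap://"
            "ldap.example.test:6361, connectTimeout=3000, responseTimeout=-1, "
            "sslConfig=null, useSSL=false, useStartTLS=false, "
            "connectionInitializer=[org.ldaptive.BindConnectionInitializer at 1::"
            "bindDn=CN=svc-account,ou=accts,dc=example,dc=test]]")


def parse_jaas(stanza):
    """Return the key="value" options of a JAAS login-module stanza as a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', stanza))


def parse_log_config(line):
    """Return the scalar fields of a logged ConnectionConfig (the nested initializer is dropped)."""
    body = re.search(r'ConnectionConfig (?:@|at) \d+::(.*)', line).group(1)
    body = body.split(', connectionInitializer=')[0]   # nested object carries its own commas (bindDn)
    return dict(kv.split('=', 1) for kv in body.split(', '))


def check(stanza, log_line):
    """Compare intended (JAAS) with effective (logged) connection settings; return finding codes."""
    want, got = parse_jaas(stanza), parse_log_config(log_line)
    scheme = urlparse(want.get('ldapUrl', '')).scheme
    want_ssl = scheme == 'ldaps' or want.get('ssl') == 'true'
    findings = []
    if want.get('ldapUrl') != got.get('ldapUrl'):
        findings.append('URL_NOT_EFFECTIVE')        # a different stanza or default was loaded
    if want_ssl and got.get('useSSL') == 'false':
        findings.append('SSL_NOT_EFFECTIVE')        # stanza asks for SSL, connection goes out in plaintext
    if want.get('tls') == 'true' and got.get('useStartTLS') == 'false':
        findings.append('STARTTLS_NOT_EFFECTIVE')
    if 'sslSocketFactory' in want and got.get('sslConfig') == 'null':
        findings.append('TRUST_NOT_EFFECTIVE')      # trustCertificates never reached the connection
    return findings
```

Run it against the real stanza and the ConnectionConfig line from the DEBUG log; an empty list means the JAAS options were applied as written and the remaining problem is on the wire or in the trust chain.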