JAAS ldap issue

Michael A Grady mgrady at unicon.net
Wed Jun 3 00:54:28 UTC 2020


Well, is port 6361 an SSL/TLS port or not? I'd agree, if you say SSL is true, that should be ldaps, not just ldap, and you need to be sure that it is presenting an appropriate set of certs (LDAP server cert and any needed intermediates) that are needed. But if it isn't actually an SSL/TLS port, and isn't actually presenting a set of certs, then I would expect that refusal of connection.

Do an:

  openssl s_client -showcerts -connect cas-auth-t.alaska.edu:6361

and see what you get back. And if that returns certs, then wherever you think you have the accepted Root certs, you could do that same command but add:

  openssl s_client -showcerts -connect cas-auth-t.alaska.edu:6361 -CAfile /path/to/Root/certfile

and see if you get a verify at the end of it.

I haven't worked on JAAS config like that in a long time, so nothing else off the top of my head. Is this "new JAAS config", or was this exact same JAAS config working before in the IdP? I'd have to do some research on the first error and JAAS/ldaptive before I could help more, and I'm not going to take the time to do that until you have a chance to respond on the above.

> On Jun 2, 2020, at 7:35 PM, IAM David Bantz <dabantz at alaska.edu> wrote:
> 
> I'm using JAAS to take advantage of the "sufficient" logic to fail over to a proxy to allow expired accounts to authenticate.
> 
> Using this configuration in JAAS.config for the proxy connection
>   // UA Authenticator is proxy to AD allows some expired accounts to authenticate
>   org.ldaptive.jaas.LdapLoginModule sufficient
>     ldapUrl="ldap://cas-auth-t.alaska.edu:6361"
>     baseDn="dc=ur,dc=addev,dc=alaska,dc=edu"
>     bindDn="CN=•••••,ou=...,dc=ua,dc=adt,dc=alaska,dc=edu"
>     bindCredential="••••••••••"
>     subtreeSearch="true"
>     sslSocketFactory="{trustCertificates=file:/.../•••.pem}"
>     ssl="true"
>     tls="false"
>     userFilter="(|(sAMAccountName={user})(uaIdentifier={user}))"
>     connectTimeout="3000"
>     resultTimeout="3000"
>     ;
> 
>  I see the following error when attempting to use this fail-over:
>   DEBUG [10.25.250.26] org.ldaptive.provider.jndi.NamingExceptionUtils:358 >  naming exception class javax.naming.ServiceUnavailableException is ambiguous, maps to multiple result codes: [BUSY, UNAVAILABLE]
> (Larger log snippet surrounding this error is below)
> 
> Folks here quickly say "that should be ldaps:// not ldap://" but the examples in Shib wiki use ldap:// with ssl="true"; if I do use ldaps:// in the configuration above, the connection is refused outright:
> 
>  DEBUG [137.229.6.124] org.ldaptive.provider.jndi.JndiConnectionFactory:105 >  Error connecting to LDAP URL: ldaps://cas-auth-t.alaska.edu:6361
> org.ldaptive.provider.ConnectionException: javax.naming.CommunicationException: cas-auth-t.alaska.edu:6361 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
> 
>  Any pointers, hints, interpretation appreciated!
> 
> David Bantz
> 
> ----
> 
> Here's the larger snippet:
> 14:05:42:455  DEBUG [10.25.250.26] org.ldaptive.jaas.LdapLoginModule:104 >  Retrieved authenticator from factory: [org.ldaptive.auth.Authenticator at 1889354517::dnResolver=[org.ldaptive.auth.SearchDnResolver at 849231888::factory=[org.ldaptive.DefaultConnectionFactory at 1944062102::provider=org.ldaptive.provider.jndi.JndiProvider at 2b1f07a, config=[org.ldaptive.ConnectionConfig at 414093010::ldapUrl=ldap://cas-auth-t.alaska.edu:6361, connectTimeout=3000, responseTimeout=-1, sslConfig=null, useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer at 1483789079::bindDn=CN=cas c. casacct,ou=sw_service accts,ou=sw,dc=ua,dc=adt,dc=alaska,dc=edu, bindSaslConfig=null, bindControls=null]]], baseDn=dc=ur,dc=addev,dc=alaska,dc=edu, userFilter=(|(sAMAccountName={user})(uaIdentifier={user})), userFilterParameters=null, allowMultipleDns=false, subtreeSearch=true, derefAliases=null, followReferrals=false], authenticationHandler=[org.ldaptive.auth.BindAuthenticationHandler at 724026423::factory=[org.ldaptive.DefaultConnectionFactory at 639157001::provider=org.ldaptive.provider.jndi.JndiProvider at 4aac1106, config=[org.ldaptive.ConnectionConfig at 345672495::ldapUrl=ldap://cas-auth-t.alaska.edu:6361, connectTimeout=3000, responseTimeout=-1, sslConfig=null, useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer at 17429495::bindDn=CN=cas c. casacct,ou=sw_service accts,ou=sw,dc=ua,dc=adt,dc=alaska,dc=edu, bindSaslConfig=null, bindControls=null]]], saslConfig=null, controls=null], entryResolver=null, authenticationResponseHandlers=null]
> 
> 14:05:42:455  DEBUG [10.25.250.26] org.ldaptive.jaas.LdapLoginModule:108 >  Retrieved authentication request from factory: [org.ldaptive.auth.AuthenticationRequest at 1634297940::user=null, retAttrs=[1.1], controls=null]
> 
> 14:05:42:458  DEBUG [10.25.250.26] org.ldaptive.BindOperation:138 >  execute request=[org.ldaptive.BindRequest at 1273459038::bindDn=CN=cas c. casacct,ou=sw_service accts,ou=sw,dc=ua,dc=adt,dc=alaska,dc=edu, saslConfig=null, controls=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection at 199510270::config=[org.ldaptive.ConnectionConfig at 414093010::ldapUrl=ldap://cas-auth-t.alaska.edu:6361, connectTimeout=3000, responseTimeout=-1, sslConfig=null, useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer at 1483789079::bindDn=CN=cas c. casacct,ou=sw_service accts,ou=sw,dc=ua,dc=adt,dc=alaska,dc=edu, bindSaslConfig=null, bindControls=null]], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory at 1169982526::metadata=[ldapUrl=ldap://cas-auth-t.alaska.edu:6361, count=1], environment={com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig at 1866297109::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy at 2f383546, controlProcessor=org.ldaptive.provider.ControlProcessor at 1f209e2d, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection at 362a968f]
> 
> 14:05:42:462  DEBUG [10.25.250.26] org.ldaptive.provider.jndi.NamingExceptionUtils:358 >  naming exception class javax.naming.ServiceUnavailableException is ambiguous, maps to multiple result codes: [BUSY, UNAVAILABLE]
> 
> 14:05:42:462  DEBUG [10.25.250.26] org.ldaptive.jaas.LdapLoginModule:178 >  Error occurred attempting authentication
> org.ldaptive.OperationException: javax.naming.ServiceUnavailableException: cas-auth-t.alaska.edu:6361; socket closed
>         at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:67)
> Caused by: javax.naming.ServiceUnavailableException: cas-auth-t.alaska.edu:6361; socket closed
>         at com.sun.jndi.ldap.Connection.readReply(Connection.java:454)
> 
> 
> 
> -- 
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

--
Michael A. Grady
IAM Architect, Unicon, Inc.
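The openssl s_client checks above separate three different failures that all look like "connection refused" from inside ldaptive: nothing listening on the port, a port that accepts TCP but does not speak TLS (note that the quoted log shows the ConnectionConfig being built with useSSL=false and sslConfig=null, so the first attempt was plaintext), and a TLS port whose chain does not verify against the trust store (the PKIX path building failure seen with ldaps://). The script below is an added example, not code from the thread, from ldaptive or from Shibboleth; it runs the same diagnosis in Python's ssl module and classifies the outcome. Host, port and CA bundle path are parameters, and the localhost listener it starts for the demo is a constructed stand-in for a non-TLS port.

```python
"""Classify how an LDAP-over-TLS connection fails (added diagnostic example)."""
import socket
import ssl
import threading


def diagnose_ldap_tls(host, port, cafile=None, timeout=5.0):
    """Attempt a TLS handshake to host:port and return (status, detail).

    status is one of:
      'refused'     nothing accepted the TCP connection
      'not-tls'     TCP connected, but the peer did not answer with TLS
                    (the port is plaintext LDAP, or needs StartTLS instead)
      'untrusted'   TLS works, but the chain does not verify against cafile /
                    the system store (the PKIX path building failure)
      'ok'          handshake and verification succeeded
      'unreachable' timeout or other socket-level error
    cafile is the PEM bundle of trusted roots (the -CAfile argument);
    None means the system default store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname enables SNI and hostname verification, the
            # same checks a correctly configured ldaps:// client performs.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return ("ok", "%s subject=%s" % (tls.version(), cert.get("subject")))
    except ConnectionRefusedError as exc:
        return ("refused", str(exc))
    # SSLCertVerificationError is a subclass of SSLError, so it must come first.
    except ssl.SSLCertVerificationError as exc:
        return ("untrusted", exc.verify_message)
    except ssl.SSLError as exc:
        # Any other handshake failure: the peer sent non-TLS bytes, closed the
        # socket mid-handshake, or refused every offered protocol version.
        return ("not-tls", exc.reason or str(exc))
    except OSError as exc:  # socket.timeout and friends (SSLError already handled)
        return ("unreachable", str(exc))


def start_plaintext_listener(banner=b"this port does not speak TLS\n"):
    """Start a throwaway localhost listener that answers one client with a
    plaintext banner, mimicking a non-TLS LDAP port. Returns the bound port.
    Constructed for the demo; not a real LDAP server."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # swallow the client's TLS ClientHello
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """Return a localhost port that is currently closed (bind, read, release)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("closed port  :", diagnose_ldap_tls("127.0.0.1", unused_port(), timeout=2))
    print("plaintext    :", diagnose_ldap_tls("127.0.0.1", start_plaintext_listener(), timeout=2))
    # Against a real directory, pass the host, the ldaps port and the root bundle:
    #   diagnose_ldap_tls("ldap.example.org", 636, cafile="/path/to/Root/certfile")
```

A 'not-tls' result on a port configured with ssl="true" means the directory is either plaintext on that port or expects StartTLS, so changing the URL scheme will not help until the server side is confirmed; an 'untrusted' result is the case where the -CAfile bundle (or the trustCertificates file in the JAAS config) is the thing to fix.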


